2630. [func] Improved syntax for DDNS autoconfiguration: use
"update-policy local;" to switch on local DDNS in a zone. [RT #19875]
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.421 2009/07/14 18:08:26 jreed Exp $ -->
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.422 2009/07/14 22:54:57 each Exp $ -->
|
||||
<book xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
<title>BIND 9 Administrator Reference Manual</title>
|
||||
|
||||
@@ -1651,16 +1651,16 @@ controls {
|
||||
|
||||
<para>
|
||||
Dynamic update is enabled by including an
|
||||
<command>allow-update</command>, <command>update-policy</command>
|
||||
clause in the <command>zone</command> statement, or by setting the
|
||||
<command>ddns-autconf</command> option to <userinput>yes</userinput>.
|
||||
<command>allow-update</command> or an <command>update-policy</command>
|
||||
clause in the <command>zone</command> statement.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If the zone's <command>ddns-autoconf</command> option is set to
|
||||
<userinput>yes</userinput>, then updates to the zone
|
||||
will be permitted for the key <filename>ddns.key</filename>,
|
||||
If the zone's <command>update-policy</command> is set to
|
||||
<userinput>local</userinput>, updates to the zone
|
||||
will be permitted for the key <varname>local-ddns</varname>,
|
||||
which will be generated by <command>named</command> at startup.
|
||||
See <xref linkend="dynamic_update_policies"/> for more details.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@@ -2217,9 +2217,8 @@ allow-update { key host1-host2. ;};
|
||||
</para>
|
||||
|
||||
<para>
|
||||
You may want to read about the more powerful
|
||||
<command>update-policy</command> statement in
|
||||
<xref linkend="dynamic_update_policies"/>.
|
||||
See <xref linkend="dynamic_update_policies"/> for a discussion of
|
||||
the more flexible <command>update-policy</command> statement.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
@@ -5288,6 +5287,58 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>session-keyfile</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
The pathname of the file into which to write a TSIG
|
||||
session key generated by <command>named</command> for use by
|
||||
<command>nsupdate -l</command>. If not specified, the
|
||||
default is <filename>/var/run/named/session.key</filename>.
|
||||
(See <xref linkend="dynamic_update_policies"/>, and in
|
||||
particular the discussion of the
|
||||
<command>update-policy</command> statement's
|
||||
<userinput>local</userinput> option for more
|
||||
information about this feature.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>session-keyname</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
The key name to use for the TSIG session key.
|
||||
If not specified, the default is "local-ddns".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>session-keyalg</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
The algorithm to use for the TSIG session key.
|
||||
Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
|
||||
hmac-sha384, hmac-sha512 and hmac-md5. If not
|
||||
specified, the default is hmac-sha256.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>session-keyfile</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
The pathname of the file into which to write a session TSIG
|
||||
key for use by <command>nsupdate -l</command>. (See the
|
||||
discussion of the <command>update-policy</command>
|
||||
statement's <userinput>local</userinput> option for more
|
||||
details on this feature.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>port</command></term>
|
||||
<listitem>
|
||||
@@ -9123,7 +9174,7 @@ view "external" {
|
||||
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
|
||||
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
|
||||
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
|
||||
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
|
||||
<optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
|
||||
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
|
||||
<optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
|
||||
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
|
||||
@@ -9746,19 +9797,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>ddns-autoconf</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
If this flag is set to <userinput>yes</userinput> in
|
||||
a master zone, the zone will be set to allow dynamic
|
||||
updates using a TSIG session key generated by
|
||||
<command>named</command> and stored in a file for use
|
||||
by <command>nsupdate -l</command> on the local system,
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>forward</command></term>
|
||||
<listitem>
|
||||
@@ -10115,15 +10153,14 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
||||
record of any name in the zone.
|
||||
</para>
|
||||
<para>
|
||||
The <command>update-policy</command> clause is new
|
||||
in <acronym>BIND</acronym> 9 and allows more fine-grained
|
||||
control over what updates are allowed. A set of rules
|
||||
is specified, where each rule either grants or denies
|
||||
permissions for one or more names to be updated by
|
||||
one or more identities. If the dynamic update request
|
||||
message is signed (that is, it includes either a TSIG
|
||||
or SIG(0) record), the identity of the signer can be
|
||||
determined.
|
||||
The <command>update-policy</command> clause
|
||||
allows more fine-grained control over what updates are
|
||||
allowed. A set of rules is specified, where each rule
|
||||
either grants or denies permissions for one or more
|
||||
names to be updated by one or more identities. If
|
||||
the dynamic update request message is signed (that is,
|
||||
it includes either a TSIG or SIG(0) record), the
|
||||
identity of the signer can be determined.
|
||||
</para>
|
||||
<para>
|
||||
Rules are specified in the <command>update-policy</command>
|
||||
@@ -10135,9 +10172,39 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
||||
only examines the signer of a message; the source
|
||||
address is not relevant.
|
||||
</para>
|
||||
<para>
|
||||
There is a pre-defined <command>update-policy</command>
|
||||
rule which can be switched on with the command
|
||||
<command>update-policy local;</command>.
|
||||
Switching on this rule in a zone causes
|
||||
<command>named</command> to generate a TSIG session
|
||||
key and place it in a file, and to allow that key
|
||||
to update the zone. (By default, the file is
|
||||
<filename>/var/run/named/session.key</filename>, the key
|
||||
name is "local-ddns" and the key algorithm is HMAC-SHA256,
|
||||
but these values are configurable with the
|
||||
<command>session-keyfile</command>,
|
||||
<command>session-keyname</command> and
|
||||
<command>session-keyalg</command> options, respectively).
|
||||
</para>
|
||||
<para>
|
||||
A client running on the local system, and with appropriate
|
||||
permissions, may read that file and use the key to sign update
|
||||
requests. The zone's update policy will be set to allow that
|
||||
key to change any record within the zone. Assuming the
|
||||
key name is "local-ddns", this policy is equivalent to:
|
||||
</para>
|
||||
|
||||
<programlisting>update-policy { grant local-ddns zonesub any; };
|
||||
</programlisting>
|
||||
|
||||
<para>
|
||||
This is how a rule definition looks:
|
||||
The command <command>nsupdate -l</command> sends update
|
||||
requests to localhost, and signs them using the session key.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Other rule definitions look like this:
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
@@ -10147,12 +10214,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
|
||||
<para>
|
||||
Each rule grants or denies privileges. Once a message has
|
||||
successfully matched a rule, the operation is immediately
|
||||
granted
|
||||
or denied and no further rules are examined. A rule is matched
|
||||
when the signer matches the identity field, the name matches the
|
||||
name field in accordance with the nametype field, and the type
|
||||
matches
|
||||
the types specified in the type field.
|
||||
granted or denied and no further rules are examined. A rule
|
||||
is matched when the signer matches the identity field, the
|
||||
name matches the name field in accordance with the nametype
|
||||
field, and the type matches the types specified in the type
|
||||
field.
|
||||
</para>
|
||||
<para>
|
||||
No signer is required for <replaceable>tcp-self</replaceable>
|
||||
|
||||