IPv6 Pain Experiment

Mark Andrews marka at isc.org
Thu Oct 3 03:37:57 UTC 2019


Actually you can do exactly the same thing for glue.  KEY records below bottom of zone cut exactly the same way as you have A and AAAA below bottom of zone cut.  The only difference is the zone listed in the UPDATE message.


zone example.com {
	...
	update-policy {
		// allow a TSIG or SIG(0) update signed with administrator.example.com to change anything in the zone
		grant administrator.example.com. zonesub ANY;
		// allow a TSIG or SIG(0) update signed with name X to update anything at X
		grant * self * ANY;
	};
};


Now is that a “complicated” policy?

Coming soon “grant * tcp-self . PTR(1);”  allow a TCP UPDATE to install a single PTR record at the matching reverse name of the TCP source address.  https://gitlab.isc.org/isc-projects/bind9/merge_requests/2124


> On 3 Oct 2019, at 12:30 pm, Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp> wrote:
> 
> Mark Andrews wrote:
> 
>> There is also nothing stopping machines updating their addresses in
>> the DNS dynamically securely.
> Except that glue A/AAAA can not be updated so easily
> and security configuration is even more painful than
> address configuration.
> 
> 					Masataka Ohta

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
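
Added example, not part of the original message and not BIND's code: a simplified Python model of how the two grant rules in the zone block above decide an UPDATE, including the glue case, where a key named for a name server below a zone cut changes its own address records in the parent zone. Host and key names other than administrator.example.com are constructed, and only the zonesub and self rule types with an exact or "*" identity are modelled.

```python
# Simplified model of the update-policy in the message above (assumption:
# first matching grant wins; only "zonesub" and "self" are modelled).

ZONE = "example.com."

# (identity, ruletype, types) in the order they appear in the zone block.
POLICY = [
    ("administrator.example.com.", "zonesub", {"ANY"}),
    ("*", "self", {"ANY"}),
]


def canon(name):
    """Lower-case a DNS name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(name, zone=ZONE):
    """True if name is the zone apex or lies below it."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def update_allowed(signer, owner, rrtype, policy=POLICY, zone=ZONE):
    """Return the rule type that grants the update, or None if refused.

    signer: name of the TSIG or SIG(0) key that signed the UPDATE
    owner:  owner name of the record being changed
    """
    signer, owner, rrtype = canon(signer), canon(owner), rrtype.upper()
    if not in_zone(owner, zone):
        return None  # owner is outside the zone listed in the UPDATE
    for identity, ruletype, types in policy:
        if identity != "*" and canon(identity) != signer:
            continue
        # ANY covers every type except NSEC and NSEC3.
        if rrtype not in types and ("ANY" not in types
                                    or rrtype in ("NSEC", "NSEC3")):
            continue
        if ruletype == "zonesub":
            return ruletype  # owner is already known to be inside the zone
        if ruletype == "self" and owner == signer:
            return ruletype
    return None
```

In this model a key named ns1.child.example.com may change AAAA at ns1.child.example.com in the example.com zone, but the same key is refused for any other owner name.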
