Actually you can do exactly the same thing for glue. KEY records below the bottom of the zone cut, exactly the same way as you have A and AAAA below the bottom of the zone cut. The only difference is the zone listed in the UPDATE message.

    zone example.com {
        ...
        update-policy {
            // allow a TSIG or SIG(0) update signed with administrator.example.com to change anything in the zone
            grant administrator.example.com. zonesub ANY;
            // allow a TSIG or SIG(0) update signed with name X to update anything at X
            grant * self * ANY;
        };
    };

Now is that a “complicated” policy?

Coming soon: “grant * tcp-self . PTR(1);” allows a TCP UPDATE to install a single PTR record at the matching reverse name of the TCP source address.

https://gitlab.isc.org/isc-projects/bind9/merge_requests/2124
> On 3 Oct 2019, at 12:30 pm, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
>
> Mark Andrews wrote:
>
>> There is also nothing stopping machines updating their addresses in the DNS dynamically securely.
>
> Except that glue A/AAAA can not be updated so easily and security configuration is even more painful than address configuration.
>
> Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
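The two-rule policy in the mail above, worked through as an added example (this is not ISC's code and not BIND's actual matcher; it is a deliberately simplified model that handles only the rule shapes used in the mail: a fixed or wildcard identity, the `zonesub` and `self` name types, and a type list or `ANY`, with BIND's first-matching-rule-wins evaluation). The sample signer and owner names (`host.example.com`, `ns.sub.example.com`) and the `nsupdate_batch` helper that renders the corresponding UPDATE as nsupdate commands are constructed here to show that the glue case differs from the in-zone case only in the zone named in the update:

```python
"""Simplified model of BIND 9 update-policy matching (added example, not ISC's
code). Rules are evaluated in order; the first rule whose identity, name type
and RR type all match decides the outcome; if no rule matches, the update is
refused. Only the 'zonesub' and 'self' name types are modelled."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # TSIG/SIG(0) signer name; "*" matches any signer
    nametype: str      # "zonesub" or "self"
    types: frozenset   # RR types the rule covers, or frozenset({"ANY"})


def canon(name):
    """Canonical comparison form: strip the trailing dot, lower-case."""
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True if name is the zone apex or any name below it."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def rule_matches(rule, zone, signer, target, rrtype):
    if rule.identity != "*" and canon(rule.identity) != canon(signer):
        return False
    if rule.nametype == "zonesub":
        # any name at or below the zone apex
        name_ok = in_zone(target, zone)
    elif rule.nametype == "self":
        # the updated name must equal the signer's key name
        name_ok = canon(target) == canon(signer)
    else:
        raise ValueError("unsupported nametype: %s" % rule.nametype)
    if not name_ok:
        return False
    return "ANY" in rule.types or rrtype.upper() in rule.types


def allowed(policy, zone, signer, target, rrtype):
    """Return True if this zone's policy permits signer to update target/rrtype."""
    if not in_zone(target, zone):
        return False            # not this zone's data at all
    for rule in policy:
        if rule_matches(rule, zone, signer, target, rrtype):
            return rule.action == "grant"
    return False                # implicit deny when nothing matches


# The policy from the mail, for zone example.com.
EXAMPLE_COM_POLICY = [
    Rule("grant", "administrator.example.com.", "zonesub", frozenset({"ANY"})),
    Rule("grant", "*", "self", frozenset({"ANY"})),
]


def nsupdate_batch(zone, name, ttl, rrtype, rdata):
    """Render the UPDATE as nsupdate input. The 'zone' line is what selects the
    policy that will be consulted; for glue it names the parent zone."""
    return "zone %s\nupdate add %s %d %s %s\nsend\n" % (zone, name, ttl, rrtype, rdata)


if __name__ == "__main__":
    # In-zone host updating its own AAAA (matches 'grant * self').
    print(allowed(EXAMPLE_COM_POLICY, "example.com", "host.example.com.",
                  "host.example.com.", "AAAA"))
    # Glue A and KEY for a nameserver below the zone cut, sent to example.com.
    print(nsupdate_batch("example.com", "ns.sub.example.com.", 3600, "A", "192.0.2.1"))
    print(allowed(EXAMPLE_COM_POLICY, "example.com", "ns.sub.example.com.",
                  "ns.sub.example.com.", "KEY"))
```

Because `self` compares the owner name with the signer's key name and nothing else, the glue records for `ns.sub.example.com` are updatable with the `ns.sub.example.com` key exactly as an in-zone host's A/AAAA are; the only thing the client has to get right is naming `example.com` rather than `sub.example.com` as the zone. A key for one name cannot touch a sibling name, and anything not covered by a rule is refused.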