[getdns-api] Request for DNS updates

Tony Finch dot at dotat.at
Wed Mar 13 07:26:35 MST 2013


Phillip Hallam-Baker <hallam at gmail.com> wrote:
> On Wed, Mar 13, 2013 at 7:37 AM, Tony Finch <dot at dotat.at> wrote:
> > Phillip Hallam-Baker <hallam at gmail.com> wrote:
> >>
> >> Developing a client API for those would be non-trivial. The credential
> >> model supported at present is designed to support the use case in
> >> which an administrator of a domain can request updates be made to an
> >> authoritative server.
> >
> > Which credential model? There are several: IP address, TSIG, SIG(0),
> > GSS-TSIG, ... And it's fairly straightforward to restrict updates to
> > individual names or subtrees within a zone.
>
> As I said, restricting to individual names isn't actually enough.
>
> If I have an outsourced mail service I do not want to give the
> outsourcer the ability to put arbitrary records in example.com, they
> would be limited to MX records.

Yes, you can do that too. BIND's update authorization model is pretty
flexible and if the builtin features aren't enough it can call another
program to make the decision.

In any case server-side authorization is somewhat off-topic; what matters
is that a DNS UPDATE client is able to authenticate itself using the
standard mechanisms.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
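
The kind of request discussed above, as an added example that is not part of the original message: a DNS UPDATE adding one MX record, authenticated with TSIG (HMAC-SHA256), with a simplified server-side check. The key name, secret, host names and timestamp are constructed for illustration, and `verify` locates the TSIG record by its fixed prefix instead of parsing every section as a real server would.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Lowercase, uncompressed DNS wire format of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

ALG = wire_name("hmac-sha256")        # TSIG algorithm name
NO_ERROR = struct.pack(">HH", 0, 0)   # TSIG error = 0, other-data length = 0

def build_mx_update(msg_id, zone, owner, ttl, preference, exchange):
    """RFC 2136 UPDATE adding one MX record; counts are zone/prereq/update/additional."""
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    rdata = struct.pack(">H", preference) + wire_name(exchange)
    return (header + wire_name(zone) + struct.pack(">HH", 6, 1)   # zone: SOA, IN
            + wire_name(owner) + struct.pack(">HHIH", 15, 1, ttl, len(rdata)) + rdata)

def _timers(time_signed, fudge):
    return struct.pack(">HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)

def tsig_mac(secret, message, key_name, time_signed, fudge):
    """HMAC-SHA256 over the unsigned request followed by the TSIG variables."""
    tsig_vars = (wire_name(key_name) + struct.pack(">HI", 255, 0)  # class ANY, TTL 0
                 + ALG + _timers(time_signed, fudge) + NO_ERROR)
    return hmac.new(secret, message + tsig_vars, hashlib.sha256).digest()

def sign(message, key_name, secret, time_signed, fudge=300):
    """Client side: append the TSIG RR and bump the additional-record count."""
    mac = tsig_mac(secret, message, key_name, time_signed, fudge)
    rdata = (ALG + _timers(time_signed, fudge) + struct.pack(">H", len(mac)) + mac
             + message[:2] + NO_ERROR)                             # original message ID
    rr = wire_name(key_name) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", message[10:12])[0] + 1
    return message[:10] + struct.pack(">H", arcount) + message[12:] + rr

def verify(signed, key_name, secret, now):
    """Server side, simplified: finds the trailing TSIG RR by its fixed prefix."""
    pos = signed.rfind(wire_name(key_name) + struct.pack(">HHI", 250, 255, 0))
    p = pos + len(wire_name(key_name)) + 10 + len(ALG)             # start of timers
    if pos < 12 or len(signed) < p + 10 or signed[p - len(ALG):p] != ALG:
        return False
    hi, lo, fudge, mac_len = struct.unpack(">HIHH", signed[p:p + 10])
    mac, time_signed = signed[p + 10:p + 10 + mac_len], (hi << 32) | lo
    arcount = struct.unpack(">H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack(">H", arcount) + signed[12:pos]
    expected = tsig_mac(secret, unsigned, key_name, time_signed, fudge)
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

Authentication only establishes which key sent the update; whether that key may add MX records at example.com is the server-side authorization decision the thread sets aside.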

