nanog mailing list archives

Re: IPv6 Pain Experiment


From: Mark Andrews <marka () isc org>
Date: Thu, 3 Oct 2019 13:37:57 +1000

Actually you can do exactly the same thing for glue.  KEY records below bottom of zone cut exactly the same way as you 
have A and AAAA below bottom of zone cut.  The only difference is the zone listed in the UPDATE message.


zone example.com {
        ...
        update-policy {
                // allow a TSIG or SIG(0) update signed with administrator.example.com to change anything in the zone
                grant administrator.example.com. zonesub ANY;
                // allow a TSIG or SIG(0) update signed with name X to update anything at X
                grant * self * ANY;
        };
};


Now is that a “complicated” policy?

Coming soon “grant * tcp-self . PTR(1);”  allow a TCP UPDATE to install a single PTR record at the matching reverse 
name of the TCP source address.  https://gitlab.isc.org/isc-projects/bind9/merge_requests/2124


On 3 Oct 2019, at 12:30 pm, Masataka Ohta <mohta () necom830 hpcl titech ac jp> wrote:

Mark Andrews wrote:

There is also nothing stopping machines updating their addresses in
the DNS dynamically securely.

Except that glue A/AAAA can not be updated so easily
and security configuration is even more painful than
address configuration.

                                      Masataka Ohta

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
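
The two grant rules from the message above, run through a simplified first-match model; this is an added example, not part of the original post and not BIND's code. The signer and record names (such as ns1.sub.example.com, standing for a name server whose glue sits below a zone cut in example.com) are assumptions made for illustration.

```python
# Simplified model of first-match update-policy evaluation (not BIND's code).
# Only the two rule types used in the post are modelled; BIND's special
# handling of particular record types and wildcard identities is left out.
from typing import NamedTuple, Optional

ZONE = "example.com."

class Rule(NamedTuple):
    grant: bool
    identity: str  # key name that signed the update, or "*" for any key
    ruletype: str  # "zonesub" or "self"
    types: str     # "ANY" or a space-separated list of record types

# The two rules from the post, in the order they appear.
POLICY = [
    Rule(True, "administrator.example.com.", "zonesub", "ANY"),
    Rule(True, "*", "self", "ANY"),
]

def canon(name: str) -> str:
    """Lower-case and make absolute so names compare reliably."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name: str, zone: str = ZONE) -> bool:
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)

def allowed(signer: Optional[str], name: str, rrtype: str) -> bool:
    """Return True if an update to (name, rrtype) signed by `signer` is granted."""
    if signer is None or not in_zone(name):
        return False  # unsigned, or the name is not in this zone at all
    signer, name = canon(signer), canon(name)
    for rule in POLICY:
        if rule.identity != "*" and canon(rule.identity) != signer:
            continue
        # zonesub: any name in the zone; self: only the signer's own name
        if rule.ruletype == "self" and signer != name:
            continue
        if rule.types != "ANY" and rrtype.upper() not in rule.types.split():
            continue
        return rule.grant
    return False  # no rule matched: refuse

if __name__ == "__main__":
    # Constructed cases; ns1.sub.example.com stands for glue below a zone cut.
    for who, what in [("ns1.sub.example.com", "ns1.sub.example.com"),
                      ("ns1.sub.example.com", "www.example.com"),
                      ("administrator.example.com", "www.example.com")]:
        print(who, "->", what, "AAAA:", allowed(who, what, "AAAA"))
```

The second case is the one that matters for containment: a host key that leaks can rewrite only the records at its own name, not anything else in the zone.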

