Opened 8 years ago

Closed 5 years ago

#2065 closed enhancement (wontfix)

support BIND9-compatible update-policy ACL for DDNS

Reported by: jinmei
Owned by:
Priority: medium
Milestone: Remaining BIND10 tickets
Component: ddns
Version: bind10-old
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: N/A
Sub-Project: DNS
Feature Depending on Ticket:
Estimated Difficulty: 9
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description (last modified by jinmei)

For controlling the permission for specific domain names,
specific types of RRs, etc.

See the corresponding BIND 9 option:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies

This ticket doesn't intend to provide full compatibility with the BIND
9 counterpart, but it should at least support the "name" and
"subdomain" nametypes. For example, we should be able to specify
the following in some zone-specific configuration of b10-ddns:

grant key.dyn.example.com name foo.dyn.example.com AAAA

which would allow updates to foo.dyn.example.com/AAAA by a DDNS
request signed with a TSIG key whose key name is key.dyn.example.com.

This task will probably have to be broken down into multiple subtasks:
at least it would (probably) need to update the generic ACL framework to allow
this to happen and update b10-ddns and the Python ddns module so they
understand and handle this fine-grained access control.
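
The rule semantics requested above, as an added sketch that is not BIND 10 or b10-ddns code: it evaluates "name" and "subdomain" grant/deny rules against the TSIG key name, the updated name and the RR type. The function names are hypothetical, and the first-match-wins ordering, default deny and the type set excluded when a rule lists no types are assumptions taken from BIND 9's documented update-policy behaviour; wildcard identities and the ANY type are not handled.

```python
from dataclasses import dataclass

# Assumption (BIND 9 behaviour): a rule with no type list skips these types.
DEFAULT_EXCLUDED = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})

def norm(name):
    """Case-fold a domain name, drop the trailing dot, return its labels."""
    return tuple(name.lower().rstrip(".").split("."))

@dataclass(frozen=True)
class Rule:
    grant: bool
    identity: tuple   # TSIG key name the request must be signed with
    nametype: str     # "name" or "subdomain"
    name: tuple
    types: frozenset  # empty means "no types listed"

def parse_rule(line):
    action, identity, nametype, name, *types = line.rstrip(";").split()
    if action not in ("grant", "deny") or nametype not in ("name", "subdomain"):
        raise ValueError("unsupported rule: " + line)
    return Rule(action == "grant", norm(identity), nametype, norm(name),
                frozenset(t.upper() for t in types))

def rule_matches(rule, key_name, update_name, rrtype):
    if key_name is None or norm(key_name) != rule.identity:
        return False  # unsigned, or signed with a different key
    target = norm(update_name)
    if rule.nametype == "name":
        name_ok = target == rule.name
    else:
        # Compare whole labels so "evildyn.example.com" is not under "dyn.example.com".
        name_ok = target[-len(rule.name):] == rule.name
    if rule.types:
        return name_ok and rrtype.upper() in rule.types
    return name_ok and rrtype.upper() not in DEFAULT_EXCLUDED

def check_update(rules, key_name, update_name, rrtype):
    """The first matching rule decides; a request matching no rule is denied."""
    for rule in rules:
        if rule_matches(rule, key_name, update_name, rrtype):
            return rule.grant
    return False

# Constructed sample policy: the first rule is the one from the ticket,
# the key2 rules are made up to exercise "deny" and "subdomain".
POLICY = [parse_rule(line) for line in (
    "grant key.dyn.example.com name foo.dyn.example.com AAAA",
    "deny key2.dyn.example.com name static.dyn.example.com",
    "grant key2.dyn.example.com subdomain dyn.example.com A AAAA",
)]
```
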

Change History (8)

comment:1 Changed 8 years ago by shane

  • Estimated Difficulty changed from 0 to 8

comment:2 Changed 8 years ago by jinmei

  • Description modified (diff)

comment:3 Changed 8 years ago by jinmei

  • Estimated Difficulty changed from 8 to 0

comment:4 Changed 8 years ago by jinmei

  • Description modified (diff)

comment:5 Changed 8 years ago by vorner

I think we don't really need to update the Python part. We can simply add more checks (check for domain, subdomain, type of the query). Then the generic part will construct the ACL from it. The Python part (or DDNS) just passes the configuration through.

comment:6 Changed 7 years ago by shane

  • Milestone New Tasks deleted

comment:7 Changed 6 years ago by tomek

  • Milestone set to Remaining BIND10 tickets

comment:8 Changed 5 years ago by tomek

  • Resolution set to wontfix
  • Status changed from new to closed
  • Version set to old-bind10

This issue is related to bind10 code that is no longer part of Kea.

If you are interested in BIND10/Bundy framework or its DNS components,
please check http://bundy-dns.de.

Closing ticket.
