[Pdns-users] DNSSEC : One key by client to update only this client's dynamic A record

Kevin P. Fleming kevin at km6g.us
Tue Jun 22 18:40:52 UTC 2021


This is not related to DNSSEC, but can still be done.

At A.dyndns.xxx.com you'd have a CNAME which points to an A record at
A.customers.dyndns.xxx.com, and the user's TSIG key would only allow
modifying the record(s) in that subzone. So you'd have one subzone
per customer, and the TSIG keys would allow access to one subzone
each.

On Tue, Jun 22, 2021 at 2:18 PM David J. via Pdns-users
<pdns-users at mailman.powerdns.com> wrote:
>
> Hello everyone,
>
> I would like to configure my own dyndns service. I managed to configure
> it and make it work.
> I am now trying to secure this service.
>
> I followed this doc with success:
> https://doc.powerdns.com/authoritative/dnsupdate.html
> However, as far as I understand, there is only one key for the whole
> zone, which means any client can update any record.
>
> I would like to be able to generate one key per client
> (dnssec-keygen -n host?) and authorize this key to be able to update
> only the associated record.
> Example:
> - The zone is dyndns.xxx.com
> - A client would like to have the dynamic record A.dyndns.xxx.com
> - B would like B.dyndns.xxx.com
> - A must be able to update A.dyndns.xxx.com and only this record
> - Same for B.
>
> Can someone give me a hint or a URL to achieve that with pdns, please?
> Did I miss something in the doc?
>
> Thank you very much,
>
> Best regards,
>
> --
> David J
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
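
The layout described in the reply above, sketched as an added example (not code from the thread or from the PowerDNS project): one subzone and one TSIG key per customer, with a CNAME in the parent zone. The nameserver name, the key-naming scheme and the delegation NS record are assumptions; the parent zone is assumed to exist with dnsupdate already enabled, and source-address limits (allow-dnsupdate-from) are left to the server configuration.

```shell
#!/bin/sh
# Added example: per-customer dynamic-DNS subzone with its own TSIG key.
LC_ALL=C; export LC_ALL          # keep the a-z range below byte-exact
PARENT="dyndns.xxx.com"          # zone name from the thread
NSHOST="ns1.xxx.com"             # hypothetical nameserver name (assumption)

# Accept only a single lowercase DNS label, so a customer name can never
# contain dots or shell metacharacters and end up naming another zone.
valid_label() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the pdnsutil commands for one customer (nothing is executed here).
plan_customer() {
    valid_label "$1" || { echo "invalid customer label: $1" >&2; return 1; }
    sub="$1.customers.$PARENT"   # the customer's own subzone
    key="$1-update"              # hypothetical per-customer TSIG key name
    # 1) subzone, 2) key, 3) bind key to subzone only,
    # 4) CNAME from the public name, 5) delegation in the parent (assumption)
    cat <<EOF
pdnsutil create-zone $sub $NSHOST
pdnsutil generate-tsig-key $key hmac-sha256
pdnsutil set-meta $sub TSIG-ALLOW-DNSUPDATE $key
pdnsutil add-record $PARENT $1 CNAME 300 $sub
pdnsutil add-record $PARENT $1.customers NS 3600 $NSHOST
EOF
}

# Dry run by default; set APPLY=1 to execute the plan on the PowerDNS host.
provision() {
    if [ "${APPLY:-0}" = 1 ]; then
        plan_customer "$1" | sh -e
    else
        plan_customer "$1"
    fi
}

if [ "$#" -gt 0 ]; then provision "$1"; fi
```

Because the key is bound to `a.customers.dyndns.xxx.com` alone, customer A's key cannot sign updates for B's subzone or for the parent zone that holds the CNAMEs.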

