Update Policy DNS Deployment Option - BlueCat Address Manager - 8.3.0

Address Manager Administration Guide

BlueCat Address Manager 8.3.0

The Update Policy DNS deployment option provides more control over DNS updates than the Allow Dynamic Updates option. Update Policy provides more options for matching clients’ identities and for determining the resource records that clients may update.

The Update Policy and Allow Dynamic Updates options are mutually exclusive and cannot normally be set at the same level in Address Manager. This restriction does not apply to Windows servers.

To set the Update Policy DNS deployment option:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Navigate to the level at which you want to set a DNS deployment option and click the Deployment Options tab. Deployment Options tabs appear at the configuration, view, zone, IP block, and IP network levels.
  4. Under Deployment Options, click New and select DNS Option.
  5. From the Option list, select Update Policy. The Update Policy fields appear on the page.
  6. Define the update policy with the following fields:
    • Privilege—determines if the client may perform an update. Select grant to allow matching clients to perform an update. Select deny to prevent matching clients from performing an update.
    • Identity—specifies criteria for matching the client. Select Name to specify a client name, wildcard name, or GSS-TSIG Kerberos principal. Select Key to specify a TSIG key. When you select Name, a text field appears beside the Identity field; type a client name, DNS wildcard, or GSS-TSIG Kerberos principal. The conventions for specifying a Kerberos principal vary, depending on the type of client and the role it performs.
      When specifying a Kerberos principal, observe the following conventions for each type of client:

      Type of client: Windows Server or Client performing direct DNS registration
      Convention: computerName$@REALM
      For example: for the computer name docserver in the realm EXAMPLE.COM, type the Kerberos principal as: docserver$@EXAMPLE.COM

      Type of client: Windows DHCP Server performing DNS registration when DHCP clients lease an IP address
      Convention: dhcpDDNSuserName@REALM
      The dhcpDDNSuserName is the user name configured in the Windows Automated Deployment Services (ADS). In Windows DHCP Administration, this user is configured for DDNS.
      For example: for the DHCP DDNS user named wsmith in the realm EXAMPLE.COM, type the Kerberos principal as: wsmith@EXAMPLE.COM

      Type of client: DHCP Server performing DNS registration when DHCP clients lease an IP address
      Convention: serviceName/hostName@REALM
      For example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as: DHCP/host123.example.com@EXAMPLE.COM

      Type of client: All other DNS clients
      Convention: serviceName/hostName@REALM
      For example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as: DHCP/host123.example.com@EXAMPLE.COM

      When you select Key, a drop-down menu of TSIG keys created on the TSIG tab appears; select a TSIG key from the list.

    • Nametype—determines the update policy’s matching criteria. Select a name type from the list:
      • subdomain: Matches when the name to be updated is identical to or a subdomain of the value in the Name field.
      • self: Matches when the name to be updated matches the value in the Identity field. When using this option, type the same fully-qualified domain name in the Identity and Name fields.
      • name: Matches when the name to be updated is identical to the value in the Name field.
      • wildcard: Matches when the name to be updated is a DNS wildcard matching the value in the Name field.
      • selfsub: Matches when the name to be updated is identical to or a subdomain of the value in the Identity field. When using this option, type the same value in the Identity and Name fields.
      • subwild: Matches when the name to be updated is a DNS wildcard matching a subdomain of the value in the Identity field.
      • krb5-self: Matches when the client’s MIT Kerberos principal matches the value in the Identity field.
      • ms-self: Matches when the client’s Microsoft Kerberos principal matches the value in the Identity field.
      • krb5-subdomain: Matches when the client’s MIT Kerberos principal matches or is in a subdomain of the value in the Identity field.
      • ms-subdomain: Matches when the client’s Microsoft Kerberos principal matches or is in a subdomain of the value in the Identity field.
      • tcp-self: Matches when the update is sent over TCP and the name to be updated corresponds to the client’s own IP address in the IN-ADDR.ARPA or IP6.ARPA namespace.
      • 6to4-self: Allows the 6to4 prefix to be updated by any TCP connection from the 6to4 network or from the corresponding IPv4 address.
    • Name—specifies a fully-qualified domain name for matching. Type a fully-qualified domain name.
    • RR Types—defines the resource record types that the policy matches and that clients may update. You can select one of two predefined ranges of record types, or create a custom list. Select the types of resource records to update:
      • Default—when selected, the policy matches all resource record types except for RRSIG, NS, SOA, NSEC, and NSEC3.
      • ANY—when selected, the policy matches all resource record types except for NSEC and NSEC3.
      • Custom—when selected, a drop-down list appears. To create a custom list of resource records, select one or more record types from the list. To select a single record type, click it in the list. To select multiple record types, CTRL-click them in the list.

    Click Add to add the policy definition to the update policy.

    Policy definitions are evaluated in the order in which they are listed. To adjust the position of a policy definition in the list, select the definition and click Move Up or Move Down, or click and drag the policy definition to its new position in the list.

    To remove a policy definition from the list, select it and click Remove.

  7. Under Servers, select the servers to which the option will apply:
    • All Servers—applies the deployment option to all servers in the configuration.
    • Server Group—applies the deployment option to a specific server group in the configuration. Select a server group from the drop-down menu.
    • Specific Server—applies the deployment option to a specific server in the configuration. Select a server from the drop-down menu.
  8. Under Change Control, add comments, if required.
  9. Click Add.
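The fields in step 6 (Privilege, Identity, Nametype, Name, RR Types) and the ordering controls describe a rule list that is evaluated per update request. The script below is an added illustration written for this page; it is not BlueCat or BIND code. It models the name types that can be checked purely from names (subdomain, name, wildcard, self, selfsub, subwild) and the Default and ANY record ranges exactly as the page defines them, and it assumes, as BIND's update-policy does, that definitions are evaluated top to bottom with the first match deciding and that a request matching no definition is refused. The Kerberos, tcp-self and 6to4-self name types are left out because they depend on credentials and transport that a stand-alone script cannot model. All hostnames are constructed placeholders. The comparison shows why a single broad grant with ANY lets any matching client rewrite the zone apex NS records or a peer's address, and why a deny definition only protects a name when it is listed above the grant that would otherwise match.

```python
"""Toy evaluator for Update Policy definitions (added example, not BlueCat/BIND code).

Assumptions not stated on the page: definitions are checked in list order and the
first matching one decides; no match means the update is refused."""
from dataclasses import dataclass
from typing import Union

# RR Types ranges exactly as the page defines them
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
ANY_EXCLUDED = {"NSEC", "NSEC3"}


def _norm(name: str) -> str:
    """Compare names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def _is_subdomain(name: str, parent: str) -> bool:
    """True when name is identical to, or below, parent."""
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)


def _wildcard_match(name: str, pattern: str) -> bool:
    """'*.example.com' matches any name strictly below example.com (one or more
    labels); a pattern without a leading '*.' is an exact match."""
    name, pattern = _norm(name), _norm(pattern)
    if not pattern.startswith("*."):
        return name == pattern
    return name != pattern[2:] and name.endswith("." + pattern[2:])


@dataclass
class Definition:
    privilege: str                                  # "grant" or "deny"
    identity: str                                   # client name, wildcard name or TSIG key name
    nametype: str                                   # subdomain | name | wildcard | self | selfsub | subwild
    name: str                                       # the Name field (FQDN)
    rr_types: Union[str, frozenset] = "Default"     # "Default", "ANY" or a custom set of types

    def type_in_scope(self, rrtype: str) -> bool:
        rrtype = rrtype.upper()
        if self.rr_types == "Default":
            return rrtype not in DEFAULT_EXCLUDED
        if self.rr_types == "ANY":
            return rrtype not in ANY_EXCLUDED
        return rrtype in {t.upper() for t in self.rr_types}

    def name_matches(self, client: str, target: str) -> bool:
        if self.nametype == "subdomain":
            return _is_subdomain(target, self.name)
        if self.nametype == "name":
            return _norm(target) == _norm(self.name)
        if self.nametype == "wildcard":
            return _wildcard_match(target, self.name)
        if self.nametype == "self":
            return _norm(target) == _norm(client)
        if self.nametype == "selfsub":
            return _is_subdomain(target, client)
        if self.nametype == "subwild":          # strictly below the client's own name
            return _wildcard_match(target, "*." + _norm(client))
        raise ValueError(f"name type not modelled here: {self.nametype}")

    def matches(self, client: str, target: str, rrtype: str) -> bool:
        # A definition only applies when identity, name AND record type all fit;
        # otherwise evaluation moves on to the next definition in the list.
        return (_wildcard_match(client, self.identity)
                and self.name_matches(client, target)
                and self.type_in_scope(rrtype))


def evaluate(policy, client: str, target: str, rrtype: str) -> str:
    """First matching definition wins; nothing matching means the update is refused."""
    for definition in policy:
        if definition.matches(client, target, rrtype):
            return definition.privilege
    return "deny"


# Constructed sample policies (hostnames are placeholders, not from the page).
BROAD = [Definition("grant", "*.example.com", "subdomain", "example.com", "ANY")]

SCOPED = [
    Definition("deny", "*.example.com", "name", "ns1.example.com", "ANY"),   # listed first, so it wins
    Definition("grant", "ws01.example.com", "self", "ws01.example.com"),     # Default range: no NS/SOA/DNSSEC
    Definition("grant", "ws02.example.com", "self", "ws02.example.com"),
]

# Same deny as SCOPED, but placed below a broad grant: the grant matches first,
# so the deny is never reached for the names the grant covers.
MISORDERED = [
    Definition("grant", "*.example.com", "subdomain", "example.com"),
    Definition("deny", "*.example.com", "name", "ns1.example.com", "ANY"),
]


def compare() -> dict:
    """Outcome of the same requests under each policy."""
    return {
        "broad_apex_ns": evaluate(BROAD, "ws01.example.com", "example.com", "NS"),
        "broad_peer_a": evaluate(BROAD, "ws01.example.com", "ws02.example.com", "A"),
        "scoped_own_a": evaluate(SCOPED, "ws01.example.com", "ws01.example.com", "A"),
        "scoped_own_ns": evaluate(SCOPED, "ws01.example.com", "ws01.example.com", "NS"),
        "scoped_peer_a": evaluate(SCOPED, "ws01.example.com", "ws02.example.com", "A"),
        "scoped_ns1_a": evaluate(SCOPED, "ns1.example.com", "ns1.example.com", "A"),
        "misordered_ns1_a": evaluate(MISORDERED, "ns1.example.com", "ns1.example.com", "A"),
    }


if __name__ == "__main__":
    for request, outcome in compare().items():
        print(f"{request}: {outcome}")
```

Running it shows the broad policy granting both the apex NS rewrite and the update of a peer's A record, while the scoped policy grants ws01 only its own non-infrastructure records, refuses its NS record because the Default range excludes NS, and refuses every change to ns1.example.com because the deny sits first; the misordered list grants that same ns1 update, which is the case the Move Up and Move Down controls exist to prevent.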