Update Policy DNS deployment option - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Locale: en-US
Product name: BlueCat Integrity
Version: 26.1.0

The Update Policy DNS deployment option provides more control over DNS updates than the Allow Dynamic Updates option. Update Policy provides more options for matching clients’ identities and for determining the resource records that clients may update.

The Update Policy and Allow Dynamic Updates options are mutually exclusive and can't normally be set at the same level in Address Manager.

To set the Update Policy DNS deployment option:

  1. Navigate to the level at which you want to set a DNS deployment option and select the Deployment options tab. The Deployment options tab appears at the configuration, view, zone, IP block, and IP network levels.
  2. Select New > DNS option.
  3. Under General, configure the following parameters:
    • Name—select Update Policy. The corresponding parameter fields for the Update Policy option are displayed.
  4. Define the update policy with the following fields:
    • Privilege—determines if the client may perform an update. Select grant to allow matching clients to perform an update. Select deny to prevent matching clients from performing an update.
    • Name type—determines the update policy’s matching criteria. Select a name type from the list:
      Name type        Description
      subdomain        Matches when the name to be updated is identical to or a subdomain of the value in the Name field.
      self             Matches when the name to be updated matches the value in the Identity field. When using this option, type the same fully-qualified domain name in the Identity and Name fields.
      name             Matches when the name to be updated is identical to the value in the Name field.
      wildcard         Matches when the name to be updated is a DNS wildcard matching the value in the Name field.
      selfsub          Matches when the name to be updated is identical to or a subdomain of the value in the Identity field. When using this option, type the same value in the Identity and Name fields.
      selfwild         Matches when the name to be updated is a DNS wildcard matching a subdomain of the value in the Identity field.
      krb5-self        Matches when the client’s MIT Kerberos principal matches the value in the Identity field.
      ms-self          Matches when the client’s Microsoft Kerberos principal matches the value in the Identity field.
      krb5-subdomain   Matches when the client’s MIT Kerberos principal matches or is in a subdomain of the value in the Identity field.
      ms-subdomain     Matches when the client’s Microsoft Kerberos principal matches or is in a subdomain of the value in the Identity field.
      tcp-self         Matches when the name to be updated is sent through TCP and the client’s IP address matches the IN-ADDR.ARPA or IP6.ARPA namespaces.
      6to4-self        Allows the 6to4 prefix to be updated by any TCP connection from the 6to4 network or from the corresponding IPv4 address.
    • Name—specifies a fully-qualified domain name for matching. Type a fully-qualified domain name.
      Note: The Name field must be set based on the following rules:
      • If the Name type is set to self, selfsub, or selfwild, the Name field value must contain either the period (.) symbol or the same value as the Identity.
      • If the Name type is set to krb5-self, ms-self, subdomain, ms-subdomain, krb5-subdomain, tcp-self, or 6to4-self, the Name field value must always be a period (.) symbol.
      • For all other Name type values, the Name value must be set.
    • Identity type—specifies criteria for matching the client. Select Name to specify a client name, wildcard name, or GSS-TSIG Kerberos principal. Select Key to specify a TSIG key. When you select Name, an Identity text field appears; type a client name, DNS wildcard, or GSS-TSIG Kerberos principal. The conventions for specifying a Kerberos principal vary, depending on the type of client and the role it performs.
      When specifying a Kerberos principal, observe the following conventions:

      Type of client: DHCP Server performing DNS registration when DHCP clients lease an IP address
        Convention: serviceName/hostName@REALM
        For example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as: DHCP/host123.example.com@EXAMPLE.COM

      Type of client: All other DNS clients
        Convention: serviceName/hostName@REALM
        For example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as: DHCP/host123.example.com@EXAMPLE.COM

      When you select Key, a drop-down menu of the TSIG keys created on the TSIG tab is displayed; select a TSIG key from the list.

    • Resource record type—defines the resource records that you want to match and update. You can select one of two broad ranges of record types, or create a custom list of records. Select the types of resource records to update:
      • default—when selected, the policy matches all resource record types except for RRSIG, NS, SOA, NSEC, and NSEC3.
      • any—when selected, the policy matches all resource record types except for NSEC and NSEC3.
      • remaining options—to create a custom list of resource records, select one or more record types from the list.

        Select Add to table to add the policy definition to the update policy.

        To adjust the position of a policy definition in the list, select the up or down arrow next to the policy definition. Definitions are evaluated in the order listed.

        To remove a policy definition from the list, select the remove icon for the policy definition.

  5. Under Servers, select the servers to which the option will apply:
    • All servers—applies the deployment option to all servers in the configuration.
    • Server group—applies the deployment option to a specific server group in the configuration. Select a server group from the drop-down menu.
    • Server—applies the deployment option to a specific server in the configuration. Select a server from the drop-down menu.
    Note: You can't override deployment options set at the configuration level from the server group level if the deployment option is applied to a specific server within a server group.
  6. In the Change control section, add comments if required.
  7. Select Create to create the DNS deployment option and return to the Deployment options tab, or select Create and add another to create the DNS deployment option and re-open the Create DNS option window.
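The ordered, first-match evaluation that the privilege, name type, identity, name and record-type fields in step 4 define can be modelled in Python. This is an added example, not code from the guide or from Address Manager; the name-type semantics for the non-Kerberos types and the refusal of an update when no rule matches are taken from BIND's update-policy, which these options are assumed to correspond to, and the DHCP principal, TSIG key name and policy rules are constructed.

```python
# Ordered Update Policy rules evaluated first-match-wins, with the guide's
# "default" and "any" record-type sets. Names compare case-insensitively.
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
ANY_EXCLUDED = {"NSEC", "NSEC3"}

def _norm(name):
    return name.rstrip(".").lower()

def _is_sub(name, parent):
    """True when name is identical to or a subdomain of parent."""
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)

def rule_matches(rule, client, target, rrtype):
    """rule = (privilege, nametype, identity, name, rrtypes); rrtypes is 'default', 'any' or a set."""
    _, nametype, identity, name, rrtypes = rule
    if _norm(client) != _norm(identity):  # the rule concerns this client only
        return False
    name_ok = {
        "name":      lambda: _norm(target) == _norm(name),
        "subdomain": lambda: _is_sub(target, name),
        "wildcard":  lambda: name.startswith("*.") and _is_sub(target, name[2:])
                             and _norm(target) != _norm(name[2:]),
        "self":      lambda: _norm(target) == _norm(identity),
        "selfsub":   lambda: _is_sub(target, identity),
        "selfwild":  lambda: target.startswith("*.") and _is_sub(target[2:], identity),
    }[nametype]()
    if not name_ok:
        return False
    if rrtypes == "default":
        return rrtype not in DEFAULT_EXCLUDED
    if rrtypes == "any":
        return rrtype not in ANY_EXCLUDED
    return rrtype in rrtypes

def decide(policy, client, target, rrtype):
    """First matching rule decides; no match refuses the update (assumed BIND behaviour)."""
    for rule in policy:
        if rule_matches(rule, client, target, rrtype):
            return rule[0]
    return "deny"

# Constructed sample policy (not from the guide): the DHCP server's principal may update
# names under example.com but not the apex; a host's TSIG key may touch only its own A/AAAA.
DHCP = "DHCP/host123.example.com@EXAMPLE.COM"
POLICY = [
    ("deny",  "name",      DHCP, "example.com.", "any"),
    ("grant", "subdomain", DHCP, "example.com.", "default"),
    ("grant", "self",      "laptop7.example.com", "laptop7.example.com", {"A", "AAAA"}),
]
```

Moving the deny rule below the grant rule (the up and down arrows in step 4) lets the DHCP principal rewrite the zone apex, which is why the position of a definition in the list matters.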