Update Policy DNS deployment option - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.3.0

The Update Policy DNS deployment option gives finer-grained control over dynamic DNS updates than the Allow Dynamic Updates option: it offers more ways to match a client's identity and lets you restrict which resource records a matching client may update.

The Update Policy and Allow Dynamic Updates options are mutually exclusive and can't normally be set at the same level in Address Manager.

To set the Update Policy DNS deployment option:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Navigate to the level at which you want to set a DNS deployment option and click the Deployment Options tab. Deployment Options tabs appear at the configuration, view, zone, IP block, and IP network levels.
  4. Under Deployment Options, click New and select DNS Option.
  5. From the Option list, select Update Policy. The Update Policy fields appear on the page.
  6. Define the update policy with the following fields:
    • Privilege—determines whether a matching client may perform an update. Select grant to allow matching clients to perform an update, or deny to prevent matching clients from performing an update.
    • Identity—specifies criteria for matching the client. Select Name to specify a client name, wildcard name, or GSS-TSIG Kerberos principal. Select Key to specify a TSIG key. When you select Name, a text field appears beside the Identity field; type a client name, DNS wildcard, or GSS-TSIG Kerberos principal. The conventions for specifying a Kerberos principal vary, depending on the type of client and the role it performs.
      When specifying a Kerberos principal, observe the following conventions:

      Type of client: DHCP Server performing DNS registration when DHCP clients lease an IP address
      Convention: serviceName/hostName@REALM
      Example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as DHCP/host123.example.com@EXAMPLE.COM

      Type of client: All other DNS clients
      Convention: serviceName/hostName@REALM
      Example: for the service named DHCP, the DDNS host host123.example.com, and the realm EXAMPLE.COM, type the Kerberos principal as DHCP/host123.example.com@EXAMPLE.COM

      When you select Key, a drop-down menu of TSIG keys created on the TSIG tab displays; select a TSIG key from the list.

    • Nametype—determines the update policy’s matching criteria. Select a name type from the list:
      subdomain: Matches when the name to be updated is identical to or a subdomain of the value in the Name field.
      self: Matches when the name to be updated matches the value in the Identity field. When using this option, type the same fully-qualified domain name in the Identity and Name fields.
      name: Matches when the name to be updated is identical to the value in the Name field.
      wildcard: Matches when the name to be updated is a DNS wildcard matching the value in the Name field.
      selfsub: Matches when the name to be updated is identical to or a subdomain of the value in the Identity field. When using this option, type the same value in the Identity and Name fields.
      selfwild: Matches when the name to be updated is a DNS wildcard matching a subdomain of the value in the Identity field.
      krb5-self: Matches when the client’s MIT Kerberos principal matches the value in the Identity field.
      ms-self: Matches when the client’s Microsoft Kerberos principal matches the value in the Identity field.
      krb5-subdomain: Matches when the client’s MIT Kerberos principal matches or is in a subdomain of the value in the Identity field.
      ms-subdomain: Matches when the client’s Microsoft Kerberos principal matches or is in a subdomain of the value in the Identity field.
      tcp-self: Matches when the update is sent over TCP and the name to be updated is the client’s own IP address in the IN-ADDR.ARPA or IP6.ARPA namespace.
      6to4-self: Allows the 6to4 prefix to be updated by any TCP connection from the 6to4 network or from the corresponding IPv4 address.
    • Name—specifies a fully-qualified domain name for matching. Type a fully-qualified domain name.
      Note: The Name field must be set based on the following rules:
      • If the Nametype is set to self, selfsub, or selfwild, the Name field value must contain either the period (.) symbol or the same value as the Identity.
      • If the Nametype is set to krb5-self, ms-self, subdomain, ms-subdomain, krb5-subdomain, tcp-self, or 6to4-self, the Name field value must always be a period (.) symbol.
      • For all other Nametype values, the Name value must be set.
    • RR Types—defines the resource record types that the policy matches and allows clients to update. You can select one of two predefined ranges of record types or create a custom list. Select the types of resource records to update:
      • Default—when selected, the policy matches all resource record types except for RRSIG, NS, SOA, NSEC, and NSEC3.
      • ANY—when selected, the policy matches all resource record types except for NSEC and NSEC3.
      • Custom—when selected, a drop-down list appears. To create a custom list of resource records, select one or more record types from the list. To select a single record type, click it in the list. To select multiple record types, CTRL-click them in the list.

     Click Add to add the policy definition to the update policy.

     To adjust the position of a policy definition in the list, select the definition and click Move Up or Move Down, or click and drag the policy definition in the list.

     To remove a policy definition from the list, select it and click Remove.

  7. Under Servers, select the servers to which the option will apply:
    • All Servers—applies the deployment option to all servers in the configuration.
    • Server Group—applies the deployment option to a specific server group in the configuration. Select a server group from the drop-down menu.
    • Specific Server—applies the deployment option to a specific server in the configuration. Select a server from the drop-down menu.
    Note: You can't override deployment options set at the configuration level from the server group level if the deployment option is applied to a specific server within a server group.
  8. Under Change Control, add comments, if required.
  9. Click Add.
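The following Python is an added example, not BlueCat code or BlueCat-generated configuration. It models how an ordered list of policy definitions built in step 6 is evaluated against a dynamic update request: rules are checked in list order, the first rule whose identity, Nametype and RR Types all match decides with its Privilege, and a request that matches no rule is treated as denied (an assumption of this model). It implements the name-based Nametype values (subdomain, self, name, wildcard, selfsub, selfwild) and the Default, ANY and Custom RR Types sets; the Kerberos, tcp-self and 6to4-self nametypes match on principals or addresses and are not modelled. The identities, names and rule order in POLICY are constructed sample values.

```python
"""Added example (not BlueCat code): evaluate an ordered Update Policy list.

Rules are checked in order; the first matching rule decides (grant/deny).
A request that matches no rule is refused, which is an assumption here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Record sets named in the RR Types field (step 6).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
ANY_EXCLUDED = {"NSEC", "NSEC3"}


def norm(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot ('.' -> '')."""
    return name.strip().lower().rstrip(".")


def is_subdomain(name: str, parent: str) -> bool:
    """True when name equals parent or lies below it; '.' (the root) covers everything."""
    name, parent = norm(name), norm(parent)
    return parent == "" or name == parent or name.endswith("." + parent)


def wildcard_match(name: str, pattern: str) -> bool:
    """Match a DNS wildcard such as '*.example.com' ('*' spans one or more labels)."""
    name, pattern = norm(name), norm(pattern)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return name.endswith("." + pattern[2:])
    return name == pattern


@dataclass
class Rule:
    privilege: str    # "grant" or "deny"
    identity: str     # client name, wildcard name, or TSIG key name the rule applies to
    nametype: str     # one of the name-based Nametype values
    name: str         # Name field; "." where the Note in step 6 requires it
    rr_types: object  # "Default", "ANY", or a custom set such as {"A", "AAAA"}


def matches_name(nametype: str, rule_name: str, identity: str, target: str) -> bool:
    """Apply the Nametype rule to the name the client wants to update."""
    if nametype == "subdomain":
        return is_subdomain(target, rule_name)
    if nametype == "self":
        return norm(target) == norm(identity)
    if nametype == "name":
        return norm(target) == norm(rule_name)
    if nametype == "wildcard":
        return wildcard_match(target, rule_name)
    if nametype == "selfsub":
        return is_subdomain(target, identity)
    if nametype == "selfwild":
        t = norm(target)
        return t.startswith("*.") and is_subdomain(t[2:], identity)
    raise ValueError(f"nametype {nametype!r} is principal- or address-based; not modelled")


def rr_allowed(rr_types: object, rrtype: str) -> bool:
    """Apply the RR Types selection (Default, ANY, or a custom set of types)."""
    rrtype = rrtype.upper()
    if rr_types == "Default":
        return rrtype not in DEFAULT_EXCLUDED
    if rr_types == "ANY":
        return rrtype not in ANY_EXCLUDED
    return rrtype in {t.upper() for t in rr_types}


def evaluate(policy: list[Rule], client: str, target: str, rrtype: str) -> bool:
    """Return True if the update is permitted; the first matching rule decides."""
    for rule in policy:
        if not wildcard_match(client, rule.identity):
            continue
        if not matches_name(rule.nametype, rule.name, rule.identity, target):
            continue
        if not rr_allowed(rule.rr_types, rrtype):
            continue
        return rule.privilege == "grant"
    return False  # assumption: no matching rule means the update is refused


# Constructed sample policy. The deny rule is listed first so it takes
# precedence over the broad grant below it (cf. Move Up / Move Down in step 6).
POLICY = [
    Rule("deny", "*", "subdomain", "infra.example.com", "ANY"),
    Rule("grant", "dhcp-key", "subdomain", "example.com", "Default"),
    Rule("grant", "host123.example.com", "self", ".", {"A", "AAAA"}),
    Rule("grant", "lab.example.com", "selfwild", ".", "Default"),
]

if __name__ == "__main__":
    for client, target, rrtype in [
        ("dhcp-key", "pc1.example.com", "A"),
        ("dhcp-key", "router.infra.example.com", "A"),
        ("dhcp-key", "pc1.example.com", "NS"),
        ("host123.example.com", "host123.example.com", "AAAA"),
        ("lab.example.com", "*.lab.example.com", "A"),
    ]:
        verdict = "grant" if evaluate(POLICY, client, target, rrtype) else "deny"
        print(f"{client:22} {target:28} {rrtype:5} -> {verdict}")
```

Because evaluation stops at the first match, the position of a definition in the list changes the outcome: with the deny rule for infra.example.com moved below the dhcp-key grant, the DHCP server's key could register names under infra.example.com even though the deny rule still exists. Reviewing rule order, not just rule content, is the check to make before deploying the option.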