When configuring permissions for DNS Zones (see DNS Zone Permissions settings), there are four types of permissions you can add and apply. These permissions are:
- Active Directory Domain Controller Updates: Allows or Denies GSS-TSIG updates from Active Directory (AD) Domain Controllers.
- Secure Client Updates: Allows or Denies host name updates using GSS-TSIG.
- Creator Owned GSS-TSIG Records: Allows or Denies other GSS-TSIG updates that are not from Active Directory and are not a host name update.
- Update to Name: Allows or Denies a specific identity to update a name.
The Permissions section of the DNS Zones tab lets you view and manage permissions for the zone. Within the DNS Zones tab, click the Permissions list to expand it.
| Name | Unique | Description |
|---|---|---|
| Active Directory Domain Controller Updates | Yes | Allows or Denies GSS-TSIG updates from Active Directory (AD) Domain Controllers. The host name of the AD must be listed in the Allowed Domain Controllers list; you can add it manually or allow it from the Recently Denied Updaters list. Note: By default, Active Directory might first send unsigned updates, as well as unsigned updates that are allowed by another permission in the list, which can result in unexpected behaviour from the DDNS service. Active Directory tries to send GSS-TSIG updates only when the unsigned updates are denied. To help avoid this, add an Update to Name permission set to Deny, select IP address as the identity type, and enter the IP address of the Active Directory instance as the identity value. |
| Secure Client Updates | Yes | Allows or Denies host name updates using GSS-TSIG. Client GSS-TSIG updates will be allowed or denied from updating its own host record or PTR record. |
| Creator Owned GSS TSIG Records | Yes | Allows or Denies other GSS-TSIG updates that are not from Active Directory and are not a host name update. |
| Update to Name | No | Allows or Denies a specific identity to update a name. Supported identities are TSIG Key, AD Host ID, IP, and CIDR. |
Active Directory Domain Controller permission
The Active Directory Domain Controller permission allows or denies GSS-TSIG updates from Active Directory (AD) Domain Controllers. This permission is unique — only one instance can appear in the Permissions list.
By default, Active Directory might first send unsigned updates, as well as unsigned updates that are allowed by another permission in the list. This could result in unexpected behavior from the DDNS service. Active Directory tries to send GSS-TSIG updates only when the unsigned updates are denied.
To help avoid this:
- Add an Update to Name permission and set it to Deny.
- Select IP address as the identity type.
- Enter the IP address of the Active Directory instance in the identity value field.
When configuring this permission, add the host name of the AD (for which GSS-TSIG updates are allowed) to the Allowed Domain Controllers list. You can manually add or allow available domain controllers from the Recently Denied Updaters list.
To configure Active Directory Domain Controller Update permissions:
- In the Active Directory Domain Controller Updates permission, click Manage Domain Controllers.
- If you set this permission to Allow:
  - To add a new domain controller to the list of allowed controllers, in Host name, enter the name of a Domain Controller and its domain, then click Add.
  - To remove a domain controller from the list, select its checkbox and click Delete.
  - To add a domain controller that was recently denied under Recently Denied Updaters, select one or more available domain controllers and click Allow. Doing so allows them to send DNS updates.

  The Recently Denied Updaters list contains domain controllers that recently sent updates from unknown domains. The Distributed DDNS Service automatically adds controllers to this list when it detects updates sent from unknown domain controllers.

  Note: If you set the Active Directory Domain Controllers permission to Deny, all domain controllers are prevented from sending DNS updates.
- Click Save to save the permission changes.
Secure Client Updates permission
Allows or Denies host name updates using GSS-TSIG. Client GSS-TSIG updates will be allowed or denied from updating its own host record or PTR record. This permission is unique — only one instance can appear in the Permissions list.
The Secure Client Updates Permission is a simple Allow/Deny permission. It requires no additional configuration.
Creator Owned GSS TSIG Record permission
The Creator Owned GSS TSIG Records permission controls whether a host may update a resource record (host or PTR) that belongs to another host. In this case, the host that sends the update is considered the owner of the resource record.
This permission is unique — only one instance can appear in the Permissions list. However, within this permission, you can manage entries that allow or deny access for different identities, domains, and records.
Records displayed in this section are generated automatically by the DDNS Service or added manually by the administrator. If no GSS TSIG Record permissions appear in the list, you must first import a set of GSS TSIG Record permissions before you can add, delete, or otherwise manage them.
To import a list of Creator Owned GSS TSIG permissions:
Before you start, create your CSV file with the list of permissions to import. In some organizations, you might instead receive a file from your system administrator.
For details on how to create the CSV file, see Creator Owned GSS-TSIG Record permission import file.
- Log in to Gateway and open Distributed DDNS. (Click the Navigator button in the top left corner and click Distributed DDNS.)
- Click the DNS Zones tab and expand Permissions.
- Within the Permissions list, in the Creator Owned GSS TSIG Record permission, click Manage Record Permissions.
- In the Manage Record Permissions window, click Import Permissions.
- In the Import Permissions window, click Select File and browse to the CSV file that you created.
- If you want to remove the existing set of Creator Owned GSS TSIG Record permissions before importing those in the file, select Remove old permissions before importing. Otherwise, leave the selection on Keep old permissions. Distributed DDNS will keep the existing permissions and only remove any duplicates.
To edit an existing list of Creator Owned GSS TSIG Record permissions:
- In the list of DNS Zone permissions, click the Creator Owned GSS TSIG Records entry.
- Click Manage Record Permissions.
- Add, delete, and edit the list of permissions as needed:
  - To add a new permission entry: Click Clone to create a new resource record permission entry. Distributed DDNS adds a new entry with the same Identity and Domain. You can then edit the details of that entry as needed.
  - To edit a permission: In the fields for each permission, edit the details as needed.
    - Allow/Deny: In the Allow/Deny field (the first column), select whether you want to Allow or Deny the host.
    - Host Identity: The client name that is allowed or denied from performing updates.
    - Domain: The domain name, which is part of the client FQDN.
    - Record Name: The name of the resource record that the client is allowed or denied to update.
    - Resource Type: Displays the type of resource record.
  - To enable or disable a permission: In the permission's entry, click Enable to enable a record permission, or Disable to disable it. Disabled permissions are completely ignored. The Enable/Disable button only appears if a record exists. Note: You cannot edit a record permission that has been disabled.
  - To completely delete a permission: In the permission's entry, click Delete.
- Click OK to save the permission changes.
Update to Name permission
Allows or Denies a specific identity from updating names. You can add multiple Update to Name permissions, one for each identity.
To edit an Update to Name permission:
- In the DNS Zones permission list, locate the specific Update To Name permission that you want to edit.
- Edit the fields of the permission as follows:
  - In the domain field (the first field), enter the domain to which you want the name update permission applied. You can include a `*` wildcard character, such as `*.ad.example.com`.
  - In the identity type field, select the type of identity to which this permission will be applied. You can select from the following:
    - TSIG Key: TSIG key name. Allows or denies an update signed by the entered key name. The update can be TSIG signed or GSS-TSIG signed.
    - AD Host ID: Kerberos identity (GSS-TSIG only). Allows or denies a GSS-TSIG update sent from a client with the entered name.
    - IP: Client's IP address. Allows or denies an update sent from the entered IP address. This update can be unsigned, TSIG signed, or GSS-TSIG signed.
    - CIDR: Client's network block. Allows or denies an update sent from the entered IP network. This update can be unsigned, TSIG signed, or GSS-TSIG signed.
  - In the identity field, enter the identity of the entity to which the permission will be applied, as indicated by the selected identity type. For example, if the identity type is AD Host ID, enter the client name in the identity field.
- Any changes to fields are applied right away.
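As an added illustration (not the product's own code), the following Python model shows what each Update to Name identity type does and does not match: which signing states a TSIG Key, AD Host ID, IP or CIDR identity covers, and how a `*.ad.example.com` wildcard domain applies. The Update class, the first-match evaluation order and the suffix-style wildcard matching are assumptions for illustration; the page does not specify how Distributed DDNS orders or combines permissions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of how the four "Update to Name" identity types
# match a DDNS update. The Update class, first-match evaluation and
# suffix-style wildcard are assumptions for illustration, not
# Distributed DDNS internals.

@dataclass
class Update:
    name: str                          # record name being updated
    source_ip: str                     # client IP address
    signing: str                       # "unsigned", "tsig" or "gss-tsig"
    tsig_key: Optional[str] = None     # key name for TSIG / GSS-TSIG
    principal: Optional[str] = None    # Kerberos identity (GSS-TSIG)

@dataclass
class UpdateToName:
    action: str         # "allow" or "deny"
    domain: str         # e.g. "*.ad.example.com"
    identity_type: str  # "TSIG Key", "AD Host ID", "IP" or "CIDR"
    identity: str

def domain_matches(pattern: str, name: str) -> bool:
    """Assumed: '*.ad.example.com' matches any name below ad.example.com."""
    if pattern.startswith("*."):
        return name.lower().endswith(pattern[1:].lower())
    return name.lower() == pattern.lower()

def identity_matches(p: UpdateToName, u: Update) -> bool:
    src = ipaddress.ip_address(u.source_ip)
    if p.identity_type == "TSIG Key":     # TSIG or GSS-TSIG signed only
        return u.signing in ("tsig", "gss-tsig") and u.tsig_key == p.identity
    if p.identity_type == "AD Host ID":   # GSS-TSIG (Kerberos) only
        return u.signing == "gss-tsig" and u.principal == p.identity
    if p.identity_type == "IP":           # any signing state
        return src == ipaddress.ip_address(p.identity)
    if p.identity_type == "CIDR":         # any signing state
        return src in ipaddress.ip_network(p.identity, strict=False)
    raise ValueError(f"unknown identity type {p.identity_type!r}")

def evaluate(perms: List[UpdateToName], u: Update) -> Optional[str]:
    """Action of the first permission whose domain and identity match, else None."""
    for p in perms:
        if domain_matches(p.domain, u.name) and identity_matches(p, u):
            return p.action
    return None
```

An IP-type Deny for the Active Directory instance, as in the workaround described under the Active Directory Domain Controller permission, matches that address whether the update is unsigned, TSIG signed or GSS-TSIG signed, so review which permission is expected to admit the signed updates from that controller.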