HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
named.conf(4) named.conf(4)
transfer-source
See the description of transfer-source.
transfer-source-v6
See the description of transfer-source-v6.
notify-source
See the description of notify-source.
notify-source-v6
See the description of notify-source-v6.
min-refresh-time, max-refresh-time, min-retry-time, max-retry-time
See the descriptions above.
Dynamic Update Policies
BIND 9.2 supports two alternative methods of granting clients the right to perform dynamic updates to a
zone, configured by the allow-update and update-policy options, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients
the permission to update any record of any name in the zone.
The update-policy clause is new in BIND 9.2 and allows more fine-grained control over what updates
are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more
names to be updated by one or more identities. If the dynamic update request message is signed (that is, it
includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones.
When the update-policy statement is present, it is a configuration error for the allow-update
statement to be present. The update-policy statement only examines the signer of a message; the
source address is not relevant.
A rule definition has the following form:
( grant | deny ) identity nametype name [ types ]
Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is
immediately granted or denied and no further rules are examined. A rule is matched when the signer
matches the identity field, the name matches the name field, and the type is specified in the type field. The
identity field specifies a name or a wildcard name. The nametype field has four values: name, subdomain,
wildcard, and self:
name        Matches when the updated name is the same as the name in the name field.
subdomain   Matches when the updated name is a subdomain of the name in the name field
            (which includes the name itself).
wildcard    Matches when the updated name is a valid expansion of the wildcard name in
            the name field.
self        Matches when the updated name is the same as the message signer. The name
            field is ignored.
If no types are specified, the rule matches all types except SIG, NS, SOA, and NXT. Types may be specified
by name, including "ANY" (ANY matches all types except NXT, which can never be updated).
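The rule evaluation described above (first match decides, nametype matching, the default type set) can be modelled as follows. This Python model is an added example, not code from BIND or from this manual page; the key names, zone names and rules are constructed, the wildcard handling is simplified, and refusing an update that matches no rule is an assumption the text above does not state.

```python
# Added example: models the matching rules above; not BIND's code. Names are constructed.
NAMETYPES = ("name", "subdomain", "wildcard", "self")
NO_TYPES_EXCLUDES = {"SIG", "NS", "SOA", "NXT"}   # skipped when a rule lists no types

def norm(name):
    return name.lower().rstrip(".")

def wild(name, pattern):
    return pattern.startswith("*.") and name.endswith(pattern[1:])  # simplified model

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        action, identity, nametype, name, *types = line.split()
        if action not in ("grant", "deny") or nametype not in NAMETYPES:
            raise ValueError("bad rule: " + line)
        rules.append((action, norm(identity), nametype, norm(name),
                      {t.upper() for t in types}))
    return rules

def matches(rule, signer, name, rtype):
    _, identity, nametype, rname, types = rule
    if signer != identity and not wild(signer, identity):
        return False
    name_ok = {
        "name": name == rname,
        "subdomain": name == rname or name.endswith("." + rname),
        "wildcard": wild(name, rname),
        "self": name == signer,             # the rule's name field is ignored
    }[nametype]
    if not name_ok or rtype == "NXT":       # NXT can never be updated
        return False
    if not types:
        return rtype not in NO_TYPES_EXCLUDES
    return "ANY" in types or rtype in types

def decide(rules, signer, name, rtype):
    if signer is None:                      # unsigned: no identity to match
        return "deny"
    signer, name, rtype = norm(signer), norm(name), rtype.upper()
    for rule in rules:                      # first matching rule decides
        if matches(rule, signer, name, rtype):
            return rule[0]
    return "deny"                           # assumption: no match means refused

RULES = parse("""
deny  ddns-key.example.com. name      ns1.dyn.example.com.
grant ddns-key.example.com. subdomain dyn.example.com.     A TXT
grant *.hosts.example.com.  self      hosts.example.com.   A
""")
```

The deny rule is listed first because the broader subdomain grant below it would otherwise match ns1.dyn.example.com and end the evaluation. Because that deny rule lists no types, it does not match an NS update; that update is refused only because no later rule grants it.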
Zone File
Types of Resource Records and When to Use Them:
This section describes the concept of a Resource Record (RR) and explains when each is used as per RFC
1034.
Resource Records
A domain name identifies a node. Each node has a set of resource information, which may be empty. The
set of resource information associated with a particular name is composed of separate RRs. The order of
RRs in a set is not significant and need not be preserved by nameservers, resolvers, or other parts of the
DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that
a particular nearby server be tried first.
HP-UX 11i Version 2: December 2007 Update − 22 − Hewlett-Packard Company 229