- Restrictions for updates to static records. For more information, see Restricting Updates to Static Records.
- Restrictions for updates to records marked as protected. For more information, see Restricting Updates to Protected Records.
- Restrictions based on GSS-TSIG principal authentication. For more information, see Restricting Updates Based on GSS-TSIG Principal Authentication.
- Restrictions based on FQDN patterns. For more information, see Restricting Updates Based on FQDN Patterns.
Only the static and dynamic record source types support secure dynamic updates. You can see the record source type in the Resource Record Viewer. The following table shows which type of secure dynamic update applies to each record source type.
Table 21.1 Secure Dynamic Update Types
Sometimes when the updating record has the same data as the existing record, you may need to initialize the record creation timestamp to avoid unwanted DNS record scavenging. For more information, see Forcing Creation Timestamp Initialization for Unchanged Records.
Failed attempts to dynamically update secured records are recorded in the NIOS syslog. You can view it, as described in Viewing the Syslog and Searching in the Syslog.
You can use Smart Folders to organize data by record source, principal, or protection state. For more information, see .
This method prevents updates to all RRsets containing static records at once in the Grid, DNS view, or zone. To prevent updates to specific static records, see Restricting Updates to Protected Records.
When you upgrade from a previous NIOS version to NIOS 7.3 or later, all dynamically updated records are labelled as static records if you enable the Secure Dynamic Updates feature. Infoblox suggests that you enable this feature only after all records are changed to Dynamic. NIOS tags the RRsets that are not auto-generated as static records.
- In the DNS Resource Records viewer, select a record or multiple records.
- In the Toolbar, select Protect Records -> Enable Protection.
In the properties dialog for a record, click Updates, select the Protected checkbox, and then click Save & Close.
This method implies tracking the Kerberos GSS-TSIG principal that created a record and restricting DDNS updates attempted by a different GSS-TSIG principal on this record.
The Resource Record Viewer displays the GSS-TSIG authentication information in the Principal column: it displays the principal name if the client that created the record is authenticated and the principal is tracked.
The tracked principal is also displayed in the record properties. You can change the principal associated with a record by clicking Select Principal in the record properties and specifying the required principal.
Additionally, you can use dynamic update groups to manage the allowed principals. For more information, see About Dynamic Update Groups.
To restrict updates based on GSS-TSIG principal authentication:
In some cases, for example, in DHCP failover associations, you need to allow different GSS-TSIG principals to update each other's records. To that end, you can join multiple principals into clusters, where all principals are considered as equivalent and therefore can update affected records without being their originators. You can join multiple clusters into a dynamic update group. The clusters within a group, however, are not considered equivalent and cannot update each other's records.
When you have several dynamic update groups defined, you can assign different groups to be active for the Grid, a DNS view, or a zone as described in Restricting Updates Based on GSS-TSIG Principal Authentication. If no group is assigned, then no principals are considered to be equivalent.
For information on how to add dynamic update groups and clusters, see Managing Dynamic Update Groups and Clusters.
Viewing and modifying the configuration of a dynamic update group requires Grid DNS permissions. Selecting a group as active for the Grid, a view, or a zone requires read permission on the Grid DNS, as well as write permission on the object being modified.
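The following is an added illustration, not Infoblox code or the NIOS implementation: it models the decision rules described above for static records, protected records, and GSS-TSIG principal equivalence, where a dynamic update group is a list of clusters, principals in one cluster are equivalent, clusters in the same group are not, and with no active group only the originating principal can update its record. The record and policy structures, the handling of records with no tracked principal (allowed here), and the sample principals are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Record:
    name: str
    source: str                      # record source type: "static" or "dynamic"
    protected: bool = False          # "Protected" flag from the record properties
    principal: Optional[str] = None  # tracked GSS-TSIG principal that created it

@dataclass
class Policy:
    restrict_static: bool = True       # Restricting Updates to Static Records
    restrict_protected: bool = True    # Restricting Updates to Protected Records
    # Active dynamic update group: clusters of equivalent principals (None = no group)
    active_group: Optional[List[FrozenSet[str]]] = None

def equivalent(group: Optional[List[FrozenSet[str]]], a: str, b: str) -> bool:
    """True if a and b are the same principal or share a cluster in the active group."""
    if a == b:
        return True
    if group is None:                  # no group assigned: nobody is equivalent
        return False
    return any(a in cluster and b in cluster for cluster in group)

def update_allowed(record: Record, updater: Optional[str], policy: Policy) -> Tuple[bool, str]:
    """Decide whether a DDNS update by `updater` (None = not GSS-TSIG authenticated) is accepted."""
    if policy.restrict_static and record.source == "static":
        return False, "static record"
    if policy.restrict_protected and record.protected:
        return False, "protected record"
    if record.principal is not None:   # record has a tracked originator
        if updater is None:
            return False, "unauthenticated update of a tracked record"
        if not equivalent(policy.active_group, record.principal, updater):
            return False, "principal not equivalent to originator"
    return True, "ok"                  # assumption: untracked dynamic records stay updatable

def demo() -> List[Tuple[bool, str]]:
    # Constructed sample: a DHCP failover pair in one cluster, a host principal in another.
    group = [frozenset({"dhcp1@EXAMPLE.COM", "dhcp2@EXAMPLE.COM"}),
             frozenset({"host@EXAMPLE.COM"})]
    rec = Record("client.example.com", "dynamic", principal="dhcp1@EXAMPLE.COM")
    return [
        update_allowed(rec, "dhcp2@EXAMPLE.COM", Policy(active_group=group)),  # same cluster
        update_allowed(rec, "host@EXAMPLE.COM", Policy(active_group=group)),   # other cluster
        update_allowed(rec, "dhcp2@EXAMPLE.COM", Policy()),                    # no active group
        update_allowed(Record("srv.example.com", "static"), "dhcp1@EXAMPLE.COM", Policy()),
    ]
```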
- To delete an FQDN pattern, select the checkbox next to the pattern and click the Delete icon.