9.13. Setting DNS Access Policies

The FreeIPA DNS domain can define access controls for zones, based on grant/deny rules. Setting a policy creates an update-policy statement in the /etc/named.conf file, which defines the DNS access rule. The policy is given with the --update-policy option in the following form:
--update-policy "grant|deny zoneName policyName recordName recordType"
For example, to grant the EXAMPLE.COM zone the ability to edit its own A and AAAA resource record entries:
$ ipa dnszone-mod --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"


If the update policy is set to false, FreeIPA client machines will not be able to add or update their IP address. See Section 9.8, “Enabling Dynamic DNS Updates” for more information.
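
The following Python code is an added example, not part of the FreeIPA documentation or code base. It parses an --update-policy value using the field order shown above and reports grant rules that are broader than the page's example. The function names, the review baseline (krb5-self rules limited to A and AAAA) and the second sample policy are assumptions made for illustration; it also accepts several record types in one rule, which BIND's update-policy grammar permits.

```python
# Added example: field names follow the page's syntax line
#   grant|deny zoneName policyName recordName recordType
FIELDS = ("action", "zone_name", "policy_name", "record_name")


def parse_update_policy(policy):
    """Split an --update-policy value into one dict per rule."""
    rules = []
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. after the trailing ';'
        if tokens[0] not in ("grant", "deny"):
            raise ValueError(f"rule must start with grant or deny: {raw.strip()!r}")
        if len(tokens) < 5:
            raise ValueError(f"rule is missing fields: {raw.strip()!r}")
        rule = dict(zip(FIELDS, tokens[:4]))
        rule["record_types"] = [t.upper() for t in tokens[4:]]
        rules.append(rule)
    return rules


def review_update_policy(policy, allowed_types=("A", "AAAA")):
    """Return findings for grant rules broader than the assumed baseline."""
    findings = []
    for rule in parse_update_policy(policy):
        if rule["action"] != "grant":
            continue  # deny rules do not widen access
        where = f"{rule['zone_name']} {rule['policy_name']} {rule['record_name']}"
        if rule["policy_name"] != "krb5-self":
            findings.append(f"{where}: rule type is not krb5-self")
        extra = [t for t in rule["record_types"] if t not in allowed_types]
        if extra:
            findings.append(f"{where}: grants extra record types {', '.join(extra)}")
    return findings


# The policy from the example above, and a constructed broader one.
PAGE_POLICY = "grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"
BROAD_POLICY = ("grant EXAMPLE.COM krb5-self * A; "
                "grant EXAMPLE.COM krb5-subdomain example.com. ANY;")

if __name__ == "__main__":
    for name, value in (("page", PAGE_POLICY), ("constructed", BROAD_POLICY)):
        print(name, review_update_policy(value) or "no findings")
```

Running such a check on a policy string before passing it to ipa dnszone-mod catches a malformed or unexpectedly broad rule before it reaches the zone.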