id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	cvss	sensitive	severity	subproject	feature	estimatedhours	hours	totalhours	internal
2065	support BIND9-compatible update-policy ACL for DDNS	jinmei		"For controlling the permission for specific domain names,
specific type of RRs, etc.

See the corresponding BIND 9 option:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies

This ticket doesn't intend to provide a full compatibility to the BIND
9 counter part, but it should at least support the ""name"" and
""subdomain"" nametype.  For example, we should be able to specify
the following in some zone specific configuration of b10-ddns:
{{{
grant key.dyn.example.com name foo.dyn.example.com AAAA
}}}

which would allow updates to foo.dyn.example.com/AAAA by a DDNS
request signed with a TSIG key whose key name is key.dyn.example.com.

This task will probably have to be broken down into multiple subtasks:
at least it would (probably) need to update the generic ACL framework to allow
this to happen and update b10-ddns and python ddns module so they
understand and handle this fine-grained access control.
"	enhancement	new	medium		DDNS					0	N/A	DNS		9	0	0	0