Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges
You can further control permissions for DNS resources that have associated IP addresses in a network container, network, or address range. These DNS resources include A records, AAAA records, PTR records, and DNS hosts. Permissions for these resources have been added so you now have more control over who can perform which tasks for these DNS resources without affecting permissions defined for the networks and ranges to which the resources belong. For example, if you want to allow an admin to add, modify, and delete A records associated with IP addresses within a specific network but you do not want the same admin to modify or delete the network, you can grant the admin read-only permission for the specified network and read/write permission for A records in that network.
Similar behavior applies to AAAA records, PTR records, and DNS hosts.
As a superuser, you can now grant permissions to admin groups for more granular access to the following resources:
IPv4 and IPv6 DHCP fixed addresses and IPv4 reservations in a range
IPv4 and IPv6 host addresses in a range
A and AAAA records in a network container, network, or range
IPv4 and IPv6 PTR records in a network container, network, or range
For information about how to configure new permissions for these resources, see Configuring Permissions for DNS Resources in Networks and Ranges below.
Best Practices for Configuring Permissions in Networks and Ranges
Before using permissions for DNS resources in networks and ranges, consider the following:
You can enable and disable these permissions using the set dns_perm_for_nw_range CLI command. When you disable permissions after you have enabled and defined them, the appliance retains the permissions in an inactive mode. Inactive permissions are neither verified nor displayed in Grid Manager. When you re-enable the permissions, the appliance activates them and displays them in Grid Manager. You can also use the show dns_perm_for_nw_range CLI command to verify the status of the new permissions.
Note that permissions for fixed addresses and reservations are not controlled by the CLI command; they are always enabled.
You can also enable and disable permissions for DNS Resources in Networks and Ranges through Grid Manager, as described in Enabling Permissions for DNS Resources in Networks and Ranges below.
When you switch between enabling and disabling these permissions, changes take effect immediately and a service restart in Grid Manager is not required. However, you may need to refresh Grid Manager to view the changes.
You can assign these permissions when DNS, DHCP, or Microsoft Management licenses are installed. If you remove all of these licenses after you have configured relevant permissions for supported resources, the appliance retains the permissions, but you will not be able to see the permissions nor configure them.
Permission Behavior in latest release
This section describes changes to the default behavior when you enable permissions for DNS resources with associated IP addresses in networks and ranges. The following table lists behavior in previous releases and changes made in this release for supported resources. Review these changes before you configure permissions for these resources.
Resources | Permission in latest release |
---|---|
A records, AAAA records, PTR records, DNS hosts | Note: Fields for A, AAAA, PTR records and DNS hosts in a zone or a higher-level DNS parent object, except Name, IP Address, MAC Address, DUID and Disabled, can be modified by admins who do not have write permission for the same records in the specified network container, network, or range. |
DHCP-enabled hosts | Note: Fields for DHCP-enabled host addresses, except Name, Enable in DNS, IPv4/IPv6 Address, MAC Address, DUID, and Disabled, can be modified by admins who do not have write permission for the same addresses in the specified network container, network, or range. |
Fixed addresses/reservations | |
Enabling Permissions for DNS Resources in Networks and Ranges
To enable permission for DNS Resources in Networks and Ranges:
From the Grid tab, select the Grid Manager tab.
Expand the Toolbar and select Grid Properties -> Edit.
In the Grid Properties editor, select the General tab -> Advanced tab, and then complete the following:
Enable DNS Object Permissions in Networks and Ranges: Select this checkbox to enable DNS object permissions in networks and ranges. When you enable this, admins with Read/Write permission for specific records in a zone or a higher-level DNS parent object, and admins with Read/Write permission for resource records in specified network containers, networks, or ranges can add, modify, and delete A, AAAA, PTR records, and DNS hosts that have associated IP addresses in the network containers, networks, or ranges.
Save the configuration and click Restart if it appears at the top of the screen.
Configuring Permissions for DNS Resources in Networks and Ranges
To define permissions for resources that are associated with IP addresses in a network container, network, or address range, complete the following:
Log in to the appliance through the Infoblox CLI and use the set dns_perm_for_nw_range command to enable the new permissions, as follows:
Infoblox > set dns_perm_for_nw_range on
Log in to Grid Manager and depending on which permission you want to define, do one of the following:
Network View: From the Administration tab, select the Networks View tab -> network_view checkbox and click the Edit icon.
Network Container: From the Data Management tab, select the IPAM tab -> network_container checkbox and click the Edit icon.
Network: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network checkbox, and then click the Edit icon.
DHCP Range: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> addr_range checkbox, and then click the Edit icon.
Fixed Address: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> fixed_address checkbox, and then click the Edit icon.
Reservation: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> reservation checkbox, and then click the Edit icon.
Zone: From the Data Management tab, select the DNS tab -> Zones tab -> zone checkbox, and then click the Edit icon. Note that you cannot assign permissions for zones that are auto-created.
In the editor, click the Permissions tab, and select the supported permission from the Permissions drop-down list for the admin group or role.
Select a resource from the drop-down list in the Resources column.
Save the configuration.
Permission Examples
The following table lists examples for configuring new permissions for fixed addresses (or reservations) in network 10.1.2.0/24 and range 10.1.2.1-10.1.2.10.
Action | Permission for network 10.1.2.0/24 | Permission for range 10.1.2.1-10.1.2.10 | Action Allowed? (Yes/No) | Comment |
---|---|---|---|---|
Add, modify, or delete fixed address 10.1.2.5 | No | No | No | N/A |
Add, modify, or delete fixed address 10.1.2.5 | No | Read/write for "Fixed addresses in 10.1.2.1-10.1.2.10 Range" | Yes | Read/write permission at the range level is sufficient for creating a fixed address that falls within the range. |
Add, modify, or delete fixed address 10.1.2.100 | Read/write for "Fixed addresses in 10.1.2.0/24 Network" | Deny for "Fixed addresses in 10.1.2.1-10.1.2.10 Range" | Yes | Since fixed address 10.1.2.100 does not belong to the 10.1.2.1-10.1.2.10 range, read/write permission for "Fixed addresses in 10.1.2.0/24 Network" is sufficient for the operation. |
The following table lists some examples for configuring DNS resources that have associated IP addresses in a network or range:
Action | Permission for DNS zone corpxyz.com | Permission for network 10.1.2.0/24 | Permission for range 10.1.2.1-10.1.2.10 | Action Allowed? (Yes/No) | Comment |
---|---|---|---|---|---|
Add, modify, or delete an A record with IP address 10.1.2.8 | Read/write permission for corpxyz.com | No | No | No | Read/write permission for "A Records in 10.1.2.1-10.1.2.10 Range" is also required. |
Add, modify, or delete an A record with IP address 10.1.2.8 | Read/write permission for corpxyz.com | No | Read/write for "A Records in 10.1.2.1-10.1.2.10 Range" | Yes | Since 10.1.2.8 falls within the 10.1.2.1-10.1.2.10 range, read/write permission for "A Records in 10.1.2.1-10.1.2.10 Range" and read/write for corpxyz.com are both required. |
Add, modify, or delete an A record with IP address 10.1.2.8, and modify or delete a network | Read/write permission for corpxyz.com | Read-only permission for network 10.1.2.0/24 | Read/write for "A Records in 10.1.2.1-10.1.2.10 Range" | Yes for A record; No for network | Admins can add, modify, and delete A records because they have read/write permissions for the zone and range; but they cannot modify or delete networks because they have read-only permission for network 10.1.2.0/24. |
Add, modify, or delete DHCP-enabled host address 10.1.2.22 | Yes if the host is a DNS host. N/A if the host is a DHCP host. | Read/write permission for "IPv4 Hosts in 10.1.2.0 Network" | No | Yes | Host address 10.1.2.22 is within the 10.1.2.0 network but outside of the 10.1.2.1-10.1.2.10 range, so read/write permission for "IPv4 Hosts in 10.1.2.0 Network" is sufficient. |
Add, modify, or delete DHCP-enabled host address 10.1.2.8, and modify or delete a network | Yes if the host is a DNS host. N/A if the host is a DHCP host. | Read-only permission for network 10.1.2.0/24 | Read/write for "Hosts in 10.1.2.1-10.1.2.10 Range" | Yes for host address; No for network | Admins can add, modify, and delete DHCP-enabled hosts because they have read/write permissions for "Hosts in 10.1.2.1-10.1.2.10 Range"; but they cannot modify or delete networks because they have read-only permission for network 10.1.2.0/24. |
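The two tables above follow one combination rule: writing a resource at an address requires read/write on the innermost network or range object that contains the address, plus read/write on the zone for zone-hosted records, while read-only permission on the network itself only blocks edits to the network. The Python model below is an added example, not Infoblox code, and encodes that rule so each table row can be checked; it assumes (the tables do not say) that when an address lies in both a range and its parent network, the narrower object's permission decides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scope:
    """A network or DHCP range. resource_perm is the admin group's permission
    on the '<resource type> in <scope>' object (rw, ro, deny, or None when not
    set); self_perm is its permission on the network/range object itself."""
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    resource_perm: Optional[str] = None
    self_perm: Optional[str] = None

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last

def network(cidr: str, resource_perm=None, self_perm=None) -> Scope:
    net = ipaddress.ip_network(cidr)
    return Scope(cidr, net[0], net[-1], resource_perm, self_perm)

def addr_range(first: str, last: str, resource_perm=None, self_perm=None) -> Scope:
    return Scope(f"{first}-{last}", ipaddress.ip_address(first),
                 ipaddress.ip_address(last), resource_perm, self_perm)

def innermost_scope(ip: ipaddress.IPv4Address, scopes) -> Optional[Scope]:
    """Narrowest scope containing ip: a range wins over its parent network
    (assumption, not stated on the page, for addresses inside both)."""
    hits = [s for s in scopes if s.contains(ip)]
    return min(hits, key=lambda s: int(s.last) - int(s.first), default=None)

def can_write_at(ip_str: str, scopes, zone_perm=None, zone_required=True) -> bool:
    """Add/modify/delete a resource at ip_str: needs read/write on the
    innermost network/range object and, for zone-hosted records (A, AAAA,
    PTR, DNS host), read/write on the zone as well. Fixed addresses and
    reservations are not zone objects, so pass zone_required=False."""
    scope = innermost_scope(ipaddress.ip_address(ip_str), scopes)
    if scope is None or scope.resource_perm != "rw":
        return False
    return (not zone_required) or zone_perm == "rw"

def can_edit_scope(scope: Scope) -> bool:
    """Modify/delete the network or range object itself: needs read/write on
    that object; record permissions inside it do not matter."""
    return scope.self_perm == "rw"
```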
The following table lists an example of the permissions required to configure PTR records that have associated IP addresses in a network:
Action | Permission for DNS zone corpxyz.com | Permission for network 10.1.2.0/24 | Permission for reverse zone 0.0.10.in-addr.arpa | Action Allowed? (Yes/No) | Comment |
---|---|---|---|---|---|
Add, modify, or delete a PTR record with IP address 5.0.0.10. Note: You can also add, modify, or delete PTR records in the IPv6 reverse-mapping zone. | Read/write permission for corpxyz.com | No | Yes | Yes | Read/write permission for "PTR Records in corpxyz.com and 0.0.10.in-addr.arpa" is required. |