Details for the DNS Service

This topic covers details for writing policies to control access to the DNS service.

Aggregate Resource-Type

dns

Individual Resource-Types

dns-zones

dns-records

dns-steering-policies

dns-steering-policy-attachments

dns-tsig-keys

dns-views

dns-resolvers

Comments

A policy that uses <verb> dns is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in dns.

Supported Variables

The DNS service supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The dns-zones resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-zone.id`	Entity (OCID)	Use this variable to control access to specific DNS zones by OCID.
`target.dns-zone.name`	String	Use this variable to control access to specific DNS zones by name.
`target.dns-zone.apex-label`	String	The most significant DNS label for the target zone. Example: If the target zone's name is "service.example.com", the value of this variable would be "service."
`target.dns-zone.parent-domain`	String	The domain name of the target zone's parent zone.
`target.dns.scope`	String	Valid values are "public" and "private".

The dns-records resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-zone.id`	Entity (OCID)	Use this variable to control access to specific DNS zones by OCID.
`target.dns-zone.name`	String	Use this variable to control access to specific DNS zones by name.
`target.dns-record.type`	List (String)	Use this variable to control access to specific DNS records by type. Valid values in the list can be any supported DNS resource type. For example, "A", "AAAA", "TXT", and so on. See Supported Resource Records.
`target.dns-domain.name`	List (String)	Use this variable to control access to specific domain names. Applicable to the following API operations: `GetDomainRecords` `PatchDomainRecords` `UpdateDomainRecords` `DeleteRRSet` `GetRRSet` `PatchRRSet` `UpdateRRSet`
`target.dns-zone.source-compartment.id`	Entity (OCID)	Use this variable to control access to the current compartment of the DNS zone by OCID.
`target.dns-zone.destination-compartment.id`	Entity (OCID)	Use this variable to control access to the destination compartment of the DNS zone by OCID.

Note

Use the target.dns-record.type and target.dns-domain.name variables in your authorization policy to restrict users when modifying records of a specific type in a specific subdomain. A policy like this would allow a specific group of users to modify "A" records in the "example.com" domain:

Allow group <GroupName> to use dns in compartment <CompartmentName> where all {target.dns-record.type='A', target.dns-domain.name = 'example.com'}

Users will only be authorized to use RRSet API operations with this type of authorization policy.

The dns-steering-policies resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-steering-policy.id`	Entity (OCID)	Use this variable to control access to specific steering policies by OCID.
`target.dns-steering-policy.display-name`	String	Use this variable to control access to specific steering policies by name.
`target.dns-steering-policy.source-compartment.id`	Entity (OCID)	Use this variable to control access to the current compartment of the steering policy by OCID.
`target.dns-steering-policy.destination-compartment.id`	Entity (OCID)	Use this variable to control access to the destination compartment of the steering policy by OCID.

The dns-tsig-keys resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-tsig-key.id`	Entity (OCID)	Use this variable to control access to specific TSIG keys by OCID.
`target.dns-tsig-key.name`	String	Use this variable to control access to specific TSIG keys by name.
`target.dns-tsig-key.source-compartment.id`	Entity (OCID)	Use this variable to control access to the current compartment of a specific TSIG key by OCID.
`target.dns-tsig-key.destination-compartment.id`	Entity (OCID)	Use this variable to control access to the destination compartment of the specific TSIG key by OCID.

The dns-view resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-view.id`	Entity (OCID)	Use this variable to control access to specific view by OCID.
`target.dns-view.display-name`	String	Use this variable to control access to specific view by name.
`target.dns-view.source-compartment.id`	Entity (OCID)	Use this variable to control access to the current compartment of a specific view by OCID.
`target.dns-view.destination-compartment.id`	Entity (OCID)	Use this variable to control access to the destination compartment of the specific view by OCID.

The dns-resolver resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-resolver.id`	Entity (OCID)	Use this variable to control access to specific resolver by OCID.
`target.dns-resolver.display-name`	String	Use this variable to control access to specific resolver by name.
`target.dns-resolver.source-compartment.id`	Entity (OCID)	Use this variable to control access to the current compartment of a specific resolver by OCID.
`target.dns-resolver.destination-compartment.id`	Entity (OCID)	Use this variable to control access to the destination compartment of the specific resolver by OCID.

The dns-resolver-endpoint resource type can use the following variables:


Variable	Variable Type	Comments
`target.dns-resolver-endpoint.name`	String	Use this variable to control access to specific resolver endpoints by name.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the manage verb for the dns-records resource-type covers no extra permissions or API operations compared to the use verb.

dns-zones


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_ZONE_INSPECT	`ListZones`	none
read	INSPECT + DNS_ZONE_READ	`GetZone`	`GetZoneRecords`
use	READ + DNS_ZONE_UPDATE	`UpdateZone`	`UpdateZoneRecords` `PatchZoneRecords` `CreateSteeringPolicyAttachment` `DeleteSteeringPolicyAttachment`
manage	UPDATE + DNS_ZONE_CREATE DNS_ZONE_DELETE DNS_ZONE_MOVE	`CreateZone` `DeleteZone` `ChangeZoneCompartment`	none

dns-records


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_RECORD_INSPECT	none	none
read	INSPECT + DNS_RECORD_READ	`GetDomainRecords` `GetRRSet`	`GetZoneRecords`
use	READ + DNS_RECORD_UPDATE	`PatchDomainRecords` `UpdateDomainRecords` `DeleteRRSet` `PatchRRSet` `UpdateRRSet`	`UpdateZoneRecords` `PatchZoneRecords` `UpdateSteeringPolicyAttachment`
manage	UPDATE + DNS_RECORD_CREATE DNS_RECORD_DELETE	no extra	none

dns-steering-policies


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_STEERING_POLICY_INSPECT	`ListSteeringPolicies`	none
read	INSPECT + DNS_STEERING_POLICY_READ	`GetSteeringPolicy`	`UpdateSteeringPolicyAttachment` `DeleteSteeringPolicyAttachment`
use	READ + DNS_POLICY_STEERING_UPDATE	`UpdateSteeringPolicy`	none
manage	UPDATE + DNS_STEERING_POLICY_CREATE DNS_STEERING_POLICY_DELETE DNS_STEERING_POLICY_MOVE	`CreateSteeringPolicy` `DeleteSteeringPolicy` `ChangeSteeringPolicyCompartment`	none

dns-steering-policy-attachments


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_STEERING_ATTACHMENT_INSPECT	`ListSteeringPolicyAttachments`	none
read	INSPECT + DNS_STEERING_ATTACHMENT_READ	`GetSteeringPolicyAttachment`	none

dns-tsig-keys


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_TSIG_KEY_INSPECT	`ListTsigKeys`	none
read	INSPECT + DNS_TSIG_KEY_READ	`GetTsigKey`	none
use	READ + DNS_TSIG_KEY_UPDATE	`UpdateTsigKey`	none
manage	USE + DNS_TSIG_KEY_CREATE DNS_TSIG_KEY_DELETE DNS_TSIG_KEY_MOVE	`CreateTsigKey` `DeleteTsigKey` `ChangeTsigKeyCompartment`	none

dns-views


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_VIEW_INSPECT	`ListViews`	none
read	INSPECT + DNS_VIEW_READ	`GetView`	none
use	READ + DNS_VIEW_UPDATE	`UpdateView`	none
manage	USE + DNS_VIEW_CREATE DNS_VIEW_DELETE DNS_VIEW_MOVE	`CreateView` `DeleteView` `ChangeViewCompartment`	none

dns-resolvers


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_RESOLVER_INSPECT	`ListResolvers`	none
read	INSPECT + DNS_RESOLVER_READ	`GetResolver`	none
use	READ + DNS_RESOLVER_UPDATE	`UpdateResolver`	none
manage	USE + DNS_RESOLVER_CREATE DNS_RESOLVER_DELETE DNS_RESOLVER_MOVE	`CreateResolver` `DeleteResolver` `ChangeResolverCompartment`	none

dns-resolver-endpoint


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DNS_RESOLVER_ENDPOINT_INSPECT	`ListResolverEndpoints`	none
read	INSPECT + DNS_RESOLVER_ENDPOINT_READ	`GetResolverEndpoint`	none
use	READ + DNS_RESOLVER_ENDPOINT_UPDATE	`UpdateResolverEndpoint`	none
manage	USE + DNS_RESOLVER_ENDPOINT_CREATE DNS_RESOLVER_ENDPOINT_DELETE	`CreateResolverEndpointDeleteResolverEndpoint`	none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListZones`	DNS_ZONE_INSPECT
`CreateZone`	DNS_ZONE_CREATE
`CreateChildZone`	DNS_ZONE_CREATE and DNS_RECORD_UPDATE
`DeleteZone`	DNS_ZONE_DELETE
`GetZone`	DNS_ZONE_READ
`UpdateZone`	DNS_ZONE_UPDATE
`ChangeZoneCompartment`	DNS_ZONE_MOVE
`GetZoneRecords`	DNS_ZONE_READ and DNS_RECORD_READ
`PatchZoneRecords`	DNS_ZONE_UPDATE and DNS_RECORD_UPDATE
`UpdateZoneRecords`	DNS_ZONE_UPDATE and DNS_RECORD_UPDATE
`GetDomainRecords`	DNS_RECORD_READ
`PatchDomainRecords`	DNS_RECORD_UPDATE
`UpdateDomainRecords`	DNS_RECORD_UPDATE
`DeleteRRSet`	DNS_RECORD_UPDATE
`GetRRSet`	DNS_RECORD_READ
`PatchRRSet`	DNS_RECORD_UPDATE
`UpdateRRSet`	DNS_RECORD_UPDATE
`ListSteeringPolicies`	DNS_STEERING_POLICY_INSPECT
`CreateSteeringPolicy`	DNS_STEERING_POLICY_CREATE
`GetSteeringPolicy`	DNS_STEERING_POLICY_READ
`UpdateSteeringPolicy`	DNS_STEERING_POLICY_UPDATE
`DeleteSteeringPolicy`	DNS_STEERING_POLICY_DELETE
`ChangeSteeringPolicyCompartment`	DNS_STEERING_POLICY_MOVE
`ListSteeringPolicyAttachments`	DNS_STEERING_ATTACHMENT_INSPECT
`CreateSteeringPolicyAttachment`	DNS_ZONE_UPDATE and DNS_STEERING_POLICY_READ
`GetSteeringPolicyAttachment`	DNS_STEERING_ATTACHMENT_READ
`UpdateSteeringPolicyAttachment`	DNS_ZONE_UPDATE and DNS_STEERING_POLICY_READ
`DeleteSteeringPolicyAttachment`	DNS_ZONE_UPDATE and DNS_STEERING_POLICY_READ
`ListTsigKeys`	DNS_TSIG_KEY_INSPECT
`CreateTsigKey`	DNS_TSIG_KEY_CREATE
`GetTsigKey`	DNS_TSIG_KEY_READ
`UpdateTsigKey`	DNS_TSIG_KEY_UPDATE
`DeleteTsigKey`	DNS_TSIG_KEY_DELETE
`ChangeTsigKeyCompartment`	DNS_TSIG_KEY_MOVE
`ListViews`	DNS_VIEW_INSPECT
`CreateView`	DNS_VIEW_CREATE
`GetView`	DNS_VIEW_READ
`UpdateView`	DNS_VIEW_UPDATE
`DeleteView`	DNS_VIEW_DELETE
`ChangeViewCompartment`	DNS_VIEW_MOVE
`ListResolvers`	DNS_RESOLVER_INSPECT
`GetResolver`	DNS_RESOLVER_READ
`UpdateResolver`	DNS_RESOLVER_UPDATE
`ChangeResolverCompartment`	DNS_RESOLVER_MOVE
`ListResolverEndpoints`	DNS_RESOLVER_ENDPOINT_INSPECT and DNS_RESOLVER_READ
`CreateResolverEndpoint`	DNS_RESOLVER_UPDATE and DNS_RESOLVER_ENDPOINT_CREATE
`GetResolverEndpoint`	DNS_RESOLVER_ENDPOINT_READ
`UpdateResolverEndpoint`	DNS_RESOLVER_UPDATE and DNS_RESOLVER_ENDPOINT_UPDATE
`DeleteResolverEndpoint`	DNS_RESOLVER_UPDATE and DNS_RESOLVER_ENDPOINT_DELETE