Oracle Cloud Infrastructure Documentation

Details for the DNS Service

This topic covers details for writing policies to control access to the DNS service.

Aggregate Resource-Type

dns

Individual Resource-Types

dns-zones

dns-records

dns-traffic

Comments

A policy that uses <verb> dns is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in dns.

Supported Variables

The DNS Service supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The dns-zones resource type can use the following variables:

Variable Variable Type Comments
target.dns-zone.id Entity (OCID) Use this variable to control access to specific DNS zones by OCID.
target.dns-zone.name String Use this variable to control access to specific DNS zones by name.

The dns-records resource type can use the following variables:

Variable Variable Type Comments
target.dns-zone.id Entity (OCID) Use this variable to control access to specific DNS zones by OCID.
target.dns-zone.name String Use this variable to control access to specific DNS zones by name.
target.dns-zone.scope String Valid values are "public" and "private".
target.dns-record.type List (String) Use this variable to control access to specific DNS records by type. Valid values in the last can be any supported DNS resource type. For example, "A", "AAAA", "TXT", and so on. See .
target.dns-domain.name List (String)

Use this variable to control access to specific domain names. Applicable to the following API operations:

  • GetDomainRecords
  • PatchDomainRecords
  • UpdateDomainRecords
  • DeleteRRSet
  • GetRRSet
  • PatchRRSet
  • UpdateRRSet

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the use and manage verbs for the dns-traffic resource-type cover no extra permissions or API operations compared to the read verb.

dns-zones
dns-records
dns-traffic

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListZones DNS_ZONE_INSPECT
CreateZone DNS_ZONE_CREATE
DeleteZone DNS_ZONE_DELETE
GetZone DNS_ZONE_READ
UpdateZone DNS_ZONE_UPDATE
GetZoneRecords DNS_ZONE_READ and DNS_RECORD_READ
PatchZoneRecords DNS_ZONE_UPDATE and DNS_RECORD_UPDATE
UpdateZoneRecords DNS_ZONE_UPDATE and DNS_RECORD_UPDATE
GetDomainRecords DNS_RECORD_READ
PatchDomainRecords DNS_RECORD_UPDATE
UpdateDomainRecords DNS_RECORD_UPDATE
DeleteRRSet DNS_RECORD_UPDATE
GetRRSet DNS_RECORD_READ
PatchRRSet DNS_RECORD_UPDATE
UpdateRRSet DNS_RECORD_UPDATE
GetDNSTrafficCounts DNS_TRAFFIC_READ