YES!!!! Brilliant!!!! Thanks Rob. I think it is working now. I have the update-policy set up as follows:

    grant d...@realm wildcard * ANY;
    grant d...@realm wildcard * ANY;
    grant dns_serv...@realm wildcard * ANY;
    deny REALM ms-self * SRV;
    grant REALM ms-self * ANY;

If I understand things correctly I am allowing the DCs and DNS server to update any record type in the domain and any subdomains. The clients are allowed to update any of their own records except SRV, MX and NS. Do I even need to deny NS for ms-self?

If it is truly working correctly, I wonder why I can't deny AAAA records. When I add AAAA to the deny statement it blocks A records as well. If I try A6 it still allows AAAA records to be set by client machines.

_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:

> If you're trying to grant update rights to a specific machine (rather
> than every machine in the realm), something like:
>
> grant d...@realm. subdomain dnsname.;
>
> might work better, where "d...@realm" is (eg) the Kerberos principal
> corresponding to your DC and "dnsname" is the tree to which you want
> to grant rights. The "$" is a Microsoft-ism.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
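A simplified model of how an ordered update-policy like the one in this message is evaluated, as an added example that is not part of the original post and is not BIND's code: rules are checked top to bottom, the first rule that matches signer, name and type decides, and no match means the update is refused. The zone `example.com`, the realm `EXAMPLE.COM`, the principals and the case-insensitive comparisons are constructed assumptions.

```python
# Simplified model of BIND update-policy matching (added example, not BIND code).
# Assumptions: zone example.com, realm EXAMPLE.COM, constructed principals.
ZONE = "example.com"
NEVER = {"NSEC", "NSEC3"}                    # not covered even by ANY
NO_TYPES_SKIP = NEVER | {"RRSIG", "NS", "SOA"}  # excluded when a rule lists no types

POLICY = """
grant dc1$@example.com wildcard * ANY;
grant dns_server@example.com wildcard * ANY;
deny EXAMPLE.COM ms-self * SRV;
grant EXAMPLE.COM ms-self * ANY;
"""

def parse(policy):
    rules = []
    for stmt in policy.split(";"):
        f = stmt.split()
        if f:
            action, identity, ruletype, name, *types = f
            rules.append((action, identity, ruletype, name, {t.upper() for t in types}))
    return rules

def ms_self_name(signer, realm):
    """machine$@REALM -> machine.realm, or None if the signer is not a machine in REALM."""
    host, _, srealm = signer.partition("@")
    if not host.endswith("$") or srealm.upper() != realm.upper():
        return None
    return f"{host[:-1]}.{realm}".lower()

def type_ok(types, rrtype):
    if "ANY" in types:
        return rrtype not in NEVER
    if not types:
        return rrtype not in NO_TYPES_SKIP
    return rrtype in types

def decide(rules, signer, name, rrtype):
    name, rrtype = name.lower().rstrip("."), rrtype.upper()
    for action, identity, ruletype, _, types in rules:
        if ruletype == "wildcard":   # "*" expands to any name below the zone apex
            hit = signer.lower() == identity.lower() and name.endswith("." + ZONE)
        elif ruletype == "ms-self":  # machine may only touch its own name
            hit = ms_self_name(signer, identity) == name
        else:
            hit = False
        if hit and type_ok(types, rrtype):
            return action            # first matching rule wins
    return "deny"                    # nothing matched: update refused

RULES = parse(POLICY)
```

Because the first match decides, the `deny ... SRV` line only has an effect while it stays above the `grant ... ANY` line for the same rule type.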