Second try:

> Is there a bug in the implementation of the update-policy or do I not have a grasp on how it should work?
>
> If I wanted to only allow machines in an Active Directory the ability to update their 'A' records, shouldn't I be able to use a statement like this:
>
>     update-policy { grant <REALM> ms-self * A; }
>
> For some reason the only thing that works is setting a grant ANY and then restricting records with a deny before the grant statement. This seems like overkill if all I want to allow is 'A' records. Also, it appears that you cannot deny 'AAAA' and allow 'A'. Any time I set a deny for 'AAAA' it also blocks 'A' records. Are these bugs or by design?
>
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 5, 2010, at 12:45 PM, Nicholas F Miller wrote:

> On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:
>
>> YES!!!! Brilliant!!!! Thanks Rob.
>>
>> I think it is working now. I have the update-policy set up as follows:
>>
>>     grant d...@realm wildcard * ANY;
>>     grant d...@realm wildcard * ANY;
>>     grant dns_serv...@realm wildcard * ANY;
>>     deny REALM ms-self * SRV;
>>     grant REALM ms-self * ANY;
>>
>> If I understand things correctly I am allowing the DCs and DNS server to update any record type in the domain and any subdomains. The clients are allowed to update any of their own records except SRV, MX and NS. Do I even need to deny NS for ms-self?
>>
>> If it is truly working correctly, I wonder why I can't deny AAAA records. When I add AAAA to the deny statement it blocks A records as well. If I try A6 it still allows AAAA records to be set by client machines.
>>
>> _________________________________________________________
>> Nicholas Miller, ITS, University of Colorado at Boulder
>>
>> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
>>
>>> If you're trying to grant update rights to a specific machine (rather than every machine in the realm), something like:
>>>
>>>     grant d...@realm. subdomain dnsname.;
>>>
>>> might work better, where "d...@realm" is (e.g.) the Kerberos principal corresponding to your DC and "dnsname" is the tree to which you want to grant rights. The "$" is a Microsoft-ism.
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
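An added illustration, not part of the thread and not ISC's BIND code: a small Python model of how BIND evaluates an update-policy, following the semantics documented in the BIND ARM (rules are checked in order and the first matching rule decides; no match means the update is refused; a rule that lists no types matches everything except RRSIG, NS, SOA, NSEC and NSEC3; ANY matches everything except NSEC and NSEC3; ms-self takes a machine$@REALM principal and lets it update machine.realm, ignoring the rule's name field). The realm, principals, zone names and the three policies below are constructed for the example. Running it shows that a rule listing only A grants nothing else, so no deny line is needed for that shape of policy, and that under "grant ... ANY" a deny only takes effect if it precedes the grant.

```python
import fnmatch
from dataclasses import dataclass

# Per the BIND ARM: these can never be changed by dynamic update.
NEVER_UPDATABLE = {"NSEC", "NSEC3"}
# Per the BIND ARM: excluded when a rule lists no types at all.
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


@dataclass
class Rule:
    action: str                 # "grant" or "deny"
    identity: str               # signer pattern, or the REALM for ms-self
    matchtype: str              # "ms-self", "wildcard", "subdomain" or "name"
    name: str                   # name pattern (ignored for ms-self)
    types: tuple = ()           # empty: all types except DEFAULT_EXCLUDED


def parse_policy(text: str) -> list[Rule]:
    """Parse 'action identity matchtype name [types...];' statements."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, matchtype, name, *types = parts
        rules.append(Rule(action, identity, matchtype, name,
                          tuple(t.upper() for t in types)))
    return rules


def _name_matches(rule: Rule, name: str) -> bool:
    n, rn = name.lower().rstrip("."), rule.name.lower().rstrip(".")
    if rule.matchtype == "name":
        return n == rn
    if rule.matchtype == "subdomain":
        return n == rn or n.endswith("." + rn)
    if rule.matchtype == "wildcard":
        return fnmatch.fnmatchcase(n, rn)
    raise ValueError(f"unsupported matchtype {rule.matchtype!r}")


def _ms_self_matches(rule: Rule, signer: str, name: str) -> bool:
    """machine$@REALM may update machine.realm when REALM is the rule's identity."""
    if "$@" not in signer:
        return False
    machine, realm = signer.split("$@", 1)
    if realm.upper() != rule.identity.upper():
        return False
    return name.lower().rstrip(".") == f"{machine}.{realm}".lower()


def _type_matches(rule: Rule, rtype: str) -> bool:
    t = rtype.upper()
    if t in NEVER_UPDATABLE:
        return False
    if not rule.types:
        return t not in DEFAULT_EXCLUDED
    return "ANY" in rule.types or t in rule.types


def check_update(rules: list[Rule], signer: str, name: str, rtype: str) -> bool:
    """True if the update is granted: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matchtype == "ms-self":
            if not _ms_self_matches(rule, signer, name):
                continue
        else:
            if not fnmatch.fnmatchcase(signer.lower(), rule.identity.lower()):
                continue
            if not _name_matches(rule, name):
                continue
        if not _type_matches(rule, rtype):
            continue
        return rule.action == "grant"
    return False


# Constructed policies (realm EXAMPLE.COM, DC principal dc1$@EXAMPLE.COM).
BROAD_WITH_DENY = parse_policy("""
    grant dc1$@EXAMPLE.COM wildcard * ANY;
    deny EXAMPLE.COM ms-self * SRV;
    grant EXAMPLE.COM ms-self * ANY;
""")
DENY_AFTER_GRANT = parse_policy("""
    grant dc1$@EXAMPLE.COM wildcard * ANY;
    grant EXAMPLE.COM ms-self * ANY;
    deny EXAMPLE.COM ms-self * SRV;
""")
NARROW = parse_policy("""
    grant dc1$@EXAMPLE.COM wildcard * ANY;
    grant EXAMPLE.COM ms-self * A;
""")

if __name__ == "__main__":
    ws = "ws01$@EXAMPLE.COM"
    for label, policy in (("broad", BROAD_WITH_DENY), ("narrow", NARROW)):
        for t in ("A", "AAAA", "SRV", "NS"):
            print(label, t, check_update(policy, ws, "ws01.example.com", t))
```

Under the broad policy a workstation can still add NS records for its own name because ANY matches NS; under the narrow policy only A is granted and everything else falls through to the default deny. Swapping the order of the deny and the grant ANY lines makes the deny unreachable, which is the ordering effect the thread describes.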