Hello, I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.
For my forward zones I have the following rules:

    zone "cp.test" {
        type master;
        file "forward/cp.test";
        notify yes;
        update-policy {
            grant MSADC40T$@CP.TEST wildcard * ANY;
            grant Key_TEST wildcard * ANY;
            grant CP.TEST ms-self * A;
        };
    };

The last line only allows Microsoft clients to set their A record. Works perfectly.

Now I try the same for the reverse zone, and it should allow the client to update only its PTR record.

Example 1:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant Key_TEST wildcard * ANY;    // <-- (Test-Local-Key works)
            grant CP.TEST ms-self * PTR;      // <-- DOESN'T WORK
        };
        notify yes;
    };

Example 2:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant Key_TEST wildcard * ANY;
            grant CP.TEST wildcard * PTR;     // <-- DOESN'T WORK
        };
        notify yes;
    };

Example 3:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant MSADC40T$@CP.TEST ms-self * PTR;    // <-- DOESN'T WORK
            grant Key_TEST wildcard * ANY;
            grant CP.TEST wildcard * PTR;             // <-- DOESN'T WORK
        };
        notify yes;
    };

The only solution that works is:

    grant MSADC40T$@CP.TEST wildcard * PTR;

So it looks like in the reverse zone it's only possible to exactly name the host that should update its own record, and only to use it with the wildcard command. Am I right? Or what am I doing wrong?

Thanks a lot for all your help. Wish you a nice weekend.

Cheers,
Juergen