If I'm not mistaken, ms-self means that the client's hostname must match the name of the record being updated. This is not the case in the reverse space, where record names end in in-addr.arpa instead of cp.test.
Your DHCP server should own the reverse space. I don't know how else to manage this.

Regards,
Chris Buxton
BlueCat Networks

On Jun 24, 2011, at 1:13 AM, Juergen Dietl wrote:

> Hello,
>
> I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.
>
> For my forward zones I have the following rules:
>
> zone "cp.test" {
>     type master;
>     file "forward/cp.test";
>     notify yes;
>     update-policy {
>         grant MSADC40T$@CP.TEST wildcard * ANY;
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST ms-self * A;
>     };
> };
>
> The last line only allows Microsoft clients to set their A-Record. Works
> perfectly.
>
> ---------------------------------------------------------------------
>
> Now I try the same for the reverse zone, and it should allow the client to
> update only its PTR-Record.
>
> Example 1:
>
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant Key_TEST wildcard * ANY;    <---------- (Test-Local-Key works)
>         grant CP.TEST ms-self * PTR;      <------- DOESN'T WORK
>     };
>     notify yes;
> };
>
> Example 2:
>
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST wildcard * PTR;     <------- DOESN'T WORK
>     };
>     notify yes;
>
> Example 3:
>
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant MSADC40T$@CP.TEST ms-self * PTR;    <------ DOESN'T WORK
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST wildcard * PTR;             <------- DOESN'T WORK
>     };
>     notify yes;
> };
>
> The only solution that works is:
>
>     grant MSADC40T$@CP.TEST wildcard * PTR;
>
> So it looks like in the reverse zone it's only possible to exactly name the
> host that should update its own record and only use it with the wildcard
> command.
>
> Am I right? Or what am I doing wrong?
>
> Thanks a lot for all your help.
> Wish you a nice weekend.
> cheers,
> Juergen
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
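
The ms-self matching described in the reply above, as an added example that is not part of the original thread and is not BIND's own code: a simplified Python model of the documented rule (a machine principal `machine$@REALM` may update only the name `machine.realm`), showing why a reverse-zone owner name can never match. The host `PC01`, the user `alice` and the address 10.1.0.5 are constructed sample values.

```python
# Simplified model of the documented ms-self rule (assumption: this mirrors
# the documented behaviour only; it is not taken from BIND's source).
# "grant REALM ms-self * TYPES;": a Kerberos machine principal machine$@REALM
# may update only the record named machine.realm, and only the listed types.

def normalize(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()

def ms_self_name(principal, rule_realm):
    """Return the single owner name the principal may update, or None."""
    account, sep, realm = principal.partition("@")
    if not sep or not account.endswith("$") or len(account) < 2:
        return None          # not a Windows machine principal
    if realm.lower() != rule_realm.lower():
        return None          # principal belongs to a different realm
    return normalize(account[:-1] + "." + realm)

def ms_self_allows(principal, rule_realm, rule_types, owner, rrtype):
    """True if this ms-self rule would grant the update of owner/rrtype."""
    allowed = ms_self_name(principal, rule_realm)
    return (allowed is not None
            and normalize(owner) == allowed
            and rrtype.upper() in rule_types)

# Constructed sample updates: (signer principal, owner name, record type).
SAMPLES = [
    ("PC01$@CP.TEST", "pc01.cp.test.", "A"),             # own forward record
    ("PC01$@CP.TEST", "5.0.1.10.in-addr.arpa.", "PTR"),  # own PTR for 10.1.0.5
    ("PC01$@CP.TEST", "pc02.cp.test.", "A"),             # another host's record
    ("alice@CP.TEST", "pc01.cp.test.", "A"),             # user, not a machine
]

def evaluate(rule_types):
    """Apply 'grant CP.TEST ms-self * <rule_types>;' to every sample."""
    return [ms_self_allows(p, "CP.TEST", rule_types, o, t) for p, o, t in SAMPLES]

if __name__ == "__main__":
    for (p, o, t), ok in zip(SAMPLES, evaluate({"A", "PTR"})):
        print(f"{p:16} {t:4} {o:26} {'grant' if ok else 'no match'}")
```

Listing PTR in the rule's types does not help, because the owner name comparison fails first: no name under in-addr.arpa equals `machine.realm`.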