Disclaimer: I'm new to trying gss-tsig as an update method, so it is entirely possible I'm doing something completely stupid.
I'm using BIND 9.7.3 (because it ships with RedHat 6), with an Active Directory as the Kerberos infrastructure. If I use the following update-policy:

    grant * subdomain my.dns.domain ANY;

then it works (both for nsupdate -g and with a Windows client using Windows native methods); however, this means anyone with a Kerberos ticket (including a user ticket!) can register anything they like into the domain.

I've tried all sorts of tests with the ms-self, ms-subdomain, krb5-self and krb5-subdomain nametypes, and they all seem to fail. I suspect this is because my.dns.domain is not the same as my Kerberos realm (and I can't make it the same, as I really can't go messing with the zone which does match the realm). They all fail with REFUSED (not BADKEY; the checking of credentials all seems to work fine). The documentation for these nametypes does seem to be rather sparse, so I'm not really sure what the syntax should be.

What I was hoping for is a way of having MACHINE$@KRB5.REALM able to update machine.dns.domain, and preferably also host/machine.krb5.realm@KRB5.REALM able to update machine.dns.domain, although the latter isn't vital. (I'm assuming host/machine.dns.domain@KRB5.REALM would work, but I'm not sure that is actually useful, and it certainly won't work for the Windows clients.)

Is this possible?

Cheers
David