This was noted in the release notes and in CHANGES.
4885. [security] update-policy rules that otherwise ignore the name
field now require that it be set to "." to ensure
that any type list present is properly interpreted.
[RT #47126]
krb5-subdomain gets the permitted names from the Kerberos credential name
(host/machine@REALM).
> On 23 Mar 2018, at 2:50 am, Nicholas Miller <nicholas.mil...@colorado.edu>
> wrote:
>
> With the latest update to bind our named.conf started reporting errors. I
> have figured it out but wanted to get clarification about the syntax.
>
> We had been using:
>
> deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>
> We are now using:
>
> deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>
> Am I to assume that the ‘.’ in the config statement behaves similarly to the
> ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>
> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer
> to all records within the zone.:
>
> deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>
> _________________________________________________________
> Nicholas Miller, OIT, University of Colorado at Boulder
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
