Re: GSS-TSIG update-policy clarification

Fri, 23 Mar 2018 07:08:24 -0700 

As a followup, is there a way to stop Windows systems from adding their 6-to-4 
AAAA record? I see little point in adding these records to a domain.
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Mar 22, 2018, at 12:13 PM, Mark Andrews <ma...@isc.org> wrote:
> 
> This was noted in the release notes and in CHANGES.
> 
> 4885.   [security]      update-policy rules that otherwise ignore the name
>                        field now require that it be set to "." to ensure
>                        that any type list present is properly interpreted.
>                        [RT #47126]
> 
> krb5-subdomain gets the permitted names from the Kerberos credential name
> (host/machine@REALM).
> 
>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <nicholas.mil...@colorado.edu> 
>> wrote:
>> 
>> With the latest update to bind our named.conf started reporting errors. I 
>> have figured it out but wanted to get clarification about the syntax.
>> 
>> We had been using:
>> 
>>      deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>> 
>> We are now using:
>> 
>>      deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>> 
>> Am I to assume that the ‘.’ in the config statement behaves similarly to the 
>> ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>> 
>> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer 
>> to all records within the zone.:
>> 
>>      deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>> 
>> _________________________________________________________
>> Nicholas Miller, OIT, University of Colorado at Boulder
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
> 

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to