Re: gss-tsig updates where realm != zone

2012-05-30 Thread David Monro
OK, I've built myself a bind 9.8.3 setup so I can use the 'external' update-policy. It seems there are a few details not fully described in the 9.8.3 ARM :) I did have a bit of a look at the list archives but I couldn't find anything which immediately answered my questions... * If the external da

Re: gss-tsig updates where realm != zone

2012-05-29 Thread Mark Andrews
If you need a different mapping then use "external" to do a customised mapping from kerberos identity to the dns identity. ms-* and krb5-* assume a standard mapping. >From ARM: external: This rule allows named to defer the decision of whether to allow a given update to an external daemon. The