Is there a bug in the implementation of the update-policy or do I not have a grasp on how it should work?

If I wanted to only allow machines in an Active Directory the ability to update their 'A' records, shouldn't I be able to use a statement like this:

    update-policy { grant <REALM> ms-self * A; }

For some reason the only thing that works is setting a grant ANY and then restricting records with a deny before the grant statement. This seems like overkill if all I want to allow is 'A' records. Also, it appears that you cannot deny 'AAAA' and allow 'A'. Any time I set a deny for 'AAAA' it also blocks 'A' records. Are these bugs or by design?
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:

> YES!!!! Brilliant!!!! Thanks Rob.
>
> I think it is working now. I have the update-policy set up as follows:
>
> grant d...@realm wildcard * ANY;
> grant d...@realm wildcard * ANY;
> grant dns_serv...@realm wildcard * ANY;
> deny REALM ms-self * SRV;
> grant REALM ms-self * ANY;
>
> If I understand things correctly I am allowing the DCs and DNS server to
> update any record type in the domain and any subdomains. The clients are
> allowed to update any of their own records except SRV, MX and NS. Do I even
> need to deny NS for ms-self?
>
> If it is truly working correctly, I wonder why I can't deny AAAA records.
> When I add AAAA to the deny statement it blocks A records as well. If I try A6
> it still allows AAAA records to be set by client machines.
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder
>
> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
>
>> If you're trying to grant update rights to a specific machine (rather
>> than every machine in the realm), something like:
>>
>> grant d...@realm. subdomain dnsname.;
>>
>> might work better, where "d...@realm" is (eg) the Kerberos principal
>> corresponding to your DC and "dnsname" is the tree to which you want
>> to grant rights. The "$" is a Microsoft-ism.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
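The rule ordering and the "deny AAAA also blocks A" observation from this thread, as an added Python model that is not BIND's own code: it assumes a constructed zone example.edu and realm EXAMPLE.EDU, machine principals of the form MACHINE$@REALM (the "$" Microsoft-ism above), and the RFC 2136 rule that a DNS UPDATE message is accepted or refused as a unit, so a client that sends its A and AAAA records in one message is refused entirely when only AAAA is denied.

```python
# Added example: a simplified model of how BIND evaluates an update-policy, not BIND's code.
# Constructed assumptions: zone example.edu, realm EXAMPLE.EDU, principals MACHINE$@REALM,
# and the RFC 2136 rule that a DNS UPDATE message is accepted or refused as a unit.
ZONE = "example.edu"  # constructed zone name

def parse_policy(text):
    """Turn 'grant|deny IDENTITY RULETYPE NAME [TYPES...];' statements into rule tuples."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, ident, ruletype, name, *types = parts
        rules.append((action, ident, ruletype, name.rstrip(".").lower(),
                      {t.upper() for t in types} or {"ANY"}))
    return rules

def _under(name, parent):
    return parent == "*" or name == parent or name.endswith("." + parent)

def _matches(rule, identity, name, rrtype):
    action, ident, ruletype, rname, types = rule
    name = name.rstrip(".").lower()
    if "ANY" not in types and rrtype.upper() not in types:
        return False
    if ruletype == "ms-self":
        # identity must be MACHINE$@REALM and the updated name must be MACHINE.ZONE
        suffix = "$@" + ident.upper()
        if not identity.upper().endswith(suffix):
            return False
        machine = identity[: -len(suffix)].lower()
        return name == f"{machine}.{ZONE}"
    if ruletype in ("subdomain", "wildcard"):
        return identity.rstrip(".").upper() == ident.rstrip(".").upper() and _under(name, rname)
    raise ValueError(f"unsupported rule type {ruletype}")

def rr_allowed(policy, identity, name, rrtype):
    """The first rule matching identity, name and type decides; no match means refused."""
    for rule in policy:
        if _matches(rule, identity, name, rrtype):
            return rule[0] == "grant"
    return False

def update_allowed(policy, identity, rrs):
    """A DNS UPDATE is atomic: one refused RR refuses the whole message (RFC 2136)."""
    return all(rr_allowed(policy, identity, n, t) for n, t in rrs)

# The thread's policy, with constructed principal names in place of the elided ones
THREAD_POLICY = parse_policy("""grant dc1$@EXAMPLE.EDU wildcard * ANY;
    grant dns_server$@EXAMPLE.EDU wildcard * ANY;
    deny EXAMPLE.EDU ms-self * SRV MX NS;
    grant EXAMPLE.EDU ms-self * ANY;""")
A_ONLY_POLICY = parse_policy("grant EXAMPLE.EDU ms-self * A;")  # the first question's policy
```

With A_ONLY_POLICY a lone A update from pc1 is granted, but an update carrying both A and AAAA for pc1 is refused as a whole, which is the behaviour the thread reports.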