Is there a bug in the implementation of the update-policy or do I not have a 
grasp on how it should work?

If I wanted to only allow machines in an Active Directory the ability to update 
their 'A' records shouldn't I be able to use a statement like this:

        update-policy {
                grant <REALM> ms-self * A;
        }

For some reason the only thing that works is setting a grant ANY and then 
restricting records with a deny before the grant statement. This seems like 
overkill if all I want to allow is 'A' records.

Also, it appears that you cannot deny 'AAAA' and allow 'A'. Any time I set a 
deny for 'AAAA' it also blocks 'A' records.

Are these bugs or by design?
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder
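To see why the ordering of the deny and grant statements matters in both messages above (the working policy puts its deny before "grant ... ms-self * ANY"), here is a small first-match model of a BIND update-policy block. This is an added example written for this thread, not code from the original post or from BIND itself. It assumes a simplified reading of the rule semantics: a principal of the form "host$@REALM" matched by ms-self may only touch the owner name "host.<zone>" (the name field is ignored for ms-self here), "wildcard" is a shell-style match, "subdomain" matches the name and everything beneath it, an empty type list or "ANY" means any RR type, and an update that matches no rule is refused. The realm, principal names and zone are constructed sample values.

```python
"""Minimal first-match model of a BIND 'update-policy' block (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    permission: str    # "grant" or "deny"
    identity: str      # principal, or Kerberos realm for ms-self
    nametype: str      # "wildcard", "subdomain" or "ms-self"
    name: str          # name field; "*" means any name
    types: frozenset   # RR types; an empty set stands for ANY


def _norm(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.rstrip(".").lower()


def parse_policy(text):
    """Parse 'grant|deny identity nametype name [types...];' statements."""
    rules = []
    for stmt in text.split(";"):
        fields = stmt.split()
        if not fields:
            continue
        perm, ident, nametype, name, *types = fields
        if perm not in ("grant", "deny"):
            raise ValueError(f"bad permission {perm!r}")
        if not types or "ANY" in types:
            types = []                      # ANY: no type restriction
        rules.append(Rule(perm, ident, nametype, name,
                          frozenset(t.upper() for t in types)))
    return rules


def _matches(rule, principal, target, zone):
    """Does this rule's identity/nametype/name cover the update at all?"""
    target = _norm(target)
    if rule.nametype == "ms-self":
        # Simplification: principal must look like host$@REALM, with REALM equal
        # to the rule's identity, and may only touch host.<zone>.
        if "@" not in principal:
            return False
        host, realm = principal.split("@", 1)
        if not host.endswith("$") or realm.lower() != rule.identity.lower():
            return False
        return target == f"{host[:-1].lower()}.{_norm(zone)}"
    if principal.lower() != rule.identity.lower():
        return False
    if rule.nametype == "subdomain":
        base = _norm(rule.name)
        return target == base or target.endswith("." + base)
    if rule.nametype == "wildcard":
        return fnmatchcase(target, _norm(rule.name))
    raise ValueError(f"unsupported nametype {rule.nametype!r}")


def evaluate(rules, principal, target, rrtype, zone):
    """Return 'grant' or 'deny' for one update; the first matching rule wins."""
    for rule in rules:
        if not _matches(rule, principal, target, zone):
            continue
        if rule.types and rrtype.upper() not in rule.types:
            continue                        # rule covers other types only
        return rule.permission
    return "deny"                           # nothing matched: update refused


# Constructed sample policy in the shape used in the thread (realm and
# principals are made up).
POLICY = """
    deny  EXAMPLE.COM ms-self * SRV MX NS;
    grant EXAMPLE.COM ms-self * ANY;
    grant dns-server@EXAMPLE.COM subdomain example.com ANY;
"""
RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for rrtype in ("A", "AAAA", "SRV"):
        print(rrtype, evaluate(RULES, "pc01$@EXAMPLE.COM",
                               "pc01.example.com", rrtype, "example.com"))
```

Running the module shows a machine account getting A and AAAA on its own name but not SRV; swapping the two ms-self lines makes the deny unreachable, because the "ANY" grant is matched first for every type.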



On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:

> YES!!!! Brilliant!!!! Thanks Rob.
> 
> I think it is working now. I have the update-policy set up as follows:
> 
>                grant d...@realm wildcard * ANY;
>                grant d...@realm wildcard * ANY;
>                grant dns_serv...@realm wildcard * ANY;
>                deny REALM ms-self * SRV;
>                grant REALM ms-self * ANY;
> 
> If I understand things correctly I am allowing the DCs and DNS server to 
> update any record type in the domain and any subdomains. The clients are 
> allowed to update any of their own records except SRV, MX and NS. Do I even 
> need to deny NS for ms-self?
> 
> If it is truly working correctly, I wonder why I can't deny AAAA records. 
> When I add AAAA to the deny statement it blocks A records as well. If I try A6 
> it still allows AAAA records to be set by client machines.
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder
> 
> 
> 
> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
> 
>> If you're trying to grant update rights to a specific machine (rather
>> than every machine in the realm), something like:
>> 
>> grant d...@realm. subdomain dnsname.;
>> 
>> might work better, where "d...@realm" is (eg) the Kerberos principal
>> corresponding to your DC and "dnsname" is the tree to which you want
>> to grant rights.  The "$" is a Microsoft-ism.
> 

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
