Why are you letting the clients register their own addresses in DNS in the first place? If you want a higher level of control, move the DDNS responsibility to the DHCP server.
- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Nicholas Miller
Sent: Friday, March 23, 2018 4:16 PM
To: bind-users@lists.isc.org
Subject: Re: GSS-TSIG update-policy clarification

That’s well and good for an organization that controls ALL of the end points. In a university that isn’t possible.
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Mar 23, 2018, at 2:04 PM, Mark Andrews <ma...@isc.org> wrote:
>
> If you don’t want 6to4 addresses stop the machine configuring them.
>
> Not everything should be done at the DNS level.
> --
> Mark Andrews
>
>> On 24 Mar 2018, at 01:07, Nicholas Miller <nicholas.mil...@colorado.edu> wrote:
>>
>> As a followup, is there a way to stop Windows systems from adding their
>> 6-to-4 AAAA record? I see little point in adding these records to a domain.
>> _________________________________________________________
>> Nicholas Miller, OIT, University of Colorado at Boulder
>>
>>> On Mar 22, 2018, at 12:13 PM, Mark Andrews <ma...@isc.org> wrote:
>>>
>>> This was noted in the release notes and in CHANGES.
>>>
>>> 4885.   [security]      update-policy rules that otherwise ignore the name
>>>                         field now require that it be set to "." to ensure
>>>                         that any type list present is properly interpreted.
>>>                         [RT #47126]
>>>
>>> krb5-subdomain gets the permitted names from the Kerberos credential
>>> name (host/machine@REALM).
>>>
>>>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <nicholas.mil...@colorado.edu> wrote:
>>>>
>>>> With the latest update to bind our named.conf started reporting errors. I
>>>> have figured it out but wanted to get clarification about the syntax.
>>>>
>>>> We had been using:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>>>>
>>>> We are now using:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>>>>
>>>> Am I to assume that the ‘.’ in the config statement behaves similarly to
>>>> the ‘.’ in a zone file? It refers back to the zone the update-policy is
>>>> defining?
>>>>
>>>> Also, what is the difference between using a ‘.’ and a ‘*’? They both
>>>> refer to all records within the zone:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>>>>
>>>> _________________________________________________________
>>>> Nicholas Miller, OIT, University of Colorado at Boulder
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
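
An added example, not part of the thread and not BIND's own tooling: a small Python check that scans a named.conf for `krb5-subdomain` update-policy rules whose name field is not ".", the condition that change 4885 quoted above now rejects, and prints the rule with "." substituted for review. The sample configuration is constructed; the one-rule-per-line parsing and the extensible set of rule types are assumptions.

```python
import re

# Rule types checked. Only krb5-subdomain is confirmed by the thread above;
# add others for your BIND version after checking its documentation.
NAME_IGNORING_RULETYPES = {"krb5-subdomain"}

# update-policy rule layout: (grant|deny) identity ruletype name [types];
RULE_RE = re.compile(
    r"^\s*(?P<action>grant|deny)\s+(?P<identity>\S+)\s+"
    r"(?P<ruletype>\S+)\s+(?P<name>[^\s;]+)(?P<types>[^;]*);"
)

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
zone "domain.edu" {
    type master;
    update-policy {
        deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
        deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
        deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;  // name field is not "."
        grant DOMAIN.EDU krb5-subdomain . A AAAA;
    };
};
"""


def find_stale_rules(conf_text, ruletypes=NAME_IGNORING_RULETYPES):
    """Return (line_no, rule, suggested_rule) for rules whose name is not '.'.

    Assumes one rule per line; multi-line rules and /* */ comments are not
    handled.
    """
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        code = re.sub(r"(#|//).*", "", line)  # drop trailing comments
        m = RULE_RE.match(code)
        if not m or m["ruletype"].lower() not in ruletypes:
            continue
        if m["name"] != ".":
            fixed = f'{m["action"]} {m["identity"]} {m["ruletype"]} .{m["types"]};'
            findings.append((line_no, code.strip(), fixed))
    return findings


if __name__ == "__main__":
    for line_no, rule, fixed in find_stale_rules(SAMPLE_CONF):
        print(f"line {line_no}: {rule}\n  suggested: {fixed}")
```

Running `named-checkconf` on the edited file remains the authoritative check; this script only locates candidate rules before an upgrade.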