Update-Policy "ms-self" for reverse zone doesn't work - please help

2011-06-24 Thread Juergen Dietl
Hello,

I am running BIND 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 server.

For my forward zones I have the following rules:

zone "cp.test" {
    type master;
    file "forward/cp.test";
    notify yes;
    update-policy {
        grant MSADC40T$@CP.TEST wildcard * ANY;
        grant Key_TEST wildcard * ANY;
        grant CP.TEST ms-self * A;
    };
};


The last line only allows Microsoft clients to set their own A record. Works
perfectly.

-

Now I am trying the same for the reverse zone; it should allow the client to
update only its own PTR record.

Example 1:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant Key_TEST wildcard * ANY;   // <-- Test-Local-Key works
        grant CP.TEST ms-self * PTR;     // <--- DOESN'T WORK
    };
    notify yes;
};

Example 2:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant Key_TEST wildcard * ANY;
        grant CP.TEST wildcard * PTR;    // <--- DOESN'T WORK
    };
    notify yes;
};


Example 3:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant MSADC40T$@CP.TEST ms-self * PTR;  // <-- DOESN'T WORK
        grant Key_TEST wildcard * ANY;
        grant CP.TEST wildcard * PTR;           // <--- DOESN'T WORK
    };
    notify yes;
};



Only solution that works is:

grant  MSADC40T$@CP.TEST wildcard * PTR;

So it looks like in the reverse zone it is only possible to name the exact
host that should update its own record, and only by using the wildcard
command.

Am I right? Or what am I doing wrong?

Thanks a lot for all your help.
I wish you a nice weekend.
Cheers,
Juergen
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Update-Policy "ms-self" for reverse zone doesn't work - please help

2011-06-24 Thread Chris Buxton
If I'm not mistaken, ms-self means that the client's hostname must match the 
name of the record being updated. This is not the case in the reverse space, 
where record names end in in-addr.arpa instead of cp.test.

Your DHCP server should own the reverse space. I don't know how else to manage 
this.

Regards,
Chris Buxton
BlueCat Networks

On Jun 24, 2011, at 1:13 AM, Juergen Dietl wrote:

> Hello,
> 
> I am running BIND 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 server.
> 
> For my forward zones I have the following rules:
> 
> zone "cp.test" {
>     type master;
>     file "forward/cp.test";
>     notify yes;
>     update-policy {
>         grant MSADC40T$@CP.TEST wildcard * ANY;
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST ms-self * A;
>     };
> };
> 
> 
> The last line only allows Microsoft clients to set their own A record. Works
> perfectly.
> 
> -
> 
> Now I am trying the same for the reverse zone; it should allow the client to
> update only its own PTR record.
> 
> Example 1:
> 
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant Key_TEST wildcard * ANY;   // <-- Test-Local-Key works
>         grant CP.TEST ms-self * PTR;     // <--- DOESN'T WORK
>     };
>     notify yes;
> };
> 
> Example 2:
> 
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST wildcard * PTR;    // <--- DOESN'T WORK
>     };
>     notify yes;
> };
> 
> 
> Example 3:
> 
> zone "10.in-addr.arpa" {
>     type master;
>     file "reverse/10.in-addr.arpa";
>     update-policy {
>         grant MSADC40T$@CP.TEST ms-self * PTR;  // <-- DOESN'T WORK
>         grant Key_TEST wildcard * ANY;
>         grant CP.TEST wildcard * PTR;           // <--- DOESN'T WORK
>     };
>     notify yes;
> };
> 
> 
> 
> Only solution that works is:
> 
> grant  MSADC40T$@CP.TEST wildcard * PTR;
> 
> So it looks like in the reverse zone it is only possible to name the exact
> host that should update its own record, and only by using the wildcard
> command.
> 
> Am I right? Or what am I doing wrong?
> 
> Thanks a lot for all your help.
> I wish you a nice weekend.
> Cheers,
> Juergen

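To make Chris's explanation concrete, here is a small model of how the two match types used in this thread decide an update. It is an added example, not BIND's code and not anything either poster wrote; it assumes the ms-self semantics as described above (a machine principal `HOST$@REALM` may update only the name `host.realm`, with the realm taken from the rule's identity field), and the addresses 10.0.0.40 and 10.0.0.99 are constructed for the demonstration. The `wildcard_match` helper is a simplification of BIND's wildcard name matching.

```python
import re
from dataclasses import dataclass

# Constructed values for the demonstration: the machine principal is the one
# from the thread; 10.0.0.40 / 10.0.0.99 are assumed addresses in the
# 10.in-addr.arpa zone, not values taken from the list posts.
PRINCIPAL = "MSADC40T$@CP.TEST"
OWN_PTR = "40.0.0.10.in-addr.arpa"
OTHER_PTR = "99.0.0.10.in-addr.arpa"


def canon(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


@dataclass(frozen=True)
class Grant:
    identity: str      # TSIG key name, Kerberos principal, or (ms-self) realm
    matchtype: str     # "ms-self" or "wildcard"
    name: str          # name field of the rule
    types: frozenset   # RR types, e.g. {"A"}, {"PTR"}, {"ANY"}


def parse_grant(line):
    """Parse one 'grant <identity> <matchtype> <name> <types...>;' line."""
    parts = line.strip().rstrip(";").split()
    if len(parts) < 5 or parts[0] != "grant":
        raise ValueError("not a grant rule: %r" % line)
    return Grant(parts[1], parts[2], parts[3], frozenset(t.upper() for t in parts[4:]))


def ms_self_target(principal):
    """Map a Windows machine principal HOST$@REALM to (host.realm., realm.).

    Returns None for identities that are not machine principals (e.g. a TSIG
    key name such as Key_TEST), which ms-self can never match."""
    m = re.fullmatch(r"([^@$]+)\$@([^@]+)", principal)
    if m is None:
        return None
    host, realm = m.groups()
    return canon(host + "." + realm), canon(realm)


def wildcard_match(pattern, name):
    """Simplified wildcard rule: '*' matches every name, '*.suffix' matches
    names below suffix, anything else must match exactly."""
    pattern, name = canon(pattern), canon(name)
    if pattern == "*.":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".suffix."
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name


def grant_matches(grant, principal, name, rtype):
    """Does this grant permit PRINCIPAL to update RTYPE records at NAME?"""
    if "ANY" not in grant.types and rtype.upper() not in grant.types:
        return False
    if grant.matchtype == "ms-self":
        target = ms_self_target(principal)
        if target is None:
            return False
        own_name, realm = target
        # The identity field names the realm; the name field is not consulted.
        # The only name ms-self will ever authorise is host.realm, so a PTR
        # name under in-addr.arpa can never satisfy it.
        return realm == canon(grant.identity) and canon(name) == own_name
    if grant.matchtype == "wildcard":
        return principal.lower() == grant.identity.lower() and wildcard_match(grant.name, name)
    raise ValueError("match type not modelled here: " + grant.matchtype)


def update_allowed(policy, principal, name, rtype):
    """First matching grant wins; no matching grant means the update is refused."""
    return any(grant_matches(parse_grant(rule), principal, name, rtype) for rule in policy)


def demo():
    """Evaluate the thread's three policies against the constructed names."""
    forward = ["grant CP.TEST ms-self * A;"]
    reverse_ms_self = ["grant CP.TEST ms-self * PTR;"]
    reverse_wildcard = ["grant MSADC40T$@CP.TEST wildcard * PTR;"]
    return {
        "forward: own A record": update_allowed(forward, PRINCIPAL, "msadc40t.cp.test", "A"),
        "forward: another host's A record": update_allowed(forward, PRINCIPAL, "other.cp.test", "A"),
        "reverse ms-self: own PTR": update_allowed(reverse_ms_self, PRINCIPAL, OWN_PTR, "PTR"),
        "reverse wildcard: own PTR": update_allowed(reverse_wildcard, PRINCIPAL, OWN_PTR, "PTR"),
        "reverse wildcard: someone else's PTR": update_allowed(reverse_wildcard, PRINCIPAL, OTHER_PTR, "PTR"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-40s %s" % (case, "allowed" if allowed else "refused"))
```

The last case is the one to weigh before settling on the "only solution that works": `grant MSADC40T$@CP.TEST wildcard * PTR` matches every name in 10.in-addr.arpa, so that machine can rewrite any host's PTR record in the zone, not just its own. Narrowing the name field, or letting the DHCP server own the reverse zone as Chris suggests, keeps the grant to the least privilege the client actually needs.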