Update-Policy "ms-self" for reverse zone doesn't work - please help
Juergen Dietl
isclists01 at googlemail.com
Fri Jun 24 08:13:16 UTC 2011
Hello,
I am running BIND 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 server.
For my forward zones I have the following rules:
    zone "cp.test" {
        type master;
        file "forward/cp.test";
        notify yes;
        update-policy {
            grant MSADC40T$@CP.TEST wildcard * ANY;
            grant Key_TEST wildcard * ANY;
            grant CP.TEST ms-self * A;
        };
    };
The last line only allows Microsoft clients to set their own A record. Works
perfectly.
---------------------------------------------------------------------------------------------------------------------
Now I try the same for the reverse zone; it should allow the client only
to update its own PTR record.
Example 1:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant Key_TEST wildcard * ANY;   // <-- works (test local key)
            grant CP.TEST ms-self * PTR;     // <-- DOES NOT WORK
        };
        notify yes;
    };
Example 2:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant Key_TEST wildcard * ANY;
            grant CP.TEST wildcard * PTR;    // <-- DOES NOT WORK
        };
        notify yes;
    };
Example 3:

    zone "10.in-addr.arpa" {
        type master;
        file "reverse/10.in-addr.arpa";
        update-policy {
            grant MSADC40T$@CP.TEST ms-self * PTR;   // <-- DOES NOT WORK
            grant Key_TEST wildcard * ANY;
            grant CP.TEST wildcard * PTR;            // <-- DOES NOT WORK
        };
        notify yes;
    };
The only solution that works is:

    grant MSADC40T$@CP.TEST wildcard * PTR;
So it looks like in the reverse zone it is only possible to name exactly the
host that should update its own record, and only with the wildcard rule.
Am I right? Or what am I doing wrong?
Thanks a lot for all your help.
Wish you a nice weekend.
cheers,
Juergen
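To make the behaviour in the examples above reproducible, here is a small model of the two update-policy rule types they use, "wildcard" and "ms-self". This is an illustration added after the post, not BIND's own code and not something the poster supplied. It assumes the rule semantics described in the BIND ARM: an ms-self rule takes a Windows machine principal "MACHINE$@REALM", requires REALM to equal the rule's identity field, and permits updates only to the exact name "machine.realm" (the name field is treated as ignored here); a wildcard rule requires the signer name to equal the identity field and matches the target name against the name pattern. Everything else named(8) checks (TSIG validation, zone containment, rrtype negation, the other rule types) is left out. The PTR owner name and the second machine principal are constructed sample values.

```python
"""Simplified model of BIND update-policy 'wildcard' and 'ms-self' rules.

Illustration only: it follows the rule semantics documented in the BIND ARM
but is not BIND's code and omits most of what named(8) actually checks.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Rule:
    identity: str    # identity field; for ms-self this is the Kerberos realm
    kind: str        # "wildcard" or "ms-self"
    name: str        # name field ("*" matches any name for wildcard rules)
    types: tuple     # allowed rrtypes; ("ANY",) allows every type


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.rstrip(".").lower()


def ms_self_name(principal: str):
    """Map a machine principal 'MACHINE$@REALM' to the DNS name 'machine.realm'
    that an ms-self rule lets it update.  Returns None for anything that is
    not a machine account principal."""
    if "@" not in principal:
        return None
    account, realm = principal.split("@", 1)
    if not account.endswith("$"):
        return None
    return _norm(account[:-1] + "." + realm)


def rule_matches(rule: Rule, signer: str, target: str, rrtype: str) -> bool:
    """True if this single rule authorises `signer` to update `target`/`rrtype`."""
    if "ANY" not in rule.types and rrtype.upper() not in rule.types:
        return False
    if rule.kind == "wildcard":
        # Identity must equal the signer name; the name field is a wildcard
        # pattern applied to the record being updated.
        if rule.identity != "*" and _norm(rule.identity) != _norm(signer):
            return False
        return fnmatch.fnmatchcase(_norm(target), _norm(rule.name))
    if rule.kind == "ms-self":
        # Identity field names the realm; the record name must be exactly the
        # machine's own forward name, so a PTR owner name can never match.
        machine = ms_self_name(signer)
        if machine is None:
            return False
        realm = signer.split("@", 1)[1]
        if _norm(realm) != _norm(rule.identity):
            return False
        return machine == _norm(target)
    raise ValueError(f"unsupported rule type {rule.kind!r}")


def allowed(policy, signer: str, target: str, rrtype: str) -> bool:
    """An update is permitted if any grant rule in the policy matches."""
    return any(rule_matches(r, signer, target, rrtype) for r in policy)


# Policies taken from the configurations quoted in the post.
FORWARD_POLICY = (
    Rule("MSADC40T$@CP.TEST", "wildcard", "*", ("ANY",)),
    Rule("Key_TEST", "wildcard", "*", ("ANY",)),
    Rule("CP.TEST", "ms-self", "*", ("A",)),
)
REVERSE_EXAMPLE1 = (
    Rule("Key_TEST", "wildcard", "*", ("ANY",)),
    Rule("CP.TEST", "ms-self", "*", ("PTR",)),
)
REVERSE_EXAMPLE2 = (
    Rule("Key_TEST", "wildcard", "*", ("ANY",)),
    Rule("CP.TEST", "wildcard", "*", ("PTR",)),
)
REVERSE_WORKING = (
    Rule("MSADC40T$@CP.TEST", "wildcard", "*", ("PTR",)),
)

CLIENT = "MSADC40T$@CP.TEST"          # machine principal from the post
OTHER = "OTHERPC$@CP.TEST"            # constructed: a second domain member
A_NAME = "msadc40t.cp.test"           # the client's own forward name
PTR_NAME = "40.0.0.10.in-addr.arpa"   # constructed sample PTR owner name

if __name__ == "__main__":
    cases = [
        ("forward, ms-self rule only", FORWARD_POLICY[2:], CLIENT, A_NAME, "A"),
        ("forward, other host via ms-self", FORWARD_POLICY[2:], OTHER, A_NAME, "A"),
        ("reverse example 1", REVERSE_EXAMPLE1, CLIENT, PTR_NAME, "PTR"),
        ("reverse example 2", REVERSE_EXAMPLE2, CLIENT, PTR_NAME, "PTR"),
        ("reverse, working rule", REVERSE_WORKING, CLIENT, PTR_NAME, "PTR"),
        ("reverse, working rule, other host", REVERSE_WORKING, OTHER, PTR_NAME, "PTR"),
    ]
    for label, policy, signer, target, rrtype in cases:
        print(f"{label:36s} {signer:20s} -> {allowed(policy, signer, target, rrtype)}")
```

Run it and the last two lines show what the post observed: the explicit wildcard grant lets exactly the named machine account update PTR records in the zone, and any other machine is refused, because under this model the wildcard rule compares the signer name against the identity field, while ms-self only ever matches the machine's own forward name.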