GSS-TSIG update policy identity field

Juergen Dietl isclists01 at
Wed May 11 08:01:03 UTC 2011


i run GSS-TSIG on a SuSE Enterprise 11 Server using bind 9.8 latest version.

I have 3 domains:


I created 3 keys and merge them with ktutil.

Now I want to use update policy:

For this I have the follwoing rule:

update-policy {
grant * subdomain example1.test. ANY;

Works perfect. But the asterix stands for the identity field.

The rule is:

(grant | deny) identity nametype [name] [types]

Works also perfect but if i do a wildcard as identity then multiple
identities are allowed to do dns-update.

>> The goal is that only the client itsself is allowed to update its own

So I must put in some other content instead of the asterix. And there I need
your help.

I use GSS-TSIG and the handbook says that in gss-tsig the content of the
identity field ist the common secret which is the kerberos principal.

So I tried about 100 combiniations like:
grant DNS/user.example1.test at EXAMPLE1.TEST subdomain example1.test ANY

I always get a refuse. What should I put in as the identity field?

thanx for all your help,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list