GSS-TSIG update policy identity field
Juergen Dietl
isclists01 at googlemail.com
Wed May 11 08:01:03 UTC 2011
Hello,
I run GSS-TSIG on a SuSE Enterprise 11 Server using bind 9.8 latest version.
I have 3 domains:
example1.test
example2.test
example3.test
I created 3 keys and merged them with ktutil.
Now I want to use update policy:
For this I have the following rule:
update-policy {
    grant * subdomain example1.test. ANY;
};
Works perfect. But the asterisk stands for the identity field.
The rule is:
(grant | deny) identity nametype [name] [types]
Works also perfect but if I do a wildcard as identity then multiple
identities are allowed to do dns-update.
>> The goal is that only the client itself is allowed to update its own
address.<<
So I must put in some other content instead of the asterisk. And there I need
your help.
I use GSS-TSIG and the handbook says that in gss-tsig the content of the
identity field is the common secret which is the kerberos principal.
So I tried about 100 combinations like:
grant DNS/user.example1.test@EXAMPLE1.TEST subdomain example1.test ANY
I always get a refuse. What should I put in as the identity field?
Thanks for all your help,
cheers,
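
An added example (not part of the original post, and not ISC code): a small Python audit that parses update-policy rules with the grammar quoted in the message and reports grant rules whose identity is `*`, the case the post describes where multiple identities may update. The nametype set, the function names and the sample zone text are assumptions constructed for this example.

```python
import re

# Nametypes that do not tie the updated name to the signer (assumption: a
# subset picked for this example; "subdomain" is the one used in the post).
UNBOUND_NAMETYPES = {"name", "subdomain", "wildcard", "zonesub"}

# Constructed sample input, not a tested configuration.
SAMPLE = '''
zone "example1.test" {
    type master;
    update-policy {
        grant * subdomain example1.test. ANY;   // rule from the post
    };
};
zone "example2.test" {
    type master;
    update-policy {
        grant "host/client1.example2.test@EXAMPLE2.TEST" name client1.example2.test. A;
        deny * subdomain example2.test. ANY;
    };
};
'''

def parse_update_policy(conf):
    """Return (action, identity, nametype, name, types) for each rule in every
    update-policy block: (grant | deny) identity nametype [name] [types]."""
    conf = re.sub(r"(#|//)[^\n]*", "", conf)  # strip line comments
    rules = []
    for block in re.findall(r"update-policy\s*\{(.*?)\}", conf, re.S):
        for stmt in block.split(";"):
            tok = [t.strip('"') for t in stmt.split()]
            if len(tok) < 3 or tok[0] not in ("grant", "deny"):
                continue
            rest = tok[3:]
            # zonesub takes no name field; the other types are followed by one
            name = None if tok[2] == "zonesub" or not rest else rest[0]
            types = rest if name is None else rest[1:]
            rules.append((tok[0], tok[1], tok[2], name, types))
    return rules

def audit(conf):
    """Return grant rules where a wildcard identity meets an unbound nametype,
    i.e. any authenticated signer may update every name the rule covers."""
    return [r for r in parse_update_policy(conf)
            if r[0] == "grant" and r[1] == "*" and r[2] in UNBOUND_NAMETYPES]

if __name__ == "__main__":
    for action, identity, nametype, name, types in audit(SAMPLE):
        print(f"wildcard identity: {action} {identity} {nametype} {name} {types}")
```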