GSS-TSIG update policy identity field

Juergen Dietl isclists01 at
Wed May 11 13:08:09 UTC 2011


and thanx for all your answeres.

I want to ask the question again in a shorter way:

If I look in the log the client tells the dns-server:
request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST

when I now put in the rule:
grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;

ONLY THIS client is allowed to make update. So I would have to make 50k
lines - one for each client :-)

So I look for a way that I can say that all clients from EXAMPLE.TEST are
allowed to update their own record (or whatever).

It should work like this grant *\$\@EXAMPLE.TEST subdomain example.test.

I also do not know what the $-sign is for and why the syntax is so strange

In the named.conf I also use the
tkey-gssapi-keytab "/etc/krb5.keytab";

I cannot use the
tkey-gssapi-credential "DNS/lxdns10t.prim-dns.test1.test at EXAMPLE.TEST";
tkey-domain "EXAMPLE.TEST";

Because I need one key for every domain and so I must join them with KTUTIL
making one big keytab. And with the old sytax I only can use one credential.

Any new idea?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list