GSS-TSIG update policy identity field

Mark Andrews marka at
Wed May 11 13:32:54 UTC 2011

In message <BANLkTim7k4KYxYoz=awj9mwtCzvxB32Vog at>, Juergen Dietl 
> Hello Mark,
> thanx for your anwer.
> Your first sentence maybe help me to understand why this is the client=B4s
> credential that it needs in the rule:
> So fist is the hostname then the slash makes the $-sign just to be a normal
> letter and not variable for example, and the is the rest of ho=
> w
> windows uses the sort of identity.
> machinename$@EXAMPLE.COM <>

You don't need the backslashes in 9.8, earlier versions still need
the backslashes.  $ and @ are special characters in master files
which is why they were escaped.  We added name -> principle routines
in 9.8 which don't do unnecessary escapes.

> Is it normal that I have to put in the Windows identity in the named.conf
> and not the kerberus identity?
> So WS-YBCL150939\$\@EXAMPLE.COM and NOT host/WS-YBCL150939 at EXAMPLE.COM.

It depends on the network.

> What is host .....? I just know the principal as Service-Principal and ther=
> e
> its normally
> for example: DNS/lxdns10t.prim-dns.test1.test at EXAMPLE.TEST
> thanx a lot for all your help,
> cheers,

There are multiple conventions.  Windows does it one way.  MIT does
it a different way.  named has code for both.


Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list