GSS-TSIG update policy identity field

Mark Andrews marka at
Wed May 11 13:55:25 UTC 2011

In message <4DCA7893.5060402 at>, Phil Mayers writes:
> On 11/05/11 12:17, Mark Andrews wrote:
> > {ms,krb5}-subdomain allows updates of *.machinename
> One note - this isn't so handy if you have a disjoint namespace, where:
> machinename.*
> what you want. We are in this boat, and can't use the built in 
> ACLs for this very reason.

This from 9.8 should help you.

3003.   [experimental]  Added update-policy match type "external",
                        enabling named to defer the decision of whether to
                        allow a dynamic update to an external daemon.
                        (Contributed by Andrew Tridgell.) [RT #22758]

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list