GSS-TSIG update policy identity field

Juergen Dietl isclists01 at
Thu May 12 11:50:26 UTC 2011

Hello Phil, Hello Mark,

After trying a lot over the last hours, I came to the same result.

grant EXAMPLE.COM ms-self * any;

works. All the other things, for example EXAMPLE.COM krb5-self * any;

etc., don't work.

So I will put this rule in any zone with the related domain. The ms-self
command is not documented in the BIND manual, just briefly mentioned in the
command list (1 word).
I also have to try what I can use instead of "ANY". The client should
only be able to do the A and PTR record. I read that there are some
limitations ....

Do you have an idea how I can test, so that I am 100 % sure, that the client
really can only update itself?
Do you have a link where I can read more about the ms-self feature?

Thanks a lot

2011/5/12 Phil Mayers <p.mayers at>

> On 12/05/11 09:33, Juergen Dietl wrote:
>> Hello Mark,
>> I am not that professional in BIND. Normally I am a Cisco expert, but now
>> I have also been doing BIND for 6 months. I cannot imagine why this post
>> should help me.
> It doesn't really.
> You should only need this:
> grant EXAMPLE.COM ms-self * any;
>> What does this match-type "external" mean? I am not aware of running any
>> external daemon. Or was this just for the ACLs problem from Phil?
> Just for me. Sorry for confusing you.
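
Added example (not part of the original thread and not code from BIND): one way to check the "client can only update itself" question raised above is to send signed updates for the client's own name, for another host's name and for a non-A type, and compare each result with what the policy should allow. It assumes the rule's type field has been narrowed from `any` to `A`; the host names, addresses, server name and the `NSUPDATE` override variable are constructed for illustration.

```shell
#!/bin/sh
# Test matrix for a "grant EXAMPLE.COM ms-self * A;" rule (assumed policy).
# All host names and addresses below are constructed placeholders.
ZONE=example.com
SERVER=ns1.example.com          # hypothetical primary for the zone
SELF=client1.example.com        # name belonging to the Kerberos ticket in use
OTHER=client2.example.com       # a name this ticket must not be able to change
NSUPDATE=${NSUPDATE:-nsupdate}  # overridable so the logic can be exercised offline

# Emit the nsupdate batch for one "update add".
build_update() {  # args: name type rdata
    printf 'server %s\nzone %s\nupdate add %s 300 %s %s\nsend\n' \
        "$SERVER" "$ZONE" "$1" "$2" "$3"
}

# Send one update with GSS-TSIG (-g) and classify the result.
# "error" (timeout, missing ticket, ...) is kept apart from "refused" so a
# broken test setup is never mistaken for a policy that works.
try_update() {  # args: name type rdata
    if out=$(build_update "$@" | "$NSUPDATE" -g 2>&1); then
        echo ok
    else
        case $out in
            *REFUSED*) echo refused ;;
            *)         echo error ;;
        esac
    fi
}

# Compare each case with the outcome the policy should produce.
# Returns non-zero if any case deviates.
run_matrix() {
    fail=0
    while read -r want name type rdata; do
        got=$(try_update "$name" "$type" "$rdata")
        verdict=PASS
        [ "$got" = "$want" ] || { verdict=FAIL; fail=1; }
        printf '%s %-22s %-4s want=%s got=%s\n' \
            "$verdict" "$name" "$type" "$want" "$got"
    done <<EOF
ok      $SELF  A   192.0.2.10
refused $OTHER A   192.0.2.10
refused $SELF  TXT "ssu-test"
EOF
    return $fail
}
```

Call `run_matrix` on the client after it holds a ticket for its machine principal; the one accepted update leaves a test A record behind that should be deleted afterwards.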