GSS-TSIG update policy identity field

Mark Andrews marka at isc.org
Thu May 12 13:54:21 UTC 2011


In message <BANLkTinCeGUx9+9n6n0Y5t-cuB8vjTgwUA at mail.gmail.com>, Juergen Dietl 
writes:
> 
> Hello Phil, Hello Mark,
> 
> after trying a lot the last hours I came to the same result.
> 
> grant EXAMPLE.COM ms-self * any;
> 
> works. All the other things, for example EXAMPLE.COM krb5-self * any;
> 
> etc., don't work.
> 
> So I will put this rule in any zone with the relating domain. The ms-self
> command is not documented in the BIND manual, just briefly mentioned in the
> command list (1 word).
> I also have to try what all I can use instead of "ANY". The client should
> only be able to do the A and PTR records. I read that there are some
> limitations ....
> 
> Do you have an idea how I can test that I am 100 % sure that the client
> really only can update itself?
> Do you have a link where I can read more about the ms-self feature?
> 
> thanks a lot
> cheers,

This may help.

Index: doc/arm/Bv9ARM-book.xml
===================================================================
RCS file: /proj/cvs/prod/bind9/doc/arm/Bv9ARM-book.xml,v
retrieving revision 1.489
diff -u -r1.489 Bv9ARM-book.xml
--- doc/arm/Bv9ARM-book.xml	8 May 2011 06:49:18 -0000	1.489
+++ doc/arm/Bv9ARM-book.xml	12 May 2011 13:41:34 -0000
@@ -11314,7 +11314,13 @@
 	      The <replaceable>identity</replaceable> field must
 	      contain a fully-qualified domain name.
 	    </para>
-
+	    <para>
+	      For nametypes <varname>krb5-self</varname>,
+	      <varname>ms-self</varname>, <varname>krb5-subdomain</varname>,
+              and <varname>ms-subdomain</varname> the
+	      <replaceable>identity</replaceable> field specifies
+	      the Windows or Kerberos realm of the machine belongs to.
+	    </para>
             <para>
               The <replaceable>nametype</replaceable> field has 13
               values:
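Review bot: the last clause of the new paragraph, "the Windows or Kerberos realm of the machine belongs to", is ungrammatical; write "the Windows or Kerberos realm that the machine belongs to". It also directly follows the sentence "The identity field must contain a fully-qualified domain name", so the two read as contradicting each other; say explicitly that for krb5-self, ms-self, krb5-subdomain and ms-subdomain the identity field holds the realm name (EXAMPLE.COM in the thread's working rule), not a host or principal name.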
@@ -11449,6 +11455,70 @@
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
+			<varname>ms-self</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule takes a Windows machine principal
+			(machine$@REALM) for machine in REALM and
+			and converts it machine.realm allowing the machine 
+                        to update machine.realm.  The REALM to be matched
+			is specified in the <replacable>identity</replacable>
+			field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>ms-subdomain</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule takes a Windows machine principal 
+			(machine$@REALM) for machine in REALM and
+			converts it to machine.realm allowing the machine
+			to update subdomains of machine.realm.  The REALM
+			to be matched is specified in the
+			<replacable>identity</replacable> field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>krb5-self</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule takes a Kerberos machine principal
+			(host/machine at REALM) for machine in REALM and
+			and converts it machine.realm allowing the machine 
+                        to update machine.realm.  The REALM to be matched
+			is specified in the <replacable>identity</replacable>
+			field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>krb5-subdomain</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule takes a Kerberos machine principal 
+			(host/machine at REALM) for machine in REALM and
+			converts it to machine.realm allowing the machine
+			to update subdomains of machine.realm.  The REALM
+			to be matched is specified in the
+			<replacable>identity</replacable> field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
 			<varname>tcp-self</varname>
 		      </para>
 		    </entry> <entry colname="2">
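Review bot: `<replacable>` (four occurrences in the new rows) is not a DocBook element; the hunk above uses `<replaceable>`, and the misspelled tag will fail validation. The ms-self and krb5-self entries also duplicate "and" across the line break ("for machine in REALM and / and converts it machine.realm") and are missing "to"; the ms-subdomain and krb5-subdomain entries have the intended wording, "converts it to machine.realm". The Kerberos principal is written "host/machine at REALM" while the Windows one is "machine$@REALM"; use "@" in both. Since the only difference between the self and subdomain rows is the set of names the machine may update, it would help to state that plainly: the self variants match the machine's own name only, the subdomain variants match names under machine.realm as well.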
> 
> 2011/5/12 Phil Mayers <p.mayers at imperial.ac.uk>
> 
> > On 12/05/11 09:33, Juergen Dietl wrote:
> >
> >> Hello Mark
> >>
> >> I am not that professional in BIND. Normally I am a Cisco expert, but now
> >> I have also been doing BIND for 6 months. I cannot imagine why this post should
> >> help me.
> >>
> >
> > It doesn't really.
> >
> > You should only need this:
> >
> >
> > grant EXAMPLE.COM ms-self * any;
> >
> >
> >
> >> What does this match-type "external" mean? I am not aware of running any
> >> external daemon. Or was this just for the ACLs problem from Phil?
> >>
> >
> > Just for me. Sorry for confusing you.
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
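The semantics the patch documents, as an added Python model that is not BIND's own code: it maps a machine principal to machine.realm, checks the REALM against the identity field, and applies the self/subdomain name test plus the optional types field, so a rule such as `grant EXAMPLE.COM ms-self * any;` can be checked against sample principals. Assumed: comparisons are case-insensitive, the trailing "$" of a Windows machine account is dropped, and a "-subdomain" rule covers machine.realm itself as well as names below it.

```python
# Added model of the update-policy nametypes documented in the patch above; this
# is illustration code, not BIND's implementation.  Assumptions: realm and name
# comparisons are case-insensitive, the trailing "$" of a Windows machine account
# is dropped, and a "-subdomain" rule covers machine.realm itself and names below it.

def principal_to_name(nametype, principal):
    """Map a principal to the DNS name the rule lets it update.
    ms-*   : machine$@REALM     -> machine.realm
    krb5-* : host/machine@REALM -> machine.realm
    Returns (name, realm), or None if the principal has the wrong shape."""
    if "@" not in principal:
        return None
    user, realm = principal.rsplit("@", 1)
    if nametype.startswith("ms-"):
        if not user.endswith("$"):
            return None
        machine = user[:-1]
    elif nametype.startswith("krb5-"):
        if not user.startswith("host/"):
            return None
        machine = user[len("host/"):]
    else:
        raise ValueError("unsupported nametype: " + nametype)
    return (machine + "." + realm).lower(), realm.lower()

def rule_allows(rule, principal, name, rrtype):
    """Evaluate one 'grant IDENTITY NAMETYPE NAME [TYPES]' rule.
    rule is (identity_realm, nametype, types); types is a set of upper-case
    RR type names, or {"ANY"} for the 'any' keyword in the thread's example."""
    identity, nametype, types = rule
    mapped = principal_to_name(nametype, principal)
    if mapped is None:
        return False
    machine_name, realm = mapped
    if realm != identity.lower():  # identity field is the REALM to match
        return False
    target = name.lower().rstrip(".")
    if nametype.endswith("-self"):
        name_ok = target == machine_name
    else:  # -subdomain: machine.realm or anything under it
        name_ok = target == machine_name or target.endswith("." + machine_name)
    type_ok = "ANY" in types or rrtype.upper() in types
    return name_ok and type_ok

if __name__ == "__main__":
    # Constructed check of the rule from the thread: grant EXAMPLE.COM ms-self * any;
    rule = ("EXAMPLE.COM", "ms-self", {"ANY"})
    print(rule_allows(rule, "PC1$@EXAMPLE.COM", "pc2.example.com", "A"))  # False
```

Because the rule maps the principal only to machine.realm, a PTR update for a name under in-addr.arpa is not covered by an ms-self grant even when PTR is listed in the types field; the reverse zone needs its own policy.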