GSS-TSIG update-policy clarification

Mark Andrews marka at isc.org
Fri Mar 23 20:04:51 UTC 2018


If you don’t want 6to4 addresses, stop the machine configuring them.

Not everything should be done at the DNS level.
-- 
Mark Andrews

> On 24 Mar 2018, at 01:07, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
> 
> As a followup, is there a way to stop Windows systems from adding their 6-to-4 AAAA record? I see little point in adding these records to a domain.
> _________________________________________________________
> Nicholas Miller, OIT, University of Colorado at Boulder
> 
>> On Mar 22, 2018, at 12:13 PM, Mark Andrews <marka at isc.org> wrote:
>> 
>> This was noted in the release notes and in CHANGES.
>> 
>> 4885.   [security]      update-policy rules that otherwise ignore the name
>>                       field now require that it be set to "." to ensure
>>                       that any type list present is properly interpreted.
>>                       [RT #47126]
>> 
>> krb5-subdomain gets the permitted names from the Kerberos credential name
>> (host/machine at REALM).
>> 
>>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>>> 
>>> With the latest update to BIND, our named.conf started reporting errors. I have figured it out but wanted to get clarification about the syntax.
>>> 
>>> We had been using:
>>> 
>>>    deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>>> 
>>> We are now using:
>>> 
>>>    deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>>> 
>>> Am I to assume that the ‘.’ in the config statement behaves similarly to the ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>>> 
>>> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer to all records within the zone:
>>> 
>>>    deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>>> 
>>> _________________________________________________________
>>> Nicholas Miller, OIT, University of Colorado at Boulder
>> 
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>> 
> 
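
As an added example (not from the thread or from ISC), a small Python audit for CHANGES entry 4885 quoted above: it scans named.conf text for update-policy rules of a name-ignoring rule type whose name field is not ".". The function name, the sample config and the RR-type check are assumptions; only krb5-subdomain is listed because it is the one rule type the thread confirms.

```python
import re

# Rule types whose name field is ignored. The thread confirms only
# krb5-subdomain; extend this set from the ARM of your BIND version.
NAME_IGNORED = {"krb5-subdomain"}
# A few RR type mnemonics, used to spot a type sitting in the name position.
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT", "ANY"}

COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
BLOCK = re.compile(r"update-policy\s*\{(.*?)\}", re.S)

def audit_update_policy(conf_text):
    """Return (rule, problem) pairs for rules whose name field is not '.'."""
    findings = []
    for block in BLOCK.findall(COMMENT.sub("", conf_text)):
        for rule in block.split(";"):
            tok = rule.split()
            # Layout: grant|deny identity ruletype [name] [types...]
            if len(tok) < 3 or tok[0] not in ("grant", "deny"):
                continue
            if tok[2] not in NAME_IGNORED:
                continue
            name = tok[3] if len(tok) > 3 else None
            if name == ".":
                continue
            if name is None:
                problem = "name field missing; set it to '.'"
            elif name.upper() in RR_TYPES:
                problem = f"'{name}' is in the name position; put '.' before the type list"
            else:
                problem = f"name '{name}' is ignored by {tok[2]}; replace it with '.'"
            findings.append((" ".join(tok), problem))
    return findings

# Constructed sample built from the rules quoted in the thread.
SAMPLE = """
zone "DOMAIN.EDU" {
    update-policy {
        deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;  // old form
        deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;           /* new form */
        deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
        deny DOMAIN.EDU krb5-subdomain CNAME MX;   # name left out (constructed)
    };
};
"""

if __name__ == "__main__":
    for rule, problem in audit_update_policy(SAMPLE):
        print(f"{rule}\n    -> {problem}")
```
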