GSS-TSIG update-policy clarification
Mark Andrews
marka at isc.org
Fri Mar 23 20:04:51 UTC 2018
If you don’t want 6to4 addresses, stop the machine configuring them.
Not everything should be done at the DNS level.
--
Mark Andrews
> On 24 Mar 2018, at 01:07, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>
> As a followup, is there a way to stop Windows systems from adding their 6-to-4 AAAA record? I see little point in adding these records to a domain.
> _________________________________________________________
> Nicholas Miller, OIT, University of Colorado at Boulder
>
>> On Mar 22, 2018, at 12:13 PM, Mark Andrews <marka at isc.org> wrote:
>>
>> This was noted in the release notes and in CHANGES.
>>
>> 4885. [security] update-policy rules that otherwise ignore the name
>> field now require that it be set to "." to ensure
>> that any type list present is properly interpreted.
>> [RT #47126]
>>
>> krb5-subdomain gets the permitted names from the Kerberos credential name
>> (host/machine@REALM).
>>
>>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>>>
>>> With the latest update to BIND, our named.conf started reporting errors. I have figured it out but wanted to get clarification about the syntax.
>>>
>>> We had been using:
>>>
>>> deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>>>
>>> We are now using:
>>>
>>> deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>>>
>>> Am I to assume that the ‘.’ in the config statement behaves similarly to the ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>>>
>>> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer to all records within the zone:
>>>
>>> deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>>>
>>> _________________________________________________________
>>> Nicholas Miller, OIT, University of Colorado at Boulder
>>>
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>
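As an added example (not part of the thread and not BIND code), this small linter checks the rule shape discussed above: a krb5-subdomain rule whose name field is anything other than ".". The function names, the finding labels, the short RR type list and the contents of `NAME_IGNORED` are assumptions of this example; the last sample rule is constructed and reflects this example's reading of why the CHANGES entry mentions the type list.

```python
# Added illustration, not BIND code. Names and finding labels are hypothetical.

# Rule types treated as ignoring the name field. Only krb5-subdomain is
# confirmed by the thread; this set is an assumption to extend per your BIND docs.
NAME_IGNORED = {"krb5-subdomain"}

# Small sample of RR type mnemonics, used to spot a type sitting in the name slot.
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT"}


def parse_rule(line):
    """Split '(grant|deny) identity ruletype name [types];' into its fields."""
    tokens = line.strip().rstrip(";").split()
    if len(tokens) < 4 or tokens[0] not in ("grant", "deny"):
        return None
    action, identity, ruletype, name, *types = tokens
    return {"action": action, "identity": identity, "ruletype": ruletype,
            "name": name, "types": types}


def lint_rule(line):
    """Return finding labels for one rule; an empty list means it passes."""
    rule = parse_rule(line)
    if rule is None:
        return ["unparsed"]
    if rule["ruletype"] not in NAME_IGNORED or rule["name"] == ".":
        return []
    # The fields are positional, so a rule written without a name has its
    # first type consumed as the name and dropped from the type list.
    if rule["name"].upper() in RR_TYPES:
        return ["type-in-name-slot"]
    return ["name-not-dot"]


# Rules from the thread, plus one constructed rule with the name left out.
SAMPLE_RULES = [
    "deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;",
    "deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;",
    "deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;",
    "deny DOMAIN.EDU krb5-subdomain CNAME MX SRV TXT;",  # constructed
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(lint_rule(rule) or ["ok"], rule)
```

The verdict that matters is the one named itself gives when it loads named.conf; this sketch only covers the single rule shape from the thread.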