Hello,

I am running BIND 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 server.

For my forward zones I have the following rules:

zone "cp.test" {
    type master;
    file "forward/cp.test";
    notify yes;
    update-policy {
        grant MSADC40T$@CP.TEST wildcard * ANY;
        grant Key_TEST wildcard * ANY;
        grant CP.TEST ms-self * A;
    };
};

The last line only allows Microsoft clients to set their A record. Works perfectly.

---------------------------------------------------------------------------------------------------------------------

Now I am trying the same for the reverse zone, and it should make the client only update its PTR record.

Example 1:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant Key_TEST wildcard * ANY;   // <---------- (Test-Local-Key works)
        grant CP.TEST ms-self * PTR;     // <------- DOESN'T WORK
    };
    notify yes;
};

Example 2:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant Key_TEST wildcard * ANY;
        grant CP.TEST wildcard * PTR;    // <------- DOESN'T WORK
    };
    notify yes;
};

Example 3:

zone "10.in-addr.arpa" {
    type master;
    file "reverse/10.in-addr.arpa";
    update-policy {
        grant MSADC40T$@CP.TEST ms-self * PTR;   // <------ DOESN'T WORK
        grant Key_TEST wildcard * ANY;
        grant CP.TEST wildcard * PTR;            // <------- DOESN'T WORK
    };
    notify yes;
};

The only solution that works is:

grant MSADC40T$@CP.TEST wildcard * PTR;

So it looks like in the reverse zone it's only possible to exactly name the host that should update its own record and only use it with the wildcard command.

Am I right? Or what am I doing wrong?

Thanks a lot for all your help.
Wish you a nice weekend.
Cheers,
Juergen
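
An added example (not part of the original post, and not BIND's code): a simplified Python model of how the `wildcard` and `ms-self` rule types are documented to match a signed update, run against the policies quoted above. The client principal `PC01$@CP.TEST` and the owner names are constructed samples, and the matching logic is an assumption based on the documented rule semantics.

```python
# Simplified model of update-policy rule matching; an assumption-based sketch,
# not BIND's implementation. Sample principal and owner names are constructed.

def ms_self_name(principal):
    """Map machine$@REALM to machine.realm, as ms-self is documented to do."""
    machine, sep, realm = principal.partition("$@")
    return f"{machine}.{realm}".lower() if sep and machine and realm else None

def rule_matches(rule, signer, owner, rtype):
    identity, ruletype, name, types = rule
    if "ANY" not in types and rtype not in types:
        return False
    owner, signer = owner.rstrip(".").lower(), signer.lower()
    if ruletype == "wildcard":
        # identity must be the signer itself; name is a DNS wildcard pattern
        if identity.lower() != signer:
            return False
        return name == "*" or owner.endswith(name.lstrip("*").lower())
    if ruletype == "ms-self":
        # identity is the Kerberos realm; only machine.realm may be updated
        if signer.partition("$@")[2] != identity.lower():
            return False
        return owner == ms_self_name(signer)
    return False

def allowed(policy, signer, owner, rtype):
    """True if any grant rule in the policy matches the signed update."""
    return any(rule_matches(r, signer, owner, rtype) for r in policy)

FORWARD = [("MSADC40T$@CP.TEST", "wildcard", "*", {"ANY"}),
           ("Key_TEST", "wildcard", "*", {"ANY"}),
           ("CP.TEST", "ms-self", "*", {"A"})]
EXAMPLE_1 = [("Key_TEST", "wildcard", "*", {"ANY"}),
             ("CP.TEST", "ms-self", "*", {"PTR"})]
EXAMPLE_2 = [("Key_TEST", "wildcard", "*", {"ANY"}),
             ("CP.TEST", "wildcard", "*", {"PTR"})]
WORKING = [("MSADC40T$@CP.TEST", "wildcard", "*", {"PTR"})]

CLIENT = "PC01$@CP.TEST"             # constructed machine principal
PTR_OWNER = "4.3.2.10.in-addr.arpa"  # constructed reverse owner name

if __name__ == "__main__":
    for label, policy in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                          ("working rule", WORKING)]:
        for signer in (CLIENT, "MSADC40T$@CP.TEST"):
            print(label, signer, allowed(policy, signer, PTR_OWNER, "PTR"))
    print("forward A", allowed(FORWARD, CLIENT, "pc01.cp.test", "A"))
```

In this model a reverse owner name can never equal `machine.realm`, so the `ms-self` rules grant nothing in `10.in-addr.arpa`. The one rule that matches names the principal exactly and, with name `*`, covers every PTR owner in the zone rather than only that host's own record.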