Update-Policy "ms-self" for reverse zone doesn't work - please help
Chris Buxton
chris.p.buxton at gmail.com
Fri Jun 24 12:39:41 UTC 2011
If I'm not mistaken, ms-self means that the client's hostname must match the name of the record being updated. This is not the case in the reverse space, where record names end in in-addr.arpa instead of cp.test.
Your DHCP server should own the reverse space. I don't know how else to manage this.
Regards,
Chris Buxton
BlueCat Networks
On Jun 24, 2011, at 1:13 AM, Juergen Dietl wrote:
> Hello,
>
> I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.
>
> For my forward zones I have the following rules:
>
> zone "cp.test" {
> type master;
> file "forward/cp.test";
> notify yes;
> update-policy {
> grant MSADC40T$@CP.TEST wildcard * ANY;
> grant Key_TEST wildcard * ANY;
> grant CP.TEST ms-self * A;
> };
> };
>
>
> The last line only allows Microsoft clients to set their own A record. Works perfectly.
>
> ---------------------------------------------------------------------------------------------------------------------
>
> Now I am trying the same for the reverse zone; it should allow the client to update only its own PTR record.
>
> Example 1:
>
> zone "10.in-addr.arpa" {
> type master;
> file "reverse/10.in-addr.arpa";
> update-policy {
> grant Key_TEST wildcard * ANY; <---------- (test local key works)
> grant CP.TEST ms-self * PTR; <------- DOESN'T WORK
> };
> notify yes;
> };
>
> Example 2:
>
> zone "10.in-addr.arpa" {
> type master;
> file "reverse/10.in-addr.arpa";
> update-policy {
> grant Key_TEST wildcard * ANY;
> grant CP.TEST wildcard * PTR; <------- DOESN'T WORK
> };
> notify yes;
> };
>
>
> Example 3:
>
> zone "10.in-addr.arpa" {
> type master;
> file "reverse/10.in-addr.arpa";
> update-policy {
> grant MSADC40T$@CP.TEST ms-self * PTR; <------ DOESN'T WORK
> grant Key_TEST wildcard * ANY;
> grant CP.TEST wildcard * PTR; <------- DOESN'T WORK
> };
> notify yes;
> };
>
>
>
> Only solution that works is:
>
> grant MSADC40T$@CP.TEST wildcard * PTR;
>
> So it looks like in the reverse zone it is only possible to name exactly the host that should update its own record, and only by using it with the wildcard rule.
>
> Am I right? Or what am I doing wrong?
>
> Thanks a lot for all your help.
> Wish you a nice weekend.
> cheers,
> Juergen
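Chris's point about what ms-self actually matches, worked through as an added example (this is not code from the thread and not BIND's implementation): a small Python model of update-policy evaluation for the two rule types used above, wildcard and ms-self, following BIND's documented semantics. A wildcard grant matches when the signer equals the identity field and the updated name matches the name field; an ms-self grant treats the identity field as a Kerberos realm, requires a machine principal of the form machine$@REALM as signer, and permits only the name machine.realm. The realm CP.TEST, the account MSADC40T$ and the key Key_TEST are taken from the thread; the workstation principal PC01$@CP.TEST and the address 10.0.1.5 are constructed sample input. The model ignores zone boundaries, deny rules and the other rule types.

```python
"""Simplified model of BIND update-policy evaluation for the grant rule
types 'wildcard' and 'ms-self'. Added illustration, not BIND's own code.
Names and identities are compared case-insensitively, without trailing dot.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class Grant:
    identity: str            # signer name, or the realm for ms-self
    ruletype: str            # "wildcard" or "ms-self"
    name: str                # name field; "*" matches any name
    types: Tuple[str, ...]   # RR types allowed, ("ANY",) for all


def _wildcard_matches(pattern: str, name: str) -> bool:
    p, n = _norm(pattern), _norm(name)
    if p == "*":
        return True
    if p.startswith("*."):
        suffix = p[1:]                        # e.g. ".cp.test"
        return n.endswith(suffix) and len(n) > len(suffix)
    return p == n


def _ms_self_matches(grant: Grant, signer: str, name: str) -> bool:
    # Signer must be MACHINE$@REALM and REALM must equal the identity field.
    machine, sep, realm = signer.partition("@")
    if not sep or not machine.endswith("$"):
        return False
    if _norm(realm) != _norm(grant.identity):
        return False
    # The only name a machine principal may update is machine.realm;
    # the grant's name field is not consulted in this model.
    return _norm(name) == f"{machine[:-1].lower()}.{_norm(realm)}"


def grant_allows(grant: Grant, signer: str, name: str, rrtype: str) -> bool:
    if "ANY" not in grant.types and rrtype.upper() not in grant.types:
        return False
    if grant.ruletype == "wildcard":
        return (_norm(grant.identity) == _norm(signer)
                and _wildcard_matches(grant.name, name))
    if grant.ruletype == "ms-self":
        return _ms_self_matches(grant, signer, name)
    raise ValueError(f"unsupported rule type {grant.ruletype!r}")


def policy_allows(policy: Tuple[Grant, ...], signer: str, name: str, rrtype: str) -> bool:
    """True if any grant in the zone's update-policy permits the update."""
    return any(grant_allows(g, signer, name, rrtype) for g in policy)


# zone "cp.test" update-policy from the thread
FORWARD_POLICY = (
    Grant("MSADC40T$@CP.TEST", "wildcard", "*", ("ANY",)),
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
    Grant("CP.TEST", "ms-self", "*", ("A",)),
)

# zone "10.in-addr.arpa", Example 3 from the thread
REVERSE_EXAMPLE3 = (
    Grant("MSADC40T$@CP.TEST", "ms-self", "*", ("PTR",)),
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
    Grant("CP.TEST", "wildcard", "*", ("PTR",)),
)

# zone "10.in-addr.arpa" with the one grant the poster reports as working
REVERSE_WORKING = (
    Grant("MSADC40T$@CP.TEST", "wildcard", "*", ("PTR",)),
    Grant("Key_TEST", "wildcard", "*", ("ANY",)),
)


def run_checks() -> Dict[str, bool]:
    client = "PC01$@CP.TEST"              # constructed workstation principal
    dc = "MSADC40T$@CP.TEST"
    ptr = "5.1.0.10.in-addr.arpa."        # constructed PTR owner for 10.0.1.5
    return {
        "fwd_own_a": policy_allows(FORWARD_POLICY, client, "pc01.cp.test.", "A"),
        "fwd_other_a": policy_allows(FORWARD_POLICY, client, "pc02.cp.test.", "A"),
        "fwd_own_aaaa": policy_allows(FORWARD_POLICY, client, "pc01.cp.test.", "AAAA"),
        "rev_client_example3": policy_allows(REVERSE_EXAMPLE3, client, ptr, "PTR"),
        "rev_dc_example3": policy_allows(REVERSE_EXAMPLE3, dc, ptr, "PTR"),
        "rev_key_example3": policy_allows(REVERSE_EXAMPLE3, "Key_TEST", ptr, "PTR"),
        "rev_dc_working": policy_allows(REVERSE_WORKING, dc, ptr, "PTR"),
        "rev_client_working": policy_allows(REVERSE_WORKING, client, ptr, "PTR"),
    }


if __name__ == "__main__":
    for check, allowed in run_checks().items():
        print(f"{check:22s} {'ALLOWED' if allowed else 'denied'}")
```

Running it reproduces the thread's observations: in the forward zone the workstation may update pc01.cp.test (A only) and nothing else, while in 10.in-addr.arpa none of Examples 1 to 3 let either the workstation or the MSADC40T$ account touch a PTR. The ms-self grants fail because the permitted name is derived from the signer's principal and is therefore always machine.realm, never a name under in-addr.arpa, and because an identity of MSADC40T$@CP.TEST is read as a realm that no signer carries; the `grant CP.TEST wildcard * PTR` line fails because the identity field of a wildcard grant must equal the signer, and nothing signs as plain CP.TEST. Only the literal `grant MSADC40T$@CP.TEST wildcard * PTR` matches, which is why handing the reverse zone to the DHCP server or another named account, as Chris suggests, is the workable approach.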