GSS-TSIG update policy identity field
Juergen Dietl
isclists01 at googlemail.com
Wed May 11 13:08:09 UTC 2011
Hello,
and thanks for all your answers.
I want to ask the question again in a shorter way:
If I look in the log the client tells the dns-server:
request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST
when I now put in the rule:
grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
ONLY THIS client is allowed to make updates. So I would have to make 50k
lines - one for each client :-)
So I look for a way that I can say that all clients from EXAMPLE.TEST are
allowed to update their own record (or whatever).
It should work like this:
grant *\$\@EXAMPLE.TEST subdomain example.test. ANY;
I also do not know what the $-sign is for and why the syntax is so strange
\...\@.
In the named.conf I also use the
tkey-gssapi-keytab "/etc/krb5.keytab";
I cannot use the
tkey-gssapi-credential "DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST";
tkey-domain "EXAMPLE.TEST";
Because I need one key for every domain and so I must join them with KTUTIL
making one big keytab. And with the old syntax I can only use one credential.
Any new idea?