GSS-TSIG update policy identity field
Nicholas F Miller
nicholas.miller at Colorado.EDU
Wed May 11 13:50:05 UTC 2011
Try:
grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder
On May 11, 2011, at 7:08 AM, Juergen Dietl wrote:
> Hello,
>
> and thanks for all your answers.
>
> I want to ask the question again in a shorter way:
>
> If I look in the log the client tells the dns-server:
> request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST
>
> when I now put in the rule:
> grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
>
> ONLY THIS client is allowed to make updates. So I would have to make 50k lines - one for each client :-)
>
> So I look for a way that I can say that all clients from EXAMPLE.TEST are allowed to update their own record (or whatever).
>
> It should work like this grant *\$\@EXAMPLE.TEST subdomain example.test. ANY;
>
> I also do not know what the $-sign is for and why the syntax is so strange \...\@.
>
> In the named.conf I also use the
> tkey-gssapi-keytab "/etc/krb5.keytab";
>
> I cannot use the
> tkey-gssapi-credential "DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST";
> tkey-domain "EXAMPLE.TEST";
>
> Because I need one key for every domain and so I must join them with KTUTIL, making one big keytab. And with the old syntax I can only use one credential.
>
> Any new idea?
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
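
Added example, not part of the thread and not BIND's code: a simplified Python model of how two update-policy rules scope access, the per-client subdomain grant quoted above and the ms-self rule type described in the BIND 9 ARM, which maps a machine principal machine$@REALM to the name machine.realm. The second principal and all helper names are constructed for illustration, and principals are written without the \$\@ escapes used in named.conf.

```python
# Simplified model of update-policy matching; an illustration, not BIND's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    identity: str   # principal (subdomain rule) or realm (ms-self rule)
    ruletype: str   # only "subdomain" and "ms-self" are modelled here
    name: str       # name field; a placeholder for ms-self

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()

def is_subdomain(name, parent):
    n, p = norm(name), norm(parent)
    return n == p or n.endswith("." + p)

def machine_fqdn(principal):
    """Map machine$@REALM to machine.realm; None if not a machine principal."""
    host, sep, realm = principal.partition("$@")
    if not sep or not host or not realm:
        return None
    return norm(f"{host}.{realm}")

def allowed(rule, principal, update_name):
    if rule.ruletype == "subdomain":
        # Identity must equal the signer; any name in the subtree may be updated.
        return (principal.lower() == rule.identity.lower()
                and is_subdomain(update_name, rule.name))
    if rule.ruletype == "ms-self":
        # Identity is the realm; only the signer's own host name may be updated.
        realm = principal.rpartition("@")[2]
        return (realm.lower() == rule.identity.lower()
                and machine_fqdn(principal) == norm(update_name))
    return False

# Constructed sample data: A is the principal from the thread, B is made up.
PER_CLIENT = Grant("WS-YBCL150939$@EXAMPLE.TEST", "subdomain", "example.test.")
REALM_SELF = Grant("EXAMPLE.TEST", "ms-self", ".")
A = "WS-YBCL150939$@EXAMPLE.TEST"
B = "WS-OTHER01$@EXAMPLE.TEST"

def demo():
    """Return (per-client result, ms-self result) for four principal/name pairs."""
    cases = [(A, "ws-ybcl150939.example.test."), (A, "www.example.test."),
             (B, "ws-other01.example.test."), (B, "ws-ybcl150939.example.test.")]
    return [(allowed(PER_CLIENT, p, n), allowed(REALM_SELF, p, n)) for p, n in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this model the per-client rule lets its one principal change any name in the zone, while the realm-wide ms-self rule lets every machine principal change only its own name.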