GSS-TSIG and Active Directory

Nicholas F Miller Nicholas.Miller at Colorado.EDU
Tue Oct 5 18:45:56 UTC 2010


Is there a bug in the implementation of the update-policy or do I not have a grasp on how it should work?

If I wanted to only allow machines in an Active Directory the ability to update their 'A' records, shouldn't I be able to use a statement like this:

        update-policy {
                grant <REALM> ms-self * A;
        }

For some reason the only thing that works is setting a grant ANY and then restricting records with a deny before the grant statement. This seems like overkill if all I want to allow is 'A' records.

Also, it appears that you cannot deny 'AAAA' and allow 'A'. Any time I set a deny for 'AAAA' it also blocks 'A' records.

Are these bugs or by design?
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder
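The rule-evaluation semantics behind the policies discussed in this thread (rules are checked in order, the first matching rule decides, and an update no rule matches is refused), as an added Python model written for this page. It is not BIND's own code: it follows the rule semantics the BIND ARM documents for the nametypes used here (name, subdomain, wildcard, ms-self) and assumes that ms-self ignores its name field and derives "machine.realm" from "machine$@REALM", that a wildcard of "*" matches every name, and that identities and realms compare case-insensitively. The realm EXAMPLE.COM, the principals dc1$, dns_server$ and host1$, and the target names are constructed stand-ins for the thread's <REALM>; the ms-self rules use "." as the placeholder name field instead of the "*" used in the thread.

```python
"""Model of BIND 9 update-policy evaluation: first matching rule decides.

Added illustration for this thread, not BIND's own code. Assumptions:
ms-self ignores its name field and maps machine$@REALM to machine.realm;
a wildcard of "*" matches every name; identities and realms are compared
case-insensitively. EXAMPLE.COM and the host names are constructed.
"""

# With no types listed, a rule matches every type except these (ARM wording).
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
# "ANY" matches everything except these, which can never be updated.
NEVER_UPDATABLE = {"NSEC", "NSEC3"}


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_policy(text):
    """Parse 'grant|deny identity nametype name [types...];' statements."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, nametype, name, *types = parts
        if action not in ("grant", "deny"):
            raise ValueError("unknown action: " + action)
        rules.append({"grant": action == "grant",
                      "identity": identity.lower(),
                      "nametype": nametype,
                      "name": _norm(name),
                      "types": {t.upper() for t in types}})
    return rules


def _identity_matches(rule, signer):
    if rule["nametype"] == "ms-self":
        # For ms-self the identity field names the Kerberos realm.
        return rule["identity"] == signer.partition("@")[2].lower()
    return rule["identity"] in ("*", signer.lower())


def _name_matches(rule, signer, target):
    nametype, pattern = rule["nametype"], rule["name"]
    if nametype == "name":
        return target == pattern
    if nametype == "subdomain":
        return target == pattern or target.endswith("." + pattern)
    if nametype == "wildcard":
        if pattern == "*":
            return True  # assumption: the root wildcard matches any name
        if pattern.startswith("*."):
            return target.endswith(pattern[1:])
        return target == pattern
    if nametype == "ms-self":
        # machine$@REALM may update machine.realm; the name field is ignored.
        user, _, realm = signer.partition("@")
        return user.endswith("$") and target == _norm(user[:-1] + "." + realm)
    raise ValueError("nametype not modelled: " + nametype)


def _type_matches(rule, rrtype):
    rrtype = rrtype.upper()
    if rrtype in NEVER_UPDATABLE:
        return False
    if not rule["types"]:
        return rrtype not in IMPLICIT_EXCLUDED
    return "ANY" in rule["types"] or rrtype in rule["types"]


def check_update(rules, signer, target, rrtype):
    """True if signer may update <target, rrtype>; no matching rule means deny."""
    target = _norm(target)
    for rule in rules:
        if (_identity_matches(rule, signer)
                and _name_matches(rule, signer, target)
                and _type_matches(rule, rrtype)):
            return rule["grant"]
    return False


# The thread's working policy, with constructed principals and realm.
THREAD_POLICY = parse_policy("""
    grant dc1$@EXAMPLE.COM wildcard * ANY;
    grant dns_server$@EXAMPLE.COM wildcard * ANY;
    deny EXAMPLE.COM ms-self . SRV;
    grant EXAMPLE.COM ms-self . ANY;
""")

# The narrower policy the poster asked about: machines may touch only their own A.
A_ONLY_POLICY = parse_policy("grant EXAMPLE.COM ms-self . A;")

if __name__ == "__main__":
    for policy, signer, target, rrtype in [
        (THREAD_POLICY, "dc1$@EXAMPLE.COM", "_ldap._tcp.example.com", "SRV"),
        (THREAD_POLICY, "host1$@EXAMPLE.COM", "host1.example.com", "A"),
        (THREAD_POLICY, "host1$@EXAMPLE.COM", "host1.example.com", "SRV"),
        (THREAD_POLICY, "host1$@EXAMPLE.COM", "host1.example.com", "NS"),
        (THREAD_POLICY, "host1$@EXAMPLE.COM", "host2.example.com", "A"),
        (A_ONLY_POLICY, "host1$@EXAMPLE.COM", "host1.example.com", "A"),
        (A_ONLY_POLICY, "host1$@EXAMPLE.COM", "host1.example.com", "AAAA"),
    ]:
        verdict = "grant" if check_update(policy, signer, target, rrtype) else "deny"
        print(f"{signer:22} {target:24} {rrtype:5} -> {verdict}")
```

Two things the model makes visible: under the thread's policy a machine principal can still write its own NS record, because "ANY" in the types field lifts the implicit NS/SOA/RRSIG exclusion that applies only when no types are listed; and rule order matters, since swapping the deny and the grant for SRV lets the grant match first and the deny is never reached. A single `grant REALM ms-self . A;` with no deny needs no companion rule in this model: AAAA simply matches nothing and is refused. Whether a given BIND release behaves this way for ms-self is a question for that release's ARM and testing, which is exactly what the poster is asking.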



On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:

> YES!!!! Brilliant!!!! Thanks Rob.
> 
> I think it is working now. I have the update-policy set up as follows:
> 
>                grant dc1$@REALM wildcard * ANY;
>                grant dc2$@REALM wildcard * ANY;
>                grant dns_server$@REALM wildcard * ANY;
>                deny REALM ms-self * SRV;
>                grant REALM ms-self * ANY;
> 
> If I understand things correctly I am allowing the DCs and DNS server to update any record type in the domain and any subdomains. The clients are allowed to update any of their own records except SRV, MX and NS. Do I even need to deny NS for ms-self?
> 
> If it is truly working correctly, I wonder why I can't deny AAAA records. When I add AAAA to the deny statement it blocks A records as well. If I try A6 it still allows AAAA records to be set by client machines.
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder
> 
> 
> 
> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
> 
>> If you're trying to grant update rights to a specific machine (rather
>> than every machine in the realm), something like:
>> 
>> grant dc$@REALM. subdomain dnsname.;
>> 
>> might work better, where "dc$@REALM" is (e.g.) the Kerberos principal
>> corresponding to your DC and "dnsname" is the tree to which you want
>> to grant rights.  The "$" is a Microsoft-ism.
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



