Update-Policy "ms-self" for reverse zone doesn't work - please help

Chris Buxton chris.p.buxton at gmail.com
Fri Jun 24 12:39:41 UTC 2011


If I'm not mistaken, ms-self means that the client's hostname must match the name of the record being updated. This is not the case in the reverse space, where record names end in in-addr.arpa instead of cp.test.

Your DHCP server should own the reverse space. I don't know how else to manage this.

Regards,
Chris Buxton
BlueCat Networks

On Jun 24, 2011, at 1:13 AM, Juergen Dietl wrote:

> Hello,
> 
> I am running bind 9.8 with GSS-TSIG on a SuSE Enterprise 11 PL 1 Server.
> 
> For my forward zones I have the following rules:
> 
> zone    "cp.test" {
>                 type master;
>                 file "forward/cp.test";
>                 notify yes;
>                 update-policy {
>                         grant  MSADC40T$@CP.TEST wildcard * ANY;
>                         grant Key_TEST wildcard * ANY;
>                         grant CP.TEST ms-self * A;
>                 };
> };
> 
> 
> The last line only allows Microsoft clients to set their A record. Works perfectly.
> 
> ---------------------------------------------------------------------------------------------------------------------
> 
> Now I try the same for the reverse zone, and it should allow the client to update only its PTR record.
> 
> Example 1:
> 
> zone    "10.in-addr.arpa" {
>                 type master;
>                 file "reverse/10.in-addr.arpa";
>                 update-policy {
>                         grant  Key_TEST wildcard * ANY;  <---------- (Test-Local-Key works)
>                         grant  CP.TEST ms-self * PTR;         <------- DOESN'T WORK
>                 };
>                 notify yes;
> };
> 
> Example 2:
> 
> zone    "10.in-addr.arpa" {
>                 type master;
>                 file "reverse/10.in-addr.arpa";
>                 update-policy {
>                         grant  Key_TEST wildcard * ANY;
>                         grant  CP.TEST wildcard * PTR;         <------- DOESN'T WORK
>                 };
>                 notify yes;
> };
> 
> 
> Example 3:
> 
> zone    "10.in-addr.arpa" {
>                 type master;
>                 file "reverse/10.in-addr.arpa";
>                 update-policy {
>                         grant  MSADC40T$@CP.TEST ms-self * PTR; <------ DOESN'T WORK
>                         grant  Key_TEST wildcard * ANY;
>                         grant  CP.TEST wildcard * PTR;         <------- DOESN'T WORK
>                 };
>                 notify yes;
> };
> 
> 
> 
> The only solution that works is:
> 
> grant  MSADC40T$@CP.TEST wildcard * PTR;
> 
> So it looks like in the reverse zone it's only possible to name exactly the host that should update its own record, and only with the wildcard command.
> 
> Am I right? Or what am I doing wrong?
> 
> Thanks a lot for all your help.
> Wish you a nice weekend.
> cheers,
> Juergen
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
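As an added illustration that is not part of either message, the following Python model reproduces the grant logic the reply describes: an `ms-self` grant derives the one owner name a machine principal (`MACHINE$@REALM`) may touch, `machine.realm`, so it can never match a PTR owner under `in-addr.arpa`, while a `wildcard` grant matches the caller's identity exactly against the identity field. The rule semantics are a simplified reconstruction, not BIND's code: the name field is treated as ignored for `ms-self`, DNS wildcard expansion is approximated with `fnmatch`, and the client `WS01$@CP.TEST` and the address 10.1.5 are constructed sample values.

```python
"""Model of BIND update-policy evaluation for the ms-self and wildcard rule
types, illustrating why `grant CP.TEST ms-self * PTR` never matches a name
in 10.in-addr.arpa.  Simplified reconstruction, not BIND's implementation."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence


@dataclass(frozen=True)
class Grant:
    """One `grant <identity> <ruletype> <name> <types>;` line."""
    identity: str
    ruletype: str           # "ms-self" or "wildcard" (the two used in the thread)
    name: str               # name field; "*" in every config quoted above
    types: frozenset        # RR types covered; {"ANY"} covers everything


def grant(identity: str, ruletype: str, name: str, *types: str) -> Grant:
    return Grant(identity, ruletype, name, frozenset(t.upper() for t in types))


def _norm(name: str) -> str:
    """Owner names compare case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def ms_self_target(principal: str) -> Optional[str]:
    """Owner name a Windows machine principal may update under ms-self:
    MACHINE$@REALM -> machine.realm.  None if this is not a machine account
    (e.g. a plain TSIG key name such as Key_TEST)."""
    if "@" not in principal:
        return None
    account, realm = principal.split("@", 1)
    if not account.endswith("$") or not realm:
        return None
    return _norm(f"{account[:-1]}.{realm}")


def grant_allows(g: Grant, principal: str, owner: str, rrtype: str) -> bool:
    owner = _norm(owner)
    if "ANY" not in g.types and rrtype.upper() not in g.types:
        return False
    if g.ruletype == "ms-self":
        # Identity field holds the realm.  The caller's realm must match and the
        # owner must be the machine's own FQDN.  Name field ignored (assumption).
        realm = principal.split("@", 1)[1] if "@" in principal else ""
        if realm.upper() != g.identity.upper():
            return False
        return ms_self_target(principal) == owner
    if g.ruletype == "wildcard":
        # Identity must be the caller's exact key name or principal; the name
        # field is a wildcard pattern (fnmatch approximates DNS wildcard rules).
        if g.identity.lower() != principal.lower():
            return False
        return fnmatchcase(owner, _norm(g.name))
    raise ValueError(f"unsupported rule type: {g.ruletype}")


def policy_allows(policy: Sequence[Grant], principal: str, owner: str, rrtype: str) -> bool:
    """An update is granted if any grant line in the policy allows it."""
    return any(grant_allows(g, principal, owner, rrtype) for g in policy)


# Policies as quoted in the thread (Key_TEST omitted; it is a TSIG identity).
FORWARD_POLICY = (
    grant("MSADC40T$@CP.TEST", "wildcard", "*", "ANY"),
    grant("CP.TEST", "ms-self", "*", "A"),
)
REVERSE_EXAMPLE1 = (grant("CP.TEST", "ms-self", "*", "PTR"),)
REVERSE_EXAMPLE2 = (grant("CP.TEST", "wildcard", "*", "PTR"),)
REVERSE_WORKING = (grant("MSADC40T$@CP.TEST", "wildcard", "*", "PTR"),)

if __name__ == "__main__":
    client = "WS01$@CP.TEST"                      # constructed machine account
    print("ms-self target:", ms_self_target(client))
    print("forward  A   ws01.cp.test        ->",
          policy_allows(FORWARD_POLICY, client, "ws01.cp.test", "A"))
    print("forward  A   ws02.cp.test        ->",
          policy_allows(FORWARD_POLICY, client, "ws02.cp.test", "A"))
    print("reverse  PTR ex.1 (ms-self)      ->",
          policy_allows(REVERSE_EXAMPLE1, client, "5.1.10.in-addr.arpa", "PTR"))
    print("reverse  PTR ex.2 (realm as id)  ->",
          policy_allows(REVERSE_EXAMPLE2, "MSADC40T$@CP.TEST", "5.1.10.in-addr.arpa", "PTR"))
    print("reverse  PTR explicit principal  ->",
          policy_allows(REVERSE_WORKING, "MSADC40T$@CP.TEST", "5.1.10.in-addr.arpa", "PTR"))
```

Example 2 fails for a second reason the model also exposes: with `wildcard`, the identity field is compared against the caller's full principal, so `CP.TEST` on its own matches no client, which is why only the grant naming `MSADC40T$@CP.TEST` explicitly takes effect.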