GSS-TSIG update policy identity field

Juergen Dietl isclists01 at googlemail.com
Thu May 12 08:34:13 UTC 2011


Hi Nicholas,

Thanks for your hint, but unfortunately it also gets refused.

cheers,


2011/5/11 Nicholas F Miller <nicholas.miller at colorado.edu>

> Try:
>
> grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder
>
>
>
> On May 11, 2011, at 7:08 AM, Juergen Dietl wrote:
>
> > Hello,
> >
> > and thanks for all your answers.
> >
> > I want to ask the question again in a shorter way:
> >
> > If I look in the log the client tells the dns-server:
> > request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST
> >
> > when I now put in the rule:
> > grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
> >
> > ONLY THIS client is allowed to make updates. So I would have to make 50k lines - one for each client :-)
> >
> > So I look for a way that I can say that all clients from EXAMPLE.TEST are allowed to update their own record (or whatever).
> >
> > It should work like this: grant *\$\@EXAMPLE.TEST subdomain example.test. ANY;
> >
> > I also do not know what the $-sign is for and why the syntax is so strange \...\@.
> >
> > In the named.conf I also use the
> > tkey-gssapi-keytab "/etc/krb5.keytab";
> >
> > I cannot use the
> > tkey-gssapi-credential "DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST";
> > tkey-domain "EXAMPLE.TEST";
> >
> > Because I need one key for every domain and so I must join them with KTUTIL making one big keytab. And with the old syntax I can only use one credential.
> >
> > Any new idea?
> >
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users