GSS-TSIG update policy identity field
Mark Andrews
marka at isc.org
Thu May 12 13:54:21 UTC 2011
In message <BANLkTinCeGUx9+9n6n0Y5t-cuB8vjTgwUA at mail.gmail.com>, Juergen Dietl writes:
>
> Hello Phil, Hello Mark,
>
> After trying a lot in the last hours I came to the same result.
>
> grant EXAMPLE.COM ms-self * any;
>
> works. All the other things, for example EXAMPLE.COM krb5-self * any;
>
> etc. don't work.
>
> So I will put this rule in any zone with the related domain. The ms-self
> command is not documented in the BIND manual, just briefly mentioned in the
> command list (1 word).
> I also have to try what I can use instead of "ANY". The client should
> only be able to do the A and PTR records. I read that there are some
> limitations ....
>
> Do you have an idea how I can test that I am 100% sure that the client
> really can only update itself?
> Do you have a link where I can read more about the ms-self feature?
>
> thanks a lot
> cheers,
This may help.
Index: doc/arm/Bv9ARM-book.xml
===================================================================
RCS file: /proj/cvs/prod/bind9/doc/arm/Bv9ARM-book.xml,v
retrieving revision 1.489
diff -u -r1.489 Bv9ARM-book.xml
--- doc/arm/Bv9ARM-book.xml 8 May 2011 06:49:18 -0000 1.489
+++ doc/arm/Bv9ARM-book.xml 12 May 2011 13:41:34 -0000
@@ -11314,7 +11314,13 @@
The <replaceable>identity</replaceable> field must
contain a fully-qualified domain name.
</para>
-
+ <para>
+ For nametypes <varname>krb5-self</varname>,
+ <varname>ms-self</varname>, <varname>krb5-subdomain</varname>,
+ and <varname>ms-subdomain</varname> the
+ <replaceable>identity</replaceable> field specifies
+ the Windows or Kerberos realm of the machine belongs to.
+ </para>
<para>
The <replaceable>nametype</replaceable> field has 13
values:
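Review bot: the added paragraph ends "the Windows or Kerberos realm of the machine belongs to", which does not parse; make it "the Windows or Kerberos realm that the machine belongs to". It also contradicts the sentence kept as context directly above it, "The identity field must contain a fully-qualified domain name", which is no longer true for these four nametypes (the thread's working rule puts the realm EXAMPLE.COM there); qualify that sentence, for example "Except for the nametypes noted below, the identity field must contain a fully-qualified domain name", so a reader configuring ms-self is not told to supply an FQDN where a realm is expected. The context line "The nametype field has 13 values:" is left unchanged; confirm that count still matches the table once the four rows from the second hunk are in.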
@@ -11449,6 +11455,70 @@
<row rowsep="0">
<entry colname="1">
<para>
+ <varname>ms-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Windows machine principal
+ (machine$@REALM) for machine in REALM and
+ and converts it machine.realm allowing the machine
+ to update machine.realm. The REALM to be matched
+ is specified in the <replacable>identity</replacable>
+ field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ms-subdomain</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Windows machine principal
+ (machine$@REALM) for machine in REALM and
+ converts it to machine.realm allowing the machine
+ to update subdomains of machine.realm. The REALM
+ to be matched is specified in the
+ <replacable>identity</replacable> field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>krb5-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Kerberos machine principal
+ (host/machine at REALM) for machine in REALM and
+ and converts it machine.realm allowing the machine
+ to update machine.realm. The REALM to be matched
+ is specified in the <replacable>identity</replacable>
+ field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>krb5-subdomain</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule takes a Kerberos machine principal
+ (host/machine at REALM) for machine in REALM and
+ converts it to machine.realm allowing the machine
+ to update subdomains of machine.realm. The REALM
+ to be matched is specified in the
+ <replacable>identity</replacable> field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
<varname>tcp-self</varname>
</para>
</entry> <entry colname="2">
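Review bot: `<replacable>` in all four new rows (ms-self, ms-subdomain, krb5-self, krb5-subdomain) is misspelled; the element is `<replaceable>`, as the first hunk's context uses, and the misspelled tag will fail DocBook validation of the ARM source. The ms-self and krb5-self descriptions also read "for machine in REALM and and converts it machine.realm": drop the doubled "and" and insert "to", matching the wording already used in the two -subdomain rows ("converts it to machine.realm"). Finally, the Kerberos principal is written "host/machine at REALM" while the Windows one is "machine$@REALM"; if the " at " is not list-archive address munging, the source should use "@" in both so the two principal forms are shown consistently.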
>
> 2011/5/12 Phil Mayers <p.mayers at imperial.ac.uk>
>
> > On 12/05/11 09:33, Juergen Dietl wrote:
> >
> >> Hello Mark
> >>
> >> I am not that professional in BIND. Normally I am a Cisco expert, but now
> >> I have also been doing BIND for 6 months. I cannot imagine why this post should
> >> help me.
> >>
> >
> > It doesn't really.
> >
> > You should only need this:
> >
> >
> > grant EXAMPLE.COM ms-self * any;
> >
> >
> >
> >> What does this match-type "external" mean? I am not aware of running any
> >> external daemon. Or was this just for the ACL problem from Phil?
> >>
> >
> > Just for me. Sorry for confusing you.
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
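The thread's working rule is `grant EXAMPLE.COM ms-self * any;`, and the question left open is how to be sure a client can update only its own name. The following is an added illustrative model, written for this archive page; it is not BIND's code and not from the thread. It implements the identity-to-name derivation the patch above documents (machine$@REALM or host/machine@REALM becomes machine.realm, the REALM must equal the identity field, and -self allows only that name while -subdomain allows names beneath it) together with the RR-type restriction of the grant. Assumptions, marked in comments: the realm comparison is an exact string match; the -subdomain check follows the DNS convention that a name is a subdomain of itself; the `*` name field of the grant is not modelled; the principals, names and the policy in the demo are constructed for the example.

```python
"""Illustrative model of BIND update-policy GSS-TSIG nametypes.

Added example for this thread, not BIND's own code.  It models how a
`grant <identity> <nametype> * <types>;` rule with nametype ms-self,
ms-subdomain, krb5-self or krb5-subdomain maps the authenticated
principal to a DNS name and decides whether an update is permitted.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Windows machine principal:  machine$@REALM
_MS_PRINCIPAL = re.compile(r"^([^/@$]+)\$@([^@]+)$")
# Kerberos host principal:    host/machine@REALM
_KRB5_PRINCIPAL = re.compile(r"^host/([^/@]+)@([^@]+)$")


@dataclass(frozen=True)
class Grant:
    identity: str          # realm the principal must belong to, e.g. "EXAMPLE.COM"
    nametype: str          # ms-self | ms-subdomain | krb5-self | krb5-subdomain
    types: FrozenSet[str]  # upper-case RR types allowed; {"ANY"} means every type


def principal_to_name(principal: str, nametype: str) -> Optional[Tuple[str, str]]:
    """Map a principal to (derived DNS name, REALM), or None if the principal
    does not have the shape this nametype expects."""
    pattern = _MS_PRINCIPAL if nametype.startswith("ms-") else _KRB5_PRINCIPAL
    m = pattern.match(principal)
    if m is None:
        return None
    machine, realm = m.groups()
    # As documented in the patch: "machine" in REALM becomes machine.realm.
    return f"{machine}.{realm}".lower(), realm


def _labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")


def same_name(a: str, b: str) -> bool:
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return _labels(a) == _labels(b)


def subdomain_of(name: str, parent: str) -> bool:
    """Assumption: DNS convention that a name is also a subdomain of itself."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def rule_permits(grant: Grant, principal: str, target: str, rrtype: str) -> bool:
    """True if this single grant rule lets `principal` update `rrtype` at `target`."""
    derived = principal_to_name(principal, grant.nametype)
    if derived is None:
        return False                    # wrong principal shape for this nametype
    derived_name, realm = derived
    if realm != grant.identity:         # assumption: exact match of the realm text
        return False
    if grant.nametype.endswith("-self"):
        if not same_name(target, derived_name):
            return False
    elif grant.nametype.endswith("-subdomain"):
        if not subdomain_of(target, derived_name):
            return False
    else:
        raise ValueError(f"unsupported nametype {grant.nametype!r}")
    return "ANY" in grant.types or rrtype.upper() in grant.types


def policy_permits(grants: Iterable[Grant], principal: str, target: str, rrtype: str) -> bool:
    """A policy made only of grant rules permits the update if any rule matches."""
    return any(rule_permits(g, principal, target, rrtype) for g in grants)


if __name__ == "__main__":
    # The rule from the thread: grant EXAMPLE.COM ms-self * any;
    policy = [Grant("EXAMPLE.COM", "ms-self", frozenset({"ANY"}))]
    # Constructed sample requests: (principal, target name, RR type)
    for principal, target, rrtype in [
        ("PC1$@EXAMPLE.COM", "pc1.example.com", "A"),
        ("PC1$@EXAMPLE.COM", "pc2.example.com", "A"),
        ("PC1$@EXAMPLE.COM", "1.0.0.10.in-addr.arpa", "PTR"),
        ("PC1$@OTHER.COM", "pc1.other.com", "A"),
    ]:
        verdict = "allowed" if policy_permits(policy, principal, target, rrtype) else "refused"
        print(f"{principal:>20} -> {target:<24} {rrtype:<4} {verdict}")
```

Two consequences of the documented rule are worth seeing in the model: the `*` and `any` parts of the thread's rule do not widen the name match, so PC1$@EXAMPLE.COM still cannot touch pc2.example.com; and a PTR record in a reverse zone such as in-addr.arpa is never machine.realm, so an ms-self grant on the reverse zone does not let the machine register its own PTR. To check a live server rather than the model, run nsupdate -g (GSS-TSIG mode) with the machine's Kerberos credentials and confirm that an update to any name other than the machine's own is answered REFUSED and logged as denied by named.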