GSS-TSIG update-policy clarification

Nicholas Miller Nicholas.Miller at Colorado.EDU
Fri Mar 23 20:15:54 UTC 2018


That’s well and good for an organization that controls ALL of the end points. In a university that isn’t possible.
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Mar 23, 2018, at 2:04 PM, Mark Andrews <marka at isc.org> wrote:
> 
> If you don’t want 6to4 addresses stop the machine configuring them. 
> 
> Not everything should be done at the DNS level.
> -- 
> Mark Andrews
> 
>> On 24 Mar 2018, at 01:07, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>> 
>> As a followup, is there a way to stop Windows systems from adding their 6-to-4 AAAA record? I see little point in adding these records to a domain.
>> _________________________________________________________
>> Nicholas Miller, OIT, University of Colorado at Boulder
>> 
>>> On Mar 22, 2018, at 12:13 PM, Mark Andrews <marka at isc.org> wrote:
>>> 
>>> This was noted in the release notes and in CHANGES.
>>> 
>>> 4885.   [security]      update-policy rules that otherwise ignore the name
>>>                      field now require that it be set to "." to ensure
>>>                      that any type list present is properly interpreted.
>>>                      [RT #47126]
>>> 
>>> krb5-subdomain gets the permitted names from the Kerberos credential name
>>> (host/machine@REALM).
>>> 
>>>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>>>> 
>>>> With the latest update to BIND, our named.conf started reporting errors. I have figured it out but wanted to get clarification about the syntax.
>>>> 
>>>> We had been using:
>>>> 
>>>>   deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>>>> 
>>>> We are now using:
>>>> 
>>>>   deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>>>> 
>>>> Am I to assume that the ‘.’ in the config statement behaves similarly to the ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>>>> 
>>>> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer to all records within the zone:
>>>> 
>>>>   deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>>>> 
>>>> _________________________________________________________
>>>> Nicholas Miller, OIT, University of Colorado at Boulder
>>>> 
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>>> 
>> 
> 
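
An added example, not part of the thread or of BIND: a small pre-upgrade check that scans named.conf text for update-policy rules whose name field does not satisfy the requirement in CHANGES entry 4885 quoted above. It assumes the rule layout shown in the thread (action, identity, rule type, name, types); only krb5-subdomain is confirmed by the thread as a rule type that ignores the name field, and the RR type set and sample configuration are constructed.

```python
import re

# Rule types whose name field is ignored. Only krb5-subdomain is confirmed by
# the thread; extend the set from the release notes of your BIND version.
NAME_IGNORED = {"krb5-subdomain"}
# Constructed subset of RR type mnemonics, used as a heuristic to spot a rule
# where the name was left out and a type sits in the name position.
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT", "ANY"}

def strip_comments(text):
    """Drop /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def lint_update_policy(conf_text):
    """Return (rule_text, problem) for each rule whose name field is not '.'."""
    findings = []
    blocks = re.findall(r"update-policy\s*\{(.*?)\}", strip_comments(conf_text), re.S)
    for block in blocks:
        for stmt in block.split(";"):
            tok = [t.strip('"') for t in stmt.split()]
            # Layout: (grant|deny) identity ruletype [name] [types...]
            if len(tok) < 3 or tok[0] not in ("grant", "deny") or tok[2] not in NAME_IGNORED:
                continue
            rule = " ".join(stmt.split())
            name = tok[3] if len(tok) > 3 else None
            if name == ".":
                continue
            if name is None:
                findings.append((rule, "name field missing"))
            elif name.upper() in RR_TYPES:
                findings.append((rule, "RR type in name position"))
            else:
                findings.append((rule, "name must be '.'"))
    return findings

# Constructed sample: the three rules quoted in the thread plus one variant.
SAMPLE = """
zone "domain.edu" {
    update-policy {
        deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT; // old form
        deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;          # new form
        deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
        deny DOMAIN.EDU krb5-subdomain CNAME MX SRV TXT;  /* name left out */
    };
};
"""

for rule, problem in lint_update_policy(SAMPLE):
    print(f"{problem}: {rule}")
```

named-checkconf from the upgraded BIND remains the authoritative check; this only surfaces the affected rules before the upgrade.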


