GSS-TSIG update-policy clarification
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Fri Mar 23 20:42:17 UTC 2018
Why are you letting the clients register their own addresses in DNS in the first place? If you want a higher level of control, move the DDNS responsibility to the DHCP server.
- Kevin
-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Nicholas Miller
Sent: Friday, March 23, 2018 4:16 PM
To: bind-users at lists.isc.org
Subject: Re: GSS-TSIG update-policy clarification
Thats well and good for an organization that controls ALL of the end points. In a university that isn’t possible.
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder
> On Mar 23, 2018, at 2:04 PM, Mark Andrews <marka at isc.org> wrote:
>
> If you don’t want 6to4 addresses stop the machine configuring them.
>
> Not everything should be done at the DNS level.
> --
> Mark Andrews
>
>> On 24 Mar 2018, at 01:07, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>>
>> As a followup, is there a way to stop Windows systems from adding their 6-to-4 AAAA record? I see little point in adding these records to a domain.
>> _________________________________________________________
>> Nicholas Miller, OIT, University of Colorado at Boulder
>>
>>> On Mar 22, 2018, at 12:13 PM, Mark Andrews <marka at isc.org> wrote:
>>>
>>> This was noted in the release notes and in CHANGES.
>>>
>>> 4885. [security] update-policy rules that otherwise ignore the name
>>> field now require that it be set to "." to ensure
>>> that any type list present is properly interpreted.
>>> [RT #47126]
>>>
>>> krb5-subdomain gets the permitted names from the Kerberos credential
>>> name (host/machine at REALM).
>>>
>>>> On 23 Mar 2018, at 2:50 am, Nicholas Miller <Nicholas.Miller at Colorado.EDU> wrote:
>>>>
>>>> With the latest update to bind our named.conf started reporting errors. I have figured it out but wanted to get clarification about the syntax.
>>>>
>>>> We had been using:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain DOMAIN.EDU CNAME MX SRV TXT;
>>>>
>>>> We are now using:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain . CNAME MX SRV TXT;
>>>>
>>>> Am I to assume that the ‘.’ in the config statement behaves similarly to the ‘.’ in a zone file? It refers back to the zone the update-policy is defining?
>>>>
>>>> Also, what is the difference between using a ‘.’ and a ‘*’? They both refer to all records within the zone.:
>>>>
>>>> deny DOMAIN.EDU krb5-subdomain * MX SRV TXT;
>>>>
>>>> _________________________________________________________
>>>> Nicholas Miller, OIT, University of Colorado at Boulder
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>>
>>
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list