# This file should be included in your main BIND configuration file # # For example with # include "${PRIVATE_DIR}/named.conf"; zone "${DNSDOMAIN}." IN { type master; file "${PRIVATE_DIR}/${DNSDOMAIN}.zone"; /* * Attention: Not all BIND versions support "ms-self". The instead use * of allow-update { any; }; is another, but less secure possibility. */ update-policy { /* * A rather long description here, as the "ms-self" option does * not appear in any docs yet (it can only be found in the * source code). * * The short of it is that each host is allowed to update its * own A and AAAA records, when the update request is properly * signed by the host itself. * * The long description is (look at the * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and * its definition in lib/dns/gssapictx.c for details): * * A GSS-TSIG update request will be signed by a given signer * (e.g. machine-name$@${REALM}). The signer name is split into * the machine component (e.g. "machine-name") and the realm * component (e.g. "${REALM}"). The update is allowed if the * following conditions are met: * * 1) The machine component of the signer name matches the first * (host) component of the FQDN that is being updated. * * 2) The realm component of the signer name matches the realm * in the grant statement below (${REALM}). * * 3) The domain component of the FQDN that is being updated * matches the realm in the grant statement below. * * If the 3 conditions above are satisfied, the update succeeds. */ grant ${REALM} ms-self * A AAAA; }; /* we need to use check-names ignore so _msdcs A records can be created */ check-names ignore; }; # The reverse zone configuration is optional. The following example assumes a # subnet of 192.168.123.0/24: /* zone "123.168.192.in-addr.arpa" in { type master; file "123.168.192.in-addr.arpa.zone"; update-policy { grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR; }; }; */ # Note that the reverse zone file is not created during the provision process. # The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG # updates. If you are running an earlier version of BIND, or if you do not wish # to use secure GSS-TSIG updates, you may remove the update-policy sections in # both examples above.