summaryrefslogtreecommitdiff
path: root/source4/setup/named.conf
blob: 18e3300cea6d20a567b68d51cbcb9405a839fb4b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# This file should be included in your main BIND configuration file
#
# For example with
# include "${PRIVATE_DIR}/named.conf";

zone "${DNSDOMAIN}." IN {
	type master;
	file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
	/*
	 * Attention: Not all BIND versions support "ms-self". The instead use
	 * of allow-update { any; }; is another, but less secure possibility.
	 */
	update-policy {
		/*
		 * A rather long description here, as the "ms-self" option does
		 * not appear in any docs yet (it can only be found in the
		 * source code).
		 *
		 * The short of it is that each host is allowed to update its
		 * own A and AAAA records, when the update request is properly
		 * signed by the host itself.
		 *
		 * The long description is (look at the
		 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
		 * its definition in lib/dns/gssapictx.c for details):
		 *
		 * A GSS-TSIG update request will be signed by a given signer
		 * (e.g. machine-name$@${REALM}).  The signer name is split into
		 * the machine component (e.g. "machine-name") and the realm
		 * component (e.g. "${REALM}").  The update is allowed if the
		 * following conditions are met:
		 *
		 * 1) The machine component of the signer name matches the first
		 * (host) component of the FQDN that is being updated.
		 *
		 * 2) The realm component of the signer name matches the realm
		 * in the grant statement below (${REALM}).
		 *
		 * 3) The domain component of the FQDN that is being updated
		 * matches the realm in the grant statement below.
		 *
		 * If the 3 conditions above are satisfied, the update succeeds.
		 */
		grant ${REALM} ms-self * A AAAA;
	};

	/* we need to use check-names ignore so _msdcs A records can be created */
	check-names ignore;
};

# The reverse zone configuration is optional.  The following example assumes a
# subnet of 192.168.123.0/24:

/*
zone "123.168.192.in-addr.arpa" in {
	type master;
	file "123.168.192.in-addr.arpa.zone";
	update-policy {
		grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
	};
};
*/

# Note that the reverse zone file is not created during the provision process.

# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates.  If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.