blob: 18e3300cea6d20a567b68d51cbcb9405a839fb4b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
# This file should be included in your main BIND configuration file
#
# For example with
# include "${PRIVATE_DIR}/named.conf";
zone "${DNSDOMAIN}." IN {
type master;
file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
/*
* Attention: Not all BIND versions support "ms-self". The instead use
* of allow-update { any; }; is another, but less secure possibility.
*/
update-policy {
/*
* A rather long description here, as the "ms-self" option does
* not appear in any docs yet (it can only be found in the
* source code).
*
* The short of it is that each host is allowed to update its
* own A and AAAA records, when the update request is properly
* signed by the host itself.
*
* The long description is (look at the
* dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
* its definition in lib/dns/gssapictx.c for details):
*
* A GSS-TSIG update request will be signed by a given signer
* (e.g. machine-name$@${REALM}). The signer name is split into
* the machine component (e.g. "machine-name") and the realm
* component (e.g. "${REALM}"). The update is allowed if the
* following conditions are met:
*
* 1) The machine component of the signer name matches the first
* (host) component of the FQDN that is being updated.
*
* 2) The realm component of the signer name matches the realm
* in the grant statement below (${REALM}).
*
* 3) The domain component of the FQDN that is being updated
* matches the realm in the grant statement below.
*
* If the 3 conditions above are satisfied, the update succeeds.
*/
grant ${REALM} ms-self * A AAAA;
};
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};
# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.123.0/24:
/*
zone "123.168.192.in-addr.arpa" in {
type master;
file "123.168.192.in-addr.arpa.zone";
update-policy {
grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
};
};
*/
# Note that the reverse zone file is not created during the provision process.
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates. If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
|