path: root/source4/setup/named.conf
#
# Insert these snippets into your named.conf or bind.conf to configure
# the BIND nameserver.
#

# If you have a very recent BIND that supports GSS-TSIG,
# insert this into options {} (otherwise omit it; it is not required if this server does not accept updates)
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";

# You should always include the actual zone configuration reference:
zone "${DNSDOMAIN}." IN {
        type master;
        /* relative paths are resolved against the "directory" option in options {} */
        file "${DNSDOMAIN}.zone";
	update-policy {
		/* use ANY only for Domain controllers for now */
		/* for normal machines A, AAAA and PTR is probably all that is needed */
		/* identity is the Kerberos host principal of this DC; nametype "name"
		   matches only the exact FQDN given, so this principal may update records
		   of any type at its own name and nothing else in the zone (no other rule
		   matches, and BIND denies updates that match no rule) */
		grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
	};
};

# Also, you need to change your init scripts to set this environment variable
# for named: KRB5_KTNAME so that it points to the keytab generated.
# In RedHat derived systems such as RHEL/CentOS/Fedora you can add the following
# line to the /etc/sysconfig/named file:
# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
#
# Please note that most distributions have BIND configured to run under
# a non-root user account.  For example, Fedora Core 6 (FC6) runs BIND as
# the user "named" once the daemon relinquishes its rights.  Therefore,
# the file "${DNS_KEYTAB}" must be readable by the user that BIND runs as.
# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
# permissions altered to allow the daemon to read it.  In the FC6
# example, execute the commands:
# 
# chgrp named ${DNS_KEYTAB_ABS}
# chmod g+r ${DNS_KEYTAB_ABS}