YES!!!! Brilliant!!!! Thanks Rob.

I think it is working now. I have the update-policy setup as follows:

                grant d...@realm wildcard * ANY;
                grant d...@realm wildcard * ANY;
                grant dns_serv...@realm wildcard * ANY;
                deny REALM ms-self * SRV;
                grant REALM ms-self * ANY;

If I understand things correctly I am allowing the DCs and DNS server to update 
any record type in the domain and any subdomains. The clients are allowed to 
update any of their own records except SRV, MX and NS. Do I even need to deny 
NS for ms-self?

If it is truly working correctly, I wonder why I can't deny AAAA records. When 
I add AAAA to the deny statement it blocks A records as well. If try A6 it 
still allows AAAA records to be set by client machines. 
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:

> If you're trying to grant update rights to a specific machine (rather
> than every machine in the realm), something like:
>  grant d...@realm. subdomain dnsname.;
> might work better, where "d...@realm" is (eg) the Kerberos principle
> corresponding to your DC and "dnsname" is the tree to which you want
> to grant rights.  The "$" is a Microsoft-ism.

bind-users mailing list

Reply via email to