Hello Mark,
thanx a lot for your feedback.
the rule that works at the moment for only ONE client:
grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
Because bind support both it should also work with:
grant ws-ybcl150...@example.test subdomain example.test. ANY;
right?
But for
Hello Mark
i am not that professional in bind. Normally I am a CISCO expert but now I
also do the bind for 6 months. I cannot imagine why this post should help
me.
What do this match-type external mean? I am not aware of running any
external daemon. Or was this just for the ACLs problem from
Hi Nicholas,
thanx for your hint but unfortunately it gets also a refuse.
cheers,
2011/5/11 Nicholas F Miller nicholas.mil...@colorado.edu
Try:
grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
_
Nicholas Miller, ITS, University of
On 12/05/11 09:33, Juergen Dietl wrote:
Hello Mark
i am not that professional in bind. Normally I am a CISCO expert but now
I also do the bind for 6 months. I cannot imagine why this post should
help me.
It doesn't really.
You should only need this:
grant EXAMPLE.COM ms-self * any;
What
Hello Phil, Hello Mark,
after trying a lot the last hours I came to the same result.
grant EXAMPLE.COM ms-self * any;
works. All the other things for example EXAMPLE.COM krb5-self * any;
etc. dont work.
So I will put this rule in any zone with the relating domain. The ms-self
command is not
In message BANLkTi=f=LP2WTSEck940CvqzxL=dsi...@mail.gmail.com, Juergen Dietl
writes:
--20cf30549e9f7b6a2604a30ffc67
Content-Type: text/plain; charset=ISO-8859-1
Hello Mark,
thanx a lot for your feedback.
the rule that works at the moment for only ONE client:
grant
2011/5/12 Mark Andrews ma...@isc.org
I suggest that you look at the documentation for external and use
it.
Hello Mark,
thanx a lot for your explanation. One last question.
What do you mean with your sentence above? Do you mean that?:
+++
In message banlktincegux9+9n6n0y5t-cub8vjtg...@mail.gmail.com, Juergen Dietl
writes:
--90e6ba6134ba89740204a312cb5f
Content-Type: text/plain; charset=ISO-8859-1
Hello Phil, Hello Mark,
after trying a lot the last hours I came to the same result.
grant EXAMPLE.COM ms-self * any;
Hello,
i run GSS-TSIG on a SuSE Enterprise 11 Server using bind 9.8 latest version.
I have 3 domains:
example1.test
example2.test
example3.test
I created 3 keys and merge them with ktutil.
Now I want to use update policy:
For this I have the follwoing rule:
update-policy {
grant * subdomain
Juergen,
I use GSS-TSIG and the handbook says that in gss-tsig the content of the
identity field ist the common secret which is the kerberos principal.
I believe you'll have to set `tkey-gssapi-credential' and `tkey-domain` for
this to work the way you want, though I do confess to not have a
To match machines in the EXAMPLE.COM realm you would use one of these.
Windows uses the following sort of identity for machines
machinename$@EXAMPLE.COM
grant EXAMPLE.COM ms-self * any;
grant EXAMPLE.COM ms-subdomain * any;
Kerberos uses the following identities for
On 11/05/11 12:17, Mark Andrews wrote:
{ms,krb5}-subdomain allows updates of *.machinename
One note - this isn't so handy if you have a disjoint namespace, where:
machinename.*.example.com
...is what you want. We are in this boat, and can't use the built in
ACLs for this very reason.
Hello,
and thanx for all your answeres.
I want to ask the question again in a shorter way:
If I look in the log the client tells the dns-server:
request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST
when I now put in the rule:
grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test.
Hello Mark,
thanx for your anwer.
Your first sentence maybe help me to understand why this is the client´s
credential that it needs in the rule:
WS-YBCL150939\$\@EXAMPLE.COM
So fist is the hostname then the slash makes the $-sign just to be a normal
letter and not variable for example, and the
So I look for a way that I can say that all clients from EXAMPLE.TEST are
allowed to update their own record (or whatever).
Sounds like a task for update-policy external [1], but note that that
requires updates to be sent via TCP and not UDP. [2]
-JP
[1]:
In message BANLkTim7k4KYxYoz=awj9mwtczvxb32...@mail.gmail.com, Juergen Dietl
writes:
Hello Mark,
thanx for your anwer.
Your first sentence maybe help me to understand why this is the client=B4s
credential that it needs in the rule:
WS-YBCL150939\$\@EXAMPLE.COM
So fist is the
Try:
grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY;
_
Nicholas Miller, ITS, University of Colorado at Boulder
On May 11, 2011, at 7:08 AM, Juergen Dietl wrote:
Hello,
and thanx for all your answeres.
I want to ask the question
On 11/05/11 14:55, Mark Andrews wrote:
In message4dca7893.5060...@imperial.ac.uk, Phil Mayers writes:
On 11/05/11 12:17, Mark Andrews wrote:
{ms,krb5}-subdomain allows updates of *.machinename
One note - this isn't so handy if you have a disjoint namespace, where:
In message 4dca7893.5060...@imperial.ac.uk, Phil Mayers writes:
On 11/05/11 12:17, Mark Andrews wrote:
{ms,krb5}-subdomain allows updates of *.machinename
One note - this isn't so handy if you have a disjoint namespace, where:
machinename.*.example.com
...is what you want. We are in
19 matches
Mail list logo
