| 1 | # This file should be included in your main BIND configuration file
|
|---|
| 2 | #
|
|---|
| 3 | # For example with
|
|---|
| 4 | # include "${PRIVATE_DIR}/named.conf";
|
|---|
| 5 |
|
|---|
| 6 | zone "${DNSDOMAIN}." IN {
|
|---|
| 7 | type master;
|
|---|
| 8 | file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
|
|---|
| 9 | /*
|
|---|
| 10 | * Attention: Not all BIND versions support "ms-self". The instead use
|
|---|
| 11 | * of allow-update { any; }; is another, but less secure possibility.
|
|---|
| 12 | */
|
|---|
| 13 | update-policy {
|
|---|
| 14 | /*
|
|---|
| 15 | * A rather long description here, as the "ms-self" option does
|
|---|
| 16 | * not appear in any docs yet (it can only be found in the
|
|---|
| 17 | * source code).
|
|---|
| 18 | *
|
|---|
| 19 | * The short of it is that each host is allowed to update its
|
|---|
| 20 | * own A and AAAA records, when the update request is properly
|
|---|
| 21 | * signed by the host itself.
|
|---|
| 22 | *
|
|---|
| 23 | * The long description is (look at the
|
|---|
| 24 | * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
|
|---|
| 25 | * its definition in lib/dns/gssapictx.c for details):
|
|---|
| 26 | *
|
|---|
| 27 | * A GSS-TSIG update request will be signed by a given signer
|
|---|
| 28 | * (e.g. machine-name$@${REALM}). The signer name is split into
|
|---|
| 29 | * the machine component (e.g. "machine-name") and the realm
|
|---|
| 30 | * component (e.g. "${REALM}"). The update is allowed if the
|
|---|
| 31 | * following conditions are met:
|
|---|
| 32 | *
|
|---|
| 33 | * 1) The machine component of the signer name matches the first
|
|---|
| 34 | * (host) component of the FQDN that is being updated.
|
|---|
| 35 | *
|
|---|
| 36 | * 2) The realm component of the signer name matches the realm
|
|---|
| 37 | * in the grant statement below (${REALM}).
|
|---|
| 38 | *
|
|---|
| 39 | * 3) The domain component of the FQDN that is being updated
|
|---|
| 40 | * matches the realm in the grant statement below.
|
|---|
| 41 | *
|
|---|
| 42 | * If the 3 conditions above are satisfied, the update succeeds.
|
|---|
| 43 | */
|
|---|
| 44 | grant ${REALM} ms-self * A AAAA;
|
|---|
| 45 | };
|
|---|
| 46 | };
|
|---|
| 47 |
|
|---|
| 48 | # The reverse zone configuration is optional. The following example assumes a
|
|---|
| 49 | # subnet of 192.168.123.0/24:
|
|---|
| 50 |
|
|---|
| 51 | /*
|
|---|
| 52 | zone "123.168.192.in-addr.arpa" in {
|
|---|
| 53 | type master;
|
|---|
| 54 | file "123.168.192.in-addr.arpa.zone";
|
|---|
| 55 | update-policy {
|
|---|
| 56 | grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
|
|---|
| 57 | };
|
|---|
| 58 | };
|
|---|
| 59 | */
|
|---|
| 60 |
|
|---|
| 61 | # Note that the reverse zone file is not created during the provision process.
|
|---|
| 62 |
|
|---|
| 63 | # The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
|
|---|
| 64 | # updates. If you are running an earlier version of BIND, or if you do not wish
|
|---|
| 65 | # to use secure GSS-TSIG updates, you may remove the update-policy sections in
|
|---|
| 66 | # both examples above.
|
|---|
| 67 |
|
|---|
