1# This file should be included in your main BIND configuration file 2# 3# For example with 4# include "${PRIVATE_DIR}/named.conf"; 5 6zone "${DNSDOMAIN}." IN { 7 type master; 8 file "${PRIVATE_DIR}/${DNSDOMAIN}.zone"; 9 /* 10 * Attention: Not all BIND versions support "ms-self". The instead use 11 * of allow-update { any; }; is another, but less secure possibility. 12 */ 13 update-policy { 14 /* 15 * A rather long description here, as the "ms-self" option does 16 * not appear in any docs yet (it can only be found in the 17 * source code). 18 * 19 * The short of it is that each host is allowed to update its 20 * own A and AAAA records, when the update request is properly 21 * signed by the host itself. 22 * 23 * The long description is (look at the 24 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and 25 * its definition in lib/dns/gssapictx.c for details): 26 * 27 * A GSS-TSIG update request will be signed by a given signer 28 * (e.g. machine-name$@${REALM}). The signer name is split into 29 * the machine component (e.g. "machine-name") and the realm 30 * component (e.g. "${REALM}"). The update is allowed if the 31 * following conditions are met: 32 * 33 * 1) The machine component of the signer name matches the first 34 * (host) component of the FQDN that is being updated. 35 * 36 * 2) The realm component of the signer name matches the realm 37 * in the grant statement below (${REALM}). 38 * 39 * 3) The domain component of the FQDN that is being updated 40 * matches the realm in the grant statement below. 41 * 42 * If the 3 conditions above are satisfied, the update succeeds. 43 */ 44 grant ${REALM} ms-self * A AAAA; 45 }; 46}; 47 48# The reverse zone configuration is optional. The following example assumes a 49# subnet of 192.168.123.0/24: 50 51/* 52zone "123.168.192.in-addr.arpa" in { 53 type master; 54 file "123.168.192.in-addr.arpa.zone"; 55 update-policy { 56 grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR; 57 }; 58}; 59*/ 60 61# Note that the reverse zone file is not created during the provision process. 62 63# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG 64# updates. If you are running an earlier version of BIND, or if you do not wish 65# to use secure GSS-TSIG updates, you may remove the update-policy sections in 66# both examples above. 67 68