#
# Insert these snippets into your named.conf or bind.conf to configure
# the BIND nameserver.
#
# If your BIND is recent enough to support GSS-TSIG, insert the following two
# statements into options {}. Otherwise omit them: they are only needed when
# named must accept Kerberos-authenticated (GSS-TSIG) dynamic updates.
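# Kerberos principal that named authenticates as when negotiating GSS-TSIG.
# Its key must be present in the keytab that KRB5_KTNAME (see below) points
# to, and that keytab must be readable by the user named runs as.
# NOTE(review): newer BIND releases offer tkey-gssapi-keytab, which takes the
# keytab path directly and makes KRB5_KTNAME unnecessary -- check the ARM of
# the version you run.
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
# Kerberos realm used for TKEY/GSS-TSIG; normally the same realm that appears
# after the '@' in the identities granted in the zone's update-policy below.
tkey-domain "${REALM}";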
# Always include the zone definition itself (it is required regardless of
# whether GSS-TSIG updates are enabled):
zone "${DNSDOMAIN}." IN {
type master;
file "${DNSDOMAIN}.zone";
2007-08-24 13:31:05 +00:00
update-policy {
/* use ANY only for Domain controllers for now */
/* for normal machines A AAAA PTR is probbaly all is needed */
grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
};
2007-08-24 01:57:54 +00:00
};
# Also, you need to change your init scripts to set this environment variable
# for named: KRB5_KTNAME, so that it points to the generated DNS keytab
# (${DNS_KEYTAB_ABS} below).
# In RedHat-derived systems such as RHEL/CentOS/Fedora you can add the following
# line to the /etc/sysconfig/named file:
# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
#
# Please note that most distributions have BIND configured to run under
# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as
# the user "named" once the daemon relinquishes its rights. Therefore,
# the file "${DNS_KEYTAB}" must be readable by the user that BIND runs as.
# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
# permissions altered to allow the daemon to read it. In the FC6
# example, execute the commands:
#
# chgrp named ${DNS_KEYTAB_ABS}
# chmod g+r ${DNS_KEYTAB_ABS}
# chmod o-rwx ${DNS_KEYTAB_ABS}
#
# Do not go further than that: the keytab holds the long-term key of the DNS
# service principal, and anyone who can read it can forge tickets for that
# service and so pass the update-policy as any principal. It should be owned
# by root, group-readable by the named group only, and never world-readable.