mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
fb3e663678
- fixes bug #4813 (simplify DNS setup)
- This reworks the named.conf to be a fully fledged include
- This also moves the documentation into named.txt
- improves bug #4900 (Group policy support in Samba)
- by creating an empty GPT.INI
- fixes bug #5582 (DNS: Enhanced zone file)
- This is now closer to the zone file AD creates
committed by Andrew Bartlett
(This used to be commit 74d684f6b3
)
68 lines
2.2 KiB
Plaintext
68 lines
2.2 KiB
Plaintext
# This file should be included in your main BIND configuration file
|
|
#
|
|
# For example with
|
|
# include "${PRIVATE_DIR}/named.conf";
|
|
|
|
zone "${DNSDOMAIN}." IN {
|
|
type master;
|
|
file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
|
|
/*
|
|
* Attention: Not all BIND versions support "ms-self". The instead use
|
|
* of allow-update { any; }; is another, but less secure possibility.
|
|
*/
|
|
update-policy {
|
|
/*
|
|
* A rather long description here, as the "ms-self" option does
|
|
* not appear in any docs yet (it can only be found in the
|
|
* source code).
|
|
*
|
|
* The short of it is that each host is allowed to update its
|
|
* own A and AAAA records, when the update request is properly
|
|
* signed by the host itself.
|
|
*
|
|
* The long description is (look at the
|
|
* dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
|
|
* its definition in lib/dns/gssapictx.c for details):
|
|
*
|
|
* A GSS-TSIG update request will be signed by a given signer
|
|
* (e.g. machine-name$@${REALM}). The signer name is split into
|
|
* the machine component (e.g. "machine-name") and the realm
|
|
* component (e.g. "${REALM}"). The update is allowed if the
|
|
* following conditions are met:
|
|
*
|
|
* 1) The machine component of the signer name matches the first
|
|
* (host) component of the FQDN that is being updated.
|
|
*
|
|
* 2) The realm component of the signer name matches the realm
|
|
* in the grant statement below (${REALM}).
|
|
*
|
|
* 3) The domain component of the FQDN that is being updated
|
|
* matches the realm in the grant statement below.
|
|
*
|
|
* If the 3 conditions above are satisfied, the update succeeds.
|
|
*/
|
|
grant ${REALM} ms-self * A AAAA;
|
|
};
|
|
};
|
|
|
|
# The reverse zone configuration is optional. The following example assumes a
|
|
# subnet of 192.168.123.0/24:
|
|
|
|
/*
|
|
zone "123.168.192.in-addr.arpa" in {
|
|
type master;
|
|
file "123.168.192.in-addr.arpa.zone";
|
|
update-policy {
|
|
grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
|
|
};
|
|
};
|
|
*/
|
|
|
|
# Note that the reverse zone file is not created during the provision process.
|
|
|
|
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
|
|
# updates. If you are running an earlier version of BIND, or if you do not wish
|
|
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
|
|
# both examples above.
|
|
|