+# This file should be included in your main BIND configuration file
#
-# Insert these snippets into your named.conf or bind.conf to configure
-# the BIND nameserver.
-#
-
-#insert this into options {}
-tkey-gssapi-credential "DNS/${DNSDOMAIN}"
-tkey-domain "${REALM}";
+# For example with
+# include "${NAMED_CONF}";
-#the zone file
zone "${DNSDOMAIN}." IN {
- type master;
- file "${DNSDOMAIN}.zone";
+ type master;
+ file "${ZONE_FILE}";
+ /*
+ * the list of principals and what they can change is created
+ * dynamically by Samba, based on the membership of the domain controllers
+ * group. The provision just creates this file as an empty file.
+ */
+ include "${NAMED_CONF_UPDATE}";
+
+ /* we need to use check-names ignore so _msdcs A records can be created */
+ check-names ignore;
};
-# Also, you need to change your init scripts to set this environment variable
-# for named: KRB_KTNAME so that it points to the keytab generated.
-# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
-# line to the /etc/sysconfig/named file
-# export KRB_KTNAME=/etc/named.keytab
+# The reverse zone configuration is optional. The following example assumes a
+# subnet of 192.168.123.0/24:
+
+/*
+zone "123.168.192.in-addr.arpa" in {
+ type master;
+ file "123.168.192.in-addr.arpa.zone";
+ update-policy {
+ grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
+ };
+};
+*/
+
+# Note that the reverse zone file is not created during the provision process.
+
+# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
+# updates. If you are running an earlier version of BIND, or if you do not wish
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
+# both examples above.
-# *TODO*: generate and install a keytab file in /etc/named.keytab