Merge the two attribute syntax tables.

[tprouty/samba.git] / source4 / setup / named.conf

diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index 56bb3e0f35b7f0191e270a783ec1cd10aee5ab87..0b087069c773c8cef00b1a84c05889e9b06f79ab 100644 (file)
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -1,10 +1,67 @@
+# This file should be included in your main BIND configuration file
 #
-# Insert this snippit into your named.conf or bind.conf to configure
-# the BIND nameserver.
-#
+# For example with
+# include "${PRIVATE_DIR}/named.conf";
 
 zone "${DNSDOMAIN}." IN {
-        type master;
-        file "${DNSDOMAIN}.zone";
+       type master;
+       file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
+       /*
+        * Attention: Not all BIND versions support "ms-self". The instead use
+        * of allow-update { any; }; is another, but less secure possibility.
+        */
+       update-policy {
+               /*
+                * A rather long description here, as the "ms-self" option does
+                * not appear in any docs yet (it can only be found in the
+                * source code).
+                *
+                * The short of it is that each host is allowed to update its
+                * own A and AAAA records, when the update request is properly
+                * signed by the host itself.
+                *
+                * The long description is (look at the
+                * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
+                * its definition in lib/dns/gssapictx.c for details):
+                *
+                * A GSS-TSIG update request will be signed by a given signer
+                * (e.g. machine-name$@${REALM}).  The signer name is split into
+                * the machine component (e.g. "machine-name") and the realm
+                * component (e.g. "${REALM}").  The update is allowed if the
+                * following conditions are met:
+                *
+                * 1) The machine component of the signer name matches the first
+                * (host) component of the FQDN that is being updated.
+                *
+                * 2) The realm component of the signer name matches the realm
+                * in the grant statement below (${REALM}).
+                *
+                * 3) The domain component of the FQDN that is being updated
+                * matches the realm in the grant statement below.
+                *
+                * If the 3 conditions above are satisfied, the update succeeds.
+                */
+               grant ${REALM} ms-self * A AAAA;
+       };
+};
+
+# The reverse zone configuration is optional.  The following example assumes a
+# subnet of 192.168.123.0/24:
+
+/*
+zone "123.168.192.in-addr.arpa" in {
+       type master;
+       file "123.168.192.in-addr.arpa.zone";
+       update-policy {
+               grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
+       };
 };
+*/
+
+# Note that the reverse zone file is not created during the provision process.
+
+# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
+# updates.  If you are running an earlier version of BIND, or if you do not wish
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
+# both examples above.