What is the practical difference between krb5-self and krb5-subdomain in BIND9 update-policy statement?

by Vinícius Ferrão   Last Updated May 23, 2020

What is the practical difference between the krb5-self and krb5-subdomain policies in the BIND9 update-policy statement when dealing with dynamic DNS updates on zones?

The BIND9 documentation states the following:

krb5-self: This rule takes a Kerberos machine principal (host/machine@REALM) and allows it to update the DNS entry which corresponds to the QDN part of the Principal. The REALM to be matched must exactly match that specified in identity. See Kerberos/AD note.

krb5-subdomain: This rule takes a Kerberos machine principal (host/machine@REALM) and allows it to update the QDN part of the Principal. The REALM to be matched must match that specified in identity or any subdomain (labels to the left) of identity. See Kerberos/AD note.

But this is extremely vague, and there's even a CVE saying that krb5-subdomain does not do what it says it does, and there's a new player in the game: krb5-selfsub: https://kb.isc.org/docs/cve-2018-5741
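The following is an added example, not part of the question and not ISC's code: a small Python model of the three krb5-* rule types so the practical difference can be checked against concrete names. It assumes the semantics given by the ISC advisory the question links to (CVE-2018-5741): krb5-self lets host/machine@REALM update only the name machine; krb5-selfsub lets it update machine and anything below it; krb5-subdomain lets any host/ principal in the realm update anything at or below the grant's name field, regardless of which machine the principal names. Further assumptions, all labelled in the code: the realm is compared against identity as an exact, case-sensitive string; the name field of the self variants is not consulted; a grant with no explicit types matches everything except RRSIG, NS, SOA, NSEC and NSEC3; and the EXAMPLE.COM policy strings and host names are constructed for the demonstration.

```python
"""Model of which names a Kerberos machine principal may update under BIND9
update-policy grants of type krb5-self, krb5-selfsub and krb5-subdomain.

Added example, not ISC code. Rule semantics follow the corrected description
from the CVE-2018-5741 advisory; everything else here is a simplification."""

import re
from typing import NamedTuple, Optional, Tuple

# Assumed from the ARM: a grant that names no types matches all types but these.
_IMPLICIT_TYPE_EXCLUSIONS = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

# grant <identity> <ruletype> <name> [<types>];   (name required in this model)
_GRANT_RE = re.compile(
    r"grant\s+(?P<identity>\S+)\s+(?P<ruletype>krb5-selfsub|krb5-self|krb5-subdomain)"
    r"\s+(?P<name>\S+)\s*(?P<types>[^;]*?)\s*;"
)


class Grant(NamedTuple):
    ruletype: str
    identity: str            # the Kerberos REALM for all three krb5-* rule types
    name: str                # name field; only consulted by krb5-subdomain here
    types: Tuple[str, ...]   # explicit RR types, () when the grant lists none


def parse_update_policy(text: str):
    """Extract the krb5-* grant statements from an update-policy block."""
    return [Grant(m["ruletype"], m["identity"], m["name"],
                  tuple(t.upper() for t in m["types"].split()))
            for m in _GRANT_RE.finditer(text)]


def _labels(name: str) -> Tuple[str, ...]:
    """Case-folded labels in written order, trailing dot dropped."""
    return tuple(l.lower() for l in name.strip().rstrip(".").split(".") if l)


def is_at_or_below(name: str, parent: str) -> bool:
    """True when name equals parent or lies inside its subtree."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def split_machine_principal(principal: str) -> Optional[Tuple[str, str]]:
    """host/machine@REALM -> (machine, REALM); None for any other principal."""
    if not principal.startswith("host/") or "@" not in principal:
        return None
    primary, realm = principal.rsplit("@", 1)
    return primary[len("host/"):], realm


def grant_matches(g: Grant, principal: str, target: str, rrtype: str) -> bool:
    parsed = split_machine_principal(principal)
    if parsed is None:
        return False
    machine, realm = parsed
    if realm != g.identity:        # assumed: exact, case-sensitive realm match
        return False
    rrtype = rrtype.upper()
    if g.types:
        if rrtype not in g.types:
            return False
    elif rrtype in _IMPLICIT_TYPE_EXCLUSIONS:
        return False
    if g.ruletype == "krb5-self":        # only the machine's own name
        return _labels(target) == _labels(machine)
    if g.ruletype == "krb5-selfsub":     # the machine's own name and anything below it
        return is_at_or_below(target, machine)
    if g.ruletype == "krb5-subdomain":   # anything at or below the grant's NAME field,
        return is_at_or_below(target, g.name)   # for every host/ principal in the realm
    raise ValueError(f"unsupported rule type {g.ruletype}")


def allowed(policy_text: str, principal: str, target: str, rrtype: str = "A") -> bool:
    """True if any krb5-* grant in the policy lets principal update target/rrtype."""
    return any(grant_matches(g, principal, target, rrtype)
               for g in parse_update_policy(policy_text))


# Constructed policy fragments: one realm, the three rule types side by side.
POLICY_SELF = "grant EXAMPLE.COM krb5-self . A AAAA;"
POLICY_SELFSUB = "grant EXAMPLE.COM krb5-selfsub . A AAAA;"
POLICY_SUBDOMAIN = "grant EXAMPLE.COM krb5-subdomain example.com. A AAAA;"
POLICIES = {"krb5-self": POLICY_SELF, "krb5-selfsub": POLICY_SELFSUB,
            "krb5-subdomain": POLICY_SUBDOMAIN}


def compare(principal: str, target: str, rrtype: str = "A"):
    """Which of the three rule types would let principal update target."""
    return {rt: allowed(p, principal, target, rrtype) for rt, p in POLICIES.items()}


if __name__ == "__main__":
    web = "host/www.example.com@EXAMPLE.COM"   # constructed principal
    for target in ("www.example.com.", "svc.www.example.com.", "other.example.com."):
        print(f"{web} -> {target}: {compare(web, target)}")
```

Running it shows the point the advisory makes: under krb5-subdomain the web server's principal can also rewrite other.example.com, because the rule only checks that the principal belongs to the realm and that the target sits under the grant's name field; krb5-selfsub is the rule that confines a machine to its own name and its subtree.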
