To me, these look like the auto-created entries for Kerberos service
announcements. .local represents the MDNS zone used by Bonjour/
Rendezvous/Zeroconf.
I have my named.conf file with the ability to update:
zone "company.org" in {
    file "company.org.zone";
    type master;
    allow-transfer { 172.16.1.5; };
    allow-update { 172.16.1/24; };
};
I'm not too deep into named, but why should your whole network be able
to change your named settings? Does this work for clients changing
their hostname and then update the DNS entry? If a DHCP server would
be used, only the server normally would do this kind of updating. I
think a running named is needed for sending off these updates.
bad things, I can think of the bad hacker hooking up into your LAN
and switching your kerberos entries to his host, he then could
possibly intercept your user passwords.
I understand on the configuration is that I do allow updates. The
thing I can't figure out is why it's trying to add its localhost
name as a kerberos record. Is this normal behavior? It never
occurred by default in 10.3.9 server...
It's just the "hello, here are kerberos authentication services
available" notice sent off to Bonjour. But for more confusion,
normally MDNS requests would be answered on 5353 by the MDNS
responder. So, named possibly will never get requests for .local-
requests.
As my final conclusion, it would be a good idea to simply
remove .local. at the end of your entry. Named would never look into
company.org zonefile when searching for company.org.local. You
probably don't even have kerberos entries for company.org itself
already. It might be that the .local entries belong to some older
configuration, before you set up company.org!?
regards,
Philon
Macos-x-server mailing list (email@hidden)
References:
>Named updates (From: David Thompson <email@hidden>)
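
Added example, not part of the original thread: one way to narrow the dynamic-update permission discussed above so that a host on the LAN cannot rewrite the zone's Kerberos SRV records. It assumes a current BIND 9 release; the key name "ddns-updater" and the secret are placeholders.

```conf
# Constructed example for the zone discussed in this thread.
# Original setting, which lets any host in 172.16.1/24 rewrite any record:
#     allow-update { 172.16.1/24; };

# Shared TSIG key held only by the host that sends updates (for example
# the DHCP server). The name "ddns-updater" and the secret are placeholders.
key "ddns-updater" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "company.org" in {
    type master;
    file "company.org.zone";
    allow-transfer { 172.16.1.5; };

    # update-policy replaces allow-update (the two cannot be combined in
    # one zone). Only updates signed with the key are accepted, and only
    # for A and TXT records at or below company.org. SRV records such as
    # _kerberos._tcp cannot be changed through dynamic update at all.
    update-policy {
        grant ddns-updater subdomain company.org. A TXT;
    };
};
```

Run named-checkconf after editing to confirm the file still parses before reloading named.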