fuzzing: fix fuzz_stable_sort_r_unstable comparison

[samba.git] / source4 / setup / named.conf

diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index 0b087069c773c8cef00b1a84c05889e9b06f79ab..a36f78164160a13696cfcf427fb3b93552f54a3d 100644 (file)
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -1,48 +1,20 @@
 # This file should be included in your main BIND configuration file
 #
 # For example with
-# include "${PRIVATE_DIR}/named.conf";
+# include "${NAMED_CONF}";
 
 zone "${DNSDOMAIN}." IN {
        type master;
-       file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
+       file "${ZONE_FILE}";
        /*
-        * Attention: Not all BIND versions support "ms-self". The instead use
-        * of allow-update { any; }; is another, but less secure possibility.
+        * the list of principals and what they can change is created
+        * dynamically by Samba, based on the membership of the domain controllers
+        * group. The provision just creates this file as an empty file.
         */
-       update-policy {
-               /*
-                * A rather long description here, as the "ms-self" option does
-                * not appear in any docs yet (it can only be found in the
-                * source code).
-                *
-                * The short of it is that each host is allowed to update its
-                * own A and AAAA records, when the update request is properly
-                * signed by the host itself.
-                *
-                * The long description is (look at the
-                * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
-                * its definition in lib/dns/gssapictx.c for details):
-                *
-                * A GSS-TSIG update request will be signed by a given signer
-                * (e.g. machine-name$@${REALM}).  The signer name is split into
-                * the machine component (e.g. "machine-name") and the realm
-                * component (e.g. "${REALM}").  The update is allowed if the
-                * following conditions are met:
-                *
-                * 1) The machine component of the signer name matches the first
-                * (host) component of the FQDN that is being updated.
-                *
-                * 2) The realm component of the signer name matches the realm
-                * in the grant statement below (${REALM}).
-                *
-                * 3) The domain component of the FQDN that is being updated
-                * matches the realm in the grant statement below.
-                *
-                * If the 3 conditions above are satisfied, the update succeeds.
-                */
-               grant ${REALM} ms-self * A AAAA;
-       };
+       include "${NAMED_CONF_UPDATE}";
+
+       /* we need to use check-names ignore so _msdcs A records can be created */
+       check-names ignore;
 };
 
 # The reverse zone configuration is optional.  The following example assumes a
@@ -60,7 +32,7 @@ zone "123.168.192.in-addr.arpa" in {
 
 # Note that the reverse zone file is not created during the provision process.
 
-# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
+# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
 # updates.  If you are running an earlier version of BIND, or if you do not wish
 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
 # both examples above.