L.P.H. van Belle
2014-Mar-10 10:08 UTC
[Samba] question : dns.keytab and named.conf.update
Hai,

Just a question.
Why are the Principals in the dns.keytab different from what is in the named.conf.update file?

ktutil:  rkt /var/lib/samba/private/dns.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 DNS/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
   2    1 dns-rtd-dc1@INTERNAL.DOMAIN.TLD

cat /var/lib/samba/private/named.conf.update

update-policy {
        grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
        grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};

in reverse

        update-policy {
                grant *.DOMAIN.TLD wildcard *.123.168.192.in-addr.arpa. PTR;
        };

I would expect to see in the dns.keytab also
        RTD-DC1$@INTERNAL.DOMAIN.TLD
But it's not there. Any reason for this, or am I missing something?
(This is not my expertise, but any insight in this would be nice.)

Thanks!

Louis
On Mon, 2014-03-10 at 11:08 +0100, L.P.H. van Belle wrote:
> Hai,
>
> Just a question .
> Why are the Principals in the dns.keytab different from what is in the named.conf.update file.

The dns.keytab entries are the DNS server accounts, while the named.conf.update principals are the clients permitted to make unrestricted DNS changes.

In the default bind9_dlz configuration, the named.conf.update is overridden by the internal ACL processing in the DLZ module.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
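The distinction Andrew draws (keytab = the DNS server's own identities, update-policy = the clients allowed to send updates) can be made concrete by parsing the two artefacts Louis quoted. The following is an added example written for this thread, not Samba or BIND code; it embeds the keytab listing and the update-policy blocks from the question as constructed sample data, classifies the keytab entries, and evaluates BIND-style update-policy rules (first matching rule wins) against sample client principals. The `ms-self` handling follows the documented BIND semantics (machine$@REALM may update machine.realm) and only `wildcard` and `ms-self` name types are modelled; as Andrew notes, under the default bind9_dlz setup the real decision is taken by the DLZ module's internal ACL, so this models the text file only.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data, transcribed from what the thread quotes (not read from a live DC).
KEYTAB_PRINCIPALS = [
    "DNS/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD",
    "dns-rtd-dc1@INTERNAL.DOMAIN.TLD",
]

NAMED_CONF_UPDATE = """\
update-policy {
    grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
    grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
    grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
update-policy {
    grant *.DOMAIN.TLD wildcard *.123.168.192.in-addr.arpa. PTR;
};
"""

# grant|deny <identity> <nametype> <name> [<rrtypes>...];
RULE_RE = re.compile(r"^\s*(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*([^;]*);", re.M)


def parse_update_policy(text):
    """Parse BIND update-policy rules into dicts, in file order (first match wins)."""
    return [
        {"action": m.group(1), "identity": m.group(2), "nametype": m.group(3),
         "name": m.group(4), "types": m.group(5).split()}
        for m in RULE_RE.finditer(text)
    ]


def _rule_matches(rule, principal, name, rrtype):
    ident, nt = rule["identity"].lower(), rule["nametype"]
    p, n = principal.lower(), name.lower().rstrip(".")
    # An empty type list means "any record type".
    if rule["types"] and rrtype.upper() not in rule["types"]:
        return False
    if nt == "wildcard":
        return fnmatchcase(p, ident) and fnmatchcase(n, rule["name"].lower().rstrip("."))
    if nt == "ms-self":
        # machine$@REALM may update only machine.realm (BIND's documented ms-self rule).
        suffix = "$@" + ident
        if not p.endswith(suffix):
            return False
        machine = p[: -len(suffix)]
        return n == machine + "." + ident
    return False  # other name types (krb5-self, subdomain, ...) are not modelled here


def can_update(rules, principal, name, rrtype):
    """True if the first matching rule grants the update; False if it denies or none match."""
    for rule in rules:
        if _rule_matches(rule, principal, name, rrtype):
            return rule["action"] == "grant"
    return False


def keytab_roles(principals):
    """Classify keytab entries: 'service' (has an instance, e.g. DNS/host) or 'account'."""
    return {p: ("service" if "/" in p.split("@")[0] else "account") for p in principals}


def keytab_principals_in_policy(rules, principals):
    """Keytab principals that also appear verbatim as an update-policy identity (expected: none)."""
    identities = {r["identity"].lower() for r in rules}
    return [p for p in principals if p.lower() in identities]


if __name__ == "__main__":
    rules = parse_update_policy(NAMED_CONF_UPDATE)
    for p, role in keytab_roles(KEYTAB_PRINCIPALS).items():
        print(f"{role:8} {p}")
    print("keytab principals that are update-policy identities:",
          keytab_principals_in_policy(rules, KEYTAB_PRINCIPALS))
    samples = [
        ("RTD-DC1$@INTERNAL.DOMAIN.TLD", "foo.internal.domain.tld", "SRV"),
        ("WS01$@INTERNAL.DOMAIN.TLD", "ws01.internal.domain.tld", "A"),
        ("WS01$@INTERNAL.DOMAIN.TLD", "other.internal.domain.tld", "A"),
        ("WS01$@INTERNAL.DOMAIN.TLD", "1.123.168.192.in-addr.arpa.", "PTR"),
    ]
    for who, name, t in samples:
        print(f"{who} -> {name} {t}: {can_update(rules, who, name, t)}")
```

Running it shows the two keytab entries are a service principal and the DNS service account, neither of which is an update-policy identity, while the DC's machine account and `Administrator` are listed only as update clients. The `ms-self` rule is the one that constrains ordinary domain members: a machine account can update its own A/AAAA record but not another host's, and not SRV records.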