
What is the practical difference between krb5-self and krb5-subdomain policies in BIND9 on update-policy statement while dealing with dynamic DNS updates on zones?

The BIND9 documentation states the following:

krb5-self: This rule takes a Kerberos machine principal (host/QDN@REALM) and allows it to update the DNS entry which corresponds to the QDN part of the Principal. The REALM to be matched must exactly match that specified in identity. See Kerberos/AD note.

krb5-subdomain: This rule takes a Kerberos machine principal (host/QDN@REALM) and allows it to update the QDN part of the Principal. The REALM to be matched must match that specified in identity or any subdomain (labels to the left) of identity. See Kerberos/AD note.

But this is extremely vague, and there's even a CVE saying that krb5-subdomain does not do what it does and there's a new player in the game: krb5-selfsub: https://kb.isc.org/docs/cve-2018-5741

Vinícius Ferrão

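The following named.conf fragment is an added illustration, not part of the question or of ISC's documentation, that puts the three rule types side by side in one update-policy so the practical difference is visible. The zone name, realm and host names (example.com, EXAMPLE.COM, ws1, dhcp) are assumed values. The behaviour described in the comments is the corrected one from the linked CVE-2018-5741 advisory: krb5-self matches only the machine's own name, krb5-selfsub (added with that fix) matches the machine's own name and anything below it, and krb5-subdomain lets any machine principal in the REALM update anything at or below the name given in the rule, with no tie to the principal's own host name.

```conf
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        // krb5-self: host/ws1.example.com@EXAMPLE.COM may touch the A/AAAA
        // records of ws1.example.com only. The name field is ignored for
        // self rules, so "." is the conventional placeholder.
        grant EXAMPLE.COM krb5-self . A AAAA;

        // krb5-selfsub: the same principal may also touch names below its
        // own, e.g. _ldap._tcp.ws1.example.com, but still nothing else.
        // This is what the pre-fix ARM wrongly claimed krb5-subdomain did.
        grant EXAMPLE.COM krb5-selfsub . A AAAA SRV;

        // krb5-subdomain: ANY host/<anything>@EXAMPLE.COM principal may
        // update any name at or below dhcp.example.com. The scope comes
        // from the name field of the rule, not from the principal, so
        // host/ws1.example.com@EXAMPLE.COM can rewrite
        // printer7.dhcp.example.com here. Keep the name field narrow.
        grant EXAMPLE.COM krb5-subdomain dhcp.example.com. A AAAA PTR;
    };
};
```

Rules are evaluated in order and the first matching rule decides, so a broad krb5-subdomain grant placed before a krb5-self grant quietly widens what every host in the realm can change; when auditing an existing policy after the advisory, check each krb5-subdomain rule's name field against what was actually intended and replace it with krb5-selfsub where the goal was "a host may manage its own subtree".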