Secure DDNS update against Windows Server by NSUPDATE
Kevin Darcy
kcd at chrysler.com
Mon Sep 22 21:37:35 UTC 2008
I'm not aware of any version of nsupdate (with the possible exception of
the BIND 9.5.x version, which I haven't looked at yet), that has
GSS-TSIG -- as opposed to regular TSIG -- capability, which as far as I
know is a prerequisite to performing secure Dynamic Updates to Microsoft
DNS.
- Kevin
arpad bind wrote:
> Hi Mark!
>
> Thank you for your answer.
>
> By default authenticated users (domain members) are able to update their records if the zone allows "secure only" DNS updates on a Windows DNS server. So this is fine...
>
> I'm wondering if someone could have ever sent a successful secure DNS update via NSUPDATE against a Windows Server.
>
> Thanks in advance.
>
> Best Regards,
>
> Arpad
>
>
> Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>
>
>> In message <freemail.20080818134351.72676 at fm17.freemail.hu>, arpad bind writes:
>>
>>> Hello,
>>>
>>>
>>> I have a problem with secure update via BIND 9.5 against Windows 2003 SP2
>>> Dynamic DNS service. DNS server is rejecting the updates. (Secure Updates
>>> from MS clients work fine.)
>>>
>>>
>>>
>>> I did these steps:
>>>
>>> * GSS support was compiled (compiler gcc)
>>>
>>> * linked against AIX 5.3 Kerberos libraries and MIT Kerberos 1.6.3 (with
>>> none of them it works)
>>>
>>> - update is tried as domain admin, and option '-o' activates the Microsoft
>>> implementation of GSS protocol
>>>
>>> #> kinit
>>>
>>> #> nsupdate -o
>>>
>>>
>>> > update add test123.test.hu 86400 A 10.144.164.100
>>>
>>> > send
>>>
>>> - DNS server replies with:
>>>
>>> ; TSIG error with server: tsig verify failure
>>>
>>> update failed: REFUSED
>>>
>>> In the network trace I see that the TKEY is negotiated successfully but the
>>> update will be refused.
>>>
>>> Could someone help me please how to set up secure DDNS against Windows DNS
>>> via NSUPDATE?
>>>
>>> Thanks in advance.
>>>
>>> Best Regards,
>>>
>>> Arpad
>>>
>> That's a matter of finding the right Windows documentation
>> which describes how to allow a particular principal to update
>> the DNS. When you find it please let us know.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>>
>>
>