GSS-TSIG and bind 9.6
Doug Barton
dougb at dougbarton.us
Thu May 14 16:36:31 UTC 2009
Any reason you have chosen GSS vs. TSIG? Is this for a Windows
environment?
On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fraser at gmail.com>
wrote:
> Hi All
> I have been working to get dynamic updates working with bind-9.6 and
> FreeBSD 7 So far I have done the following:
>
> 1. Compiled bind with GSSAPI enabled.
> 2. Added these to named.conf
>
> options {
>     ...
>     tkey-gssapi-credential "DNS/mydomain.com";
>     ...
> };
>
> and
>
> zone "mydomain.com" {
>     type master;
>     file "master/mydomain.com";
>     update-policy {
>         grant MYDOMAIN.COM ms-subdomain * A;
>     };
> };
>
> zone "1.168.192.in-addr.arpa" {
>     type master;
>     file "master/1.168.192.in-addr.arpa";
>     update-policy {
>         grant MYDOMAIN.COM ms-subdomain * PTR;
>     };
> };
>
>
> 3. Created a user in AD called binddns and set the password to never
> expire.
> 4. Used ktpass to create the keytab like this:
> C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM
>        -pass * -mapuser binddns@mydomain.com
>
> 5. Copied krb5.keytab to /etc
> 6. At this point I figured I should be done. Reloaded bind but no
> updates.
>
> I now ran kinit and nsupdate -g from the box
>
> server server.mydomain.com
> zone atlas.local
> debug
> send
>
> and saw the following:
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2310
> ;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0,
> ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;atlas.local. IN SOA
>
> ;; ANSWER SECTION:
> mydomain.com. 3600 IN SOA server.mydomain.com.
> admin.mydomain.com. 715 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> server.mydomain.com. 3600 IN A 192.168.1.100
>
> Found zone name: mydomain.com
> The master is: server.mydomain.com
> start_gssrequest
> send_gssrequest
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62457
> ;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;575112106.sig-server.mydomain.com. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
> 1242311154 3 NOERROR 1243
>
> LOTS OF GIBBERISH
>
> dns_request_getresponse: FORMERR
>
> I am still not, however, seeing the zone files updated or any jnl files.
> Anything else I could do to troubleshoot this?
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
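As an added diagnostic (not code from this thread or from BIND), the following Python script reads the principals stored in an MIT-format keytab and checks whether the tkey-gssapi-credential from named.conf names one of them; the keytab bytes are constructed inside the block with dummy keys. In the post above the credential is DNS/mydomain.com while ktpass wrote DNS/binddns.mydomain.com@MYDOMAIN.COM, which is the kind of mismatch this check reports; how BIND treats a credential written without a realm is an assumption here, so the check compares only the name part in that case.

```python
import struct

# Keytab layout assumed: MIT version 0x0502, big-endian integers, each entry
# prefixed by an int32 size (negative size = deleted slot to skip).

def _counted(data, off):
    """Read a keytab counted_octet_string (uint16 length + bytes)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(blob):
    """Return every principal (name@REALM) stored in the keytab bytes."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, principals = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                       # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        principals.append("/".join(comps) + "@" + realm.decode())
        off = end                          # skip name_type, timestamp, vno, key block
    return principals

def build_keytab(principals):
    """Build a constructed keytab holding the given principals with dummy keys."""
    out = bytearray(b"\x05\x02")
    for p in principals:
        name, realm = p.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, 1)               # name_type, timestamp, vno8
        body += struct.pack(">HH", 23, 16) + b"\x00" * 16  # enctype, dummy 16-byte key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def credential_matches(credential, principals):
    """True if tkey-gssapi-credential names a principal present in the keytab.
    Assumption: a credential given without @REALM is compared on the name part only."""
    if "@" in credential:
        return credential in principals
    return any(p.split("@")[0] == credential for p in principals)
```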