GSS-TSIG and bind 9.6
Peter Fraser
petros.fraser at gmail.com
Thu May 14 16:55:53 UTC 2009
Yes it is.
On Thu, May 14, 2009 at 11:36 AM, Doug Barton <dougb at dougbarton.us> wrote:
> Any reason you have chosen GSS vs. TSIG? Is this for a Windows environment?
>
>
>
> On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fraser at gmail.com> wrote:
>
>> Hi all,
>> I have been working to get dynamic updates working with bind-9.6 and
>> FreeBSD 7. So far I have done the following:
>>
>> 1. Compiled bind with GSSAPI enabled.
>> 2. Added these to named.conf
>>
>> options {
>>     ...
>>     tkey-gssapi-credential "DNS/mydomain.com";
>>     ...
>> };
>>
>> and
>>
>> zone "mydomain.com" {
>>     type master;
>>     file "master/mydomain.com";
>>     update-policy {
>>         grant MYDOMAIN.COM ms-subdomain * A;
>>     };
>> };
>>
>> zone "1.168.192.in-addr.arpa" {
>>     type master;
>>     file "master/1.168.192.in-addr.arpa";
>>     update-policy {
>>         grant MYDOMAIN.COM ms-subdomain * PTR;
>>     };
>> };
>>
>>
>> 3. Created a user in AD called binddns and set the password to never
>> expire.
>> 4. Used ktpass to create the keytab like this:
>> C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser binddns@mydomain.com
>>
>> 5. Copied krb5.keytab to /etc
>> 6. At this point I figured I should be done. Reloaded bind, but no updates.
>>
>> I now ran kinit and nsupdate -g from the box
>>
>> server server.mydomain.com
>> zone atlas.local
>> debug
>> send
>>
>> and saw the following:
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2310
>> ;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;atlas.local. IN SOA
>>
>> ;; ANSWER SECTION:
>> mydomain.com. 3600 IN SOA server.mydomain.com.
>> admin.mydomain.com. 715 900 600 86400 3600
>>
>> ;; ADDITIONAL SECTION:
>> server.mydomain.com. 3600 IN A 192.168.1.100
>>
>> Found zone name: mydomain.com
>> The master is: server.mydomain.com
>> start_gssrequest
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62457
>> ;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;575112106.sig-server.mydomain.com. ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
>> 1242311154 3 NOERROR 1243
>>
>> LOTS OF GIBBERISH
>>
>> dns_request_getresponse: FORMERR
>>
>> I am still not, however, seeing the zone files updated or any .jnl files.
>> Anything else I could do to troubleshoot this?
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
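An added consistency check for the setup described in the quoted post; this is example code, not something from the thread or from BIND. named accepts GSS-TSIG TKEY requests only for the principal named in tkey-gssapi-credential, and it must find a key for exactly that principal (Kerberos names are case-sensitive) in the keytab it reads; clients such as nsupdate -g and Windows DNS clients ask the KDC for a ticket to DNS/<nameserver FQDN>. The script below takes a named.conf fragment and the output of `klist -k` and reports where those three names disagree. The named.conf text and klist output are constructed from the values in the post; the realm MYDOMAIN.COM is taken from the ktpass principal, and the nameserver name server.mydomain.com from the SOA MNAME in the nsupdate debug output.

```python
import re

# Constructed from the values in the post; not a real file.
NAMED_CONF = '''
options {
    tkey-gssapi-credential "DNS/mydomain.com";
};
'''

# Constructed: what `klist -k /etc/krb5.keytab` would print for the keytab
# produced by the ktpass command in the post.
KLIST_OUTPUT = '''Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/binddns.mydomain.com@MYDOMAIN.COM
'''

DEFAULT_REALM = "MYDOMAIN.COM"           # assumption: Kerberos realm of the AD domain
NAMESERVER_FQDN = "server.mydomain.com"  # from the SOA MNAME in the debug output


def tkey_credential(named_conf):
    """Return the tkey-gssapi-credential value from a named.conf text, or None."""
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"\s*;', named_conf)
    return m.group(1) if m else None


def keytab_principals(klist_output):
    """Parse `klist -k` output into the list of principal names it lists."""
    principals = []
    for line in klist_output.splitlines():
        # Entry lines look like "   3 DNS/host.example.com@EXAMPLE.COM".
        m = re.match(r'\s*(\d+)\s+(\S+@\S+)\s*$', line)
        if m:
            principals.append(m.group(2))
    return principals


def qualify(principal, realm):
    """Append the realm if the principal has none. No case folding:
    Kerberos principal names are case-sensitive."""
    return principal if "@" in principal else f"{principal}@{realm}"


def check_gss_tsig(named_conf, klist_output, realm, nameserver_fqdn):
    """Return a list of findings; an empty list means the three names agree."""
    findings = []
    cred = tkey_credential(named_conf)
    if cred is None:
        return ["tkey-gssapi-credential is not set; named cannot accept GSS-TSIG TKEY requests"]
    wanted = qualify(cred, realm)
    have = keytab_principals(klist_output)
    # The SPN clients will ask the KDC for: DNS/<the nameserver they talk to>.
    expected = f"DNS/{nameserver_fqdn}@{realm}"
    if wanted not in have:
        findings.append(f"{wanted} is not in the keytab; keytab has: {', '.join(have) or 'nothing'}")
    if wanted != expected:
        findings.append(f"tkey-gssapi-credential {wanted} is not the SPN clients request, {expected}")
    if expected not in have:
        findings.append(f"keytab has no key for {expected}; ktpass -princ should name that SPN")
    return findings


if __name__ == "__main__":
    for finding in check_gss_tsig(NAMED_CONF, KLIST_OUTPUT, DEFAULT_REALM, NAMESERVER_FQDN) or ["OK"]:
        print(finding)
```

Run against the values in the post it reports all three mismatches: the credential names DNS/mydomain.com, the keytab holds DNS/binddns.mydomain.com, and clients will ask for DNS/server.mydomain.com. Whatever keytab you settle on, named must actually read it: with MIT or Heimdal that is the library default (/etc/krb5.keytab) unless KRB5_KTNAME in named's environment points elsewhere, and the file must be readable by the user named runs as.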