Windows 2003 AD

Norman Zhang norman.zhang at rd.arkonnetworks.com
Mon Sep 13 21:25:31 UTC 2004


Elzey, Blaine A (Blaine) wrote:
> I believe you can use keys, but you have to statically configure the keys and servers/clients in order to use this type of restriction. See the BIND9 documentation on allow-update and address_match_list_element. (The last post is correct in that you do not specify a key file, but a key name (that has been defined elsewhere in the named.conf with a key statement.) If you want to allow secure dynamic updates with GSS-TSIG (from MS clients), you will need MS-DNS or Lucent DNS.

named.conf does contain rndc-key (sorry, I now realize I made a typo in 
my original post: "rndc.key" should be "rndc-key").

I have ISC's DHCP installed on the same box, so I guess I don't need to 
change allow-update to IP addresses?

// secret must be the same as in /etc/rndc.conf
key "rndc-key" {
   algorithm hmac-md5;
   secret "8mTgBumsU7SEaYkDvE2RvW9q1TJe6sRbBVYUtwPQCdg/CHV/vSWkJ1K2pOGM";
};

controls {
   inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

Regards,
Norman

> -----Original Message-----
> From: Vinny Abello
> 
> You're better off asking in a Windows 2003 group, but I can tell you the 
> reason is because your Windows machine is trying to do a secure dynamic 
> update and BIND doesn't understand it. This has nothing to do with rndc.
> 
> allow-update should have IP addresses in it, not a key file.
> 
> At 03:02 PM 9/13/2004, Norman Zhang wrote:
>>I'm trying to set up Windows 2003 AD with BIND 9.2.3-6mdk running on
>>Mandrake 10.0, but I get the following error message during setup for AD:
>>
>>The primary DNS server tested was: ns.hq.arkonnetworks.com (10.1.1.1)
>>
>>The zone was: hq.arkonnetworks.com
>>
>>The test for dynamic DNS update support returned: "DNS bad key." (error
>>code 0x00002339 RCODE_BADKEY)
>>
>>In named.conf, I have
>>
>>zone "hq.arkonnetworks.com" {
>>   type master;
>>   file "db.hq.arkonnetworks.com";
>>   allow-update {key rndc.key; };
>>};
>>
>>Does this mean rndc.key is not recognized in Windows 2003? Is there a
>>way I can fix this?
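What the thread is turning on, shown as an added example (this is not code from the original post, from BIND or from Microsoft): a minimal TSIG (RFC 2845) signer and verifier for a DNS UPDATE, so the difference between BADKEY and BADSIG is visible. A server answers NOTAUTH/BADKEY when the key name in the TSIG record is not one it knows, or when the algorithm is one it does not support; that is exactly the position a BIND 9.2.3 without GSS-TSIG is in when a Windows client signs with "gss-tsig.", and also what a typo'd key name such as rndc.key versus rndc-key produces. A wrong shared secret gives BADSIG instead, and an unsigned update is simply refused by allow-update { key ...; }. The zone, host, key name, secret and clock value are constructed for the example; only hmac-md5 is implemented, and the "gss-tsig." case just swaps the algorithm name into the record so the server's branching shows (a real Windows client's MAC is Kerberos-derived, not an HMAC over a shared secret).

```python
"""Minimal TSIG signer/verifier for a DNS UPDATE (RFC 2845). Added example,
not code from the bind-users thread; names, secret and clock are constructed."""
import hashlib
import hmac
import struct
import time

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."          # TSIG algorithm name of hmac-md5
TSIG_RDTYPE, CLASS_ANY, CLASS_IN = 250, 255, 1
RCODE_NOERROR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 5, 9
TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 16, 17, 18
# Constructed secret; named.conf stores it base64-encoded, HMAC uses the raw bytes.
SECRET = b"constructed-example-secret-not-a-real-key"


def encode_name(name):
    """Uncompressed wire form of a domain name ("rndc-key." -> b"\\x08rndc-key\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed name (TSIG owner and algorithm names are never compressed)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def skip_name(buf, off):
    """Skip a possibly compressed name (a 0xC0 pointer ends it in two bytes)."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off


def build_update(zone, owner, ttl, ipv4, msg_id):
    """Unsigned UPDATE (opcode 5) that adds one A record: ZOCOUNT=1, UPCOUNT=1, ADCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, CLASS_IN)        # SOA IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(owner) + struct.pack("!HHIH", 1, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update


def tsig_variables(keyname, algname, time_signed, fudge, error=0, other=b""):
    """Record fields covered by the MAC (RFC 2845 3.4.2), names in canonical lower case."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algname.lower())
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign(message, keyname, secret, algname=HMAC_MD5, time_signed=None, fudge=300):
    """Client side: append a TSIG RR to an unsigned message and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, message + tsig_variables(keyname, algname, time_signed, fudge),
                   hashlib.md5).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algname)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_RDTYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify(packet, keyring, now=None):
    """Server side. Returns (rcode, tsig_error) as a server would answer: unsigned ->
    REFUSED under allow-update { key ...; }; unknown key name or unsupported algorithm
    -> NOTAUTH/BADKEY; wrong secret -> NOTAUTH/BADSIG; outside fudge -> NOTAUTH/BADTIME."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    if ar == 0:
        return RCODE_REFUSED, None
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4
    for _ in range(an + ns + ar - 1):             # every RR before the final (TSIG) one
        off = skip_name(packet, off)
        off += 10 + struct.unpack("!H", packet[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = read_name(packet, off)
    if struct.unpack("!H", packet[off:off + 2])[0] != TSIG_RDTYPE:
        return RCODE_REFUSED, None
    algname, off = read_name(packet, off + 10)
    t_hi, t_lo, fudge, macsize = struct.unpack("!HIHH", packet[off:off + 10])
    mac = packet[off + 10:off + 10 + macsize]
    off += 10 + macsize
    original_id, error, otherlen = struct.unpack("!HHH", packet[off:off + 6])
    other = packet[off + 6:off + 6 + otherlen]
    key = keyring.get(keyname.lower())             # key names compare case-insensitively
    if key is None or algname.lower() != HMAC_MD5:
        return RCODE_NOTAUTH, TSIG_BADKEY          # a BIND without GSS-TSIG lands here
    # Rebuild what the client signed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + packet[2:10]
                + struct.pack("!H", ar - 1) + packet[12:tsig_start])
    time_signed = (t_hi << 32) | t_lo
    expected = hmac.new(key, unsigned + tsig_variables(keyname, algname, time_signed,
                                                       fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return RCODE_NOTAUTH, TSIG_BADSIG
    if abs((now if now is not None else int(time.time())) - time_signed) > fudge:
        return RCODE_NOTAUTH, TSIG_BADTIME
    return RCODE_NOERROR, 0


if __name__ == "__main__":
    now = 1095110731                              # fixed clock so the run is reproducible
    msg = build_update("hq.arkonnetworks.com.", "ws1.hq.arkonnetworks.com.", 3600, "10.1.1.50", 0x1234)
    ring = {"rndc-key.": SECRET}                  # what `key "rndc-key" { ... }` amounts to
    for label, pkt in [("correct key", sign(msg, "rndc-key.", SECRET, time_signed=now)),
                       ("typo rndc.key", sign(msg, "rndc.key.", SECRET, time_signed=now)),
                       ("gss-tsig name", sign(msg, "rndc-key.", SECRET, algname="gss-tsig.", time_signed=now)),
                       ("wrong secret", sign(msg, "rndc-key.", b"wrong", time_signed=now)),
                       ("unsigned", msg)]:
        print(label, verify(pkt, ring, now=now))
```

Note that the keyring is keyed by an absolute DNS name ("rndc-key.") and looked up case-insensitively: the name in allow-update { key "rndc-key"; } is a DNS name that must match the key statement, not a file on disk, which is the point Blaine makes above.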

