GSS-TSIG and bind 9.6

Doug Barton dougb at dougbarton.us
Thu May 14 16:36:31 UTC 2009


Any reason you have chosen GSS vs. TSIG? Is this for a Windows environment?



On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fraser at gmail.com> wrote:

> Hi All,
> I have been working to get dynamic updates working with bind-9.6 and
> FreeBSD 7. So far I have done the following:
>
> 1. Compiled bind with GSSAPI enabled.
> 2. Added these to named.conf
>
>   options {
>       ...
>         tkey-gssapi-credential "DNS/mydomain.com";
>         ...
>      };
>
> and
>
> zone "mydomain.com" {
>        type master;
>        file "master/mydomain.com";
>         update-policy {
>                 grant MYDOMAIN.COM ms-subdomain * A;
>                  };
>         };
>
> zone "1.168.192.in-addr.arpa" {
>         type master;
>         file "master/1.168.192.in-addr.arpa";
>         update-policy {
>                 grant MYDOMAIN.COM ms-subdomain * PTR;
>                  };
>         };
>
>
> 3. Created a user in AD called binddns and set the password to never expire.
> 4. Used ktpass to create the keytab like this:
>       C:\> ktpass -out krb5.keytab -princ
>       DNS/binddns.mydomain.com at MYDOMAIN.COM -pass * -mapuser
>       binddns at mydomain.com
>
> 5. Copied krb5.keytab to /etc
> 6. At this point I figured I should be done. Reloaded bind but no updates.
>
> I now ran kinit and nsupdate -g from the box
>
> server server.mydomain.com
> zone atlas.local
> debug
> send
>
> and saw the following:
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2310
> ;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0,  
> ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;atlas.local.                   IN      SOA
>
> ;; ANSWER SECTION:
> mydomain.com.            3600    IN      SOA     server.mydomain.com.
> admin.mydomain.com. 715 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> server.mydomain.com. 3600  IN      A       192.168.1.100
>
> Found zone name: mydomain.com
> The master is: server.mydomain.com
> start_gssrequest
> send_gssrequest
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62457
> ;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;575112106.sig-server.mydomain.com.        ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
> 1242311154 3 NOERROR 1243
>
> LOTS OF GIBBERISH
>
> dns_request_getresponse: FORMERR
>
> I still am not, however, seeing the zone files updated or any jnl files.
> Anything else I could do to troubleshoot this?
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
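The quoted setup has three pieces that must agree before a GSS-TSIG update can even be authorised: the principal named in `tkey-gssapi-credential`, the principals actually present in the keytab BIND reads, and the zone that `nsupdate` targets against the zones (and their `update-policy`) declared in named.conf. The following added example is a hypothetical pre-flight checker written for this page; it is not part of BIND, nsupdate or the thread above. It parses a named.conf fragment and a `klist -k`-style keytab listing (both constructed sample strings modelled on the post, not real hosts) and reports mismatches, so a defender can rule out configuration drift before debugging the TKEY exchange itself.

```python
"""Pre-flight consistency check for a BIND GSS-TSIG configuration.

Hypothetical helper written for this page. It cross-checks:
  1. the tkey-gssapi-credential principal appears in the keytab,
  2. the zone nsupdate will send to is declared in named.conf,
  3. that zone carries an update-policy (BIND denies dynamic updates by default).
All inputs below are constructed sample text, not captured from a real server.
"""
import re

# Constructed named.conf fragment, modelled on the quoted post.
SAMPLE_NAMED_CONF = '''
options {
    directory "/etc/namedb";
    tkey-gssapi-credential "DNS/mydomain.com";
};

zone "mydomain.com" {
    type master;
    file "master/mydomain.com";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * A;
    };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * PTR;
    };
};
'''

# Constructed `klist -k /etc/krb5.keytab`-style listing (MIT layout).
SAMPLE_KLIST = '''Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/binddns.mydomain.com@MYDOMAIN.COM
'''


def _block_after(text, start):
    """Return the contents of the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf fragment")


def parse_named_conf(text):
    """Return (credential, {zone_name: has_update_policy})."""
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"\s*;', text)
    credential = m.group(1) if m else None
    zones = {}
    for zm in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        body = _block_after(text, zm.end() - 1)
        zones[zm.group(1).rstrip('.').lower()] = 'update-policy' in body
    return credential, zones


def parse_keytab_listing(text):
    """Principals from klist -k output: lines of '<KVNO> <principal>'."""
    return {m.group(1) for m in re.finditer(r'^\s*\d+\s+(\S+)\s*$', text, re.M)}


def _strip_realm(principal):
    # Compare service/host only; the realm is resolved from krb5.conf at runtime.
    return principal.split('@', 1)[0].lower()


def check_gss_tsig_setup(named_conf, klist_output, nsupdate_zone):
    """Return a list of human-readable findings; empty means the pieces line up."""
    findings = []
    credential, zones = parse_named_conf(named_conf)
    principals = parse_keytab_listing(klist_output)

    if credential is None:
        findings.append("tkey-gssapi-credential is not set in options")
    elif _strip_realm(credential) not in {_strip_realm(p) for p in principals}:
        dns_princs = sorted(p for p in principals if p.upper().startswith('DNS/'))
        findings.append(f"credential {credential!r} has no matching keytab entry; "
                        f"keytab DNS/ principals: {dns_princs}")

    zone = nsupdate_zone.rstrip('.').lower()
    if zone not in zones:
        findings.append(f"nsupdate zone {nsupdate_zone!r} is not declared in named.conf")
    elif not zones[zone]:
        findings.append(f"zone {nsupdate_zone!r} has no update-policy, "
                        "so dynamic updates are denied by default")
    return findings


if __name__ == "__main__":
    for finding in check_gss_tsig_setup(SAMPLE_NAMED_CONF, SAMPLE_KLIST, "atlas.local"):
        print("FINDING:", finding)
```

Run against the constructed inputs it reports two findings: the `DNS/mydomain.com` credential has no keytab entry (the keytab holds `DNS/binddns.mydomain.com@MYDOMAIN.COM`), and `atlas.local` is not a declared zone. Pointing it at a configuration whose credential names the keytab principal and at zone `mydomain.com` returns no findings. The realm is deliberately ignored in the comparison because BIND resolves it from the Kerberos configuration; if your site relies on a non-default realm mapping, compare the full principal instead.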