GSS-TSIG and bind 9.6

Peter Fraser petros.fraser at gmail.com
Thu May 14 16:55:53 UTC 2009


Yes it is.

On Thu, May 14, 2009 at 11:36 AM, Doug Barton <dougb at dougbarton.us> wrote:
> Any reason you have chosen GSS vs. TSIG? Is this for a Windows environment?
>
>
>
> On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fraser at gmail.com> wrote:
>
>> Hi All,
>> I have been working to get dynamic updates working with bind-9.6 and
>> FreeBSD 7. So far I have done the following:
>>
>> 1. Compiled bind with GSSAPI enabled.
>> 2. Added these to named.conf
>>
>>  options {
>>      ...
>>      tkey-gssapi-credential "DNS/mydomain.com";
>>      ...
>>  };
>>
>> and
>>
>> zone "mydomain.com" {
>>      type master;
>>      file "master/mydomain.com";
>>      update-policy {
>>          grant MYDOMAIN.COM ms-subdomain * A;
>>      };
>> };
>>
>> zone "1.168.192.in-addr.arpa" {
>>      type master;
>>      file "master/1.168.192.in-addr.arpa";
>>      update-policy {
>>          grant MYDOMAIN.COM ms-subdomain * PTR;
>>      };
>> };
>>
>>
>> 3. Created a user in AD called binddns and set the password to never
>> expire.
>> 4. Used ktpass to create the keytab like this:
>>      C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser binddns@mydomain.com
>>
>> 5. Copied krb5.keytab to /etc
>> 6. At this point I figured I should be done. Reloaded bind, but no updates.
>>
>> I then ran kinit and nsupdate -g from the box:
>>
>> server server.mydomain.com
>> zone atlas.local
>> debug
>> send
>>
>> and saw the following:
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2310
>> ;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;atlas.local.                   IN      SOA
>>
>> ;; ANSWER SECTION:
>> mydomain.com.            3600    IN      SOA     server.mydomain.com.
>> admin.mydomain.com. 715 900 600 86400 3600
>>
>> ;; ADDITIONAL SECTION:
>> server.mydomain.com. 3600  IN      A       192.168.1.100
>>
>> Found zone name: mydomain.com
>> The master is: server.mydomain.com
>> start_gssrequest
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62457
>> ;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;575112106.sig-server.mydomain.com.        ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
>> 1242311154 3 NOERROR 1243
>>
>> LOTS OF GIBBERISH
>>
>> dns_request_getresponse: FORMERR
>>
>> I am still not, however, seeing the zone files updated or any .jnl files.
>> Anything else I could do to troubleshoot this?
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
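The set-up quoted above hinges on three names agreeing: the principal named in `tkey-gssapi-credential`, the principals actually stored in the keytab named reads, and the SPN a Windows or `nsupdate -g` client asks the KDC for, which is `DNS/<master FQDN>@<REALM>` (the master being the host nsupdate prints after "The master is:"). The POSIX sh script below is an added example, not code from this thread or from ISC; it cross-checks those three names so a mismatch is caught before digging into TKEY debug output. The `named.conf` fragment and keytab listing it parses are constructed samples modelled on the post, and the function names (`credential_from_conf`, `principal_in_keytab`, `master_spn_in_keytab`, `run_checks`) are this example's own. The keytab parser only reads the last whitespace-separated field of each line, so it works on the output of MIT `klist -kt` and of Heimdal `ktutil -k <keytab> list` (the Kerberos in the FreeBSD base system) without caring about their different header columns.

```shell
#!/bin/sh
# Added example: cross-check the three names that must agree for GSS-TSIG.
# All inputs below are constructed samples, not the poster's real files.
#
#  1. the principal named in named.conf's tkey-gssapi-credential
#  2. the principals actually present in the keytab (klist -kt / ktutil list)
#  3. the SPN a client requests: DNS/<master FQDN>@<REALM>

# Constructed named.conf fragment, laid out like the one in the thread.
SAMPLE_NAMED_CONF='options {
        tkey-gssapi-credential "DNS/mydomain.com";
};'

# Constructed keytab listing. Only the last field (the principal) is parsed,
# so the header columns of MIT klist -kt or Heimdal ktutil list do not matter.
SAMPLE_KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   3 05/14/09 10:00:00 DNS/binddns.mydomain.com@MYDOMAIN.COM'

# Print the credential named in a named.conf read from stdin (first match).
credential_from_conf() {
    sed -n 's/.*tkey-gssapi-credential[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print every DNS/ principal found in a keytab listing read from stdin.
dns_principals_from_keytab() {
    awk '$NF ~ /^DNS\// { print $NF }' | sort -u
}

# Append @REALM to a principal that carries no realm part.
qualify_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# Exit 0 if principal $1 (qualified with realm $2) is in keytab listing $3.
principal_in_keytab() {
    want=$(qualify_principal "$1" "$2")
    printf '%s\n' "$3" | dns_principals_from_keytab | grep -qxF "$want"
}

# Exit 0 if the keytab holds DNS/<master>@REALM, the SPN clients ask for.
master_spn_in_keytab() {
    principal_in_keytab "DNS/$1" "$2" "$3"
}

# Run both checks: conf text, keytab listing, master FQDN, Kerberos realm.
run_checks() {
    conf="$1"; keytab="$2"; master="$3"; realm="$4"
    cred=$(printf '%s\n' "$conf" | credential_from_conf)
    status=0
    if [ -z "$cred" ]; then
        echo "no tkey-gssapi-credential in named.conf"; status=1
    elif principal_in_keytab "$cred" "$realm" "$keytab"; then
        echo "ok: $cred is in the keytab"
    else
        echo "MISMATCH: tkey-gssapi-credential $cred is not in the keytab"; status=1
    fi
    if master_spn_in_keytab "$master" "$realm" "$keytab"; then
        echo "ok: keytab has DNS/$master@$realm"
    else
        echo "MISSING: keytab has no DNS/$master@$realm (the SPN clients request)"; status=1
    fi
    return "$status"
}

# Stand-alone run against the constructed samples.
if run_checks "$SAMPLE_NAMED_CONF" "$SAMPLE_KEYTAB_LIST" server.mydomain.com MYDOMAIN.COM; then
    echo "GSS-TSIG names are consistent"
else
    echo "fix the names reported above before reading TKEY debug output"
fi
```

On a live server, feed `run_checks` the real `named.conf`, the output of `klist -kt /etc/krb5.keytab` (MIT) or `ktutil -k /etc/krb5.keytab list` (Heimdal), the master name nsupdate reports, and the AD realm in upper case; Kerberos realm names are case-sensitive, so `MYDOMAIN.COM` and `mydomain.com` are different principals to the KDC. A clean result from this check does not prove updates will work (the keytab's KVNO must also match the account's current key version in AD, and `update-policy` still decides what the authenticated principal may change), but a failure here explains most TKEY negotiations that never get as far as a signed update.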