Dynamic Update Policy.....

Gary Greene ggreene at minervanetworks.com
Mon Apr 1 15:47:01 UTC 2013


From: Chris Buxton [clists at buxtonfamily.us]
Sent: Saturday, March 30, 2013 08:23 PM
To: Gary Greene
Cc: bind-users at lists.isc.org
Subject: Re: Dynamic Update Policy.....

> On Mar 28, 2013, at 4:03 PM, Gary Greene wrote:
>
>> I'm trying to get bind to use ddns updates for our environment, however I'm getting errors in the logs on the
>> system that the host is being denied from making the changes.
>>
>> Currently, I'm only allowing certain hosts to update their records, as a test.
>>
>> The stanza for update-policy follows:
>>
>>     zone "minervanetworks.com" {
>>         type master;
>>         notify yes;
>>         update-policy {
>>             grant ggreene-imac$@MINERVANETWORKS.COM ms-self * A;
>>             grant cvallejo-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>>             grant cvallejo-test-w7-lt$@MINERVANETWORKS.COM ms-self * A;
>>         };
>>         file "/etc/named.d/minervanetworks.zone";
>>         check-names ignore;
>>     };
>>
>> The error I see in the logs:
>> Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal: update 'minervanetworks.com/IN' denied
> 
> That log message is normal.
>
> If you want to use GSS-TSIG, that's not going to work. I don't have a complete step-by-step of what's required, but 
> at a minimum:
>
> - Don't use ms-self.
> - Do create a user account in AD with a service principal name that matches the hostname of the master name 
> server as advertised in the SOA and NS records, prefixed by "DNS/". For example, 
> "DNS/ns1.minervanetworks.com at MINERVANETWORKS.COM". Without this, GSS-TSIG will not be attempted.
> - Do not be concerned by the denied update. Every attempt to update will go something like this:
>
> 1. SOA query for name to be updated, to recursion server.
> 2. Address lookup for server listed in SOA record, to recursion server.
> 3. Insecure DDNS update message to server listed in SOA record. [denied]
> 4. TKEY query to server listed in SOA record, to establish a single-use shared key.
> 5. Signed update message to server listed in SOA record. [approved or denied, according to policy]
>
>> The reverse zones work, as they are setup to allow dhcpd to make the changes (and they work correctly), 
>> however the forward zone does not.
>
> At a guess, you're not using GSS-TSIG for reverse record updates, correct?

That is correct. I'm just using normal TSIG pre-genned keys for the reverse zones handled by dhcpd.

> Is there a reason not to have DHCP update the host records as well as the reverse?

The overriding reason that we wish to use GSS-TSIG is because we have a number of devices on the network we _don't_ want in DNS (iPads, iPhones, Android devices, etc.) that all get their IP info from the same DHCP server. Internally (and externally) most devices use only the minervanetworks.com domain, with rare sub-domain exceptions. While it would likely be good to move some stuff to a sub-domain, doing so would pose significant work (moving hosts to a subdomain in AD is not trivial.)

I was hoping to get ms-self to work, as it seemed it would require the least amount of work overall....

--
Gary L. Greene, Jr.
Sr. Systems Administrator
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
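Added example, not from the thread or from ISC: a named.conf fragment that follows the advice above (drop the ms-self rules, keep GSS-TSIG, and grant each machine account only its own forward record). The signer identity for a GSS-negotiated key is the Kerberos principal, so the three machine principals from the posted stanza are reused verbatim; the `name` rule then matches the record name exactly. The keytab path is an assumption, and the keytab must contain the DNS/ns1.minervanetworks.com service principal that Chris describes, or named never reaches the TKEY step.

```conf
// Example configuration, not part of the original post.
// Assumes BIND 9.8+ (tkey-gssapi-keytab) and that named can read the keytab.

options {
    // Keytab holding DNS/ns1.minervanetworks.com@MINERVANETWORKS.COM.
    // The path below is an assumption for this example.
    tkey-gssapi-keytab "/etc/named.keytab";
};

zone "minervanetworks.com" {
    type master;
    notify yes;
    file "/etc/named.d/minervanetworks.zone";
    check-names ignore;
    update-policy {
        // Identity = machine account principal negotiated via TKEY/GSS-TSIG.
        // "name" = exact match on the record name, so each host can change
        // only its own A record and nothing else in the zone. The unsigned
        // first attempt in the exchange Chris describes is still denied;
        // only the signed update after TKEY is checked against these rules.
        grant "ggreene-imac$@MINERVANETWORKS.COM"        name ggreene-imac.minervanetworks.com        A;
        grant "cvallejo-w7-lt$@MINERVANETWORKS.COM"      name cvallejo-w7-lt.minervanetworks.com      A;
        grant "cvallejo-test-w7-lt$@MINERVANETWORKS.COM" name cvallejo-test-w7-lt.minervanetworks.com A;
    };
};
```

To check the server side, confirm the keytab carries the DNS/ principal with `klist -k /etc/named.keytab` (substituting the real path), and test from a host with a valid Kerberos ticket using `nsupdate -g`, which performs the TKEY negotiation before sending the signed update. A denied line for the initial unsigned attempt is expected; the signed attempt is the one whose result reflects the policy.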