GSS-TSIG updates from Windows clients

John Miller johnmill at brandeis.edu
Tue May 6 17:34:52 UTC 2014


Thanks to both Mark and Nicholas for the help.  Unfortunately, still not 
able to get this working (BIND 9.8.2 (RHEL 6) & AD 2008R2).  It's a case 
of AD negotiating a TKEY (successfully), then reverting back to unsigned 
updates.  If an update's not signed, doesn't matter what your 
update-policy statements look like.

We're just going to continue with unsigned updates (or manual-only 
updates).  I'd still like to solve the problem, but probably won't go 
into production with it.

Some possible insight in the comments of:

http://netlinxinc.com/netlinx-blog/45-dns/136-how-to-implement-gss-tsig-on-isc-bind.html

"Windows 7 and Windows 2008 R2 have changed their behavior in regards to 
dynamic updates and how they send signed updates to BIND DNS servers. 
These new operating systems will first send an “unsigned” update to a 
DNS server and will only revert to a “signed” update if there is 
additional information provided in the response DNS message. Earlier 
operating systems would automatically revert to signed updates as the 
next sequence in the dynamic update process. Current versions of BIND 9 
do not place the additional header information in the response package, 
so the Windows 7 and 2008 servers will not revert. There is a patch that 
you can apply (manually) and re-compile that works."

Evidently AD expects additional records in the TKEY response, otherwise 
we see the behavior I'm seeing.  I've attached a pcap of a sample TKEY 
response and a sample unsigned update rejection; if any of you have this 
working, would you mind listing your BIND and AD versions, as well as 
posting some sample packet output?  I'd be curious to see how our 
environment differs from yours.

John



On 05/06/2014 10:15 AM, Nicholas F Miller wrote:
> You might try changing your update-policy from:
>
> grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
> grant * zonesub ANY;
>
> to
>
> grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
> grant LAB.BRANDEIS.EDU zonesub ANY;
>
> I’m not positive this is the proper syntax since we don’t use the zonesub option. We use the ms-subdomain and krb5-subdomain options:
>
> grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
> grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;
>
> _________________________________________________________
> Nicholas Miller, OIT, University of Colorado at Boulder
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tkey_no_addl.pcap
Type: application/vnd.tcpdump.pcap
Size: 388 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140506/6b5a05e0/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_refused.pcap
Type: application/vnd.tcpdump.pcap
Size: 123 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140506/6b5a05e0/attachment-0003.bin>
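Since the thread turns on whether the UPDATE that follows the TKEY exchange carries a TSIG RR at all, the following check walks the DNS wire format of an update payload (for example one exported from a pcap like those attached) and reports whether a TSIG record closes the message and which key name it names. It is an added example, not code from this post or from BIND; `build_update`, the zone contents, `key1.lab.brandeis.edu` and the all-zero MAC are constructed sample data, and the check only detects the presence of a TSIG RR, not whether its MAC verifies, which needs the negotiated GSS key and is named's job.

```python
import struct
OPCODE_UPDATE, TYPE_TSIG = 5, 250                       # RFC 2136 opcode, RFC 2845 RR type

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer: follow it
            end = end or off + 2                         # message resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def rr_wire(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def inspect_update(msg):
    """Return (is_update, tsig_key_name); the key name is None if no TSIG RR ends the message."""
    _, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(zocount):                             # zone section: name + type + class
        _, off = read_name(msg, off)
        off += 4
    last_name = last_type = None
    for _ in range(prcount + upcount + adcount):         # remaining RRs; TSIG must be last
        last_name, off = read_name(msg, off)
        last_type, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    signer = last_name if last_type == TYPE_TSIG else None
    return (flags >> 11) & 0xF == OPCODE_UPDATE, signer

def build_update(signed):
    """Constructed sample UPDATE for lab.brandeis.edu; the TSIG MAC is a zero placeholder."""
    header = struct.pack("!HHHHHH", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 1 if signed else 0)
    zone = encode_name("lab.brandeis.edu") + struct.pack("!HH", 6, 1)          # SOA IN
    msg = header + zone + rr_wire("host1.lab.brandeis.edu", 1, 1, 3600, bytes([10, 0, 0, 5]))
    if signed:                                           # alg, time(48b), fudge, mac, id, err, other
        rdata = (encode_name("gss-tsig") + b"\x00" * 6 + struct.pack("!HH", 300, 16)
                 + b"\x00" * 16 + struct.pack("!HHH", 0x1234, 0, 0))
        msg += rr_wire("key1.lab.brandeis.edu", TYPE_TSIG, 255, 0, rdata)
    return msg
```

Run `inspect_update` over the DNS payload of each REFUSED update in a capture: an answer of `(True, None)` is exactly the "negotiated a TKEY, then sent it unsigned" case, which no update-policy grant can admit.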
