GSS-TSIG updates from Windows clients
John Miller
johnmill at brandeis.edu
Tue May 6 17:34:52 UTC 2014
Thanks to both Mark and Nicholas for the help. Unfortunately, I'm still not
able to get this working (BIND 9.8.2 (RHEL 6) & AD 2008R2). It's a case
of AD negotiating a TKEY (successfully), then reverting back to unsigned
updates. If an update's not signed, it doesn't matter what your
update-policy statements look like.
We're just going to continue with unsigned updates (or manual-only
updates). I'd still like to solve the problem, but probably won't go
into production with it.
Some possible insight in the comments of:
http://netlinxinc.com/netlinx-blog/45-dns/136-how-to-implement-gss-tsig-on-isc-bind.html
"Windows 7 and Windows 2008 R2 have changed their behavior in regards to
dynamic updates and how they send signed updates to BIND DNS servers.
These new operating systems will first send an “unsigned” update to a
DNS server and will only revert to a “signed” update if there is
additional information provided in the response DNS message. Earlier
operating systems would automatically revert to signed updates as the
next sequence in the dynamic update process. Current versions of BIND 9
do not place the additional header information in the response package,
so the Windows 7 and 2008 servers will not revert. There is a patch that
you can apply (manually) and re-compile that works."
Evidently AD expects additional records in the TKEY response, otherwise
we see the behavior I'm seeing. I've attached a pcap of a sample TKEY
response and a sample unsigned update rejection; if any of you have this
working, would you mind listing your BIND and AD versions, as well as
posting some sample packet output? I'd be curious to see how our
environment differs from yours.
John
On 05/06/2014 10:15 AM, Nicholas F Miller wrote:
> You might try changing your update-policy from:
>
> grant johnmill-dnstest at LAB.BRANDEIS.EDU zonesub ANY;
> grant * zonesub ANY;
>
> to
>
> grant johnmill-dnstest at LAB.BRANDEIS.EDU zonesub ANY;
> grant LAB.BRANDEIS.EDU zonesub ANY;
>
> I’m not positive this is the proper syntax since we don’t use the zonesub option. We use the ms-subdomain and krb5-subdomain options:
>
> grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
> grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;
>
> _________________________________________________________
> Nicholas Miller, OIT, University of Colorado at Boulder
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tkey_no_addl.pcap
Type: application/vnd.tcpdump.pcap
Size: 388 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140506/6b5a05e0/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_refused.pcap
Type: application/vnd.tcpdump.pcap
Size: 123 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140506/6b5a05e0/attachment-0003.bin>
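The symptom described in this thread (a TKEY exchange completes, the client then sends an unsigned UPDATE, and the server answers REFUSED) is easiest to confirm by looking at the raw DNS messages rather than at the update-policy. The following is an added example, not from the poster, ISC or netlinxinc: a small DNS wire-format parser that reports, for each message, whether it is a TKEY negotiation, whether an UPDATE carries a TSIG record in its additional section, the RCODE, and the ARCOUNT (the "additional records" the quoted blog post says the TKEY response must contain). The packets it inspects are constructed inline with placeholder names (lab.example.test and so on); it does not read the attached pcaps. To use it on a real capture, extract the UDP payload (or the TCP payload minus its two-byte length prefix) and pass the bytes to `classify`.

```python
"""Classify raw DNS messages: TKEY negotiation, signed (TSIG) or unsigned
UPDATE, RCODE and ARCOUNT.  Added example for this thread, not the poster's
pcaps; all sample packets below are constructed inline."""
import struct

TYPE_TKEY, TYPE_TSIG = 249, 250          # RFC 2930 / RFC 2845 meta-RR types
OPCODE_NAMES = {0: "QUERY", 5: "UPDATE"}
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> uncompressed wire format; raw bytes pass through untouched."""
    if isinstance(name, bytes):
        return name
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if jumped else off


def skip_rr(msg, off, question=False):
    """Parse one question entry or RR; return (rrtype, offset after it)."""
    _, off = decode_name(msg, off)
    rrtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                      # TYPE + CLASS
    if not question:
        rdlength = struct.unpack("!H", msg[off + 4:off + 6])[0]
        off += 6 + rdlength                       # TTL + RDLENGTH + RDATA
    return rrtype, off


def classify(msg):
    """Describe one DNS message: opcode, rcode, TKEY question?, TSIG-signed?"""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"id": ident, "response": bool(flags >> 15),
            "opcode": OPCODE_NAMES.get((flags >> 11) & 0xF, "OTHER"),
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "arcount": ar, "tkey": False, "signed": False}
    off = 12
    for _ in range(qd):
        rrtype, off = skip_rr(msg, off, question=True)
        info["tkey"] |= rrtype == TYPE_TKEY
    last = None
    for _ in range(an + ns + ar):
        last, off = skip_rr(msg, off)
    info["signed"] = ar > 0 and last == TYPE_TSIG  # TSIG must be the final additional RR
    return info


def build(ident, opcode, response, rcode, qname, qtype, answer=(), additional=()):
    """Assemble a minimal wire message (one question; RR tuples are (name, type, rdata))."""
    flags = (int(response) << 15) | (opcode << 11) | rcode
    msg = struct.pack("!6H", ident, flags, 1, len(answer), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rrtype, rdata in list(answer) + list(additional):
        msg += encode_name(name) + struct.pack("!HHIH", rrtype, 255, 0, len(rdata)) + rdata
    return msg


# Constructed samples; names and rdata are placeholders, not real captures.
ZONE = "lab.example.test."
TKEY_NAME = "1234.sig-dc01.lab.example.test."
SAMPLES = {
    # TKEY answer with an empty additional section (the shape the poster describes)
    "tkey_response_no_addl": build(0x1001, 0, True, 0, TKEY_NAME, TYPE_TKEY,
                                   answer=[(TKEY_NAME, TYPE_TKEY, b"constructed-tkey-rdata")]),
    # UPDATE with nothing in the additional section: unsigned
    "unsigned_update": build(0x1002, 5, False, 0, ZONE, 6),
    # UPDATE whose last additional RR is a TSIG (its name is a pointer to the zone name)
    "signed_update": build(0x1003, 5, False, 0, ZONE, 6,
                           additional=[(b"\xc0\x0c", TYPE_TSIG, b"constructed-tsig-rdata")]),
    # Server reply to the unsigned UPDATE: REFUSED
    "update_refused": build(0x1002, 5, True, 5, ZONE, 6),
}


def summarize(msg):
    """One-line verdict suitable for eyeballing a capture."""
    i = classify(msg)
    kind = "TKEY" if i["tkey"] else i["opcode"]
    sig = "signed" if i["signed"] else "unsigned"
    return f"{'resp' if i['response'] else 'req '} {kind:6} {sig} rcode={i['rcode']} arcount={i['arcount']}"


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:24} {summarize(pkt)}")
```

Two things to read off the output when run against a real exchange: the TKEY response's ARCOUNT (zero is the "no additional records" case the thread is about), and whether the UPDATE that follows is marked signed. An UPDATE reported as unsigned will be refused by any `update-policy` that only grants via TSIG or GSS-TSIG identities, regardless of how the grant lines are written.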