Secure Active Directory updates and allow-update-forwarding issues
Nagesh Thati
tcpnagesh at gmail.com
Tue Jan 19 11:23:07 UTC 2021
Hi,

I am getting "update failed" on the master DNS appliance when I am using
allow-update-forwarding:

updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)
example.com is an Active Directory-enabled zone which has one master and one
slave. The master appliance is hidden, so Active Directory sends updates to the
slave appliance using the MNAME specified in the zone's SOA record.
master (10.1.10.203) named.conf:

tkey-gssapi-keytab "/etc/krb5.keytab";   (in the options section; the keytab file is in /etc)

zone "_msdcs.example.com" IN {
    type master;
    file "/var/named/zones/masters/db._msdcs.example.com";
    allow-transfer { 10.1.10.144; };
    also-notify { 10.1.10.144; };
    notify explicit;
    update-policy { grant * subdomain _msdcs.example.com. ANY; };
    check-names ignore;
    zone-statistics yes;
};

slave (10.1.10.144) named.conf:

zone "_msdcs.example.com" IN {
    type slave;
    file "/var/named/zones/slaves/db._msdcs.example.com";
    allow-notify { 10.1.10.203; };
    masters {
        10.1.10.203;
    };
    check-names ignore;
    zone-statistics yes;
    allow-update-forwarding { 10.1.10.158; };
};

10.1.10.158 - AD server
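Independent of the forwarding problem, the master's update-policy above uses "*" as the grant identity, so any principal the server can authenticate by GSS-TSIG may change any record under _msdcs.example.com. The following is an added example, not the poster's configuration, showing the same zone restricted to Windows machine accounts; it assumes the AD Kerberos realm is EXAMPLE.COM.

```conf
// Added example, not taken from the post above.
// Assumption: the Active Directory Kerberos realm is EXAMPLE.COM.

// Original rule (any authenticated principal, any name under _msdcs):
//   update-policy { grant * subdomain _msdcs.example.com. ANY; };

// Tightened rule: the "ms-subdomain" nametype matches only Windows
// machine principals (host$@EXAMPLE.COM), which is what domain
// controllers authenticate as when registering their SRV records,
// and limits them to names under _msdcs.example.com.
zone "_msdcs.example.com" IN {
    type master;
    file "/var/named/zones/masters/db._msdcs.example.com";
    allow-transfer { 10.1.10.144; };
    also-notify { 10.1.10.144; };
    notify explicit;
    update-policy {
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
    };
};
```

Updates that do not carry a valid GSS-TSIG signature from a machine account in that realm are then logged with the same "rejected by secure update (REFUSED)" message, which makes the log line useful as a detection point rather than just an error.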