Windows 2003 AD
Norman Zhang
norman.zhang at rd.arkonnetworks.com
Mon Sep 13 21:25:31 UTC 2004
Elzey, Blaine A (Blaine) wrote:
> I believe you can use keys, but you have to statically configure the keys and servers/clients in order to use this type of restriction. See the BIND9 documentation on allow-update and address_match_list_element. (The last post is correct in that you do not specify a key file, but a key name (that has been defined elsewhere in the named.conf with a key statement.) If you want to allow secure dynamic updates with GSS-TSIG (from MS clients), you will need MS-DNS or Lucent DNS.
named.conf does contain rndc-key (sorry, I now realize I made a typo in
my original post: "rndc.key" should be "rndc-key").
I have ISC's DHCP installed on the same box, so I guess I don't need to
change allow-update to IP addresses?
// TSIG key shared with rndc; the secret must be the same as in /etc/rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "8mTgBumsU7SEaYkDvE2RvW9q1TJe6sRbBVYUtwPQCdg/CHV/vSWkJ1K2pOGM";
};

// rndc control channel: listens on the loopback address only and requires rndc-key
controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};
Regards,
Norman
> -----Original Message-----
> From: Vinny Abello
>
> You're better off asking in a Windows 2003 group, but I can tell you the
> reason is because your Windows machine is trying to do a secure dynamic
> update and BIND doesn't understand it. This has nothing to do with rndc.
>
> allow-update should have IP addresses in it, not a key file.
>
> At 03:02 PM 9/13/2004, Norman Zhang wrote:
>>I'm trying to set up Windows 2003 AD with Bind 9.2.3-6mdk running on
>>Mandrake 10.0. But I get the following error message during setup for AD,
>>
>>The primary DNS server tested was: ns.hq.arkonnetworks.com (10.1.1.1)
>>
>>The zone was: hq.arkonnetworks.com
>>
>>The test for dynamic DNS update support returned: "DNS bad key." (error
>>code 0x00002339 RCODE_BADKEY)
>>
>>In named.conf, I have
>>
>>zone "hq.arkonnetworks.com" {
>> type master;
>> file "db.hq.arkonnetworks.com";
>> allow-update {key rndc.key; };
>>};
>>
>>Does this mean rndc.key is not recognized in Windows 2003? Is there a
>>way I can fix this?
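The mismatch in this thread (a zone's allow-update naming "rndc.key" while the key statement defines "rndc-key") is easy to catch before reloading named. The following is an added example, not code from the thread or from ISC: a simplified named.conf checker (regex-based, not a full parser; the config fragment and the example.test zone names are constructed) that lists every allow-update key reference with no matching key statement.

```python
import re

# Constructed named.conf fragment for the demo (not a real configuration).
# The first zone reproduces the thread's typo: it references "rndc.key"
# while the key statement defines "rndc-key".
SAMPLE_NAMED_CONF = """
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};
zone "hq.example.test" {
    type master;
    file "db.hq.example.test";
    allow-update { key rndc.key; };
};
zone "lab.example.test" {
    type master;
    file "db.lab.example.test";
    allow-update { key "rndc-key"; 10.1.1.1; };
};
"""

# Top-level key statements: key "name" { ... };  (quotes are optional in BIND)
KEY_DEF_RE = re.compile(r'^\s*key\s+"?([^"\s{]+)"?\s*\{', re.M)
# zone "name" { ... };  with the closing brace at column 0
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}', re.S)
# key NAME; entries inside an address_match_list
KEY_REF_RE = re.compile(r'\bkey\s+"?([^";\s]+)"?')


def defined_keys(conf: str) -> set:
    """Names introduced by key statements in the configuration text."""
    return set(KEY_DEF_RE.findall(conf))


def check_allow_update(conf: str) -> dict:
    """Map each zone that has allow-update to the key names it references
    that no key statement defines. An empty list means the zone is consistent."""
    known = defined_keys(conf)
    problems = {}
    for zone_name, body in ZONE_RE.findall(conf):
        match = ALLOW_UPDATE_RE.search(body)
        if not match:
            continue
        refs = KEY_REF_RE.findall(match.group(1))
        problems[zone_name] = [name for name in refs if name not in known]
    return problems


if __name__ == "__main__":
    for zone, missing in check_allow_update(SAMPLE_NAMED_CONF).items():
        print(zone, "undefined keys:" if missing else "ok", *missing)
```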