
First, has anyone EVER configured ISC bind 9.5.0 OR greater with support for GSS-TSIG Dynamic DNS Updates AND gotten it to work? If so, what is the configuration that was used to make that happen?

I feel close to having this working. I see that GSS cred passes w/o apparent error during the TKEY negotiation with an Active Directory DC and the BIND DNS server:

client 192.168.0.30#52314: query gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967256
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#52314: send

But, when the Update is sent, it is refused:

client 192.168.0.30#58330: update
client 192.168.0.30#58330: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
client 192.168.0.30#58330: send

Does anyone have this working in the real world?

Mike Pennington
netlinxman
  • Perhaps i should have phrased it: "Is it popular to configure ISC BIND to support GSS-TSIG Updates?" - I think I know what the answer is based upon the # of views, replies, and answers. – netlinxman Sep 09 '10 at 12:41
  • have you ever done the Part 2 of your guide? Your documentation about this issue related here is very good: http://netlinxinc.com/netlinx-blog/45-dns/136-how-to-implement-gss-tsig-on-isc-bind.html – Vinícius Ferrão Aug 06 '14 at 00:57
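The "rejected by secure update (REFUSED)" line is what named logs when the update arrived with a valid TSIG/GSS signature but the signer's identity (here DC1$@EXAMPLE.COM) matched no grant in the zone's update-policy, so the TKEY negotiation succeeding and the update being refused are not contradictory. The fragment below is an added example of the pieces that have to line up, written for this answer and not taken from the original post, the Samba wiki or ISC; the host name dns1.example.com, realm EXAMPLE.COM, DC principal DC1$@EXAMPLE.COM and keytab path /etc/named/dns.keytab are assumptions carried over from the log above.

```conf
// named.conf fragment (added example; names and paths are assumed, see above).
options {
    directory "/var/named";

    // Service principal named acquires credentials for. It must exist in the
    // keytab and matches the "query gss cred" line in the log above.
    tkey-gssapi-credential "DNS/dns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";

    // tkey-gssapi-keytab is a BIND 9.7+ option. Builds of 9.5/9.6 have no such
    // option and read the keytab named by the KRB5_KTNAME environment variable
    // of the named process instead (export it in the init script).
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";

    // update-policy and allow-update are mutually exclusive for one zone;
    // with allow-update present, GSS-signed updates are never evaluated here.
    update-policy {
        // Any machine account host$@EXAMPLE.COM may update A/AAAA records for
        // host.example.com only (the realm in the identity field is what is
        // matched; the principal name is mapped to the host name).
        grant EXAMPLE.COM ms-self example.com. A AAAA;

        // A domain controller also registers the domain's own A records and the
        // _ldap._tcp/_kerberos SRV records under _msdcs etc., which ms-self does
        // not cover. Grant the DC principal the whole zone explicitly.
        grant "DC1$@EXAMPLE.COM" subdomain example.com. ANY;
    };
};
```

To check the policy rather than the DC, run nsupdate -g from a host with a Kerberos ticket for a machine principal in the realm (kinit -k with that host's keytab, then send an update for its own A record); a REFUSED on that path with "rejected by secure update" in the named log again means the identity in the grant lines does not match the principal the client is presenting, which the "gss-api source name (accept)" log line shows verbatim.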

1 Answer


I actually managed to get dynamic updates to work using a patch provided by the samba 4 team.

http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates

There seem to be issues with the version of Windows running and its method of doing dynamic updates.

If you're trying to do the same outside of a samba4 domain... your next-best-bet is to try & follow the howto here:

http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG

I'm sorry if I don't have more info on that subject.

TheCompWiz
  • Good and interesting read on the samba4 link. I will try bits from that such as the env variables for the keytab file. The wiki page of the first link is somewhat sketchy since it doesn't detail the version of BIND, and/or the Kerberos/GSSAPI bits that are required. When you set it up, which version of BIND did you use and what was the OS platform? RE: the second URL, I have read that FreeIPA site docs as well and found it somewhat useful in getting an example of the "update-policy" directive. Still stumped. And still looking for evidence. Thank you for your response. – netlinxman Sep 03 '10 at 22:17