TSIG DDNS and windows clients

[Pete Fry]

All

I've inherited a BIND environment and i'm trying to understand a few things as currently we are experiences an issue related to DDNS.

we have 

site 1

hostA

site 2

hostB

We have a HArecord, and we want HostA or HostB to be able to update the HArecord (i.e. failover cluster type configuration)

config:

Zone file:

zone "TEST" {
    check-names ignore;
    type master;
    file "/var/named/dynamic/TEST";
    allow-update {
        auth-dns;
        dynamic-TEST;
    };
};

lists.conf

acl dynamic-update-ads {
   192.168.2.1 // hostA
   192.168.5.1 // hostB
   dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
   // any host which is not..
   !{
      // not in the new acls
      !dynamic-test-site1;
      !dynamic-test-site2;
      any;
   };
   // but has the key
   key TEST-key;
};


acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

[Bob Harold]

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {

   key TEST-key;
};

And see if that works.

 

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me.  Is that a legal syntax?  And if so, what does it mean?

-- 

Bob Harold

[Ben Croswell]

Is it possible the clients are trying to do kerberos  GSS-TSIG updates?

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank

Regards

Cade

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

[Pete Fry]

Bob

thanks for the reply and the correction ( the acl dones't have a ! it was a cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update 

Regards

Pete 

On Tue, 12 May 2020 at 13:40, Bob Harold <rhar...@umich.edu> wrote:

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {

   key TEST-key;
};

And see if that works.

 

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me.  Is that a legal syntax?  And if so, what does it mean?

-- 

Bob Harold

 

however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?

[Bob Harold]

On Wed, May 13, 2020 at 3:20 AM Pete Fry <cade...@googlemail.com> wrote:

Bob

thanks for the reply and the correction ( the acl dones't have a ! it was a cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update 

Regards

Pete 

Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.  Not sure how or if that can be solved.

-- 

Bob Harold

[Grant Taylor]

On 5/13/20 6:29 AM, Bob Harold wrote:
> Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
> not regular TSIG.  Not sure how or if that can be solved.

I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/



--
Grant. . . .
unix || die

[Bob Harold]

Thanks for the link.  Lots of pieces to get working there.  Not nearly as simple as TSIG.  But good if you are already using Kerberos.

-- 

Bob Harold

 

[Paul Ebersman]

rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS active directory is kerberos under the hood. You don't need to run a
classic mit/hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.

[Pete Fry]

Bob

after a few wireshark sessions etc we have identified this issue is due to NAT from one of the sites we are sorting this out now and hopefully it should fix

thanks for your help

On Wed, 13 May 2020 at 13:30, Bob Harold <rhar...@umich.edu> wrote:

On Wed, May 13, 2020 at 3:20 AM Pete Fry <cade...@googlemail.com> wrote:

Bob

thanks for the reply and the correction ( the acl dones't have a ! it was a cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm trying to figure out how to get the windows machines to do the same and was trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update 

Regards

Pete 

Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.  Not sure how or if that can be solved.