Thank you for your answer.
By default authenticated users (domain members) are able to update their records if the zone allows "secure only" DNS updates on a Windows DNS server. So this is fine...
I'm wondering if someone could have ever sent a successful secure DNS update via NSUPDATE against a Windows Server.
Thanks in advance.
Best Regards,
Arpad
Mark Andrews <Mark_A...@isc.org> wrote:
>
> In message <freemail.20080...@fm17.freemail.hu>, arpad bind writes
> :
> > Hello,
> >
> >
> > I have a problem with secure update via BIND 9.5 against Windows 2003 SP2 Dynamic DNS service. The DNS server is rejecting the updates. (Secure updates from MS clients work fine.)
> >
> >
> >
> > I did these steps:
> >
> > * GSS support was compiled (compiler gcc)
> >
> > * linked against AIX 5.3 Kerberos libraries and MIT Kerberos 1.6.3 (with none of them it works)
> >
> > - update is tried as domain admin, and option '-o' activates the Microsoft implementation of GSS protocol
> >
> > #> kinit
> >
> > #> nsupdate -o
> >
> > > update add test123.test.hu 86400 A 10.144.164.100
> >
> > > send
> >
> > - DNS server replies with:
> >
> > ; TSIG error with server: tsig verify failure
> >
> > update failed: REFUSED
> >
> > In the network trace I see that the TKEY is negotiated successfully but the
> > update will be refused.
> >
> > Could someone help me please how to set up secure DDNS against Windows DNS via NSUPDATE?
> >
> > Thanks in advance.
> >
> > Best Regards,
> >
> > Arpad
>
> That's a matter of finding the right Windows documentation
> which describes how to allow a particular principal to update
> the DNS. When you find it please let us know.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
>
BIND 9.5 includes GSS-TSIG support both in named and in nsupdate. The
main effort was on getting named to work in the server role in
environments like Active Directory that require GSS-TSIG support;
nsupdate also works when talking to named, because it would be silly
for it not to. named works as the nameserver in an active directory
environment with this configuration, Windows clients can update their
data using an Active Directory Kerberos principal and GSS-TSIG to
authenticate, Unix clients can use nsupdate in the same way, it all
works fine.
Convincing a Microsoft DNS server that any particular Kerberos
principal is authorized to perform an update is another matter: it's
probably some undocumented configuration setting somewhere in the
Active Directory LDAP database (because just about everything is), but
we don't know the specifics, and it's Microsoft code that's making the
access control decision in this setup, so there's not much BIND can do
besides presenting valid protocol and hoping for the best.
- Kevin
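An added example for the authorization question raised in this thread (it is not code from the thread, from ISC or from Microsoft): for an AD-integrated zone set to "secure only" updates, the Windows DNS server's accept/refuse decision for an authenticated (GSS-TSIG) update comes from the ACL on the zone's dnsZone object, which governs who may create new records, and on the per-record dnsNode object, which governs who may change an existing record. The script below dumps both ACLs so an administrator can see which principal the nsupdate client would need to authenticate as. It assumes the zone test.hu from the original post, a hypothetical record test123, the domain DN DC=test,DC=hu, and the DnsServer and ActiveDirectory PowerShell modules (domain controller or RSAT workstation with rights to read the DNS partition).

```powershell
# Added example for this thread, not ISC or Microsoft code.
# Shows where a Windows DNS server's "secure only" update decision lives:
# the ACL on the dnsZone object (who may create records) and on each
# dnsNode object (who may change an existing record).
# Assumed values: zone test.hu, record test123, domain DN DC=test,DC=hu.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName   = 'test.hu'
$RecordName = 'test123'        # hypothetical record from the nsupdate attempt
$DomainDN   = 'DC=test,DC=hu'  # assumed; for a Forest-scoped zone this must be the forest root DN

# 1. Confirm the zone is AD-integrated and which update mode it is in
#    (DynamicUpdate is None, NonsecureAndSecure or Secure).
$zone = Get-DnsServerZone -Name $ZoneName
if (-not $zone.IsDsIntegrated) { throw "$ZoneName is not AD-integrated; no AD ACL applies." }
"{0}: DynamicUpdate={1} ReplicationScope={2}" -f $zone.ZoneName, $zone.DynamicUpdate, $zone.ReplicationScope

# 2. Work out which directory partition holds the zone's objects.
$container = switch ($zone.ReplicationScope) {
    'Forest' { "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDN" }
    'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN" }
    default  { "CN=MicrosoftDNS,CN=System,$DomainDN" }   # legacy (Windows 2000 style) location
}
$zoneDN = "DC=$ZoneName,$container"
$nodeDN = "DC=$RecordName,$zoneDN"

# 3. Print the Allow entries of both ACLs. The node object only exists once
#    a record has been created, so a missing node is reported, not an error.
foreach ($dn in @($zoneDN, $nodeDN)) {
    if (-not (Test-Path -Path "AD:\$dn")) { "`n$dn does not exist (no record created yet)"; continue }
    $acl = Get-Acl -Path "AD:\$dn"
    "`n=== $dn (owner: $($acl.Owner)) ==="
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize | Out-String
}
```

What to look for in the output: on the dnsZone object, the entry for Authenticated Users with a create-child right is what lets any domain member add a new record, which matches the earlier observation that domain members can register their own names; on an existing dnsNode object, the owner and the principals with write rights are the only ones whose GSS-TSIG update will be accepted, so a refusal after a successful TKEY exchange is expected whenever the Kerberos principal nsupdate obtained with kinit is not among them.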