Windows 2003 AD

Elzey, Blaine A (Blaine) belzey at lucent.com
Mon Sep 13 20:50:01 UTC 2004


I believe you can use keys, but you have to statically configure the keys and servers/clients in order to use this type of restriction. See the BIND9 documentation on allow-update and address_match_list_element. (The last post is correct in that you do not specify a key file, but a key name (that has been defined elsewhere in the named.conf with a key statement).) If you want to allow secure dynamic updates with GSS-TSIG (from MS clients), you will need MS-DNS or Lucent DNS.

rndc is just Remote Name Daemon Control (hence the acronym), and your rndc.conf or rndc.key file is just used for communication from the rndc client to the BIND9 name server.  The rndc key is just a base64 encoded string.  You configure your named.conf with the "secret" in the controls statement, and supply the same "secret" in your rndc.conf or rndc.key file for your rndc client.

Blaine
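As an added illustration of Blaine's point (not configuration from the thread or from any of its posters), here is a named.conf fragment that keeps the rndc control key separate from a TSIG key used for dynamic updates and references the update key by name. Key names and secrets are placeholders; the zone and file names are taken from Norman's post.

```conf
// Added example, not from the thread. Names and secrets are placeholders;
// generate each secret with dnssec-keygen (HMAC-MD5, base64 output) and
// do not reuse the rndc secret for updates.

// Key used only by the rndc client; the same secret goes in rndc.conf/rndc.key.
key "rndc-key" {
    algorithm hmac-md5;
    secret "<base64 secret shared with rndc.conf - placeholder>";
};

// The controls statement is where the rndc key belongs.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// A separate TSIG key shared only with the host allowed to send updates.
key "updater-key" {
    algorithm hmac-md5;
    secret "<different base64 secret - placeholder>";
};

zone "hq.arkonnetworks.com" {
    type master;
    file "db.hq.arkonnetworks.com";
    // allow-update takes a key *name* defined above, never a file name.
    allow-update { key "updater-key"; };
};
```

A client holding the same secret can test this with nsupdate -y updater-key:<secret>; a Windows 2003 client performing a GSS-TSIG secure update still gets BADKEY, as Blaine notes, because BIND 9.2 does not speak GSS-TSIG.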

-----Original Message-----
From: Vinny Abello [mailto:vinny at tellurian.com]
Sent: Monday, September 13, 2004 3:17 PM
To: Norman Zhang; bind-users at isc.org
Subject: Re: Windows 2003 AD


You're better off asking in a Windows 2003 group, but I can tell you the 
reason is because your Windows machine is trying to do a secure dynamic 
update and BIND doesn't understand it. This has nothing to do with rndc.

allow-update should have IP addresses in it, not a key file.

At 03:02 PM 9/13/2004, Norman Zhang wrote:
>Hi,
>
>I'm trying to setup Windows 2003 AD with Bind 9.2.3-6mdk running on
>Mandrake 10.0. But I get the following error message during setup for AD,
>
>The primary DNS server tested was: ns.hq.arkonnetworks.com (10.1.1.1)
>
>The zone was: hq.arkonnetworks.com
>
>The test for dynamic DNS update support returned: "DNS bad key." (error
>code 0x00002339 RCODE_BADKEY)
>
>In named.conf, I have
>
>zone "hq.arkonnetworks.com" {
>    type master;
>    file "db.hq.arkonnetworks.com";
>    allow-update {key rndc.key; };
>};
>
>Does this mean rndc.key is not recognized in Windows 2003? Is there a
>way I can fix this?
>
>Regards,
>Norman


Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.