BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG

Danny Mayer mayer at gis.net
Sun Aug 19 23:26:02 UTC 2007


David Holder wrote:
> I had a little trouble getting this message onto the list - here it is at last (I hope).
> 
> 
>> Hi! I am trying to use BIND 9.5's GSS-TSIG functionality to carry out secure
>> updates to a Windows Server 2003 R2 AD domain controller.
>>
>> I am using a few different Linux clients. They are all configured to use the
>> AD DC as their KDC. This works fine.
>>
>> I have built and tested BIND 9.5 with GSSAPI. So far I have not been able to
>> get it to work with Windows.
>>

It doesn't work yet.

>> Here is an example of the failure messages I get.
>>
>> /usr/local/bin/nsupdate -d -g -o
>> > update add oak2.active.com 86400 A 192.168.100.100
>> > send
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  53990
>> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;oak2.active.com.               IN      SOA
>>
>> ;; AUTHORITY SECTION:
>> active.com.             3600    IN      SOA     w2003r2.active.com.
>> hostmaster. 32 900 600 86400 3600
>>
>> ;; ADDITIONAL SECTION:
>> w2003r2.active.com.     3600    IN      A       192.168.100.101
>>
>> Found zone name: active.com
>> The master is: w2003r2.active.com
>> start_gssrequest
>> nsupdate.c:2192: INSIST(result == 0) failed.
>> Aborted
>>
>> If I do a klist I see the following.
>>
>> Ticket cache: FILE:/tmp/krb5cc_513
>> Default principal: administrator@ACTIVE.COM
>>
>> Valid starting     Expires            Service principal
>> 08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM@ACTIVE.COM
>>         renew until 08/09/07 13:06:09
>> 08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com@ACTIVE.COM
>>         renew until 08/09/07 13:06:09
>>
>> I have carried out network traces and found that Windows to Windows dynamic
>> updates look different from the BIND to Windows dynamic updates.
>>

I wouldn't be surprised.

>> Has anyone tried this before? What information do you need to look at this?
>> Traces, logs, configuration info? And is this the correct mailing list for
>> this problem?
>>

The network traces would be useful. Is this with Wireshark?

Danny
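A small pre-flight check that fits this kind of report, added here as an example and not part of the thread or of BIND: before running `nsupdate -g`, confirm from the ticket cache that both a TGT and a `DNS/<master>` service ticket for the zone's master (the name nsupdate prints after "The master is:") exist and are still valid. The klist text below is a constructed sample in the layout MIT `klist` prints, mirroring the one quoted above; the function names are this example's own.

```python
"""Pre-flight check for GSS-TSIG updates: does the Kerberos ticket cache hold
a valid TGT and a valid DNS/<master> service ticket for the zone master?

Added example, not code from the bind-users thread or from BIND. The klist
sample is constructed to match the format quoted in the thread."""
import re
from datetime import datetime

# Constructed sample in the layout produced by MIT klist (dates as MM/DD/YY).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_513
Default principal: administrator@ACTIVE.COM

Valid starting     Expires            Service principal
08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM@ACTIVE.COM
        renew until 08/09/07 13:06:09
08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com@ACTIVE.COM
        renew until 08/09/07 13:06:09
"""

# One ticket line: "<valid starting>  <expires>  <service principal>".
# "renew until" lines and the column header do not match and are skipped.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return a list of (service_principal, valid_from, expires) tuples."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, end, princ = m.groups()
            tickets.append((princ,
                            datetime.strptime(start, TIME_FMT),
                            datetime.strptime(end, TIME_FMT)))
    return tickets


def gss_tsig_precheck(klist_text, master, now_str):
    """Classify the TGT and the DNS/<master> ticket as 'ok', 'expired' or
    'missing' at the time given in now_str (same format klist uses).

    The host part of the service principal is compared case-insensitively,
    since DNS names are case-insensitive; a trailing dot on the master name
    (as printed in zone files) is ignored."""
    now = datetime.strptime(now_str, TIME_FMT)
    tickets = parse_klist(klist_text)

    def status(prefix):
        for princ, start, end in tickets:
            if princ.lower().startswith(prefix):
                return "ok" if start <= now <= end else "expired"
        return "missing"

    host = master.rstrip(".").lower()
    return {"tgt": status("krbtgt/"), "dns": status("dns/" + host + "@")}


if __name__ == "__main__":
    # Master name as nsupdate -d reports it after the SOA lookup.
    print(gss_tsig_precheck(SAMPLE_KLIST, "w2003r2.active.com",
                            "08/08/07 14:00:00"))
```

In practice the `klist` text comes from running `klist` on the client; the master name comes from the SOA lookup nsupdate performs (or an explicit `server` line). A `missing` or `expired` result points at the Kerberos side (no TGT, no service ticket for that SPN, clock skew past the ticket lifetime). In the report above both tickets are present and valid, so this check would pass and the abort at `start_gssrequest` is left to the BIND/Windows interoperability problem Danny refers to, which is the distinction worth making before collecting traces.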
