Secure DDNS update against Windows Server by NSUPDATE

Danny Mayer mayer at gis.net
Sun Oct 26 03:13:25 UTC 2008


Mark Andrews wrote:
> In message <freemail.20080818134351.72676 at fm17.freemail.hu>, arpad bind writes:
>> Hello,
>>  
>>
>> I have a problem with secure update via BIND 9.5 against Windows 2003 SP2
>> Dynamic DNS service. DNS server is rejecting the updates. (Secure Updates
>> from MS clients work fine.)
>>
>>
>>
>> I did these steps:
>>
>> * GSS support was compiled (compiler gcc)
>>
>> * linked against AIX 5.3 Kerberos libraries and MIT Kerberos 1.6.3 (with
>> none of them it works)
>>
>> - update is tried as domain admin, and option '-o' activates the Microsoft
>> implementation of GSS protocol
>>
>> #> kinit
>>
>> #> nsupdate -o
>>
>>> update add test123.test.hu 86400 A 10.144.164.100
>>> send
>> - DNS server replies with:
>>
>> ; TSIG error with server: tsig verify failure
>>
>> update failed: REFUSED
>>
>> In the network trace I see that the TKEY is negotiated successfully but the
>> update will be refused.
>>
>> Could someone help me please how to set up secure DDNS against Windows DNS
>> via NSUPDATE?
>>
>> Thanks in advance.
>>
>> Best Regards,
>>
>> Arpad
> 
> 	That's a matter of finding the right Windows documentation
> 	which describes how to allow a particular principal to update
> 	the DNS.  When you find it please let us know.
> 
> 	Mark

I believe that the system in question needs to be a member of the AD
Domain as a host.

Danny


