Secure DDNS update against Windows Server by NSUPDATE

Kevin Darcy kcd at chrysler.com
Mon Sep 22 21:37:35 UTC 2008


I'm not aware of any version of nsupdate (with the possible exception of 
the BIND 9.5.x version, which I haven't looked at yet) that has 
GSS-TSIG -- as opposed to regular TSIG -- capability, which as far as I 
know is a prerequisite to performing secure Dynamic Updates to Microsoft 
DNS.

- Kevin

arpad bind wrote:
> Hi Mark!
>
> Thank you for your answer. 
>
> By default, authenticated users (domain members) are able to update their records if the zone allows "secure only" DNS updates on a Windows DNS server. So this is fine...
>
> I'm wondering if someone could have ever sent a successful secure DNS update via NSUPDATE against a Windows Server.
>
> Thanks in advance.
>
> Best Regards,
>
> Arpad
>
>
> Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>
>   
>> In message <freemail.20080818134351.72676 at fm17.freemail.hu>, arpad bind writes:
>>     
>>> Hello,
>>>
>>>
>>> I have a problem with secure update via BIND 9.5 against Windows 2003 SP2
>>> Dynamic DNS service. DNS server is rejecting the updates. (Secure Updates
>>> from MS clients work fine.)
>>>
>>>
>>>
>>> I did these steps:
>>>
>>> * GSS support was compiled (compiler gcc)
>>>
>>> * linked against AIX 5.3 Kerberos libraries and MIT Kerberos 1.6.3 (with
>>> none of them it works)
>>>
>>> - update is tried as domain admin, and option '-o' activates the Microsoft
>>> implementation of GSS protocol
>>>
>>> #> kinit
>>>
>>> #> nsupdate -o
>>>
>>> > update add test123.test.hu 86400 A 10.144.164.100
>>> > send
>>>
>>> - DNS server replies with:
>>>
>>> ; TSIG error with server: tsig verify failure
>>>
>>> update failed: REFUSED
>>>
>>> In the network trace I see that the TKEY is negotiated successfully but the 
>>> update will be refused.
>>>
>>> Could someone help me please how to set up secure DDNS against Windows DNS
>>> via NSUPDATE?
>>>
>>> Thanks in advance.
>>>
>>> Best Regards,
>>>
>>> Arpad
>>>       
>> That's a matter of finding the right Windows documentation
>> which describes how to allow a particular principal to update
>> the DNS. When you find it please let us know.
>>
>> Mark
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>>
>>     
>


