Secure DDNS update against Windows Server by NSUPDATE

Rob Austein Rob_Austein at isc.org
Mon Sep 22 22:28:41 UTC 2008


At Mon, 22 Sep 2008 17:37:35 -0400, Kevin Darcy wrote:
> 
> I'm not aware of any version of nsupdate (with the possible exception of 
> the BIND 9.5.x version, which I haven't looked at yet), that has 
> GSS-TSIG -- as opposed to regular TSIG -- capability, which as far as I 
> know is a prerequisite to performing secure Dynamic Updates to Microsoft 
> DNS.

BIND 9.5 includes GSS-TSIG support both in named and in nsupdate.  The
main effort was on getting named to work in the server role in
environments like Active Directory that require GSS-TSIG support;
nsupdate also works when talking to named, because it would be silly
for it not to.  named works as the nameserver in an Active Directory
environment with this configuration: Windows clients can update their
data using an Active Directory Kerberos principal and GSS-TSIG to
authenticate, Unix clients can use nsupdate in the same way, and it all
works fine.

Convincing a Microsoft DNS server that any particular Kerberos
principal is authorized to perform an update is another matter: it's
probably some undocumented configuration setting somewhere in the
Active Directory LDAP database (because just about everything is), but
we don't know the specifics, and it's Microsoft code that's making the
access control decision in this setup, so there's not much BIND can do
besides presenting valid protocol and hoping for the best.
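
An added example, not from this thread or from BIND's own documentation, showing the setup Rob describes: a BIND 9.5 named serving the zone with GSS-TSIG enabled and a `krb5-self` update policy, and a Unix client pushing its own address record with `nsupdate -g`. The realm EXAMPLE.COM, the server ns1.example.com, the zone file name and the use of MIT kinit are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: realm EXAMPLE.COM, server
# ns1.example.com, zone example.com, BIND 9.5+ named/nsupdate, MIT Kerberos.

# Server side: named.conf fragment. tkey-gssapi-credential names the principal
# named uses to accept TKEY/GSS-TSIG negotiations (its key must be in named's
# default keytab; set KRB5_KTNAME if it lives elsewhere). krb5-self restricts
# host/foo.example.com@EXAMPLE.COM to records named foo.example.com, so a
# client that authenticates cannot rewrite other hosts' records.
write_named_conf() {   # $1 = path to write
  cat > "$1" <<'EOF'
options {
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        grant EXAMPLE.COM krb5-self . A AAAA;
    };
};
EOF
}

# Client side: the nsupdate batch for one host ($1 = FQDN, $2 = IPv4 address).
# Delete-then-add keeps a single current A record for the host.
update_script() {
  printf 'server ns1.example.com\nzone example.com\n'
  printf 'update delete %s A\nupdate add %s 3600 A %s\nsend\n' "$1" "$1" "$2"
}

# Obtain a ticket for the host principal from the local keytab, then let
# nsupdate -g negotiate a GSS-TSIG key with that credential and sign the update.
push_update() {
  kinit -k "host/$1@EXAMPLE.COM" && update_script "$1" "$2" | nsupdate -g
}
```

Run `push_update "$(hostname -f)" 192.0.2.10` on the client; named logs a rejected update if the principal's name does not match the record being changed.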


More information about the bind-users mailing list