GSS-TSIG and update-policy vs allow-update any

ivan jr sy ivan_jr at yahoo.com
Fri Aug 28 14:31:04 UTC 2009


To BIND-USERS:

I'm not sure if I've got GSS-TSIG working correctly 'yet'... however, it will work if I use "allow-update { any; };"

and the logs show "28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: request has valid signature"

The difference...

THIS WORKS FOR ME:

        tkey-gssapi-credential "DNS/bindserver.adsauth.net";
        tkey-domain "ADSAUTH.NET";
...
zone "gss.org" {
        type master;
        file "master/gss.org";
        allow-update { any; };
};

THIS DOES NOT WORK:

        tkey-gssapi-credential "DNS/bindserver.adsauth.net";
        tkey-domain "ADSAUTH.NET";
...
zone "gss.org" {
        type master;
        file "master/gss.org";
        update-policy { grant ADSAUTH.NET. subdomain gss.org. ANY; };
};


----
The UNIX (FreeBSD 7.0) client was able to acquire its own ticket and the service ticket from a Windows 2003 Active Directory Domain Controller, the same principal listed in the keytab file (krb5.keytab) which is used by the BIND9 server (BIND 9.6.1-P1).

"ADSAUTH.NET" is the Active Directory domain, while "gss.org" is just another domain which I wish to be updatable if you have a valid GSS-TSIG key from adsauth.net. I hope that's feasible? ADSAUTH.NET is on a Windows DNS server, while in the target BIND9 there's a forwarder zone for adsauth.net.

I haven't tried Windows (a member of the AD domain) yet.

My best guess is there's something wrong with my update-policy config and not the GSS-TSIG setup. Here's a log of a client being REFUSED an update:

nsupdate -g
>update add node.gss.org. 300 IN A 192.168.1.1
>send

28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: request has valid signature
28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: recursion available
28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#62729: update
28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: next
28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#55924: request failed: end of file
28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: endrequest
28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: closetcp
28-Aug-2009 21:20:46.813 client: debug 3: client @0x801d33800: accept
28-Aug-2009 21:20:46.813 client: debug 3: client @0x802262000: accept
28-Aug-2009 21:20:46.813 update: info: client 172.17.1.2#62729: updating zone 'gss.org/IN': update failed: rejected by secure update (REFUSED)



While if I use allow-update { any; }; and restart BIND:

nsupdate -g
>update add node.gss.org. 300 IN A 192.168.1.1
>send

28-Aug-2009 21:23:12.145 security: debug 3: client 172.17.1.2#50684: request has valid signature
28-Aug-2009 21:23:12.145 security: debug 3: client 172.17.1.2#50684: recursion available
28-Aug-2009 21:23:12.145 client: debug 3: client 172.17.1.2#50684: update
28-Aug-2009 21:23:12.145 client: debug 3: client @0x801d33800: accept
28-Aug-2009 21:23:12.145 update-security: info: client 172.17.1.2#50684: signer "aduser\@ADSAUTH.NET" approved
28-Aug-2009 21:23:12.145 update-security: debug 3: client 172.17.1.2#50684: update 'gss.org/IN' approved
28-Aug-2009 21:23:12.145 update: info: client 172.17.1.2#50684: updating zone 'gss.org/IN': adding an RR at 'node.gss.org' A
28-Aug-2009 21:23:12.146 general: debug 3: writing to journal

Also, on a side note: if I use allow-update { any; }; on the zone and change the tkey-domain to:

             tkey-domain "BLAHBLAH.NET";

The update WILL STILL WORK.

I would like to know if there's an update-policy statement that allows updates on any part of the domain with ANY RR type for as long as it's a valid GSS-TSIG key based on tkey-domain.

Any tips on where to look? I've read the ARM.


Thanks!
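Added example (not part of the original post, and not BIND's own code): a small Python model of how named evaluates update-policy rules of the name/subdomain/wildcard kinds against the GSS-TSIG signer. For a TKEY-negotiated key, the signer named checks is the client's Kerberos principal turned into a DNS name by parsing it as text, which is why the approved-signer log line above reads "aduser\@ADSAUTH.NET": the '@' is an ordinary character inside the first label, and only '.' separates labels. The identity field of a grant rule is compared against that name exactly (or as a wildcard if it starts with "*."), so "grant ADSAUTH.NET. ..." only approves a signer whose whole name is ADSAUTH.NET. The policy strings, the alternative rules and the log line fed in below are taken from or constructed around this post; the exact-principal rule is an assumption about what a practitioner might write, and empty type lists are treated as ANY here, which is a simplification.

```python
"""Toy model of BIND update-policy identity/name/type matching for GSS-TSIG signers.
Added example for illustration; simplified, not named's implementation."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Name = Tuple[str, ...]   # lowercase labels, root omitted


def to_name(text: str) -> Name:
    """Parse presentation-format text into labels. Only '.' separates labels, so the
    principal 'aduser@ADSAUTH.NET' becomes ('aduser@adsauth', 'net'). The '\\@' escape
    that update-security logging prints is just a literal '@'."""
    text = text.replace("\\@", "@").rstrip(".").lower()
    return tuple(text.split(".")) if text else ()


def is_subdomain(name: Name, parent: Name) -> bool:
    """name equals parent or lies below it (like dns_name_issubdomain)."""
    return len(name) >= len(parent) and name[len(name) - len(parent):] == parent


def matches_wildcard(name: Name, wild: Name) -> bool:
    """'*.x' matches names strictly below x; the '*' is never part of another label."""
    return bool(wild) and wild[0] == "*" and len(name) > len(wild) - 1 \
        and is_subdomain(name, wild[1:])


def identity_matches(signer: Name, identity: Name) -> bool:
    """Identity field: wildcard match if it starts with '*', else exact name equality."""
    if identity and identity[0] == "*":
        return matches_wildcard(signer, identity)
    return signer == identity


@dataclass
class Rule:
    action: str                # grant | deny
    identity: Name
    nametype: str              # name | subdomain | wildcard
    name: Name
    types: Tuple[str, ...]     # () or ('ANY',) means any RR type in this model


# grant|deny identity nametype name [types];  (quotes around names optional)
RULE_RE = re.compile(
    r'(grant|deny)\s+"?([^\s"]+)"?\s+(name|subdomain|wildcard)\s+"?([^\s"]+)"?((?:\s+\w+)*)\s*;'
)


def parse_update_policy(text: str) -> List[Rule]:
    return [Rule(m.group(1), to_name(m.group(2)), m.group(3), to_name(m.group(4)),
                 tuple(t.upper() for t in m.group(5).split()))
            for m in RULE_RE.finditer(text)]


def name_matches(rule: Rule, name: Name) -> bool:
    if rule.nametype == "name":
        return name == rule.name
    if rule.nametype == "subdomain":
        return is_subdomain(name, rule.name)
    return matches_wildcard(name, rule.name)


def update_policy_allows(rules: List[Rule], signer: Name, name: Name, rrtype: str) -> bool:
    """First rule whose identity, name and type all match decides; no match means REFUSED."""
    rrtype = rrtype.upper()
    for r in rules:
        if not identity_matches(signer, r.identity) or not name_matches(r, name):
            continue
        if r.types and "ANY" not in r.types and rrtype not in r.types:
            continue
        return r.action == "grant"
    return False


SIGNER_RE = re.compile(r'signer "((?:[^"\\]|\\.)*)"')


def signer_from_log(line: str) -> Optional[Name]:
    """Pull the signer out of an update-security 'signer "..." approved' line."""
    m = SIGNER_RE.search(line)
    return to_name(m.group(1)) if m else None


# Inputs: the rule from the post, two alternatives (constructed), and the post's log line.
POLICY_POSTED = "grant ADSAUTH.NET. subdomain gss.org. ANY;"
POLICY_USER = 'grant "aduser@ADSAUTH.NET" subdomain gss.org. ANY;'      # assumed alternative
POLICY_WILDCARD = "grant *.ADSAUTH.NET. subdomain gss.org. ANY;"          # assumed alternative
LOG_LINE = ('28-Aug-2009 21:23:12.145 update-security: info: client 172.17.1.2#50684: '
            'signer "aduser\\@ADSAUTH.NET" approved')


def evaluate(policy: str, signer_text: str, name: str = "node.gss.org.", rrtype: str = "A") -> bool:
    """Would this update-policy approve signer_text adding rrtype at name?"""
    return update_policy_allows(parse_update_policy(policy), to_name(signer_text),
                                to_name(name), rrtype)


if __name__ == "__main__":
    signer = ".".join(signer_from_log(LOG_LINE))
    print("signer seen by named:", signer)
    for label, policy in (("as posted", POLICY_POSTED), ("exact principal", POLICY_USER),
                          ("wildcard", POLICY_WILDCARD)):
        print(f"{label:16} -> {'approved' if evaluate(policy, signer) else 'REFUSED'}")
```

The run shows why the posted rule is refused while the rule naming the principal is approved, and that a "*.ADSAUTH.NET." wildcard does not help either, since the signer has no label equal to "adsauth" on its own. Two practitioner caveats: first, allow-update { any; } with no update-policy is an address ACL only, so it approves unsigned updates from anywhere as well; the "request has valid signature" line only says the TSIG verified. Second, the krb5-self and krb5-subdomain rule types (check the ARM of the installed version for availability) take a realm in the identity field but match only machine principals of the form host/machine@REALM, so they do not cover a user principal like the one in the log.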




