Bind-9.5 GSS-TSIG and dynamic updates.

Peter Fraser petros.fraser at gmail.com
Tue Feb 10 01:11:20 UTC 2009


Hi all,
I have been working to get dynamic updates working with bind-9.5 and
FreeBSD 7. So far I have done the following:

1. Compiled bind with GSSAPI enabled.
2. Added these to named.conf

options {
       ...
        tkey-gssapi-credential "DNS/mydomain.com";
        ...
     };

and

zone "mydomain.com" {
        type master;
        file "master/mydomain.com";
        update-policy {
                 grant MYDOMAIN.COM ms-subdomain * A;
                 };
        };

zone "1.168.192.in-addr.arpa" {
        type master;
        file "master/1.168.192.in-addr.arpa";
        update-policy {
                 grant MYDOMAIN.COM ms-subdomain * PTR;
                 };
        };


3. Created a user in AD called binddns and set the password to never expire.
4. Used ktpass to create the keytab like this:
C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser binddns@mydomain.com

5. Copied krb5.keytab to /etc
6. At this point I figured I should be done. Reloaded bind but no updates.

When I run rndc trace, I see this in the logs for the zone
09-Feb-2009 07:36:30.369 dns_zone_dialup: zone atlas.local/IN: notify = 0, refresh = 0

Is there anything I am leaving out?
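
An added example, not part of the original post and not BIND's own code: a Python check that pulls the tkey-gssapi-credential value out of named.conf text and the -princ value out of a ktpass command line, then reports where the two principal names differ. The sample input is constructed from the lines shown above; the function names and the rule that the realm is compared only when named.conf states one are assumptions of this example.

```python
import re

# Constructed sample input, modelled on the named.conf and ktpass lines in the post.
NAMED_CONF = 'options {\n    tkey-gssapi-credential "DNS/mydomain.com";\n};\n'
KTPASS_CMD = ("ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM "
              "-pass * -mapuser binddns@mydomain.com")


def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm); realm may be None."""
    body, _, realm = name.partition("@")
    service, _, host = body.partition("/")
    return service, host.lower(), (realm or None)


def named_credential(conf_text):
    """Return the active tkey-gssapi-credential value, ignoring '//' and '#' comments."""
    stripped = re.sub(r"(//|#).*", "", conf_text)
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"\s*;', stripped)
    return m.group(1) if m else None


def ktpass_principal(cmd):
    """Return the argument of -princ from a ktpass command line, or None."""
    m = re.search(r"-princ\s+(\S+)", cmd)
    return m.group(1) if m else None


def compare(conf_text, ktpass_cmd):
    """Return mismatch descriptions; an empty list means the names agree."""
    cred, princ = named_credential(conf_text), ktpass_principal(ktpass_cmd)
    if cred is None or princ is None:
        return ["missing tkey-gssapi-credential or -princ value"]
    (cs, ch, cr), (ps, ph, pr) = split_principal(cred), split_principal(princ)
    problems = []
    if cs != ps:
        problems.append(f"service differs: {cs!r} vs {ps!r}")
    if ch != ph:
        problems.append(f"host differs: {ch!r} vs {ph!r}")
    # Assumption: a credential written without a realm relies on the default
    # realm, so the realm is compared only when named.conf states one.
    if cr is not None and cr != pr:
        problems.append(f"realm differs: {cr!r} vs {pr!r}")
    return problems


if __name__ == "__main__":
    for line in compare(NAMED_CONF, KTPASS_CMD) or ["principals agree"]:
        print(line)
```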
