Bind-9.5 GSS-TSIG and dynamic updates.

Rob Austein Rob_Austein at isc.org
Sat Feb 14 05:07:12 UTC 2009


At Mon, 9 Feb 2009 20:11:20 -0500, Peter Fraser wrote:
> 
> Hi All
> I have been working to get dynamic updates working with bind-9.5 and
> FreeBSD 7. So far I have done the following:
> 
> 1. Compiled bind with GSSAPI enabled.
> 2. Added these to named.conf
> 
> options {
>        ...
>         tkey-gssapi-credential "DNS/mydomain.com";
>         ...
>      };
> 
> and
> 
> zone "mydomain.com" {
>         type master;
>         file "master/mydomain.com";
>         update-policy {
>                  grant MYDOMAIN.COM ms-subdomain * A;
>                  };
>         };
> 
> zone "1.168.192.in-addr.arpa" {
>         type master;
>         file "master/1.168.192.in-addr.arpa";
>         update-policy {
>                  grant MYDOMAIN.COM ms-subdomain * PTR;
>                  };
>         };
> 
> 
> 3. Created a user in AD called binddns and set the password to never expire.
> 4. Used ktpass to create the keytab like this:
> C:\> ktpass -out krb5.keytab -princ
> DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser
> binddns@mydomain.com
> 
> 5. Copied krb5.keytab to /etc
> 6. At this point I figured I should be done. Reloaded bind but no updates.
> 
> When I run rndc trace, I see this in the logs for the zone
> 09-Feb-2009 07:36:30.369 dns_zone_dialup: zone atlas.local/IN: notify
> = 0, refresh = 0
> 
> Is there anything I am leaving out?

Nothing blatant, but I may have missed something.  Things to try:

1) Run named -g to get full debugging output during your tests.

2) Try running an update with GSS-TSIG from unix if that's easier than
   forcing an update from Windows:

     $ kinit
     $ nsupdate -g

   You will of course have to modify your update-policy to permit
   whatever principal you use for this test.

3) tshark is your friend.  Make sure you watch port 53 on both TCP and
   UDP, as well as port 88 (krb5) on UDP.
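As an added example that is not part of either message above: before reaching for tshark, one cheap offline check is whether the principal named by tkey-gssapi-credential in named.conf actually exists in the keytab named listens with. The script below parses a constructed named.conf fragment and a constructed `klist -k`-style keytab listing (both modelled on the thread, neither real output), compares the principals after filling in a default realm, and also emits the nsupdate script one would feed to `nsupdate -g` after `kinit`. Run against the two names quoted in the thread (`DNS/mydomain.com` versus `DNS/binddns.mydomain.com@MYDOMAIN.COM`) it reports a mismatch; the assumption that a realm-less credential is completed with the default realm, and the server name `ns1.mydomain.com`, are mine.

```python
import re

# Constructed named.conf fragment (same shape as the one in the post, not a real file).
NAMED_CONF = '''
options {
        tkey-gssapi-credential "DNS/mydomain.com";
};
'''

# Constructed listing in the style of `klist -k /etc/krb5.keytab` (not real output).
KEYTAB_LISTING = '''
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/binddns.mydomain.com@MYDOMAIN.COM
'''


def credential_from_named_conf(text):
    """Return the quoted value of tkey-gssapi-credential, or None if absent."""
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"\s*;', text)
    return m.group(1) if m else None


def principals_from_keytab_listing(text):
    """Return the principal column of every KVNO line in a klist-style listing."""
    principals = []
    for line in text.splitlines():
        if re.match(r'\s*\d+\s+\S+', line):      # "<kvno> <principal>" rows only
            principals.append(line.split(None, 1)[1].strip())
    return principals


def normalize(principal, default_realm):
    """Append the default realm when a principal is written without one (assumption)."""
    return principal if '@' in principal else f"{principal}@{default_realm}"


def check_credential(named_conf, keytab_listing, default_realm):
    """Return (normalized credential, found_in_keytab, keytab principals)."""
    cred = credential_from_named_conf(named_conf)
    if cred is None:
        return None, False, []
    cred = normalize(cred, default_realm)
    princs = [normalize(p, default_realm)
              for p in principals_from_keytab_listing(keytab_listing)]
    return cred, cred in princs, princs


def nsupdate_script(server, zone, name, ttl, rtype, rdata):
    """Build the stdin for `nsupdate -g` (GSS-TSIG) adding one record."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update add {name} {ttl} {rtype} {rdata}",
        "send",
        "",
    ])


if __name__ == "__main__":
    cred, ok, princs = check_credential(NAMED_CONF, KEYTAB_LISTING, "MYDOMAIN.COM")
    print(f"named.conf credential : {cred}")
    print(f"keytab principals     : {princs}")
    print("match" if ok else "MISMATCH: named cannot acquire its GSS credential")
    # Script for the unix-side test (after `kinit` as a principal the update-policy allows):
    print(nsupdate_script("ns1.mydomain.com", "mydomain.com",
                          "host1.mydomain.com.", 3600, "A", "192.168.1.10"))
```

Feed the generated text to `nsupdate -g` (for example by saving it to a file and running `nsupdate -g file`); the `kinit` beforehand supplies the credential that GSS-TSIG signs the request with, and the principal it belongs to must be covered by the zone's update-policy.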
