GSS-TSIG and bind 9.6

Peter Fraser petros.fraser at gmail.com
Thu May 14 14:37:57 UTC 2009


 Hi All
 I have been working to get dynamic updates working with bind-9.6 and
 FreeBSD 7. So far I have done the following:

1. Compiled bind with GSSAPI enabled.
2. Added these to named.conf

    options {
        ...
        tkey-gssapi-credential "DNS/mydomain.com";
        ...
    };

 and

    zone "mydomain.com" {
        type master;
        file "master/mydomain.com";
        update-policy {
            grant MYDOMAIN.COM ms-subdomain * A;
        };
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "master/1.168.192.in-addr.arpa";
        update-policy {
            grant MYDOMAIN.COM ms-subdomain * PTR;
        };
    };


 3. Created a user in AD called binddns and set the password to never expire.
 4. Used ktpass to create the keytab like this:
       C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser binddns@mydomain.com

 5. Copied krb5.keytab to /etc
 6. At this point I figured I should be done. Reloaded bind but no updates.

I now ran kinit and nsupdate -g from the box

server server.mydomain.com
zone atlas.local
debug
send

and saw the following:

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2310
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;atlas.local.                   IN      SOA

;; ANSWER SECTION:
mydomain.com.            3600    IN      SOA     server.mydomain.com.
admin.mydomain.com. 715 900 600 86400 3600

;; ADDITIONAL SECTION:
server.mydomain.com. 3600  IN      A       192.168.1.100

Found zone name: mydomain.com
The master is: server.mydomain.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62457
;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;575112106.sig-server.mydomain.com.        ANY TKEY

;; ADDITIONAL SECTION:
575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
1242311154 3 NOERROR 1243

LOTS OF GIBBERISH

dns_request_getresponse: FORMERR

I am still not, however, seeing the zone files updated or any jnl files.
Anything else I could do to troubleshoot this?
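One thing worth checking in a setup like the one described above is that the principal named in tkey-gssapi-credential is literally present in the keytab named reads, and that the realm in the ms-subdomain grant is the realm the clients' machine principals belong to. The script below is an added example, not part of the original post: it takes the named.conf fragment and a constructed list of keytab principals (what `klist -k` would print) and reports any mismatch, and it also decodes the epoch timestamps shown in the TKEY record so the inception/expiration window can be read.

```python
import re
from datetime import datetime, timezone

# Constructed input: the relevant lines of the named.conf quoted in the post.
NAMED_CONF = """
options {
    tkey-gssapi-credential "DNS/mydomain.com";
};
zone "mydomain.com" {
    type master;
    update-policy { grant MYDOMAIN.COM ms-subdomain * A; };
};
"""
# Constructed input: what `klist -k /etc/krb5.keytab` would list for a keytab
# built with the ktpass command from the post.
KEYTAB_PRINCIPALS = ["DNS/binddns.mydomain.com@MYDOMAIN.COM"]


def check_gss_tsig(named_conf, keytab_principals):
    """Return a list of mismatches between the GSS-TSIG settings and the keytab.

    named can only accept TKEY/GSS negotiation if the credential it is told to
    use exists in the keytab, and an ms-subdomain grant only matches clients
    whose principals are in the realm named in the grant."""
    problems = []
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"', named_conf)
    if not m:
        return ["tkey-gssapi-credential is not set in options {}"]
    cred = m.group(1).split("@")[0]                      # drop realm if given
    names = {p.split("@")[0] for p in keytab_principals}
    realms = {p.split("@")[1].upper() for p in keytab_principals if "@" in p}
    if cred not in names:
        problems.append(f"credential {cred!r} is not in the keytab; "
                        f"keytab has {sorted(names)}")
    for realm in re.findall(r"grant\s+(\S+)\s+ms-subdomain", named_conf):
        if realm.upper() not in realms:
            problems.append(f"ms-subdomain grant names realm {realm!r} but the "
                            f"keytab realm(s) are {sorted(realms)}")
    return problems


def tkey_times(inception, expiration):
    """Decode the inception/expiration epoch fields of a TKEY RR to UTC strings."""
    def fmt(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return fmt(inception), fmt(expiration)


if __name__ == "__main__":
    for p in check_gss_tsig(NAMED_CONF, KEYTAB_PRINCIPALS):
        print("PROBLEM:", p)
    # Timestamps taken from the TKEY record in the nsupdate debug output above.
    print("TKEY inception/expiration:", tkey_times(1242311154, 1242311154))
```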



More information about the bind-users mailing list