GSS-TSIG and bind 9.6
Peter Fraser
petros.fraser at gmail.com
Thu May 14 14:37:57 UTC 2009
Hi All,
I have been working to get dynamic updates working with bind-9.6 and
FreeBSD 7. So far I have done the following:
1. Compiled bind with GSSAPI enabled.
2. Added these to named.conf
options {
...
tkey-gssapi-credential "DNS/mydomain.com";
...
};
and
zone "mydomain.com" {
type master;
file "master/mydomain.com";
update-policy {
grant MYDOMAIN.COM ms-subdomain * A;
};
};
zone "1.168.192.in-addr.arpa" {
type master;
file "master/1.168.192.in-addr.arpa";
update-policy {
grant MYDOMAIN.COM ms-subdomain * PTR;
};
};
3. Created a user in AD called binddns and set the password to never expire.
4. Used ktpass to create the keytab like this:
C:\> ktpass -out krb5.keytab -princ DNS/binddns.mydomain.com@MYDOMAIN.COM -pass * -mapuser binddns@mydomain.com
5. Copied krb5.keytab to /etc
6. At this point I figured I should be done. Reloaded bind but no updates.
I then ran kinit and nsupdate -g from the box:
server server.mydomain.com
zone atlas.local
debug
send
and saw the following:
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2310
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;atlas.local. IN SOA
;; ANSWER SECTION:
mydomain.com. 3600 IN SOA server.mydomain.com.
admin.mydomain.com. 715 900 600 86400 3600
;; ADDITIONAL SECTION:
server.mydomain.com. 3600 IN A 192.168.1.100
Found zone name: mydomain.com
The master is: server.mydomain.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62457
;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;575112106.sig-server.mydomain.com. ANY TKEY
;; ADDITIONAL SECTION:
575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
1242311154 3 NOERROR 1243
LOTS OF GIBBERISH
dns_request_getresponse: FORMERR
I still am not however seeing the zone files updated or any jnl files.
Anything else I could do to troubleshoot this?
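One thing a practitioner would want to verify in a setup like the one above is that the pieces agree with each other: named can only obtain GSS credentials if the tkey-gssapi-credential it is configured with corresponds to a principal actually present in the keytab it reads, and an ms-subdomain grant names the Kerberos realm whose tickets it will accept. The script below is an added example, not code from the original post or from BIND; it parses the named.conf fragments quoted in the message plus a constructed `klist -k` listing (the keytab contents are an assumption, not captured from the poster's machine) and reports any mismatch it finds.

```python
import re

# Constructed sample: the named.conf fragments quoted in the post, concatenated.
NAMED_CONF = """
options {
    tkey-gssapi-credential "DNS/mydomain.com";
};
zone "mydomain.com" {
    type master;
    file "master/mydomain.com";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * A;
    };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * PTR;
    };
};
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output; the principal is the one
# the ktpass command in the post would create (assumed, not captured from the poster's box).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/binddns.mydomain.com@MYDOMAIN.COM
"""


def _block(text, start):
    """Return the text between the brace at index `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf fragment")


def parse_tkey_credential(conf):
    """The tkey-gssapi-credential string from options{}, or None if absent."""
    m = re.search(r'tkey-gssapi-credential\s+"([^"]+)"', conf)
    return m.group(1) if m else None


def parse_update_policy_grants(conf):
    """One dict per `grant` rule, tagged with the zone it belongs to."""
    grants = []
    for zm in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        body = _block(conf, zm.end() - 1)
        for g in re.finditer(r"grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]*);", body):
            grants.append({"zone": zm.group(1), "identity": g.group(1),
                           "nametype": g.group(2), "name": g.group(3),
                           "types": g.group(4).split()})
    return grants


def parse_keytab_principals(klist_out):
    """Principals listed by `klist -k` (lines that start with a KVNO)."""
    return [m.group(1) for m in
            (re.match(r"\s*\d+\s+(\S+@\S+)", line) for line in klist_out.splitlines())
            if m]


def check_gss_tsig_config(conf, klist_out):
    """Return human-readable findings; an empty list means the pieces agree."""
    findings = []
    principals = parse_keytab_principals(klist_out)
    realms = {p.split("@", 1)[1] for p in principals}
    cred = parse_tkey_credential(conf)
    if cred is None:
        findings.append("no tkey-gssapi-credential configured in options{}")
    else:
        # The realm may be omitted in named.conf, so compare the service/host part only.
        cred_name = cred.split("@", 1)[0]
        if not any(p.split("@", 1)[0] == cred_name for p in principals):
            findings.append(f"tkey-gssapi-credential {cred!r} matches no keytab principal "
                            f"(keytab has {principals})")
    for g in parse_update_policy_grants(conf):
        # For ms-self/ms-subdomain the identity field is the Kerberos realm.
        if g["nametype"] in ("ms-self", "ms-subdomain") and g["identity"] not in realms:
            findings.append(f"zone {g['zone']}: grant identity {g['identity']!r} is not a realm "
                            f"present in the keytab {sorted(realms)}")
    return findings


if __name__ == "__main__":
    for line in check_gss_tsig_config(NAMED_CONF, KLIST_OUTPUT) or ["config and keytab agree"]:
        print(line)
```

On the constructed input the only finding is that "DNS/mydomain.com" has no counterpart among the keytab principals; replacing the real `klist -k` output for the sample lets the same check run against a live host.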