BIND for Active directory with secure update

Nicholas F Miller nicholas.miller at Colorado.EDU
Thu Dec 15 14:30:14 UTC 2011

You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work.

Create a user account in your AD. Then run:

ktpass -out <name_of_your_keytab>.keytab -princ DNS/<>@<DOMAIN.NAME> -pass * -mapuser <AD_user_you_created>@<>
Nicholas Miller, OIT, University of Colorado at Boulder

On Dec 9, 2011, at 12:07 PM, Vbvbrj wrote:

> Hello.
> I've setup BIND to serve the requests to lan instead of Microsoft DNS by 
> first setting bind as a secondary dns server for Microsoft DNS, copy the 
> zones, and making the BIND the master. In order for domain member hosts 
> to update the records of the their names in dns, I allow unsecure 
> updates from the lan computers. It's a security thread of poisoning the 
> dns. I would like to setup up a secure by the domain servers. On the 
> internet I read about using "allow-update" with a key file. But I didn't 
> found a page on how to get the key from the Active Directory kerberos 
> system. Could any one point on setting the secure update to bind with 
> key from the already deployed Active Directory?
> The BIND is running under the windows.
> _______________________________________________
> Please visit to unsubscribe from this list
> bind-users mailing list
> bind-users at

More information about the bind-users mailing list