BIND for Active directory with secure update
Nicholas F Miller
nicholas.miller at Colorado.EDU
Thu Dec 15 14:30:14 UTC 2011
You need to be running BIND 9.7.2-P2 or higher for GSS-TSIG to work.
Create a user account in your AD. Then run:
ktpass -out <name_of_your_keytab>.keytab -princ DNS/<domain.name>@<DOMAIN.NAME> -pass * -mapuser <AD_user_you_created>@<domain.name>
Nicholas Miller, OIT, University of Colorado at Boulder
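The BIND side of the procedure above, added here as an example; it is not from the original post or from ISC. It assumes an AD realm EXAMPLE.COM, a forward zone example.com, a BIND host ns1.example.com (so the keytab written by ktpass holds DNS/ns1.example.com@EXAMPLE.COM) and a keytab at C:/dns/dns.keytab; every one of those names and paths is a placeholder. tkey-gssapi-keytab is the option documented in current BIND releases; older releases configured GSS-TSIG with tkey-gssapi-credential plus tkey-domain instead.

```conf
// Added example, not code from the original post. Placeholders: realm
// EXAMPLE.COM, zone example.com, BIND host ns1.example.com, keytab path
// C:/dns/dns.keytab (forward slashes are accepted by the Windows build).

options {
    // Keytab exported by ktpass for DNS/ns1.example.com@EXAMPLE.COM.
    // Restrict the file's ACL to the account named runs as: anyone who
    // can read it holds the DNS server's Kerberos key.
    tkey-gssapi-keytab "C:/dns/dns.keytab";
};

zone "example.com" {
    type master;
    file "example.com.db";

    // No allow-update here. allow-update and update-policy are mutually
    // exclusive in a zone, and the unauthenticated LAN-wide allow-update
    // is exactly what this policy replaces.
    update-policy {
        // A domain-joined machine authenticating as machine$@EXAMPLE.COM
        // may change only the A/AAAA records of machine.example.com.
        // The name field is ignored for ms-self; "." is a placeholder.
        grant EXAMPLE.COM ms-self . A AAAA;

        // Domain controllers register their SRV records under these
        // subtrees. ms-subdomain grants this to every machine principal in
        // the realm, not just DCs, so keep the list to the SRV subtrees
        // the DCs actually need.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com.   ANY;
        grant EXAMPLE.COM ms-subdomain _udp.example.com.   ANY;
    };
};
```

Two checks worth doing after reloading named. First, from a domain-joined Windows host, send an update for the host's own name and then for some other host's name (nsupdate -g, or ipconfig /registerdns on that machine): the first should succeed and the second should be refused, since ms-self ties the updatable name to the Kerberos principal rather than to a source address. Second, remember that ktpass with -mapuser resets the mapped account's password, so run it once, set that account to "password never expires", and use it for nothing else. ms-self covers forward names only; updates to the reverse zone need their own policy.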
On Dec 9, 2011, at 12:07 PM, Vbvbrj wrote:
> I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by
> first setting BIND as a secondary DNS server for Microsoft DNS, copying the
> zones, and making BIND the master. In order for domain member hosts
> to update the records of their names in DNS, I allow unsecure
> updates from the LAN computers. It's a security threat of poisoning the
> DNS. I would like to set up secure updates by the domain servers. On the
> internet I read about using "allow-update" with a key file. But I didn't
> find a page on how to get the key from the Active Directory Kerberos
> system. Could anyone point me to setting up secure updates to BIND with a
> key from the already deployed Active Directory?
> BIND is running under Windows.
> bind-users mailing list
> bind-users at lists.isc.org