gss-tsig updates where realm != zone

David Monro davidm at
Tue May 29 13:32:51 UTC 2012

Disclaimer: I'm new to trying gss-tsig as an update method, so it is
entirely possible I'm doing something completely stupid.

I'm using bind 9.7.3 (because it ships with RedHat 6), with an Active
Directory as the kerberos infrastructure.

If I use the following update-policy:

grant * subdomain my.dns.domain ANY;

then it works (both for nsupdate -g and with a windows client using
windows native methods); however this means anyone with a kerberos
ticket (including a user ticket!) can register anything they like into
the domain.

I've tried all sorts of tests with the ms-self, ms-subdomain,
krb5-self and krb5-subdomain nametypes, and they all seem to fail. I
suspect this is because my.dns.domain is not the same as my kerberos
realm (and I can't make it the same, as I really can't go messing with
the zone which does match the realm). They all fail with REFUSED (not
BADKEY, the checking of credentials all seems to work fine).

The documentation for these nametypes does seem to be rather sparse,
so I'm not really sure what the syntax should be. What I was hoping
for is a way of having MACHINE$@KRB5.REALM able to update
machine.dns.domain, and preferably also
host/machine.krb5.realm@KRB5.REALM able to update machine.dns.domain,
although the latter isn't vital. (I'm assuming
host/machine.dns.domain@KRB5.REALM would work, but I'm not sure that
is actually useful, and certainly won't work for the windows clients).

Is this possible?
