Update Security
Chris Buxton
clists at buxtonfamily.us
Sat Mar 15 00:36:57 UTC 2014
On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is set up to sign all of its updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly painless way to convert all the AD machines to signed updates?
You would need to set up GSS-TSIG, which is not painless. (It's certainly doable, but there are plenty of pitfalls to overcome.) Windows doesn't support TSIG, just GSS-TSIG.
AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master.
Regards,
Chris Buxton.
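As an added illustration of the point above (this is an example configuration written for this page, not something posted by either author), here is a BIND named.conf fragment showing the address-based allow-update that the thread argues against, alongside a zone that accepts GSS-TSIG from Windows machines and TSIG from a DHCP server via update-policy. The zone name, realm, keytab path, key name and the Windows-specific rule types' name field are assumptions; check the update-policy grammar in the ARM for your BIND version before deploying.

```conf
// ---- Weak: any host on this address may rewrite the zone (spoofable, no signing) ----
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { 192.0.2.10; };   // assumed DC address; avoid this form
};

// ---- Preferred: signed updates only, authorised per identity via update-policy ----
options {
    // Kerberos keytab holding the DNS/<server>@REALM service principal;
    // required for named to accept GSS-TSIG (TKEY) negotiation. Path is assumed.
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

// TSIG key shared with the DHCP server (secret is a placeholder, not a real key)
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // allow-update and update-policy are mutually exclusive; GSS-TSIG needs the latter.
    update-policy {
        // DHCP server: TSIG-signed updates, any name within this zone, A/AAAA/PTR only
        grant dhcp-key zonesub A AAAA PTR;
        // Windows machine accounts (machine$@EXAMPLE.COM) may update only their own
        // A/AAAA records. Realm name and the name field ("*") are assumptions.
        grant EXAMPLE.COM ms-self * A AAAA;
        // Domain controllers must also register SRV records under _msdcs etc.;
        // ms-subdomain lets any principal in the realm update names below example.com.
        // Narrow this to the DC principals if your BIND version supports it.
        grant EXAMPLE.COM ms-subdomain example.com. A AAAA SRV;
    };
};
```

Once the keytab is in place and the zone uses update-policy, a Windows client's dynamic registration negotiates a TKEY over GSSAPI and signs the UPDATE with the resulting key; an unsigned update from the same address is now refused, which is the behaviour the thread is after.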
More information about the bind-users mailing list