Update Security

Chris Buxton clists at buxtonfamily.us
Sat Mar 15 00:36:57 UTC 2014

On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:

> I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address.  My DHCP server is setup to sign all of it's updates this way.  However, I have AD domain controllers in the environment that don't currently use signed updates.  Is there a fairly painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly doable, but there are plenty of pitfalls to overcome.) Windows doesn't support TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master.

Chris Buxton.

More information about the bind-users mailing list