Update Security

Bob McDonald bmcdonaldjr at gmail.com
Sun Mar 16 10:32:40 UTC 2014

Ok so it's not painless.  Do the updates still get forwarded to the master
by the slaves or do I need to have all Windows devices needing update
capability to point at the master?



On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <clists at buxtonfamily.us>wrote:

> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> > I agree that TSIG or SIG(0) signed updates are certainly a more
> desirable approach than allowing updates via address.  My DHCP server is
> setup to sign all of it's updates this way.  However, I have AD domain
> controllers in the environment that don't currently use signed updates.  Is
> there a fairly painless way to convert all the AD machines to signed
> updates?
> You would need to set up GSS-TSIG, which is not painless. (It's certainly
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
> support TSIG, just GSS-TSIG.
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
> the master.
> Regards,
> Chris Buxton.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140316/29460107/attachment.html>

More information about the bind-users mailing list