Update Security

Chris Buxton clists at buxtonfamily.us
Mon Mar 17 21:35:30 UTC 2014

On Mar 16, 2014, at 3:32 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:

> Ok so it's not painless.  Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability to point at the master?
> TIA,
> Bob

I don't believe it works with update forwarding. I've certainly never gotten it to work. However, Microsoft will send the updates to the master listed in the SOA record, so as long as that shows your otherwise-hidden master, and firewall access is set up for it, everything should work fine.

Chris Buxton

> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <clists at buxtonfamily.us> wrote:
> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> > I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address.  My DHCP server is set up to sign all of its updates this way.  However, I have AD domain controllers in the environment that don't currently use signed updates.  Is there a fairly painless way to convert all the AD machines to signed updates?
> You would need to set up GSS-TSIG, which is not painless. (It's certainly doable, but there are plenty of pitfalls to overcome.) Windows doesn't support TSIG, just GSS-TSIG.
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master.
> Regards,
> Chris Buxton.
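[Editor's note: the following named.conf fragment is an added illustration of the update-policy setup Chris describes above; it is not from the thread. The zone name, realm, key name, file paths and the keytab location are placeholders to be replaced with your own.]

```conf
// Added example, not from the original thread: a BIND 9 master accepting
// GSS-TSIG updates from AD domain controllers and TSIG updates from DHCP.
// Assumptions: zone corp.example.com, Kerberos realm EXAMPLE.COM, keytab
// at /etc/named/dns.keytab, and a TSIG key named "dhcp-update-key".

options {
    directory "/var/named";
    // Keytab holding the DNS/<hostname>@EXAMPLE.COM service principal
    // that Windows clients negotiate against (TKEY, RFC 3645).
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// TSIG key shared with the DHCP server (secret is a placeholder).
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";
};

zone "corp.example.com" {
    type master;
    file "dynamic/corp.example.com.db";

    // GSS-TSIG needs update-policy; allow-update (address- or key-based)
    // cannot express "a machine may only change its own records".
    update-policy {
        // A Windows host host$@EXAMPLE.COM may update A/AAAA for its own name.
        grant EXAMPLE.COM ms-self   . A AAAA;
        grant EXAMPLE.COM krb5-self . A AAAA;

        // DHCP server, authenticated with the TSIG key above, may manage
        // any name inside the zone.
        grant dhcp-update-key zonesub A AAAA PTR TXT;
    };
};
```

Two practical checks to go with this: the SOA MNAME field is what the Windows resolver uses to find where to send the update, so `dig +short SOA corp.example.com` should list the hidden master as its first field and that host must be reachable on 53/tcp and 53/udp from the domain controllers; and `named-checkconf` will reject a zone that has both allow-update and update-policy, which is the usual first error when converting.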


More information about the bind-users mailing list