TSIG DDNS and windows clients

Ben Croswell ben.croswell at gmail.com
Tue May 12 12:50:39 UTC 2020


Is it possible the clients are trying to do Kerberos GSS-TSIG updates?

On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users <
bind-users at lists.isc.org> wrote:

> All
>
> I've inherited a BIND environment and I'm trying to understand a few
> things, as we are currently experiencing an issue related to DDNS.
>
> We have
>
> site 1
> hostA
>
> site 2
> hostB
>
> We have a HArecord, and we want HostA or HostB to be able to update the
> HArecord (i.e. failover cluster type configuration)
>
> config:
> Zone file:
>
> zone "TEST" {
>     check-names ignore;
>     type master;
>     file "/var/named/dynamic/TEST";
>     allow-update {
>         auth-dns;
>         dynamic-TEST;
>     };
> };
>
> lists.conf
>
> acl dynamic-update-ads {
>    192.168.2.1 // hostA
>    192.168.5.1 // hostB
>    dynamic-TEST-tsig;
> };
>
> acl dynamic-TEST-tsig {
>    // any host which is not..
>    !{
>       // not in the new acls
>       !dynamic-test-site1;
>       !dynamic-test-site2;
>       any;
>    };
>    // but has the key
>    key TEST-key;
> };
>
>
> acl !dynamic-test-site1 {
> 192.168.2.1/32; // HostA
> };
>
> acl !dynamic-test-site2 {
> 192.168.5.1/32; // HostB
> };
>
> However, these Windows machines keep saying bad key. I know I'm missing something obvious, but how do I get this to work?
>
> Happy to be able to give the key to the Windows boxes if anyone knows, but I'm drawing a blank.
>
> Regards
>
> Cade
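One way to check the question raised in the reply above, as an added example that is not part of the original thread: this Python code reads the TSIG record of a DNS UPDATE in wire format and reports whether it names the `gss-tsig` algorithm (RFC 3645) or a shared-key HMAC algorithm. The sample messages are constructed; `hmac-sha256` as the algorithm of `TEST-key` and the key name `ctx.example` are assumptions, since the thread gives neither.

```python
import struct
TYPE_TSIG = 250  # TSIG RR type (RFC 8945); GSS-TSIG uses it with algorithm "gss-tsig."

def read_name(msg, off):
    """Decode the domain name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii").lower())
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def tsig_info(msg):
    """Return (key_name, algorithm) from the message's TSIG RR, or None if unsigned."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                              # zone section: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack_from("!H6xH", msg, off)
        off += 10
        if rtype == TYPE_TSIG:
            return owner, read_name(msg, off)[0]     # RDATA starts with the algorithm name
        off += rdlen
    return None

def classify(msg):
    info = tsig_info(msg)
    alg = info[1] if info else None
    return {None: "unsigned", "gss-tsig.": "gss-tsig"}.get(alg, f"tsig:{alg}")

def wire_name(name):  # encode a name in uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def sample_update(key=None, alg=None):
    """Constructed UPDATE for zone TEST; key/alg add a TSIG RR with a dummy MAC."""
    msg = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 0, 1 if key else 0)   # opcode 5
    msg += wire_name("TEST") + struct.pack("!HH", 6, 1)                  # zone: SOA, IN
    if key:
        rdata = wire_name(alg) + struct.pack("!6xHH4xHHH", 300, 4, 0x1234, 0, 0)
        msg += wire_name(key) + struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(rdata)) + rdata
    return msg
```

Run `classify` over the DNS payload of an update captured from hostA or hostB; a result of `gss-tsig` means the client is not signing with the shared key from named.conf.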

