TSIG DDNS and Windows clients
Ben Croswell
ben.croswell at gmail.com
Tue May 12 12:50:39 UTC 2020
Is it possible the clients are trying to do Kerberos GSS-TSIG updates?
On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users <
bind-users at lists.isc.org> wrote:
> All
>
> I've inherited a BIND environment and I'm trying to understand a few
> things, as currently we are experiencing an issue related to DDNS.
>
> We have
>
> site 1
> hostA
>
> site 2
> hostB
>
> We have a HArecord, and we want HostA or HostB to be able to update the
> HArecord (i.e. failover cluster type configuration).
>
> config:
> Zone file:
>
> zone "TEST" {
> check-names ignore;
> type master;
> file "/var/named/dynamic/TEST";
> allow-update {
> auth-dns;
> dynamic-TEST;
> };
> };
>
> lists.conf
>
> acl dynamic-update-ads {
> 192.168.2.1 // hostA
> 192.168.5.1 // hostB
> dynamic-TEST-tsig;
> };
>
> acl dynamic-TEST-tsig {
> // any host which is not..
> !{
> // not in the new acls
> !dynamic-test-site1;
> !dynamic-test-site2;
> any;
> };
> // but has the key
> key TEST-key;
> };
>
>
> acl !dynamic-test-site1 {
> 192.168.2.1/32; // HostA
> };
>
> acl !dynamic-test-site2 {
> 192.168.5.1/32; // HostB
> };
>
> However, these Windows machines keep saying bad key. I know I'm missing something obvious, but how do I get this to work?
>
> Happy to be able to give the key to the Windows boxes if anyone knows, but I'm drawing a blank.
>
> Regards
>
> Cade
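Added example, not part of the original thread: a small Python model of how an address match list such as the quoted dynamic-TEST-tsig is evaluated (the first matching element decides; a nested list counts only when it matches positively). It shows that the list permits an update only when the source address is hostA or hostB and the request is signed with TEST-key. It assumes the two site ACLs are named dynamic-test-site1 and dynamic-test-site2 (without the leading "!"); the function names are hypothetical and the model covers only the element types used in the quoted config.

```python
import ipaddress

# Constructed model of the ACLs quoted in the thread. Assumption: the site
# ACLs are named dynamic-test-site1/2. Element = (kind, value, negated).
ACLS = {
    "dynamic-test-site1": [("net", "192.168.2.1/32", False)],  # hostA
    "dynamic-test-site2": [("net", "192.168.5.1/32", False)],  # hostB
}
# dynamic-TEST-tsig:  !{ !site1; !site2; any; };  key TEST-key;
ACLS["dynamic-TEST-tsig"] = [
    ("list", [("acl", "dynamic-test-site1", True),
              ("acl", "dynamic-test-site2", True),
              ("any", None, False)], True),
    ("key", "TEST-key", False),
]


def evaluate(elements, addr, key):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for kind, value, negated in elements:
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
        elif kind == "key":
            # key: name of the TSIG key that verified the request, or None
            hit = key == value
        else:
            nested = ACLS[value] if kind == "acl" else value
            # Only a positive match inside a nested list counts as a hit.
            hit = evaluate(nested, addr, key) > 0
        if hit:
            return -1 if negated else 1
    return 0  # nothing matched: access is denied


def update_allowed(addr, key=None):
    """True only when dynamic-TEST-tsig matches positively."""
    return evaluate(ACLS["dynamic-TEST-tsig"], addr, key) > 0


if __name__ == "__main__":
    for addr, key in [("192.168.2.1", "TEST-key"), ("192.168.2.1", None),
                      ("192.168.9.9", "TEST-key")]:  # constructed cases
        print(addr, key, update_allowed(addr, key))
```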