TSIG DDNS and windows clients

Bob Harold rharolde at umich.edu
Wed May 13 12:29:54 UTC 2020


On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2010 at googlemail.com> wrote:

> Bob
> thanks for the reply and the correction (the acl doesn't have a !; it was
> a cut-and-paste error when I was trying to remove some information).
>
> the TSIG works when from another Linux machine via nsupdate etc. However, I'm
> trying to figure out how to get the Windows machines to do the same and was
> trying to follow this:
>
> http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update
>
> Regards
>
> Pete
>


Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, not
regular TSIG.  Not sure how or if that can be solved.

-- 
Bob Harold



> On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde at umich.edu> wrote:
>
>>
>> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
>> bind-users at lists.isc.org> wrote:
>>
>>> All
>>>
>>> I've inherited a BIND environment and I'm trying to understand a few
>>> things, as currently we are experiencing an issue related to DDNS.
>>>
>>> we have
>>>
>>> site 1
>>> hostA
>>>
>>> site 2
>>> hostB
>>>
>>> We have an HA record, and we want HostA or HostB to be able to update the
>>> HA record (i.e. failover cluster type configuration)
>>>
>>> config:
>>> Zone file:
>>>
>>> zone "TEST" {
>>>     check-names ignore;
>>>     type master;
>>>     file "/var/named/dynamic/TEST";
>>>     allow-update {
>>>         auth-dns;
>>>         dynamic-TEST;
>>>     };
>>> };
>>>
>>> lists.conf
>>>
>>> acl dynamic-update-ads {
>>>    192.168.2.1; // hostA
>>>    192.168.5.1; // hostB
>>>    dynamic-TEST-tsig;
>>> };
>>>
>>> acl dynamic-TEST-tsig {
>>>    // any host which is not..
>>>    !{
>>>       // not in the new acls
>>>       !dynamic-test-site1;
>>>       !dynamic-test-site2;
>>>       any;
>>>    };
>>>    // but has the key
>>>    key TEST-key;
>>> };
>>>
>>
>> For testing purposes, start with a simpler acl, like:
>>
>> acl dynamic-TEST-tsig {
>>    key TEST-key;
>> };
>>
>> And see if that works.
>>
>>
>>>
>>> acl !dynamic-test-site1 {
>>> 192.168.2.1/32; // HostA
>>> };
>>>
>>> acl !dynamic-test-site2 {
>>> 192.168.5.1/32; // HostB
>>> };
>>>
>>>
>> "acl !" seems wrong to me.  Is that a legal syntax?  And if so, what does
>> it mean?
>>
>> --
>> Bob Harold
>>
>>
>>> However, these Windows machines keep saying bad key. I know I'm missing something obvious, but how do I get this to work?
>>>
>>> Happy to be able to give the key to the Windows boxes if anyone knows, but I'm drawing a blank.
>>>
>>> Regards
>>>
>>> Cade
>>>
>>>
>>
>
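The thread hinges on how named evaluates an address match list: first match wins, a negated match denies, and a nested list only counts when it matches positively. The script below is an added example (not code from the thread or from ISC) that models those rules in Python and runs the two allow-update lists discussed above through them: the simple "key only" list Bob suggested, and the "address AND key" form the serverfault link describes. The key name TEST-key and the two host addresses are taken from the thread; the acl names are used without the stray "!" (which named would reject), and the element encoding is this script's own, not BIND's parser. It models plain TSIG only; a Windows client doing GSS-TSIG is not represented here.

```python
"""Model of BIND address-match-list evaluation: first match wins, a negated
match denies, a nested list matches only when it matches positively.
Added example for the bind-users thread, not ISC code; the element encoding
below is this script's own."""
import ipaddress

# Each element is (negated, kind, value).  kind is one of:
#   "addr"  value = IP or prefix string     "key"  value = TSIG key name
#   "any"   value = None                    "acl"  value = name of a named acl
#   "list"  value = nested list of elements
def el(kind, value=None, negated=False):
    return (negated, kind, value)

# Named acls mirroring the poster's lists.conf (names without the "!").
ACLS = {
    "dynamic-test-site1": [el("addr", "192.168.2.1/32")],   # hostA
    "dynamic-test-site2": [el("addr", "192.168.5.1/32")],   # hostB
    # Simple form suggested in the reply: any source, as long as it is signed.
    "tsig-only": [el("key", "TEST-key")],
    # Address AND key: deny anything not in site1/site2, then require the key.
    # Equivalent named.conf:  !{ !dynamic-test-site1; !dynamic-test-site2; any; }; key TEST-key;
    "dynamic-TEST-tsig": [
        el("list", [el("acl", "dynamic-test-site1", negated=True),
                    el("acl", "dynamic-test-site2", negated=True),
                    el("any")], negated=True),
        el("key", "TEST-key"),
    ],
}

def element_matches(kind, value, addr, signer, acls):
    if kind == "any":
        return True
    if kind == "addr":
        return addr in ipaddress.ip_network(value, strict=False)
    if kind == "key":
        return signer == value
    inner = value if kind == "list" else acls[value]
    # A negated or empty match inside a nested list is treated as "no match",
    # so a negated nested list never turns into a positive match by double negation.
    return match_list(inner, addr, signer, acls) > 0

def match_list(elements, addr, signer, acls=ACLS):
    """+1 = positive match (allow), -1 = negated match (deny), 0 = no match (deny)."""
    for negated, kind, value in elements:
        if element_matches(kind, value, addr, signer, acls):
            return -1 if negated else 1
    return 0

def update_allowed(acl_name, src_ip, signer=None):
    """Would named accept a dynamic update from src_ip under this allow-update
    list?  signer is the TSIG key name the update was signed with, or None."""
    return match_list(ACLS[acl_name], ipaddress.ip_address(src_ip), signer) > 0

if __name__ == "__main__":
    # Constructed test cases: the two cluster hosts, signed and unsigned, and a stranger with the key.
    for host, key in [("192.168.2.1", "TEST-key"), ("192.168.2.1", None),
                      ("192.168.5.1", "TEST-key"), ("10.9.9.9", "TEST-key")]:
        print(f"{host:12} {str(key):9} tsig-only={update_allowed('tsig-only', host, key)!s:5} "
              f"addr+key={update_allowed('dynamic-TEST-tsig', host, key)}")
```

Walking hostA signed with TEST-key through "dynamic-TEST-tsig": the inner list hits `!dynamic-test-site1` first, a negated match, so the nested element does not match and evaluation falls through to `key TEST-key`, which allows. An unsigned update from hostA falls off the end and is denied; a signed update from any other address matches `any` inside the negated list and is denied outright. The "tsig-only" list, by contrast, accepts a correctly signed update from anywhere.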

