TSIG DDNS and windows clients

Pete Fry cadel2010 at googlemail.com
Thu May 14 08:00:21 UTC 2020


Bob

after a few Wireshark sessions etc. we have identified that this issue is due
to NAT from one of the sites. We are sorting this out now and hopefully it
should fix it.

Thanks for your help.

On Wed, 13 May 2020 at 13:30, Bob Harold <rharolde at umich.edu> wrote:

>
> On Wed, May 13, 2020 at 3:20 AM Pete Fry <cadel2010 at googlemail.com> wrote:
>
>> Bob
>> thanks for the reply and the correction (the ACL doesn't have a !; it was
>> a cut-and-paste error when I was trying to remove some information).
>>
>> The TSIG works from another Linux machine via nsupdate etc.; however,
>> I'm trying to figure out how to get the Windows machines to do the same and
>> was trying to follow this:
>>
>> http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update
>>
>> Regards
>>
>> Pete
>>
>
>
> Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
> not regular TSIG.  Not sure how or if that can be solved.
>
> --
> Bob Harold
>
>
>
>> On Tue, 12 May 2020 at 13:40, Bob Harold <rharolde at umich.edu> wrote:
>>
>>>
>>> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
>>> bind-users at lists.isc.org> wrote:
>>>
>>>> All
>>>>
>>>> I've inherited a BIND environment and I'm trying to understand a few
>>>> things, as currently we are experiencing an issue related to DDNS.
>>>>
>>>> We have:
>>>>
>>>> site 1
>>>> hostA
>>>>
>>>> site 2
>>>> hostB
>>>>
>>>> We have an HArecord, and we want HostA or HostB to be able to update the
>>>> HArecord (i.e. a failover-cluster-type configuration).
>>>>
>>>> config:
>>>> Zone file:
>>>>
>>>> zone "TEST" {
>>>>     check-names ignore;
>>>>     type master;
>>>>     file "/var/named/dynamic/TEST";
>>>>     allow-update {
>>>>         auth-dns;
>>>>         dynamic-TEST;
>>>>     };
>>>> };
>>>>
>>>> lists.conf
>>>>
>>>> acl dynamic-update-ads {
>>>>    192.168.2.1;        // hostA
>>>>    192.168.5.1;        // hostB
>>>>    dynamic-TEST-tsig;
>>>> };
>>>>
>>>> acl dynamic-TEST-tsig {
>>>>    // any host which is not..
>>>>    !{
>>>>       // not in the new acls
>>>>       !dynamic-test-site1;
>>>>       !dynamic-test-site2;
>>>>       any;
>>>>    };
>>>>    // but has the key
>>>>    key TEST-key;
>>>> };
>>>>
>>>
>>> For testing purposes, start with a simpler acl, like:
>>>
>>> acl dynamic-TEST-tsig {
>>>    key TEST-key;
>>> };
>>>
>>> And see if that works.
>>>
>>>
>>>>
>>>> acl !dynamic-test-site1 {
>>>>    192.168.2.1/32; // HostA
>>>> };
>>>>
>>>> acl !dynamic-test-site2 {
>>>>    192.168.5.1/32; // HostB
>>>> };
>>>>
>>>>
>>> "acl !" seems wrong to me.  Is that a legal syntax?  And if so, what
>>> does it mean?
>>>
>>> --
>>> Bob Harold
>>>
>>>
>>>> However, these Windows machines keep saying bad key. I know I'm missing something obvious, but how do I get this to work?
>>>>
>>>> Happy to be able to give the key to the Windows boxes if anyone knows, but I'm drawing a blank.
>>>>
>>>> Regards
>>>>
>>>> Cade
>>>>
>>>>
>>>
>>
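The thread turns on what "bad key" actually means on the wire. The following is an added example, not code from the thread, from BIND or from ISC: it builds a TSIG-signed DNS UPDATE for the zone and key named above in pure Python (RFC 8945, hmac-sha256) and then checks it the way a server does, so that the three distinct failures a client can hit are visible: BADKEY (the server has no key with that name or algorithm), BADSIG (the name matches but the MAC does not), and BADTIME (clock skew beyond the fudge). The secret, the A record being added, the fixed timestamp and the unknown key name "other-key" are constructed for the illustration, and the message is built without name compression, which a real parser could not assume.

```python
# Added example (not from the thread, BIND or ISC): sign a DNS UPDATE with TSIG
# (RFC 8945, hmac-sha256) and verify it the way a server does, to show which
# mismatch yields BADKEY versus BADSIG versus BADTIME. Secret, record, timestamp
# and the unknown key name "other-key" are constructed for the illustration;
# names are built without compression, which a real parser could not assume.
import hashlib
import hmac
import os
import struct
import time

TSIG_ALG = "hmac-sha256."
TSIG_TYPE, CLASS_ANY = 250, 255
SECRET = b"constructed-secret-not-a-real-key"  # real keys come from tsig-keygen


def wire_name(name):
    """Domain name in uncompressed wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_update(zone, owner, ttl, ip):
    """Minimal RFC 2136 UPDATE: zone section plus one A record to add."""
    header = os.urandom(2) + struct.pack(">HHHHH", 5 << 11, 1, 0, 1, 0)  # opcode UPDATE
    zone_section = wire_name(zone) + struct.pack(">HH", 6, 1)          # SOA, IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    record = wire_name(owner) + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + record


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """Fields digested alongside the message (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname.lower()) + struct.pack(">HI", CLASS_ANY, 0)
            + wire_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
            + struct.pack(">HHH", fudge, error, len(other)) + other)


def sign(msg, keyname, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to the additional section of an unsigned message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (wire_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack(">HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack(">HH", 0, 0))     # original ID, error, other len
    tsig_rr = wire_name(keyname) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1   # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig_rr


def _read_name(buf, off):
    """Parse an uncompressed wire name; returns (text name, offset after it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1


def verify(signed, keyring, now=None):
    """Server side. keyring maps lowercase key name -> secret. Returns the TSIG
    outcome: NOERROR, BADKEY (name/algorithm unknown), BADSIG or BADTIME."""
    zo, pr, up, ad = struct.unpack(">HHHH", signed[4:12])
    off = 12
    for _ in range(zo):                       # zone entries: name, type, class
        off = _read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad - 1):         # every RR except the final TSIG
        off = _read_name(signed, off)[1]
        off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, p = _read_name(signed, off)
    if struct.unpack(">H", signed[p:p + 2])[0] != TSIG_TYPE:
        return "FORMERR"
    alg, p = _read_name(signed, p + 10)       # skip type, class, ttl, rdlen
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack(">HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    secret = keyring.get(keyname.lower())
    if secret is None or alg.lower() != TSIG_ALG:
        return "BADKEY"
    # Reconstruct what the client digested: message minus the TSIG RR, ARCOUNT one lower.
    unsigned = signed[:10] + struct.pack(">H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo(now=1589443221):
    """Fixed timestamp (constructed) so the four outcomes are reproducible."""
    keyring = {"test-key.": SECRET}           # the server's `key TEST-key { ... };`
    msg = build_update("TEST.", "HArecord.TEST.", 60, "192.168.2.1")
    return {
        "right key": verify(sign(msg, "TEST-key.", SECRET, now), keyring, now),
        "unknown key name": verify(sign(msg, "other-key.", SECRET, now), keyring, now),
        "wrong secret": verify(sign(msg, "TEST-key.", b"wrong", now), keyring, now),
        "clock skew": verify(sign(msg, "TEST-key.", SECRET, now - 3600), keyring, now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The practical check this gives you: the server matches a `key` ACL element by the key name carried in the TSIG RR, so the name (case-insensitively) and algorithm in the client's key file must equal the server's `key` statement exactly; a client that signs under any other name gets BADKEY even when its secret is correct. A Windows client doing secure dynamic update does not use a shared-secret key at all: it negotiates a key over TKEY and signs with the gss-tsig algorithm, which no static `key` statement can match, so on BIND that path needs `tkey-gssapi-keytab` and an `update-policy` rather than a TSIG secret copied to the host. And as the thread's own resolution shows, an IP-based ACL is evaluated against the source address the server sees, so a site behind NAT never matches its own address in the list.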