Secure Active Directory updates and allow-update-forwarding issues

Mark Andrews marka at isc.org
Tue Jan 19 12:45:26 UTC 2021


Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for GSS-TSIG. 

-- 
Mark Andrews

> On 19 Jan 2021, at 22:23, Nagesh Thati <tcpnagesh at gmail.com> wrote:
> 
> 
> Hi,
> I am getting "update failed" on the master DNS appliance when I am using allow-update-forwarding:
> updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)
> 
> example.com is an Active Directory-enabled zone which has one master and one slave. The master appliance is hidden, so Active Directory sends updates to the slave appliance using the MNAME specified in the zone's SOA record.
> 
> master(10.1.10.203) named.conf:
> 
> tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab file is in the /etc folder
> 
> zone "_msdcs.example.com" IN {
>         type master;
>         file "/var/named/zones/masters/db._msdcs.example.com";
>         allow-transfer {10.1.10.144;};
>         also-notify {10.1.10.144;};
>         notify explicit;
>         update-policy { grant * subdomain _msdcs.example.com. ANY; };
>         check-names ignore;
>         zone-statistics yes;
> };
> 
> slave(10.1.10.144) named.conf:
> zone "_msdcs.example.com" IN {
>         type slave;
>         file "/var/named/zones/slaves/db._msdcs.example.com";
>         allow-notify {10.1.10.203;};
>         masters {
>                 10.1.10.203;
>         };
>         check-names ignore;
>         zone-statistics yes;
>         allow-update-forwarding{10.1.10.158;};
> };
> 
> 10.1.10.158 - AD server
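The mismatch Mark describes can be caught by reading the two named.conf files side by side: a secondary zone that forwards dynamic updates to a primary whose update-policy only admits GSS-TSIG identities will always get REFUSED, because update forwarding carries TSIG or SIG(0) signatures but not the GSS-TSIG context. The following Python lint is an added example, not code from the thread, from ISC or from BIND; it embeds the two configuration fragments posted above (with the tkey-gssapi-keytab line placed in an options block, as the poster says) and assumes, as a heuristic, that a grant identity of `*` or of the form `principal@REALM` means GSS-TSIG while a bare identity names a static TSIG key.

```python
import re

# Constructed excerpts of the two named.conf files posted in the thread.
PRIMARY_CONF = """\
options {
        tkey-gssapi-keytab "/etc/krb5.keytab";
};

zone "_msdcs.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._msdcs.example.com";
        allow-transfer {10.1.10.144;};
        also-notify {10.1.10.144;};
        notify explicit;
        update-policy { grant * subdomain _msdcs.example.com. ANY; };
        check-names ignore;
        zone-statistics yes;
};
"""

SECONDARY_CONF = """\
zone "_msdcs.example.com" IN {
        type slave;
        file "/var/named/zones/slaves/db._msdcs.example.com";
        allow-notify {10.1.10.203;};
        masters {
                10.1.10.203;
        };
        check-names ignore;
        zone-statistics yes;
        allow-update-forwarding{10.1.10.158;};
};
"""


def _braced_body(text, start):
    """Return the text inside the first balanced {...} at or after `start`."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf fragment")


def parse_zones(conf):
    """Map zone name -> the few statements this check needs (type, masters, forwarding, grants)."""
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        body = _braced_body(conf, m.end())
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        masters = re.search(r'\b(?:masters|primaries)\s*\{([^}]*)\}', body)
        fwd = re.search(r'\ballow-update-forwarding\s*\{([^}]*)\}', body)
        zones[m.group(1)] = {
            "type": ztype.group(1) if ztype else None,
            "masters": re.findall(r'\d+(?:\.\d+){3}', masters.group(1)) if masters else [],
            "forwarders": re.findall(r'[^\s;]+', fwd.group(1)) if fwd else [],
            # identity token of every "grant" rule in the update-policy
            "grant_identities": re.findall(r'\bgrant\s+(\S+)', body),
        }
    return zones


def uses_gss_tsig(conf):
    """True when named is set up to accept GSS-TSIG (tkey-gssapi-keytab or -credential)."""
    return re.search(r'\btkey-gssapi-(?:keytab|credential)\b', conf) is not None


def _is_gss_identity(identity):
    # Assumed heuristic: "*" or a Kerberos principal is a GSS-TSIG identity, a bare name is a TSIG key.
    return identity == "*" or "@" in identity


def check_update_forwarding(primary_conf, secondary_conf):
    """Return (zone, message) findings for secondary zones that forward updates to a
    primary which can only authenticate them via GSS-TSIG; forwarding supports TSIG and SIG(0) only."""
    findings = []
    primary_zones = parse_zones(primary_conf)
    gss = uses_gss_tsig(primary_conf)
    for name, sz in parse_zones(secondary_conf).items():
        if sz["type"] not in ("slave", "secondary") or not sz["forwarders"]:
            continue
        pz = primary_zones.get(name)
        if pz is None:
            findings.append((name, "allow-update-forwarding set but the primary config has no such zone"))
            continue
        grants = pz["grant_identities"]
        if gss and grants and all(_is_gss_identity(g) for g in grants):
            findings.append((name,
                             "primary authenticates updates only by GSS-TSIG identity "
                             f"({', '.join(grants)}); updates forwarded from {', '.join(sz['forwarders'])} "
                             "will be REFUSED: forwarding works for TSIG and SIG(0) only"))
    return findings


if __name__ == "__main__":
    for zone, msg in check_update_forwarding(PRIMARY_CONF, SECONDARY_CONF):
        print(f"{zone}: {msg}")
```

Run against the thread's two fragments the script reports the `_msdcs.example.com` zone; a primary whose update-policy grants a named TSIG key instead of `*` produces no finding, since that is the case update forwarding was designed for. The parser is deliberately minimal (balanced-brace scanning plus a few regexes) and does not handle `include` statements or views.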

