<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Hello,
<div class=""><br class="">
</div>
<div class="">Hope everyone is fine on this quarantine timeframe.<br class="">
<div class=""><br class="">
</div>
<div class="">So here is the issue: I’ve an Active Directory domain on Windows Server 2019 (upgraded since 2012 R2 days) that uses BIND9 as DNS service. This domain never had Windows DNS Server.
<div class=""><br class="">
</div>
<div class="">Everything works as expected, except for the GSS-TSIG updates. I’m scratching my head trying to solve this but nothing works, and the debug messages do not say anything, which is extremely frustrating.</div>
<div class=""><br class="">
</div>
<div class="">The scenario is the following:</div>
<div class=""><br class="">
</div>
<div class="">192.168.1.2: BIND9 Master (RHEL8)</div>
<div class="">192.168.1.3: BIND9 Slave #1 <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">(RHEL8)</span></div>
<div class="">192.168.1.4: BIND9 Slave #2 <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">(RHEL8)</span></div>
<div class="">192.168.1.5: DC #1 (Server 2019)</div>
<div class="">192.168.1.6: DC #2 <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">(Server 2019)</span></div>
<div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class=""><br class="">
</span></div>
<div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">BIND 9 version:</span></div>
<div class=""><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class="">bind-9.11.13-3.el8.x86_64<br class="">
bind-license-9.11.13-3.el8.noarch<br class="">
bind-libs-9.11.13-3.el8.x86_64<br class="">
bind-export-libs-9.11.13-3.el8.x86_64<br class="">
bind-utils-9.11.13-3.el8.x86_64<br class="">
bind-libs-lite-9.11.13-3.el8.x86_64</span></font></div>
<div class=""><br class="">
</div>
<div class="">All machines are configured to point to 192.168.1.2 and 192.168.1.3 for DNS service. Those slaves are pretty simple; they run just a catalog zone to fetch everything from the master:</div>
<div class=""><br class="">
</div>
<div class="">// Catalog Zone<br class="">
zone "catalog.local.example.com" {<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>type slave;<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>file "slaves/catalog.local.example.com.db";<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>masters { 192.168.1.2; };<br class="">
};</div>
<div class=""><br class="">
</div>
</div>
<div class="">The master is where everything else is configured:</div>
<div class=""><br class="">
</div>
<div class="">// Options</div>
<div class="">options {</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>…</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>// Recursion and caching disable</div>
        recursion no;<br class="">
        additional-from-auth no;<br class="">
        additional-from-cache no;<br class="">
<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>// Keys<br class="">
        managed-keys-directory "/var/named/dynamic";<br class="">
<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>// Signed kerberos updates<br class="">
        tkey-gssapi-keytab "/etc/krb5.keytab";<br class="">
        tkey-gssapi-credential "DNS/ns.local.example.com@LOCAL.EXAMPLE.COM";<br class="">
        tkey-domain "LOCAL.EXAMPLE.COM";<br class="">
<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>// Catalog zones support<br class="">
        server-id "authoritative";<br class="">
        allow-new-zones yes;<br class="">
};
<div class=""><br class="">
</div>
<div class="">// Catalog Zone<br class="">
zone "catalog.local.example.com" {<br class="">
        type master;<br class="">
        file "/var/named/static/catalog.local.example.com.db";<br class="">
        also-notify { 192.168.1.3; 192.168.1.4; };<br class="">
        notify explicit;<br class="">
};<br class="">
<br class="">
// Start of AD authoritative dynamic zones<br class="">
<br class="">
zone "local.example.com" {<br class="">
        type master;<br class="">
        file "/var/named/dynamic/local.example.com.db";<br class="">
        notify yes;<br class="">
        check-names ignore;<br class="">
        allow-transfer { intnameservers; };<br class="">
#       allow-update {<br class="">
#               domaincontrollers;<br class="">
#       };<br class="">
        update-policy {<br class="">
#               grant * krb5-subdomain local.example.com. ANY;<br class="">
#               grant * ms-subdomain local.example.com. ANY;<br class="">
                grant * subdomain local.example.com. ANY;<br class="">
        };<br class="">
};</div>
<div class=""><br class="">
</div>
<div class="">I’ve tried a lot of combinations in the update policy; nothing really works: krb5-self, ms-selfsub, etc.</div>
<div class=""><br class="">
</div>
<div class="">The other files and settings on the system appear to be right:</div>
<div class=""><br class="">
</div>
[root@ns named]# file /etc/krb5.keytab <br class="">
/etc/krb5.keytab: Kerberos Keytab file, realm=LOCAL.EXAMPLE.COM, principal=DNS/ns.local.example.com, type=1, date=Sat May 23 07:40:19 2020, kvno=17<br class="">
<br class="">
[root@ns named]# klist -ke<br class="">
Keytab name: FILE:/etc/krb5.keytab<br class="">
KVNO Principal<br class="">
---- --------------------------------------------------------------------------<br class="">
  17 DNS/ns.local.example.com@LOCAL.EXAMPLE.COM (aes256-cts-hmac-sha1-96) <br class="">
<br class="">
[root@pallet named]# cat /etc/krb5.conf<br class="">
# To opt out of the system crypto-policies configuration of krb5, remove the<br class="">
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.<br class="">
includedir /etc/krb5.conf.d/<br class="">
<br class="">
[logging]<br class="">
    default = FILE:/var/log/krb5libs.log<br class="">
    kdc = FILE:/var/log/krb5kdc.log<br class="">
    admin_server = FILE:/var/log/kadmind.log<br class="">
<br class="">
[libdefaults]<br class="">
    dns_lookup_realm = false<br class="">
    ticket_lifetime = 24h<br class="">
    renew_lifetime = 7d<br class="">
    forwardable = true<br class="">
    rdns = false<br class="">
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt<br class="">
    spake_preauth_groups = edwards25519<br class="">
#    default_realm = EXAMPLE.COM<br class="">
    default_realm = LOCAL.EXAMPLE.COM<br class="">
    default_ccache_name = KEYRING:persistent:%{uid}<br class="">
<br class="">
[realms]<br class="">
# EXAMPLE.COM = {<br class="">
#     kdc = kerberos.example.com<br class="">
#     admin_server = kerberos.example.com<br class="">
# }<br class="">
<br class="">
[domain_realm]<br class="">
# .example.com = EXAMPLE.COM<br class="">
# example.com = EXAMPLE.COM<br class="">
<div class=""><br class="">
</div>
<div class="">[root@ns named]# hostname<br class="">
ns.example.com</div>
<div class=""><br class="">
</div>
<div class="">So that’s it. In the logs I only get the following when I issue ipconfig /registerdns on a Windows domain-joined machine:</div>
<div class=""><br class="">
</div>
23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': prerequisites are OK<br class="">
23-May-2020 01:57:03.693 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#62276: update 'local.example.com/IN' denied<br class="">
23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': rolling back<br class="">
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': prerequisites are OK<br class="">
23-May-2020 01:57:03.700 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#65242: update 'local.example.com/IN' denied<br class="">
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': rolling back<br class="">
23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': prerequisites are OK<br class="">
23-May-2020 01:57:05.740 update-security: error: client @0x7fa1100a1ca0 192.168.1.15#49688: update 'local.example.com/IN' denied<br class="">
<div class="">23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': rolling back</div>
<div class=""><br class="">
</div>
<div class="">Any help on how to start debugging it is greatly appreciated.</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class=""><br class="">
</div>
<div class="">PS: My implementation was based on this article: <a href="http://ddiguru.com/blog/configuring-gss-tsig-on-bind" class="">http://ddiguru.com/blog/configuring-gss-tsig-on-bind</a>, except for the +DesOnly option, because it’s deprecated right now. I’ve enabled the AES256 passwords on the BIND9 user account on the AD side and set the password afterwards so the hashes could be generated.</div>
<div class=""><br class="">
</div>
</div>
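<div class="">The following is an added example, not part of the original message and not BIND's or the poster's code. It parses named's <code>update</code> / <code>update-security</code> log lines of the format quoted above and summarises denied dynamic updates per client: how many were refused, for which zones, whether any refused request carried a key (named logs signed requests as <code>client IP#port/key NAME:</code>), and whether the same client retried within a short window from a new source port. That retry pattern matters here because a Windows client with the default dynamic-update setting sends an unsigned update first and only falls back to a GSS-TSIG-signed one if the unsigned one is refused, so two back-to-back denials from one client are worth separating before reading them as "the secure update was denied". The sample log is the constructed copy of the lines in the post; the <code>/key</code> capture and the 500 ms retry window are assumptions chosen for the example.</div>

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines quoted in the post (addresses as given there).
SAMPLE_LOG = """\
23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:03.693 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#62276: update 'local.example.com/IN' denied
23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': rolling back
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:03.700 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#65242: update 'local.example.com/IN' denied
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': rolling back
23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:05.740 update-security: error: client @0x7fa1100a1ca0 192.168.1.15#49688: update 'local.example.com/IN' denied
23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': rolling back
"""

# One named log line: timestamp, category, level (debug lines carry a number),
# the client pointer (optional), IP#port, an optional "/key NAME" for signed
# requests (assumed format), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<level>\w+)(?: \d+)?: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))?: (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"update '(?P<zone>[^']+)' denied")


def parse_line(line):
    """Return the fields of one named log line, or None if it is not a client line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def denied_updates(log_text):
    """Collect every 'update ... denied' event logged by the update-security category."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["category"] != "update-security":
            continue
        m = DENIED_RE.search(rec["msg"])
        if not m:
            continue
        events.append({"ts": rec["ts"], "ip": rec["ip"], "port": rec["port"],
                       "key": rec["key"], "zone": m.group("zone")})
    return events


def summarize(events, retry_window_ms=500):
    """Per client IP: denied count, zones touched, whether any denied request was
    signed, and whether a denial was followed by another from a new source port
    within retry_window_ms (the unsigned-then-secure client behaviour)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    summary = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        quick_retry = any(
            (b["ts"] - a["ts"]).total_seconds() * 1000 <= retry_window_ms
            and b["port"] != a["port"]
            for a, b in zip(evs, evs[1:])
        )
        summary[ip] = {
            "denied": len(evs),
            "zones": sorted({e["zone"] for e in evs}),
            "signed": any(e["key"] is not None for e in evs),
            "quick_retry": quick_retry,
        }
    return summary


if __name__ == "__main__":
    for ip, info in sorted(summarize(denied_updates(SAMPLE_LOG)).items()):
        print(ip, info)
```

<div class="">Run it against a real <code>named</code> log instead of the embedded sample by reading the file into <code>denied_updates()</code>. A client that shows <code>signed: False</code> on every denial never got a signed request as far as the update-security category is concerned, which points at the TKEY negotiation (keytab principal, realm, reverse-lookup name) rather than at the <code>update-policy</code> grants; a client with a signed denial points at the grants. Raising the <code>update</code> category to the debug level used in the post, and adding the <code>security</code> category, is what surfaces the TKEY outcome.</div>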
</body>
</html>