How do you configure ISC Bind to support GSS-TSIG Updates?

Posted by netlinxman on Server Fault
Published on 2010-09-03T16:08:09Z

First, has anyone EVER configured ISC bind 9.5.0 OR greater with support for GSS-TSIG Dynamic DNS Updates AND gotten it to work? If so, what is the configuration that was used to make that happen?

I feel close to having this working. I see that GSS cred passes w/o apparent error during the TKEY negotiation with an Active Directory DC and the BIND DNS server:

    client 192.168.0.30#52314: query
    gss cred: "DNS/[email protected]", GSS_C_ACCEPT, 4294967256
    gss-api source name (accept) is [email protected]
    process_gsstkey(): dns_tsigerror_noerror
    client 192.168.0.30#52314: send

But, when the Update is sent, it is refused:

    client 192.168.0.30#58330: update
    client 192.168.0.30#58330: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
    client 192.168.0.30#58330: send

Does anyone have this working in the real world?
