ISC Bind support for GSS-TSIG DDNS Updates


First, has anyone EVER configured ISC BIND 9.5.0 OR greater with support for GSS-TSIG Dynamic DNS Updates AND gotten it to work? If so, what is the configuration that was used to make that happen?

I feel close to having this working. I see that GSS cred passes w/o apparent error during the TKEY negotiation with an Active Directory DC and the BIND DNS server:

client query
gss cred: "DNS/", GSS_C_ACCEPT, 4294967256
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client send

But, when the Update is sent, it is refused:

client update
client updating zone '': update failed: rejected by secure update (REFUSED)
client send

Does anyone have this working in the real world?

Best Answer

I actually managed to get dynamic updates to work using a patch provided by the Samba 4 team.

There seem to be issues with the version of Windows running and its method of doing dynamic updates.

If you're trying to do the same outside of a samba4 domain... your next-best-bet is to try & follow the howto here:

I'm sorry if I don't have more info on that subject.
