At Mon, 22 Sep 2008 17:37:35 -0400, Kevin Darcy wrote:
>
> I'm not aware of any version of nsupdate (with the possible exception of
> the BIND 9.5.x version, which I haven't looked at yet), that has
> GSS-TSIG -- as opposed to regular TSIG -- capability, which as far as I
> know is a prerequisite to performing secure Dynamic Updates to Microsoft
> DNS.
BIND 9.5 includes GSS-TSIG support both in named and in nsupdate. The main effort was on getting named to work in the server role in environments like Active Directory that require GSS-TSIG support; nsupdate also works when talking to named, because it would be silly for it not to. named works as the nameserver in an Active Directory environment with this configuration: Windows clients can update their data using an Active Directory Kerberos principal and GSS-TSIG to authenticate, Unix clients can use nsupdate in the same way, and it all works fine.

Convincing a Microsoft DNS server that any particular Kerberos principal is authorized to perform an update is another matter: it's probably some undocumented configuration setting somewhere in the Active Directory LDAP database (because just about everything is), but we don't know the specifics, and it's Microsoft code that's making the access control decision in this setup, so there's not much BIND can do besides presenting valid protocol and hoping for the best.
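As an added illustration of the named-side setup the message refers to (not the author's own configuration, nor anything shipped by ISC), here is a minimal named.conf fragment for a BIND 9.5 named that accepts GSS-TSIG updates from Active Directory and Unix clients; the realm EXAMPLE.COM, the server name ns1.example.com, the zone example.com and the file paths are assumed placeholders.

```conf
// Added example, not from the original message. Assumed placeholders:
// realm EXAMPLE.COM, server ns1.example.com, zone example.com, file paths.
options {
    directory "/var/named";

    // Kerberos principal named presents to clients during the TKEY
    // negotiation that sets up the GSS-TSIG key. Its key must be in the
    // keytab named reads at startup (the default keytab, or the file
    // pointed to by KRB5_KTNAME in named's environment).
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";

    // Realm that client principals are expected to belong to.
    tkey-domain "EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "example.com.db";

    // Least-privilege update policy: an authenticated principal may only
    // change the records for its own host name, and only the listed types.
    update-policy {
        // Windows machine accounts: host$@EXAMPLE.COM may update A/AAAA
        // records for host.example.com and nothing else.
        grant EXAMPLE.COM ms-self * A AAAA;

        // Unix clients holding host/host.example.com@EXAMPLE.COM tickets,
        // for example when running "nsupdate -g" after kinit.
        grant EXAMPLE.COM krb5-self * A AAAA;
    };
};
```

On the client side, nsupdate -g negotiates the GSS-TSIG key with the TKEY exchange using the caller's Kerberos ticket before sending the update, so a failed update shows up in named's update and security log categories as a rejected principal rather than as an unsigned request.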