Any reason you have chosen GSS vs. TSIG? Is this for a Windows environment?


On May 14, 2009, at 7:37 AM, Peter Fraser <petros.fra...@gmail.com> wrote:

Hi All
I have been working to get dynamic updates working with bind-9.6 and
FreeBSD 7. So far I have done the following:

1. Compiled bind with GSSAPI enabled.
2. Added these to named.conf

options {
    ...
    tkey-gssapi-credential "DNS/mydomain.com";
    ...
};

and

zone "mydomain.com" {
    type master;
    file "master/mydomain.com";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * A;
    };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa";
    update-policy {
        grant MYDOMAIN.COM ms-subdomain * PTR;
    };
};


3. Created a user in AD called binddns and set the password to never expire.
4.  Used ktpass  to create the keytab like this:
      C:\> ktpass -out krb5.keytab -princ
      DNS/binddns.mydomain....@mydomain.com -pass * -mapuser
     bind...@mydomain.com

5. Copied krb5.keytab to /etc
6. At this point I figured I should be done. Reloaded bind, but no updates.

I now ran kinit and nsupdate -g from the box

server server.mydomain.com
zone atlas.local
debug
send

and saw the following:

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2310
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;atlas.local.                   IN      SOA

;; ANSWER SECTION:
mydomain.com.            3600    IN      SOA     server.mydomain.com.
admin.mydomain.com. 715 900 600 86400 3600

;; ADDITIONAL SECTION:
server.mydomain.com. 3600  IN      A       192.168.1.100

Found zone name: mydomain.com
The master is: server.mydomain.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62457
;; flags: ; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;575112106.sig-server.mydomain.com.        ANY TKEY

;; ADDITIONAL SECTION:
575112106.sig-server.mydomain.com. 0 ANY TKEY gss-tsig. 1242311154
1242311154 3 NOERROR 1243

LOTS OF GIBBERISH

dns_request_getresponse: FORMERR

I am still not, however, seeing the zone files updated or any .jnl files.
Anything else I could do to troubleshoot this?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
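The six steps quoted above describe a GSS-TSIG setup end to end, but the thread does not show how to confirm each piece before sending an update. The script below is an added example; it is not part of the original post, nor BIND's or ISC's code. It assumes MIT Kerberos client tools (klist -kt, klist -s), BIND's nsupdate and dig on the client, a named.conf at /etc/namedb/named.conf, the keytab at /etc/krb5.keytab, and the hypothetical names mydomain.com and server.mydomain.com. It checks that named was built with GSSAPI, that the tkey-gssapi-credential in named.conf has a matching entry in the keytab, that the client already holds a ticket, and then round-trips a probe A record through nsupdate -g with debugging on.

```shell
#!/bin/sh
# Added example (not from the thread): a checklist script for a BIND
# GSS-TSIG update path. Assumes MIT Kerberos client tools (klist, kinit),
# BIND's nsupdate and dig, and the hypothetical names/paths used below.

# conf_credential FILE
# Prints the tkey-gssapi-credential value from a named.conf.
conf_credential() {
    sed -n 's/^[[:space:]]*tkey-gssapi-credential[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text printed by `klist -kt KEYTAB`; the principal is the
# last field of each entry line. Exits 0 if PRINCIPAL has an entry.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# update_script SERVER ZONE NAME add|delete
# Prints the nsupdate batch that adds or removes a probe A record.
# 192.0.2.10 is a documentation address (RFC 5737), used here as test data.
update_script() {
    printf 'server %s\nzone %s\n' "$1" "$2"
    if [ "$4" = add ]; then
        printf 'update add %s 60 A 192.0.2.10\n' "$3"
    else
        printf 'update delete %s A\n' "$3"
    fi
    printf 'send\n'
}

# main ZONE SERVER [NAMED_CONF] [KEYTAB]
main() {
    zone=$1; server=$2
    conf=${3:-/etc/namedb/named.conf}   # assumed path; adjust to your layout
    keytab=${4:-/etc/krb5.keytab}       # named's default keytab location
    probe="gsstsig-probe.$zone"         # hypothetical probe name

    # 1. named must actually be built with GSSAPI.
    if ! named -V | grep -q -- '--with-gssapi'; then
        echo "warning: 'named -V' does not show --with-gssapi"
    fi

    # 2. The credential named in named.conf must have an entry in the keytab.
    cred=$(conf_credential "$conf")
    [ -n "$cred" ] || { echo "no tkey-gssapi-credential in $conf"; exit 1; }
    listing=$(klist -kt "$keytab") || exit 1
    if keytab_has_principal "$listing" "$cred"; then
        echo "keytab entry found for $cred"
    else
        echo "keytab $keytab has no entry for $cred (compare with the ktpass -princ value)"
        exit 1
    fi

    # 3. The client needs a valid ticket before nsupdate -g can negotiate a TKEY.
    klist -s || { echo "no valid Kerberos ticket; run kinit first"; exit 1; }

    # 4. Add a probe record with debug output, show what the server answers,
    #    then remove the probe again.
    update_script "$server" "$zone" "$probe" add | nsupdate -g -d || exit 1
    echo "server now answers: $(dig +short "@$server" "$probe" A)"
    update_script "$server" "$zone" "$probe" delete | nsupdate -g
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh gss_update_check.sh mydomain.com server.mydomain.com` on a client that has already run kinit; the probe name, paths and addresses are placeholders. Two caveats worth knowing: if named runs chrooted (FreeBSD's rc.conf default is named_chrootdir="/var/named"), named looks for /etc/krb5.keytab relative to the chroot, so a keytab copied to the host's /etc is not the one it reads; pass the chroot path as the fourth argument. And the Heimdal klist shipped in the FreeBSD base system does not take -kt; with Heimdal, list the keytab with `ktutil -k /etc/krb5.keytab list` instead.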