You might try changing your update-policy from:

    grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
    grant * zonesub ANY;

to:

    grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
    grant LAB.BRANDEIS.EDU zonesub ANY;

I'm not positive this is the proper syntax since we don't use the zonesub option. We use the ms-subdomain and krb5-subdomain options:

    grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
    grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

On May 2, 2014, at 5:16 PM, John Miller <johnm...@brandeis.edu> wrote:

> Hi folks,
>
> I'm trying to get our AD domain controllers to update our BIND 9.8.2
> servers--specifically for the zone _msdcs.lab.brandeis.edu.
>
> I've got updates working in general: I can run kinit <username>@REALM
> (johnmill-dns-t...@lab.brandeis.edu in this case), then successfully run
> nsupdate -g from my desktop:
>
>     server dns-ext-dev1.lab.brandeis.edu
>     zone _msdcs.lab.brandeis.edu.
>     update add yourmom._msdcs.lab.brandeis.edu. 300 IN A 127.0.0.1
>     send
>
> This works fine--I grab the necessary tickets from our domain controllers,
> and BIND accepts my update.
>
> My update-policy {} directive for the zone looks like:
>
>     update-policy {
>         grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
>         grant * zonesub ANY;
>     }
>
> This is uber-lenient--I don't plan to leave things this way, but the wildcard
> should allow anything with a pulse to update.
>
> When I try to use Windows (the domain controller itself) to send updates, the
> update first gets sent insecurely (which fails), then Windows attempts secure
> authentication (and succeeds), but doesn't actually send a secured update:
>
> named[13861]: client 129.64.102.112#64501: UDP request
> named[13861]: client 129.64.102.112#64501: using view '_default'
> named[13861]: client 129.64.102.112#64501: request is not signed
> named[13861]: client 129.64.102.112#64501: recursion not available
> named[13861]: client 129.64.102.112#64501: update
> named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
> named[13861]: client 129.64.102.112#64501: send
> named[13861]: client 129.64.102.112#64501: sendto
> named[13861]: client 129.64.102.112#64501: senddone
> named[13861]: client 129.64.102.112#64501: next
> named[13861]: client 129.64.102.112#64501: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#52448: new TCP connection
> named[13861]: client 129.64.102.112#52448: replace
> named[13861]: clientmgr @0x7f7564003f98: createclients
> named[13861]: clientmgr @0x7f7564003f98: recycle
> named[13861]: client 129.64.102.112#52448: read
> named[13861]: client 129.64.102.112#52448: TCP request
> named[13861]: client 129.64.102.112#52448: using view '_default'
> named[13861]: client 129.64.102.112#52448: request is not signed
> named[13861]: client 129.64.102.112#52448: recursion not available
> named[13861]: client 129.64.102.112#52448: query
> named[13861]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
> named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
> named[13861]: process_gsstkey(): dns_tsigerror_noerror
> named[13861]: client 129.64.102.112#52448: send
> named[13861]: client 129.64.102.112#52448: sendto
> named[13861]: client 129.64.102.112#52448: senddone
> named[13861]: client 129.64.102.112#52448: next
> named[13861]: client 129.64.102.112#52448: endrequest
> named[13861]: client 129.64.102.112#52448: read
> named[13861]: client @0x7f7564104b70: accept
> named[13861]: client 129.64.102.112#52448: next
> named[13861]: client 129.64.102.112#52448: request failed: end of file
> named[13861]: client 129.64.102.112#52448: endrequest
> named[13861]: client 129.64.102.112#52448: closetcp
> named[13861]: client 129.64.102.112#64230: UDP request
> named[13861]: client 129.64.102.112#64230: using view '_default'
> named[13861]: client 129.64.102.112#64230: request is not signed
> named[13861]: client 129.64.102.112#64230: recursion not available
> named[13861]: client 129.64.102.112#64230: query
> named[13861]: client 129.64.102.112#64230: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
> named[13861]: client 129.64.102.112#64230: send
> named[13861]: client 129.64.102.112#64230: sendto
> named[13861]: client 129.64.102.112#64230: senddone
> named[13861]: client 129.64.102.112#64230: next
> named[13861]: client 129.64.102.112#64230: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#63381: UDP request
> named[13861]: client 129.64.102.112#63381: using view '_default'
> named[13861]: client 129.64.102.112#63381: request is not signed
> named[13861]: client 129.64.102.112#63381: recursion not available
> named[13861]: client 129.64.102.112#63381: query
> named[13861]: client 129.64.102.112#63381: query (cache) 'dns-ext-dev1.lab.brandeis.edu/A/IN' denied
> named[13861]: client 129.64.102.112#63381: error
> named[13861]: client 129.64.102.112#63381: send
> named[13861]: client 129.64.102.112#63381: sendto
> named[13861]: client 129.64.102.112#63381: senddone
> named[13861]: client 129.64.102.112#63381: next
> named[13861]: client 129.64.102.112#63381: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.99.24#21999: UDP request
> named[13861]: client 129.64.99.24#21999: using view '_default'
> named[13861]: client 129.64.99.24#21999: request is not signed
> named[13861]: client 129.64.99.24#21999: recursion not available
> named[13861]: client 129.64.99.24#21999: query
> named[13861]: client 129.64.99.24#21999: query '_kerberos._tcp.dc._msdcs.lab.brandeis.edu/SOA/IN' approved
> named[13861]: client 129.64.99.24#21999: send
> named[13861]: client 129.64.99.24#21999: sendto
> named[13861]: client 129.64.99.24#21999: senddone
> named[13861]: client 129.64.99.24#21999: next
> named[13861]: client 129.64.99.24#21999: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#63504: UDP request
> named[13861]: client 129.64.102.112#63504: using view '_default'
> named[13861]: client 129.64.102.112#63504: request is not signed
> named[13861]: client 129.64.102.112#63504: recursion not available
> named[13861]: client 129.64.102.112#63504: update
> named[13861]: client 129.64.102.112#63504: update '_msdcs.lab.brandeis.edu/IN' denied
> named[13861]: client 129.64.102.112#63504: send
> named[13861]: client 129.64.102.112#63504: sendto
> named[13861]: client 129.64.102.112#63504: senddone
> named[13861]: client 129.64.102.112#63504: next
> named[13861]: client 129.64.102.112#63504: endrequest
>
> Contrast this with logs from a successful update (from my desktop):
>
> named[12766]: client 129.64.8.232#56297: UDP request
> named[12766]: client 129.64.8.232#56297: using view '_default'
> named[12766]: client 129.64.8.232#56297: request is not signed
> named[12766]: client 129.64.8.232#56297: recursion not available
> named[12766]: client 129.64.8.232#56297: query
> named[12766]: client 129.64.8.232#56297: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
> named[12766]: client 129.64.8.232#56297: send
> named[12766]: client 129.64.8.232#56297: sendto
> named[12766]: client 129.64.8.232#56297: senddone
> named[12766]: client 129.64.8.232#56297: next
> named[12766]: client 129.64.8.232#56297: endrequest
> named[12766]: client @0x7f51a80f6980: udprecv
> named[12766]: client 129.64.8.232#34226: new TCP connection
> named[12766]: client 129.64.8.232#34226: replace
> named[12766]: clientmgr @0x7f51a8004f98: createclients
> named[12766]: clientmgr @0x7f51a8004f98: recycle
> named[12766]: client 129.64.8.232#34226: read
> named[12766]: client 129.64.8.232#34226: TCP request
> named[12766]: client 129.64.8.232#34226: using view '_default'
> named[12766]: client 129.64.8.232#34226: request is not signed
> named[12766]: client 129.64.8.232#34226: recursion not available
> named[12766]: client 129.64.8.232#34226: query
> named[12766]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
> named[12766]: gss-api source name (accept) is johnmill-dnst...@lab.brandeis.edu
> named[12766]: process_gsstkey(): dns_tsigerror_noerror
> named[12766]: client 129.64.8.232#34226: send
> named[12766]: client 129.64.8.232#34226: sendto
> named[12766]: client 129.64.8.232#34226: senddone
> named[12766]: client 129.64.8.232#34226: next
> named[12766]: client 129.64.8.232#34226: endrequest
> named[12766]: client 129.64.8.232#34226: read
> named[12766]: client @0x7f51a847c120: accept
> named[12766]: client 129.64.8.232#34226: next
> named[12766]: client 129.64.8.232#34226: request failed: end of file
> named[12766]: client 129.64.8.232#34226: endrequest
> named[12766]: client 129.64.8.232#34226: closetcp
> named[12766]: client 129.64.8.232#49802: new TCP connection
> named[12766]: client 129.64.8.232#49802: replace
> named[12766]: clientmgr @0x7f51a8004f98: createclients
> named[12766]: clientmgr @0x7f51a8004f98: recycle
> named[12766]: client 129.64.8.232#49802: read
> named[12766]: client 129.64.8.232#49802: TCP request
> named[12766]: client 129.64.8.232#49802: using view '_default'
> named[12766]: client 129.64.8.232#49802: request has valid signature: johnmill-dnstest\@LAB.BRANDEIS.EDU
> named[12766]: client 129.64.8.232#49802: recursion not available
> named[12766]: client 129.64.8.232#49802: update
> named[12766]: client @0x7f51a8104b70: accept
> named[12766]: client 129.64.8.232#49802: updating zone '_msdcs.lab.brandeis.edu/IN': adding an RR at 'yourmom._msdcs.lab.brandeis.edu' A
> named[12766]: client 129.64.8.232#49802: send
> named[12766]: client 129.64.8.232#49802: sendto
> named[12766]: client 129.64.8.232#49802: senddone
> named[12766]: client 129.64.8.232#49802: next
>
> Even though it sends valid TKEY credentials, why doesn't Windows actually
> sign its updates or use a TCP connection for them? Any way to actually get
> the Windows side of things to send signed updates?
>
> John
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
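To make the difference between the two policies in this thread concrete, here is an added Python model of how BIND's zonesub, ms-subdomain and krb5-subdomain grants match a signer against a target name (per the BIND ARM's description of those rule types). It is illustration written for this page, not BIND's code or anything from the thread's authors; the policy strings, the zone and the AD-2K8-DEV1$ machine principal are taken from the thread, the other signers are constructed, and RR-type filtering is not modelled.

```python
import re

# Zone whose update-policy is being evaluated (from the thread).
ZONE = "_msdcs.lab.brandeis.edu"

# Principal shapes the realm-scoped rule types act on, per the BIND ARM.
MS_MACHINE = re.compile(r"^([^@$/]+)\$@(.+)$")      # machine$@REALM (AD computer account)
KRB5_MACHINE = re.compile(r"^host/([^@/]+)@(.+)$")  # host/machine@REALM (Kerberos host principal)


def is_subdomain(name, parent):
    """True if name equals parent or lies below it (case-insensitive, trailing dot ignored)."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)


def parse_policy(text):
    """Split 'grant IDENTITY RULETYPE [NAME] [TYPES];' clauses into token tuples."""
    return [tuple(m.group(1).split()) for m in re.finditer(r"grant\s+([^;]+);", text)]


def rule_matches(rule, signer, target):
    identity, ruletype = rule[0], rule[1]
    if ruletype == "zonesub":
        # identity is compared with the signer name itself; '*' matches any signer
        # BIND accepted a TKEY for, and the name field is implicitly the zone.
        return (identity == "*" or identity.lower() == signer.lower()) and is_subdomain(target, ZONE)
    if ruletype in ("ms-subdomain", "krb5-subdomain"):
        # identity is a REALM: only machine principals of that realm match, and they may
        # touch names at or below the rule's name field.
        m = (MS_MACHINE if ruletype == "ms-subdomain" else KRB5_MACHINE).match(signer)
        return bool(m) and m.group(2).lower() == identity.lower() and is_subdomain(target, rule[2])
    raise ValueError("rule type not modelled here: " + ruletype)


def allowed(policy_text, signer, target):
    """An unsigned UPDATE (signer None, as in the DC's first attempt) never matches a grant."""
    if signer is None:
        return False
    return any(rule_matches(r, signer, target) for r in parse_policy(policy_text))


# Constructed policies mirroring the thread: the wildcard one John posted and the
# realm-scoped one Nicholas uses.
LENIENT = "grant johnmill-dnstest@lab.brandeis.edu zonesub ANY; grant * zonesub ANY;"
SCOPED = ("grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU; "
          "grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;")
DC = "AD-2K8-DEV1$@LAB.BRANDEIS.EDU"   # machine principal seen in the thread's debug log

if __name__ == "__main__":
    for policy, label in ((LENIENT, "lenient"), (SCOPED, "scoped")):
        for signer in (None, DC, "johnmill-dnstest@LAB.BRANDEIS.EDU", "AD-2K8-DEV1$@OTHER.EXAMPLE"):
            print(label, signer, allowed(policy, signer, "yourmom._msdcs.lab.brandeis.edu"))
```

Running it shows why the unsigned UPDATE in the log is denied under either policy, and that the realm-scoped grants admit the domain controller's machine account while rejecting user principals and machines from other realms.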