Thanks to both Mark and Nicholas for the help. Unfortunately, still not able to get this working (BIND 9.8.2 (RHEL 6) & AD 2008R2). It's a case of AD negotiating a TKEY (successfully), then reverting back to unsigned updates. If an update's not signed, doesn't matter what your update-policy statements look like.

We're just going to continue with unsigned updates (or manual-only updates). I'd still like to solve the problem, but probably won't go into production with it.

Some possible insight in the comments of:

http://netlinxinc.com/netlinx-blog/45-dns/136-how-to-implement-gss-tsig-on-isc-bind.html

"Windows 7 and Windows 2008 R2 have changed their behavior in regards to dynamic updates and how they send signed updates to BIND DNS servers. These new operating systems will first send an “unsigned” update to a DNS server and will only revert to a “signed” update if there is additional information provided in the response DNS message. Earlier operating systems would automatically revert to signed updates as the next sequence in the dynamic update process. Current versions of BIND 9 do not place the additional header information in the response package, so the Windows 7 and 2008 servers will not revert. There is a patch that you can apply (manually) and re-compile that works."

Evidently AD expects additional records in the TKEY response, otherwise we see the behavior I'm seeing. I've attached a pcap of a sample TKEY response and a sample unsigned update rejection; if any of you have this working, would you mind listing your BIND and AD versions, as well as posting some sample packet output? I'd be curious to see how our environment differs from yours.

John



On 05/06/2014 10:15 AM, Nicholas F Miller wrote:
You might try changing your update-policy from:

grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant * zonesub ANY;

to

grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant LAB.BRANDEIS.EDU zonesub ANY;

I’m not positive this is the proper syntax since we don’t use the zonesub option. We use the ms-subdomain and krb5-subdomain options:

grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

Attachment: tkey_no_addl.pcap
Description: application/vnd.tcpdump.pcap

Attachment: update_refused.pcap
Description: application/vnd.tcpdump.pcap
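To compare a server's TKEY exchange against the behavior described in the quoted blog post (whether the TKEY response carries anything beyond the answer-section TKEY record), a small DNS wire-format inspector is enough. The script below is an added example, not code from the thread or from ISC BIND. It does not implement GSS-API or verify any signature; it only parses the header and the four sections of a DNS message and reports which record types sit in the answer and additional sections. The two sample messages it builds (a TKEY response with and without a TSIG record in the additional section, using a made-up key name under lab.brandeis.edu) are constructed inline so the script runs offline; to inspect a real response, pass the raw DNS payload extracted from a capture to `tkey_response_report`.

```python
"""Inspect a DNS TKEY response and report what the additional section carries.

Added example: constructed messages only, no GSS-API, no signature checks.
"""
import struct

TYPE_NAMES = {1: "A", 6: "SOA", 249: "TKEY", 250: "TSIG"}
CLASS_ANY = 255  # TKEY and TSIG records are sent in class ANY


def encode_name(name):
    """Encode a dotted name into uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(msg):
    """Parse header, question and the three RR sections into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = read_name(msg, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            if offset + rdlen > len(msg):
                raise ValueError("truncated RDATA")
            sections[section].append((name, rtype, msg[offset:offset + rdlen]))
            offset += rdlen
    return {"id": ident, "rcode": flags & 0x000F, "is_response": bool(flags & 0x8000),
            "questions": questions, **sections}


def tkey_response_report(msg):
    """Summarise a TKEY response: rcode, and record types per section."""
    parsed = parse_message(msg)
    answer_types = [TYPE_NAMES.get(t, str(t)) for _, t, _ in parsed["answer"]]
    additional_types = [TYPE_NAMES.get(t, str(t)) for _, t, _ in parsed["additional"]]
    return {"rcode": parsed["rcode"], "answer_types": answer_types,
            "additional_types": additional_types,
            "tkey_in_answer": "TKEY" in answer_types,
            "tsig_in_additional": "TSIG" in additional_types}


def build_rr(name_bytes, rtype, rdata, ttl=0, rclass=CLASS_ANY):
    """Assemble one resource record from already-encoded name bytes."""
    return name_bytes + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_tkey_response(with_tsig):
    """Construct a sample TKEY response (made-up key name and token bytes)."""
    key_name = encode_name("1234-ms-7.lab.brandeis.edu")
    # TKEY RDATA (RFC 2930 s.2): algorithm, inception, expiration, mode 3 = GSS-API,
    # error, key size + key, other size.
    tkey_rdata = (encode_name("gss-tsig") + struct.pack("!IIHH", 0, 0, 3, 0)
                  + struct.pack("!H", 4) + b"\x00\x01\x02\x03" + struct.pack("!H", 0))
    additional, arcount = b"", 0
    if with_tsig:
        # TSIG RDATA (RFC 2845 s.2.3): algorithm, 48-bit time signed, fudge,
        # MAC size + MAC, original ID, error, other length.
        tsig_rdata = (encode_name("gss-tsig") + b"\x00" * 6 + struct.pack("!H", 300)
                      + struct.pack("!H", 4) + b"\xaa\xbb\xcc\xdd"
                      + struct.pack("!HHH", 0x1234, 0, 0))
        additional, arcount = build_rr(b"\xC0\x0C", 250, tsig_rdata), 1
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, arcount)  # QR=1, AA=1
    question = key_name + struct.pack("!HH", 249, CLASS_ANY)
    answer = build_rr(b"\xC0\x0C", 249, tkey_rdata)  # pointer to the question name
    return header + question + answer + additional


if __name__ == "__main__":
    for flag in (False, True):
        print("with TSIG" if flag else "no additional", tkey_response_report(build_tkey_response(flag)))
```

When run against a real payload, the `additional_types` list is the field to compare between a working and a non-working server; an empty list corresponds to the "no additional" case the post describes.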


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
