{Spam?} Kerberos authenticated dynamic update forwarding

Fri, 31 Jan 2020 09:20:38 -0800 

Greetings.

   I need some guidance on how configure dynamic dns updates forwarding
when using tsig-gss (kerberos) authentication.  I have successfully
setup tsig-gss authentication when updating the master directly.  I have
the need to have the client send the update to a slave that then
forwards the update to the master.

   The design is the master, slaves, and clients are all part of the
same kerberos realm.  The master has a service keytab of
DNS/<master.fqdn>@REALM defined for bind.  Each client  has the host
keytab of host/<client.fqdn>@REALM.  On the slave I have tried 3
different service keytab combinations in for bind configuration.

  * DNS/<slave.fqdn>@REALM only
  * DNS/<slave.fqdn>@REALM and DNS/<master.fqdn>@REALM
  * DNS/<master.fqdn@REALM> only

  The clients can update their own records successfully when connecting
directly with the master. With slave bind keytab only contain the its
own service keytab, the client and slave will not exchange information. 
When I added the master keytab entry on the slave, the slave attempts to
forward the request to the master.  However the  update fails.  The logs
on the slave indicate the following:

named[15934]: client <client.ip.address>#45780/key
host/client.my.zone\@REALM: signer "host/client.my.zone\@REALM" approved
named[15934]: client <client.ip.address>#45780/key
host/client.my.zone\@REALM: forwarding update for zone 'my.zone/IN'
named[15934]: zone my.zone/IN: forwarding dynamic update: unexpected
response: master <master.ip.address>#53 returned: NOTAUTH

The master logs the following:

named[17809]: client <slave.ip.addres>#48733: request has invalid
signature: TSIG 1114672902.sig-<master.fqdn>: tsig verify failure (BADKEY)


The update policy for the zone on the master is:

update-policy {
        grant REALM krb5-self * SSHFP;
};

I suspect I simply do not have the correct keytab combinations.  I am
unclear what the correct combination would be.
-- 
------------------------------------------------------------------------
*/Matthew Davis/*

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to