Thanks Mark.

On Tue, Jan 19, 2021 at 6:15 PM Mark Andrews <ma...@isc.org> wrote:

> Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for
> GSS-TSIG.
>
> --
> Mark Andrews
>
> On 19 Jan 2021, at 22:23, Nagesh Thati <tcpnag...@gmail.com> wrote:
>
> 
> Hi,
> I am getting update failed on master DNS appliance when I am using
> allow-update-forwarding,
> *updating zone '_msdcs.example.com/IN':
> update failed: rejected by secure update (REFUSED)*
>
> example.com is an Active Directory enabled zone which has one master and
> one slave. Master appliance is hidden, so active directory sends updates to
> slave appliance using MNAME specified in the zone SOA section.
>
> *master(10.1.10.203) named.conf:*
>
> tkey-gssapi-keytab "/etc/krb5.keytab"; -> In the option section, in /etc
> folder we have keytab file
>
> zone "_msdcs.example.com" IN {
>         type master;
>         file "/var/named/zones/masters/db._msdcs.example.com";
>         allow-transfer {10.1.10.144;};
>         also-notify {10.1.10.144;};
>         notify explicit;
>         *update-policy { grant * subdomain _msdcs.example.com. ANY; };*
>         check-names ignore;
>         zone-statistics yes;
> };
>
> *slave(10.1.10.144) named.conf:*
> zone "_msdcs.example.com" IN {
>         type slave;
>         file "/var/named/zones/slaves/db._msdcs.example.com";
>         allow-notify {10.1.10.203;};
>         masters {
>                 10.1.10.203;
>         };
>         check-names ignore;
>         zone-statistics yes;
>         *allow-update-forwarding{10.1.10.158;};*
> };
>
> *10.1.10.158 - AD server*
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>