Re: BIND for Active directory with secure update
On 12/14/2011 2:36 PM, Vbvbrj wrote:

> Hello.
>
> I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by first setting BIND as a secondary DNS server for Microsoft DNS, copying the zones, and making BIND the master.
>
> In order for domain member hosts to update the records of their names in DNS, I allow unsecure updates from the LAN computers. It's a security threat of poisoning the DNS. I would like to set up a secure update by the domain servers. On the internet I read about using allow-update with a key file. But I didn't find a page on how to get the key from the Active Directory Kerberos system.
>
> Could anyone point me to setting up the secure update to BIND with a key from the already deployed Active Directory?
>
> BIND is running under Windows.

GSS-TSIG is not implemented for BIND9 on Windows.

Danny

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND for Active directory with secure update
You need to be running BIND 9.7.2-P2 or higher for GSS-TSIG to work.

Create a user account in your AD. Then run:

    ktpass -out name_of_your_keytab.keytab -princ DNS/domain.name@DOMAIN.NAME -pass * -mapuser AD_user_you_created@domain.name

Nicholas Miller, OIT, University of Colorado at Boulder

On Dec 9, 2011, at 12:07 PM, Vbvbrj wrote:

> Hello.
>
> I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by first setting BIND as a secondary DNS server for Microsoft DNS, copying the zones, and making BIND the master.
>
> In order for domain member hosts to update the records of their names in DNS, I allow unsecure updates from the LAN computers. It's a security threat of poisoning the DNS. I would like to set up a secure update by the domain servers. On the internet I read about using allow-update with a key file. But I didn't find a page on how to get the key from the Active Directory Kerberos system.
>
> Could anyone point me to setting up the secure update to BIND with a key from the already deployed Active Directory?
>
> BIND is running under Windows.
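The zone configuration this thread is working toward, as an added example that is not part of any poster's message: the open allow-update ACL next to a GSS-TSIG update-policy that uses the principal from the ktpass step. It assumes a named build with GSS-TSIG support; the zone file name and the 192.168.0.0/24 LAN range are constructed placeholders, and the ms-self rule is written in the form used by BIND 9 releases of this era, so check the ARM for your version.

```conf
// named.conf fragment (added example; placeholders are marked)

options {
    // Service principal created with ktpass. named must be able to read the
    // matching keytab (with MIT Kerberos the KRB5_KTNAME environment variable
    // selects the keytab file).
    tkey-gssapi-credential "DNS/domain.name@DOMAIN.NAME";
    tkey-domain "DOMAIN.NAME";
};

// Before: address-based trust. Any host that can send from the LAN range
// can add, change or delete any record in the zone.
//
// zone "domain.name" {
//     type master;
//     file "domain.name.db";                 // placeholder file name
//     allow-update { 192.168.0.0/24; };      // placeholder LAN range
// };

// After: updates must be signed with a Kerberos-negotiated GSS-TSIG key.
// allow-update and update-policy cannot both be set on the same zone.
zone "domain.name" {
    type master;
    file "domain.name.db";                    // placeholder file name

    update-policy {
        // A machine account host$@DOMAIN.NAME may update only the
        // A/AAAA records of its own name, host.domain.name.
        grant DOMAIN.NAME ms-self * A AAAA;
    };
};
```

Running `named-checkconf` on the edited file before reloading catches syntax errors and unsupported rule forms.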
BIND for Active directory with secure update
Hello.

I've set up BIND to serve the requests to the LAN instead of Microsoft DNS by first setting BIND as a secondary DNS server for Microsoft DNS, copying the zones, and making BIND the master.

In order for domain member hosts to update the records of their names in DNS, I allow unsecure updates from the LAN computers. It's a security threat of poisoning the DNS. I would like to set up a secure update by the domain servers. On the internet I read about using allow-update with a key file. But I didn't find a page on how to get the key from the Active Directory Kerberos system.

Could anyone point me to setting up the secure update to BIND with a key from the already deployed Active Directory?

BIND is running under Windows.

Please someone help me.