Re: DDNS and allow-update declarations

2008-12-10 Thread Nicholas F Miller
Barry, Jonathan, thanks for the quick replies. Your responses go along with my findings as well. I am trying to clean up some of our configs. The DDNS zones just didn't look right to me and I wanted to confirm what I was thinking. Jonathan, I tested things on a test DC by pointing it at

Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
We have a few dynamic zones that are provisioned using Addhost. When addhost adds records to the zone every night it will run nsupdate update.file. The update.file will contain records like these: prereq yxrrset machine.colorado.edu. in a update delete machine.colorado.edu. in a prereq

Re: Ever growing jnl files

2009-01-07 Thread Nicholas F Miller
All good suggestions. We have given them both some thought. I was just wondering if there was a problem with the way we were doing things. Nicholas Miller, ITS, University of Colorado at Boulder On Jan 7, 2009, at 11:34 AM, Mike

update-policy restricting to a subnet

2009-09-30 Thread Nicholas F Miller
Is it possible to restrict user machines to only be able to update their 'A' records on a specific subnet? We would like to allow DDNS but restrict it to specific subnets and only allow the machines to update their 'A' records. Allow-updates will not get us the record restrictions we would

Re: update-policy restricting to a subnet

2009-10-05 Thread Nicholas F Miller
I take it this is not possible using update-policy? _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 30, 2009, at 11:29 AM, Nicholas F Miller wrote: Is it possible to restrict user machines to only be able to update

tkey-gssapi-credential

2010-09-17 Thread Nicholas F Miller
I was wondering if it is possible to use the tkey-gssapi-credential and update-policy on a Windows install of bind. It strikes me that running bind on a Windows server, snapped into the AD it will serve DNS to, should be the easiest way of getting DDNS with update-policy control working. Am I

Re: tkey-gssapi-credential

2010-09-17 Thread Nicholas F Miller
of Colorado at Boulder On Sep 17, 2010, at 12:54 PM, Rob Austein wrote: At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote: I was wondering if it is possible to use the tkey-gssapi-credential and update-policy on a Windows install of bind. It strikes me that running bind

Re: tkey-gssapi-credential

2010-09-27 Thread Nicholas F Miller
something obvious? _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 17, 2010, at 11:08 PM, Rob Austein wrote: At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote: Does anyone have instructions on how to setup

Re: tkey-gssapi-credential

2010-09-27 Thread Nicholas F Miller
_ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 27, 2010, at 7:54 AM, Nicholas F Miller wrote: Are you sure? ;-P I can't seem to get things working. It looks like the Windows machines are not happy with the TKEY the DCs are giving them. I can kinit a user account from

Re: tkey-gssapi-credential

2010-09-29 Thread Nicholas F Miller
_ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 27, 2010, at 10:23 AM, Nicholas F Miller wrote: A small correction: The packets captured below were between one of the DCs and the DNS server not a client. Also, I am getting

GSS-TSIG and Active Directory

2010-09-30 Thread Nicholas F Miller
Does anyone actually have GSS-TSIG working with an Active Directory? I see plenty of posts from people trying to get it to work. I have yet to see anyone who claims to actually have it working. Did MS change something in 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
PM, Dave Knight wrote: On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote: Does anyone actually have GSS-TSIG working with an Active Directory? I see plenty of posts from people trying to get it to work. I have yet to see anyone who claims to actually have it working. Did MS change

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
Thanks, I'll give it a try and see if things begin to work. _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 30, 2010, at 10:15 AM, Tony Finch wrote: On Thu, 30 Sep 2010, Nicholas F Miller wrote: Does anyone actually

Re: tkey-gssapi-credential

2010-10-01 Thread Nicholas F Miller
. _ Nicholas Miller, ITS, University of Colorado at Boulder On Sep 30, 2010, at 4:00 PM, Rob Austein wrote: Sorry, I spent most of the last two weeks locked in a conference room and mostly off net, still catching up. At Mon, 27 Sep 2010 07:54:54 -0600, Nicholas F

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
. _ Nicholas Miller, ITS, University of Colorado at Boulder On Oct 1, 2010, at 7:00 AM, Nicholas F Miller wrote: Thanks, I'll give it a try and see if things begin to work. _ Nicholas Miller, ITS, University

Re: GSS-TSIG and Active Directory

2010-10-01 Thread Nicholas F Miller
YES Brilliant Thanks Rob. I think it is working now. I have the update-policy setup as follows: grant d...@realm wildcard * ANY; grant d...@realm wildcard * ANY; grant dns_serv...@realm wildcard * ANY; deny REALM ms-self *

Re: GSS-TSIG and Active Directory

2010-10-05 Thread Nicholas F Miller
time I set a deny for '' it also blocks 'A' records. Are these bugs or by design? _ Nicholas Miller, ITS, University of Colorado at Boulder On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote: YES Brilliant Thanks Rob. I

Re: Debugging configuring TKEY: failure (w/samba4)

2010-11-12 Thread Nicholas F Miller
I recently went through this and have it working. Look through the archives for 'GSS-TSIG and Active Directory'. https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory Things to check: 1)

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Nicholas F Miller
Try: grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY; _ Nicholas Miller, ITS, University of Colorado at Boulder On May 11, 2011, at 7:08 AM, Juergen Dietl wrote: Hello, and thanks for all your answers. I want to ask the question

Re: BIND for Active directory with secure update

2011-12-15 Thread Nicholas F Miller
You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work. Create a user account in your AD. Then run: ktpass -out name_of_your_keytab.keytab -princ DNS/domain.name@DOMAIN.NAME -pass * -mapuser AD_user_you_created@domain.name _

Re: ISC Bind in Active Directory

2012-10-19 Thread Nicholas F Miller
DDNS record scavenging is the only feature I'm aware of that MS DNS has that Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record types to a dynamic zone using GSS-TSIG, as well as supporting views and ACLs for recursion. Everything else should be standard DNS.

Re: ISC Bind in Active Directory

2012-10-22 Thread Nicholas F Miller
On Oct 19, 2012, at 10:46 AM, Nicholas F Miller nicholas.mil...@colorado.edu wrote: DDNS record scavenging is the only feature I'm aware of that MS DNS has that Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record types to a dynamic zone using GSS-TSIG as well

Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
I am at a loss. When doing digs using our name servers for 'ANY' records of a domain we are getting TTLs of five seconds. The TTLs will be correct if we query for the records individually just not when using 'ANY'. Ideas? dig google.com any ; DiG 9.8.3-P1 google.com any ;; global options:

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
There aren't any options set to reduce the TTLs. When you dig using a public DNS server the replies are correct. It is only when using our DNS servers. _ Nicholas Miller, OIT, University of Colorado at Boulder On Sep 10, 2013, at 10:04

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
...@dotat.at wrote: Nicholas F Miller nicholas.mil...@colorado.edu wrote: The problem is the reply will ALWAYS be five seconds when doing an 'ANY' query. It is not a matter of the TTL counting down. Is there a middlebox of some kind between you and the name server? Tony

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
...@fantomas.sk wrote: On 10.09.13 08:15, Nicholas F Miller wrote: I am at a loss. When doing digs using our name servers for 'ANY' records of a domain we are getting TTLs of five seconds. The TTLs will be correct if we query for the records individually just not when using 'ANY'. Ideas

Re: GSS-TSIG updates from Windows clients

2014-05-06 Thread Nicholas F Miller
You might try changing your update-policy from: grant johnmill-dnst...@lab.brandeis.edu zonesub ANY; grant * zonesub ANY; to grant johnmill-dnst...@lab.brandeis.edu zonesub ANY; grant LAB.BRANDEIS.EDU zonesub ANY; I’m not positive this is the proper syntax since we don’t use the zonesub

Re: Bad performance from BIND 9.10 on RHEL 6.5

2014-05-28 Thread Nicholas F Miller
Not that they are related but we had a crash of bind about seven hours after installing 9.10: named[20831]: name.c:534: REQUIRE(((name) != ((void *)0)) && (((const isc__magic_t *)(name))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace Back to 9.9.5 for now.

Re: Bad performance from BIND 9.10 on RHEL 6.5

2014-05-28 Thread Nicholas F Miller
check if you have the latest 9.10 version. I wasn't running 9.10-p1. Sent from my iPhone On 28/05/2014, at 10:30, Nicholas F Miller nicholas.mil...@colorado.edu wrote: Not that they are related but we had a crash of bind about seven hours after installing 9.10: named[20831

SPF RR type

2014-06-05 Thread Nicholas F Miller
Are SPF RR types finally dead or not? I've read through rfc7208 and it appears that they are: SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only. The character content of the record is encoded as [US-ASCII]. Use of alternative DNS RR types was

Re: SPF RR type

2014-06-05 Thread Nicholas F Miller
...@cisco.com wrote: -Original Message- From: Nicholas F Miller nicholas.mil...@colorado.edu Date: Thursday, June 5, 2014 at 10:25 AM To: bind-users@lists.isc.org bind-users@lists.isc.org Subject: SPF RR type Are SPF RR types finally dead or not? I've read through rfc7208

Re: SPF RR type

2014-06-05 Thread Nicholas F Miller
AM, Mike Hoskins (michoski) wrote: -Original Message- From: Nicholas F Miller nicholas.mil...@colorado.edu Date: Thursday, June 5, 2014 at 10:25 AM To: bind-users@lists.isc.org bind-users@lists.isc.org Subject: SPF RR type Are SPF RR types finally dead or not? I've read through