Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for 
GSS-TSIG. 

-- 
Mark Andrews

> On 19 Jan 2021, at 22:23, Nagesh Thati <tcpnag...@gmail.com> wrote:
> 
> 
> Hi,
> I am getting update failed on master DNS appliance when I am using 
> allow-update-forwarding,
> updating zone '_msdcs.example.com/IN': update failed: rejected by secure 
> update (REFUSED)
> 
> example.com is an Active Directory enabled zone which has one master and one 
> slave. Master appliance is hidden, so active directory sends updates to slave 
> appliance using MNAME specified in the zone SOA section.
> 
> master(10.1.10.203) named.conf:
> 
> tkey-gssapi-keytab "/etc/krb5.keytab"; -> In the option section, in /etc 
> folder we have keytab file
> 
> zone "_msdcs.example.com" IN {
>         type master;
>         file "/var/named/zones/masters/db._msdcs.example.com";
>         allow-transfer {10.1.10.144;};
>         also-notify {10.1.10.144;};
>         notify explicit;
>         update-policy { grant * subdomain _msdcs.example.com. ANY; };
>         check-names ignore;
>         zone-statistics yes;
> };
> 
> slave(10.1.10.144) named.conf:
> zone "_msdcs.example.com" IN {
>         type slave;
>         file "/var/named/zones/slaves/db._msdcs.example.com";
>         allow-notify {10.1.10.203;};
>         masters {
>                 10.1.10.203;
>         };
>         check-names ignore;
>         zone-statistics yes;
>         allow-update-forwarding{10.1.10.158;};
> };
> 
> 10.1.10.158 - AD server
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users