Re: TSIG DDNS and windows clients

2020-05-13 Thread Paul Ebersman
rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS Active Directory is Kerberos under the hood. You don't need to run a
classic MIT/Hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
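To make the TSIG-versus-GSS-TSIG distinction from this thread concrete, here is an added named.conf sketch; it is not from the thread, from ISC's documentation or from Jan-Piet Mens' article. Part (a) is the shape of the original poster's setup, which can only ever match a client that signs with the shared-secret key. Part (b) is what a zone that accepts GSS-TSIG updates from domain-joined Windows hosts looks like: the server needs a keytab for its own DNS/ service principal, and authorization moves from `allow-update` plus `key` ACLs to `update-policy` rules keyed on Kerberos principals. The realm EXAMPLE.COM, the zones test.example and example.com, the server name ns1.example.com, the host names HOSTA/HOSTB, the keytab path and the key secret are all assumptions for illustration.

```conf
# ---- (a) What the original post relies on: shared-secret TSIG (RFC 2845) ----
# Linux hosts using "nsupdate -k" or "-y" sign with this key and match the ACL.
# A Windows DNS client never presents a shared secret: it negotiates a
# per-session key over TKEY and signs with GSS-TSIG (RFC 3645), so an ACL
# element of "key TEST-key" cannot match it, whatever addresses you add.
key "TEST-key" {
    algorithm hmac-sha256;
    # Placeholder secret (base64 of "example-only-do-not-use"); replace with
    # the output of tsig-keygen.
    secret "ZXhhbXBsZS1vbmx5LWRvLW5vdC11c2U=";
};

acl dynamic-TEST-tsig {
    key TEST-key;          # matches only messages signed with TEST-key
};

zone "test.example" {
    type master;
    file "/var/named/dynamic/test.example";
    allow-update { dynamic-TEST-tsig; };
};

# ---- (b) Accepting GSS-TSIG from domain-joined Windows hosts ----
options {
    # Keytab holding DNS/ns1.example.com@EXAMPLE.COM. A Windows client asks
    # the AD KDC for a ticket to DNS/<server name> where <server name> is the
    # primary it discovered from the zone's SOA, so that name must resolve to
    # this host and the keytab must hold exactly that principal. (Assumed path;
    # the key is exported from the AD account with your usual tooling.)
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "/var/named/dynamic/example.com";
    # allow-update and update-policy are mutually exclusive within a zone;
    # update-policy is the one that can authorize by Kerberos principal.
    update-policy {
        # A machine principal HOSTA$@EXAMPLE.COM may update only its own
        # name, hosta.example.com. This is what ordinary Windows self
        # registration needs.
        grant EXAMPLE.COM ms-self example.com. A AAAA;

        # Least privilege for the shared failover record: name the exact
        # principals that will perform the update and the exact owner name.
        grant "HOSTA$@EXAMPLE.COM" name ha.example.com. A;
        grant "HOSTB$@EXAMPLE.COM" name ha.example.com. A;

        # Avoid the blanket rule below: it lets every authenticated domain
        # member rewrite any name in the zone.
        # grant "*@EXAMPLE.COM" wildcard *.example.com. A AAAA;
    };
};
```

Check the result with `named-checkconf` before reloading. To exercise the GSS-TSIG path from a Linux box without involving a Windows client, obtain a ticket with `kinit` for a principal in EXAMPLE.COM and run `nsupdate -g` against ns1.example.com; a rejected update there points at the keytab or the SOA/SPN name, not at the Windows side.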


Re: TSIG DDNS and windows clients

2020-05-13 Thread Bob Harold
On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 5/13/20 6:29 AM, Bob Harold wrote:
> > Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
> > not regular TSIG.  Not sure how or if that can be solved.
>
> I would bet someone a coffee and doughnut that it can.
>
> Check out Jan-Piet Mens' article:
>
> Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
>   -
>
> https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/
>
>
>
> --
> Grant. . . .
> unix || die
>

Thanks for the link.  Lots of pieces to get working there.  Not nearly as
simple as TSIG.  But good if you are already using Kerberos.

-- 
Bob Harold


Re: TSIG DDNS and windows clients

2020-05-13 Thread Grant Taylor via bind-users

On 5/13/20 6:29 AM, Bob Harold wrote:
Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, 
not regular TSIG.  Not sure how or if that can be solved.


I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
 - 
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/




--
Grant. . . .
unix || die





Re: TSIG DDNS and windows clients

2020-05-13 Thread Bob Harold
On Wed, May 13, 2020 at 3:20 AM Pete Fry wrote:

> Bob
> thanks for the reply and the correction (the acl doesn't have a !, it was
> a cut and paste error when I was trying to remove some information).
>
> the TSIG works from other Linux machines via nsupdate etc., however I'm
> trying to figure out how to get the Windows machines to do the same and was
> trying to follow this
>
> http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
> allow-update
>
> Regards
>
> Pete
>


Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, not
regular TSIG.  Not sure how or if that can be solved.

-- 
Bob Harold



> On Tue, 12 May 2020 at 13:40, Bob Harold wrote:
>
>>
>> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
>> bind-users@lists.isc.org> wrote:
>>
>>> All
>>>
>>> I've inherited a BIND environment and I'm trying to understand a few
>>> things as currently we are experiencing an issue related to DDNS.
>>>
>>> we have
>>>
>>> site 1
>>> hostA
>>>
>>> site 2
>>> hostB
>>>
>>> We have an HA record, and we want HostA or HostB to be able to update the
>>> HA record (i.e. failover cluster type configuration)
>>>
>>> config:
>>> Zone file:
>>>
>>> zone "TEST" {
>>> check-names ignore;
>>> type master;
>>> file "/var/named/dynamic/TEST";
>>> allow-update {
>>> auth-dns;
>>> dynamic-TEST;
>>> };
>>> };
>>>
>>> lists.conf
>>>
>>> acl dynamic-update-ads {
>>>192.168.2.1 // hostA
>>>192.168.5.1 // hostB
>>>dynamic-TEST-tsig;
>>> };
>>>
>>> acl dynamic-TEST-tsig {
>>>// any host which is not..
>>>!{
>>>   // not in the new acls
>>>   !dynamic-test-site1;
>>>   !dynamic-test-site2;
>>>   any;
>>>};
>>>// but has the key
>>>key TEST-key;
>>> };
>>>
>>
>> For testing purposes, start with a simpler acl, like:
>>
>> acl dynamic-TEST-tsig {
>>key TEST-key;
>> };
>>
>> And see if that works.
>>
>>
>>>
>>> acl !dynamic-test-site1 {
>>> 192.168.2.1/32; // HostA
>>> };
>>>
>>> acl !dynamic-test-site2 {
>>> 192.168.5.1/32; // HostB
>>> };
>>>
>>>
>> "acl !" seems wrong to me.  Is that a legal syntax?  And if so, what does
>> it mean?
>>
>> --
>> Bob Harold
>>
>>
>>> however these Windows machines keep saying bad key, I know I'm missing 
>>> something obvious but how do I get this to work?
>>>
>>> happy to be able to give the key to the Windows boxes if anyone knows but 
>>> I'm drawing a blank
>>>
>>> Regards
>>>
>>> Cade
>>>
>>>
>>
>