Re: Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Thanks Mark.

On Tue, Jan 19, 2021 at 6:15 PM Mark Andrews  wrote:

> Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for
> GSS-TSIG.
>
> --
> Mark Andrews
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Mark Andrews
Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for 
GSS-TSIG. 

-- 
Mark Andrews

> On 19 Jan 2021, at 22:23, Nagesh Thati  wrote:
> 
> 
> Hi,
> I am getting update failed on master DNS appliance when I am using
> allow-update-forwarding:
> updating zone '_msdcs.example.com/IN': update failed: rejected by secure 
> update (REFUSED)
> 
> example.com is an Active Directory-enabled zone which has one master and one
> slave. Master appliance is hidden, so Active Directory sends updates to slave
> appliance using MNAME specified in the zone SOA section.
> 
> master(10.1.10.203) named.conf:
> 
> tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab
> file is in the /etc folder
> 
> zone "_msdcs.example.com" IN {
> type master;
> file "/var/named/zones/masters/db._msdcs.example.com";
> allow-transfer {10.1.10.144;};
> also-notify {10.1.10.144;};
> notify explicit;
> update-policy { grant * subdomain _msdcs.example.com. ANY; };
> check-names ignore;
> zone-statistics yes;
> };
> 
> slave(10.1.10.144) named.conf:
> zone "_msdcs.example.com" IN {
> type slave;
> file "/var/named/zones/slaves/db._msdcs.example.com";
> allow-notify {10.1.10.203;};
> masters {
> 10.1.10.203;
> };
> check-names ignore;
> zone-statistics yes;
> allow-update-forwarding{10.1.10.158;};
> };
> 
> 10.1.10.158 - AD server


Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Hi,
I am getting update failed on master DNS appliance when I am using
allow-update-forwarding:
updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)

example.com is an Active Directory-enabled zone which has one master and one
slave. Master appliance is hidden, so Active Directory sends updates to
slave appliance using MNAME specified in the zone SOA section.

master(10.1.10.203) named.conf:

tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab
file is in the /etc folder

zone "_msdcs.example.com" IN {
type master;
file "/var/named/zones/masters/db._msdcs.example.com";
allow-transfer {10.1.10.144;};
also-notify {10.1.10.144;};
notify explicit;
update-policy { grant * subdomain _msdcs.example.com. ANY; };
check-names ignore;
zone-statistics yes;
};

slave(10.1.10.144) named.conf:
zone "_msdcs.example.com" IN {
type slave;
file "/var/named/zones/slaves/db._msdcs.example.com";
allow-notify {10.1.10.203;};
masters {
10.1.10.203;
};
check-names ignore;
zone-statistics yes;
allow-update-forwarding {10.1.10.158;};
};

10.1.10.158 - AD server
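Mark's point (forwarding works for TSIG and SIG(0) but not GSS-TSIG) follows from where the signing key lives. With a static TSIG key, the same secret can be configured on both the primary and the secondary, so when the secondary forwards the update message unchanged the primary can still verify it. With GSS-TSIG, the domain controller negotiates its key through a TKEY exchange with the server it actually talks to (here the slave named in MNAME), so only that server holds the key; the forwarded message then reaches the primary signed with a key the primary has never seen, and the update is refused. The model below is an added example written for this thread, not code from BIND or from either poster: it reduces a server to a key table plus an optional forwarding target, signs updates with a plain HMAC-SHA256 standing in for TSIG, and replays both key models over the poster's zone name. The zone, key names, secrets and update payload are all constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedUpdate:
    """A dynamic update carrying a TSIG-style signature (constructed model)."""
    zone: str
    payload: bytes
    key_name: str
    mac: bytes


def sign_update(zone: str, payload: bytes, key_name: str, key: bytes) -> SignedUpdate:
    """Sign the update the way a TSIG-capable client would (HMAC over the message)."""
    mac = hmac.new(key, zone.encode() + payload, hashlib.sha256).digest()
    return SignedUpdate(zone, payload, key_name, mac)


class NameServer:
    """Minimal model of a BIND server: a key table and, for a secondary with
    allow-update-forwarding, the primary it relays updates to."""

    def __init__(self, name: str, keys=None, forward_to=None):
        self.name = name
        self.keys = dict(keys or {})  # key name -> static or negotiated secret
        self.forward_to = forward_to
        self.log = []

    def verify(self, upd: SignedUpdate) -> bool:
        key = self.keys.get(upd.key_name)
        if key is None:
            return False  # unknown key name: the signature cannot be checked at all
        expected = hmac.new(key, upd.zone.encode() + upd.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, upd.mac)

    def receive_update(self, upd: SignedUpdate) -> str:
        if not self.verify(upd):
            self.log.append(f"{self.name}: updating zone '{upd.zone}/IN': "
                            "update failed: rejected by secure update (REFUSED)")
            return "REFUSED"
        if self.forward_to is not None:
            # Forwarding relays the original message, signature included; the
            # primary has to validate that signature with its own key table.
            return self.forward_to.receive_update(upd)
        self.log.append(f"{self.name}: updating zone '{upd.zone}/IN': applied")
        return "NOERROR"


def gss_tkey_negotiate(server: NameServer, key_name: str) -> bytes:
    """Model of a GSS-TSIG TKEY exchange: the negotiated key is known only to
    the client and to the single server it negotiated with."""
    session_key = secrets.token_bytes(32)
    server.keys[key_name] = session_key
    return session_key


ZONE = "_msdcs.example.com"
PAYLOAD = b"constructed: add dc1 A 10.1.10.158"  # constructed sample update


def scenario_shared_tsig():
    """Static TSIG key configured on both primary and secondary."""
    shared = b"constructed-shared-tsig-secret"
    primary = NameServer("primary", {"ad-update-key": shared})
    secondary = NameServer("secondary", {"ad-update-key": shared}, forward_to=primary)
    upd = sign_update(ZONE, PAYLOAD, "ad-update-key", shared)
    return secondary.receive_update(upd), secondary.log + primary.log


def scenario_gss_tsig():
    """GSS-TSIG: the DC negotiates its key with the secondary it talks to (MNAME)."""
    primary = NameServer("primary")
    secondary = NameServer("secondary", forward_to=primary)
    key_name = "1234.sig-dc1.example.com."  # constructed GSS-TSIG key name
    session_key = gss_tkey_negotiate(secondary, key_name)
    upd = sign_update(ZONE, PAYLOAD, key_name, session_key)
    return secondary.receive_update(upd), secondary.log + primary.log


if __name__ == "__main__":
    for scenario in (scenario_shared_tsig, scenario_gss_tsig):
        rcode, log = scenario()
        print(f"{scenario.__name__}: {rcode}")
        for line in log:
            print("  " + line)
```

The shared-key run ends with the primary applying the update; the GSS-TSIG run has the secondary accept the signature (it holds the negotiated key) and the primary log the same "rejected by secure update (REFUSED)" line the poster saw, because the forwarded message names a key that exists only on the secondary.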