Secure Active Directory updates and allow-update-forwarding issues


Secure Active Directory updates and allow-update-forwarding issues

Nagesh Thati-2
Hi,
I am getting "update failed" on the master DNS appliance when I am using allow-update-forwarding:
updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)

example.com is an Active Directory-enabled zone which has one master and one slave. The master appliance is hidden, so Active Directory sends updates to the slave appliance using the MNAME specified in the zone's SOA record.

master(10.1.10.203) named.conf:

tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab file is in the /etc folder

zone "_msdcs.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._msdcs.example.com";
        allow-transfer {10.1.10.144;};
        also-notify {10.1.10.144;};
        notify explicit;
        update-policy { grant * subdomain _msdcs.example.com. ANY; };
        check-names ignore;
        zone-statistics yes;
};

slave(10.1.10.144) named.conf:
zone "_msdcs.example.com" IN {
        type slave;
        file "/var/named/zones/slaves/db._msdcs.example.com";
        allow-notify {10.1.10.203;};
        masters {
                10.1.10.203;
        };
        check-names ignore;
        zone-statistics yes;
        allow-update-forwarding{10.1.10.158;};
};

10.1.10.158 - AD server

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Secure Active Directory updates and allow-update-forwarding issues

Mark Andrews
Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for GSS-TSIG. 

-- 
Mark Andrews

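The following is an added illustration of Mark's point and is not code from this thread or from BIND: a simplified Python model of why a forwarded update verifies under a static TSIG key but is refused under GSS-TSIG. The assumptions are that HMAC-SHA256 stands in for the TSIG MAC, that a TKEY negotiation is modelled as a random per-session key installed only on the server the client talked to, and that the class and function names (Server, Primary, Secondary, sign_update, tkey_negotiate) are invented for the model. The addresses are the ones from the thread; the update payload and key names are constructed.

```python
"""Toy model of DNS UPDATE forwarding under TSIG vs GSS-TSIG.

Simplified illustration, not BIND code: an update is a byte string plus a
TSIG-style MAC (HMAC-SHA256 here) computed with the key named in the message.
A server can only verify an update whose key name it holds a secret for.
"""
import hashlib
import hmac
import secrets


def sign_update(key_name: str, key: bytes, message: bytes) -> dict:
    """Client side: attach a MAC computed with the named key (like a TSIG RR)."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return {"message": message, "key_name": key_name, "mac": mac}


class Server:
    def __init__(self, name: str, static_keys: dict):
        self.name = name
        self.keys = dict(static_keys)   # key name -> secret this server can verify
        self.log = []                   # constructed log lines, in the spirit of named's update log

    def verify(self, update: dict) -> bool:
        key = self.keys.get(update["key_name"])
        if key is None:
            self.log.append(f"{self.name}: unknown key {update['key_name']}: REFUSED")
            return False
        expected = hmac.new(key, update["message"], hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, update["mac"])
        self.log.append(f"{self.name}: key {update['key_name']}: {'verified' if ok else 'bad MAC'}")
        return ok

    def tkey_negotiate(self, client: str) -> tuple:
        """GSS-TSIG (modelled): TKEY establishes a per-session key that exists only
        on the client and on the server it negotiated with."""
        key_name = f"{secrets.token_hex(4)}.sig-{client}."   # constructed, GUID-like name
        key = secrets.token_bytes(32)
        self.keys[key_name] = key
        return key_name, key


class Primary(Server):
    def handle_update(self, update: dict) -> str:
        return "NOERROR" if self.verify(update) else "REFUSED"


class Secondary(Server):
    def __init__(self, name, static_keys, primary: Primary, allow_update_forwarding: set):
        super().__init__(name, static_keys)
        self.primary = primary
        self.allow_update_forwarding = allow_update_forwarding

    def handle_update(self, update: dict, source_ip: str) -> str:
        """allow-update-forwarding: relay the signed message untouched to the
        primary, which performs the signature check itself."""
        if source_ip not in self.allow_update_forwarding:
            return "REFUSED"
        return self.primary.handle_update(update)


AD_SERVER = "10.1.10.158"   # addresses taken from the thread
UPDATE = b"_msdcs.example.com IN UPDATE add _ldap._tcp SRV ..."   # constructed payload


def static_tsig_forwarding() -> str:
    # The same named secret is configured on both servers (a TSIG key statement).
    shared = {"ad-update-key.": secrets.token_bytes(32)}
    primary = Primary("10.1.10.203", shared)
    secondary = Secondary("10.1.10.144", shared, primary, {AD_SERVER})
    upd = sign_update("ad-update-key.", shared["ad-update-key."], UPDATE)
    return secondary.handle_update(upd, AD_SERVER)   # NOERROR


def gss_tsig_forwarding() -> str:
    # The AD server negotiates TKEY with the secondary (the SOA MNAME it sees).
    primary = Primary("10.1.10.203", {})
    secondary = Secondary("10.1.10.144", {}, primary, {AD_SERVER})
    key_name, key = secondary.tkey_negotiate("dc01")
    upd = sign_update(key_name, key, UPDATE)
    # REFUSED: the primary never took part in the TKEY exchange, so it holds no key.
    return secondary.handle_update(upd, AD_SERVER)


def gss_tsig_direct() -> str:
    # The same negotiation done with the primary itself: the session key is known there.
    primary = Primary("10.1.10.203", {})
    key_name, key = primary.tkey_negotiate("dc01")
    return primary.handle_update(sign_update(key_name, key, UPDATE))   # NOERROR


if __name__ == "__main__":
    for scenario in (static_tsig_forwarding, gss_tsig_forwarding, gss_tsig_direct):
        print(f"{scenario.__name__}: {scenario()}")
```

The model reduces the question to key scope: a static TSIG secret can be provisioned on every server in the update path, while a GSS-TSIG session key is bound to the one server that completed the TKEY exchange, so a relayed message carries a signature the primary cannot check. One further point about the configuration posted above: `update-policy { grant * subdomain _msdcs.example.com. ANY; };` accepts any signer for any name under the zone; BIND's `ms-subdomain` and `krb5-subdomain` rule types exist to limit GSS-TSIG updates to principals from the expected realm.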

Re: Secure Active Directory updates and allow-update-forwarding issues

Nagesh Thati-2
Thanks Mark.
