TSIG DDNS and windows clients


TSIG DDNS and windows clients

Bind-Users forum mailing list
All

I've inherited a BIND environment and I'm trying to understand a few things, as we are currently experiencing an issue related to DDNS.

We have:

site 1
hostA

site 2
hostB

We have an HA record, and we want HostA or HostB to be able to update the HA record (i.e. a failover cluster type configuration).

config:
Zone file:

zone "TEST" {
    check-names ignore;
    type master;
    file "/var/named/dynamic/TEST";
    allow-update {
        auth-dns;
        dynamic-TEST;
    };
};

lists.conf

acl dynamic-update-ads {
   192.168.2.1; // hostA
   192.168.5.1; // hostB
   dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
   // any host which is not..
   !{
      // not in the new acls
      !dynamic-test-site1;
      !dynamic-test-site2;
      any;
   };
   // but has the key
   key TEST-key;
};


acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

However, these Windows machines keep saying "bad key". I know I'm missing something obvious, but how do I get this to work?
Happy to give the key to the Windows boxes if anyone knows how, but I'm drawing a blank.
Regards
Cade

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
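To see what the ACL in the post actually admits, here is a small evaluator of BIND's address_match_list semantics. It is an added example written for this page, not code from the thread or from ISC: it reproduces named's first-match-wins rule with "!" negation and nested lists in Python (modelled on dns_acl_match(), where a negative match inside a nested list counts as no match for the enclosing element), loads the post's ACLs without the stray "!" on the site acl names (which the poster later confirms was a paste error), and also runs the NAT case the thread ends on. The NAT address 203.0.113.7 and the helper names (prefix, key, acl, nested, allowed) are constructed for the example.

```python
"""
Evaluate BIND-style address_match_list ACLs the way named does for allow-update:
the first matching element wins, "!" negates an element, and a nested list or
named acl that produces a *negative* match counts as "no match" for the element
that contains it (modelled on dns_acl_match() in BIND's lib/dns/acl.c).
The ACLs below are the ones from the original post; the NAT address is a
constructed value used only for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Elem:
    kind: str            # "prefix", "key", "any", "acl" (by name) or "list" (inline)
    value: object = None
    negate: bool = False


def prefix(cidr, negate=False):
    return Elem("prefix", ipaddress.ip_network(cidr, strict=False), negate)


def key(name, negate=False):
    return Elem("key", name.lower(), negate)   # key names are DNS names: case-insensitive


def acl(name, negate=False):
    return Elem("acl", name, negate)


def nested(elems, negate=False):
    return Elem("list", tuple(elems), negate)


ANY = Elem("any")


def match_list(elems, addr, signer, acls):
    """Return +i on a positive match of element i (1-based), -i on a negative
    match, 0 if nothing matched: the same contract as dns_acl_match()."""
    for i, e in enumerate(elems, start=1):
        if elem_matches(e, addr, signer, acls):
            return -i if e.negate else i
    return 0


def elem_matches(e, addr, signer, acls):
    if e.kind == "any":
        return True
    if e.kind == "prefix":
        return addr in e.value
    if e.kind == "key":
        # `signer` is the name of the TSIG key that *verified* on this request;
        # named answers BADKEY/BADSIG for a bad signature before any ACL is consulted.
        return signer is not None and signer.lower() == e.value
    inner = acls[e.value] if e.kind == "acl" else e.value
    # A negative match inside an indirect list is treated as "no match", so a
    # negated nested list can never turn into a surprise positive match.
    return match_list(inner, addr, signer, acls) > 0


def allowed(acl_name, source_ip, signer, acls):
    """True if an update from source_ip, signed with key `signer` (or None), passes the named acl."""
    return match_list(acls[acl_name], ipaddress.ip_address(source_ip), signer, acls) > 0


# The ACLs from the post (site acl names without the stray "!").
ACLS = {
    "dynamic-test-site1": [prefix("192.168.2.1/32")],  # HostA
    "dynamic-test-site2": [prefix("192.168.5.1/32")],  # HostB
    # "any host which is not (outside both sites), but has the key"
    "dynamic-TEST-tsig": [
        nested([acl("dynamic-test-site1", negate=True),
                acl("dynamic-test-site2", negate=True),
                ANY], negate=True),
        key("TEST-key"),
    ],
    "dynamic-update-ads": [
        prefix("192.168.2.1/32"),
        prefix("192.168.5.1/32"),
        acl("dynamic-TEST-tsig"),
    ],
}

NAT_ADDRESS = "203.0.113.7"   # constructed: the source address the server sees from a NATed site


def demo():
    cases = [
        ("dynamic-TEST-tsig", "192.168.2.1", "TEST-key"),  # HostA, signed: allowed
        ("dynamic-TEST-tsig", "192.168.2.1", None),        # HostA, unsigned: denied
        ("dynamic-update-ads", "192.168.2.1", None),       # bare address entry admits an unsigned update
        ("dynamic-TEST-tsig", NAT_ADDRESS, "TEST-key"),    # valid key, but arriving from NAT: denied
    ]
    for name, ip, signer in cases:
        verdict = "allowed" if allowed(name, ip, signer, ACLS) else "denied"
        print(f"{name:20} {ip:15} key={signer!s:9} -> {verdict}")


if __name__ == "__main__":
    demo()
```

Two things the run makes visible. A bare address entry in dynamic-update-ads admits an unsigned update from that address, so the key requirement only bites inside dynamic-TEST-tsig. And once a site sits behind NAT, the source address no longer matches its site acl, so the negated nested list matches first and the update is refused even though the TSIG key is valid. When diagnosing "bad key" on the client side, note that a BADKEY response means the server does not know the key name at all, while BADSIG means it knows the name but the secret or the signed message differs.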

Re: TSIG DDNS and windows clients

Bob Harold

On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <[hidden email]> wrote:
lists.conf

acl dynamic-update-ads {
   192.168.2.1; // hostA
   192.168.5.1; // hostB
   dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
   // any host which is not..
   !{
      // not in the new acls
      !dynamic-test-site1;
      !dynamic-test-site2;
      any;
   };
   // but has the key
   key TEST-key;
};

For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
   key TEST-key;
};

And see if that works.
 

acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

"acl !" seems wrong to me.  Is that a legal syntax?  And if so, what does it mean?

-- 
Bob Harold
 

Re: TSIG DDNS and windows clients

Ben Croswell
In reply to this post by Bind-Users forum mailing list
Is it possible the clients are trying to do Kerberos GSS-TSIG updates?

On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users <[hidden email]> wrote:

Re: TSIG DDNS and windows clients

Bind-Users forum mailing list
In reply to this post by Bob Harold
Bob
Thanks for the reply and the correction (the acl doesn't have a "!"; it was a cut-and-paste error when I was trying to remove some information).

The TSIG works from other Linux machines via nsupdate etc.; however, I'm trying to figure out how to get the Windows machines to do the same, and was trying to follow this:

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update 

Regards

Pete 

On Tue, 12 May 2020 at 13:40, Bob Harold <[hidden email]> wrote:


Re: TSIG DDNS and windows clients

Bob Harold

On Wed, May 13, 2020 at 3:20 AM Pete Fry <[hidden email]> wrote:
Bob
Thanks for the reply and the correction (the acl doesn't have a "!"; it was a cut-and-paste error when I was trying to remove some information).

The TSIG works from other Linux machines via nsupdate etc.; however, I'm trying to figure out how to get the Windows machines to do the same, and was trying to follow this:

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update 

Regards

Pete 


Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG.  Not sure how or if that can be solved.

-- 
Bob Harold

 

Re: TSIG DDNS and windows clients

Bind-Users forum mailing list
On 5/13/20 6:29 AM, Bob Harold wrote:
> Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
> not regular TSIG.  Not sure how or if that can be solved.

I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link: RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/



--
Grant. . . .
unix || die



Re: TSIG DDNS and windows clients

Bob Harold

On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users <[hidden email]> wrote:

Thanks for the link.  Lots of pieces to get working there.  Not nearly as simple as TSIG.  But good if you are already using Kerberos.

-- 
Bob Harold
 


Re: TSIG DDNS and windows clients

Paul Ebersman
rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS Active Directory is Kerberos under the hood. You don't need to run a
classic MIT/Hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.

Re: TSIG DDNS and windows clients

Bind-Users forum mailing list
In reply to this post by Bob Harold
Bob

After a few Wireshark sessions etc. we have identified that this issue is due to NAT from one of the sites. We are sorting this out now and hopefully it should fix it.

Thanks for your help.

On Wed, 13 May 2020 at 13:30, Bob Harold <[hidden email]> wrote:
