Discussion:
TSIG DDNS and windows clients
Pete Fry
2020-05-12 09:57:23 UTC
All

I've inherited a BIND environment and I'm trying to understand a few things,
as currently we are experiencing an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have an HA record, and we want HostA or HostB to be able to update the
HA record (i.e. a failover-cluster type configuration).

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1; // hostA
192.168.5.1; // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};


acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

However, these Windows machines keep saying "bad key". I know I'm missing
something obvious, but how do I get this to work?

I'm happy to give the key to the Windows boxes if anyone knows how,
but I'm drawing a blank.

Regards

Cade
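The nested-negation ACL in the post above is the usual BIND idiom for "allow only if the source address is in this set AND the request is signed with this key": the inner list `{ !site1; !site2; any; }` matches positively for any address outside the two sites, the outer `!` turns that into a deny, and only requests that fall through reach `key TEST-key`. The Python below is an added example, not BIND's code or anything posted in the thread; it models BIND's match-list rules (first matching element decides, a negated match denies, a nested list counts only when its own result is positive) and evaluates the thread's ACLs for the two hosts, an unsigned update, and a constructed NAT source address (203.0.113.7). All Python names, and that address, are assumptions of the example.

```python
"""Model of how BIND evaluates the address-plus-key ACL posted above.

Added example, not BIND's own code. It follows the match-list rules in
BIND's ACL documentation and acl.c: elements are tested in order and the
first one that matches decides (a negated element that matches means
deny); a nested list counts as a match only when its own evaluation is a
positive match, so a negative result inside a nested list is treated as
no match and the outer list moves on to its next element.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union


@dataclass
class Acl:
    """A named or anonymous match list: an ordered list of elements."""
    elements: List["Elem"]


@dataclass
class Elem:
    """One match-list element, optionally negated with '!'.

    value is an IPv4Network (address prefix), the string "any",
    a "key:NAME" string (TSIG key name), or a nested Acl.
    """
    negative: bool
    value: Union[IPv4Network, str, Acl]


def evaluate(acl: Acl, addr: IPv4Address, signer: Optional[str]) -> int:
    """Return +1 (positive match), -1 (negated match) or 0 (no match)."""
    for e in acl.elements:
        if _element_matches(e, addr, signer):
            return -1 if e.negative else 1
    return 0


def _element_matches(e: Elem, addr: IPv4Address, signer: Optional[str]) -> bool:
    v = e.value
    if isinstance(v, Acl):
        # Only a positive inner result counts; a negated inner match is
        # treated as "no match" so double negation cannot grant access.
        return evaluate(v, addr, signer) > 0
    if v == "any":
        return True
    if isinstance(v, str) and v.startswith("key:"):
        return signer == v[len("key:"):]
    return addr in v


def allowed(acl: Acl, addr: str, signer: Optional[str]) -> bool:
    """True when a request from addr, signed by signer (None = unsigned), passes acl."""
    return evaluate(acl, ip_address(addr), signer) > 0


# The site ACLs from the thread (the poster later confirms the names carry no '!').
SITE1 = Acl([Elem(False, ip_network("192.168.2.1/32"))])  # HostA
SITE2 = Acl([Elem(False, ip_network("192.168.5.1/32"))])  # HostB

# acl dynamic-TEST-tsig { !{ !dynamic-test-site1; !dynamic-test-site2; any; }; key TEST-key; };
DYNAMIC_TEST_TSIG = Acl([
    Elem(True, Acl([Elem(True, SITE1), Elem(True, SITE2), Elem(False, "any")])),
    Elem(False, "key:TEST-key"),
])

# Bob's simplified ACL for testing: acl dynamic-TEST-tsig { key TEST-key; };
KEY_ONLY = Acl([Elem(False, "key:TEST-key")])


def thread_acl_allows(addr: str, signer: Optional[str]) -> bool:
    """Decision of the combined address-and-key ACL from the original post."""
    return allowed(DYNAMIC_TEST_TSIG, addr, signer)


def key_only_acl_allows(addr: str, signer: Optional[str]) -> bool:
    """Decision of the key-only ACL suggested as a test step."""
    return allowed(KEY_ONLY, addr, signer)


if __name__ == "__main__":
    # Constructed cases: the two hosts, an unsigned update, and a request that
    # reaches the server from a NAT address (constructed: 203.0.113.7) rather
    # than the host's own address. The last one is refused even with the key.
    for addr, signer in [("192.168.2.1", "TEST-key"), ("192.168.5.1", "TEST-key"),
                         ("192.168.2.1", None), ("203.0.113.7", "TEST-key")]:
        print(f"{addr:>14} signer={signer!s:9} "
              f"combined={thread_acl_allows(addr, signer)} "
              f"key-only={key_only_acl_allows(addr, signer)}")
```

The model covers only the ACL decision. BIND verifies the TSIG signature when it parses the message, before `allow-update` is consulted, so a wrong key name or secret produces a TSIG error (BADKEY or BADSIG) while an ACL miss produces REFUSED; when diagnosing, the two symptoms point at different stages. The NAT case is why a source address that is rewritten on the way to the server fails the combined ACL even though the TSIG itself is valid, which is what the key-only ACL isolates.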
Bob Harold
2020-05-12 12:40:15 UTC
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
Post by Pete Fry
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.
Post by Pete Fry
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?
--
Bob Harold
Post by Pete Fry
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
Ben Croswell
2020-05-12 12:50:39 UTC
Is it possible the clients are trying to do Kerberos GSS-TSIG updates?

On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users <
Post by Pete Fry
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Pete Fry
2020-05-13 07:20:08 UTC
Bob
Thanks for the reply and the correction (the ACL doesn't have a `!`; it was a
cut-and-paste error when I was trying to remove some information).

The TSIG works from other Linux machines via nsupdate etc.; however, I'm
trying to figure out how to get the Windows machines to do the same and was
trying to follow this:

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update

Regards

Pete
Post by Bob Harold
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
Post by Pete Fry
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
acl dynamic-TEST-tsig {
key TEST-key;
};
And see if that works.
Post by Pete Fry
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?
--
Bob Harold
Post by Pete Fry
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
Bob Harold
2020-05-13 12:29:54 UTC
Post by Pete Fry
Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.
the TSIG works when from other linux machine via nsupdate etc, however i'm
trying to figure out how to get the windows machines to do the same and was
trying to follow this
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update
Regards
Pete
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not
regular TSIG. Not sure how or if that can be solved.
--
Bob Harold
Post by Pete Fry
Post by Bob Harold
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
Post by Pete Fry
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
acl dynamic-TEST-tsig {
key TEST-key;
};
And see if that works.
Post by Pete Fry
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?
--
Bob Harold
Post by Pete Fry
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
Grant Taylor
2020-05-13 19:49:36 UTC
Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG.  Not sure how or if that can be solved.
I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos -
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/
--
Grant. . . .
unix || die
Bob Harold
2020-05-13 20:06:53 UTC
On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users <
Post by Grant Taylor
Post by Bob Harold
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.
I would bet someone a coffee and doughnut that it can.
Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/
--
Grant. . . .
unix || die
Thanks for the link. Lots of pieces to get working there. Not nearly as
simple as TSIG. But good if you are already using Kerberos.
--
Bob Harold
Paul Ebersman
2020-05-13 22:35:02 UTC
rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS Active Directory is Kerberos under the hood. You don't need to run a
classic MIT/Hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.
Pete Fry
2020-05-14 08:00:21 UTC
Bob

After a few Wireshark sessions etc. we have identified that this issue is due to
NAT from one of the sites. We are sorting this out now and hopefully that
should fix it.

Thanks for your help.
Post by Bob Harold
Post by Pete Fry
Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.
the TSIG works when from other linux machine via nsupdate etc, however
i'm trying to figure out how to get the windows machines to do the same and
was trying to follow this
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update
Regards
Pete
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.
--
Bob Harold
Post by Pete Fry
Post by Bob Harold
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
Post by Pete Fry
All
I've inherited a BIND environment and i'm trying to understand a few
things as currently we are experiences an issue related to DDNS.
we have
site 1
hostA
site 2
hostB
We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)
zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};
lists.conf
acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};
acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};
acl dynamic-TEST-tsig {
key TEST-key;
};
And see if that works.
Post by Pete Fry
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what
does it mean?
--
Bob Harold
Post by Pete Fry
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade