Dynamic updates, bind 9.3


anonymous

I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update). I want to secure the dynamic updates. I want to
change from just allowing IPs to only allow updates with a
cert or key. Is there any way to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else set up something like this?
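The change the original poster asks for, from an address-based allow-update to a TSIG key, as an added named.conf example that is not from this thread or from ISC; the zone, key name and addresses are assumed placeholders:

```conf
// Added example, not from this thread: moving a BIND 9.3 zone from an
// address-based allow-update ACL to a TSIG-keyed update policy.
// Assumed names: zone example.com, key name "dhcp-update", DHCP server
// 192.0.2.10, primary name server 192.0.2.53 (all constructed placeholders).

// BEFORE: the weak setting. Anyone who can send packets with this source
// address (UDP is trivially spoofable) may rewrite the zone.
//
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { 192.0.2.10; };
// };

// AFTER: require an HMAC-signed (TSIG, RFC 2845) update.
// 1. Generate a shared secret with the tool shipped in BIND 9.3:
//      dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update
//    and copy the "Key:" line from the resulting K*.private file.
key "dhcp-update" {
    algorithm hmac-md5;   // the TSIG algorithm BIND 9.3 ships; prefer hmac-sha256 on later releases
    secret "cmVwbGFjZS1tZS13aXRoLWdlbmVyYXRlZC1rZXk=";   // placeholder value
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // allow-update { key "dhcp-update"; }; would work, but update-policy also
    // limits WHAT the key may touch: names under example.com, A/TXT only.
    // (allow-update and update-policy are mutually exclusive in one zone.)
    update-policy {
        grant dhcp-update. subdomain example.com. A TXT;
    };
};

// 2. Give the same secret to the updater. For ISC dhcpd (dhcpd.conf):
//
// key dhcp-update {
//     algorithm hmac-md5;
//     secret "cmVwbGFjZS1tZS13aXRoLWdlbmVyYXRlZC1rZXk=";
// }
// zone example.com. { primary 192.0.2.53; key dhcp-update; }
//
// Manual test from the DHCP host (the .private file holds the same secret):
//      nsupdate -k Kdhcp-update.+157+NNNNN.private
//
// Caveat matching the thread: Windows 2000 DCs and clients sign updates with
// GSS-TSIG (Kerberos-negotiated keys), not a static TSIG secret like this, so
// this configuration covers nsupdate/ISC dhcpd updaters, not the DCs.
```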
 
anonymous said:
I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update).

You can do that but it is swimming upstream.
I want to secure the dynamic updates.

You cannot really do that (not by domain membership
and authentication at least.)

I want to
change from just allowing IPs to only allow updates with a
cert or key.

That's a BIND question and you will need to pursue it through
one of the BIND lists or documentation probably.
Is there any way to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else set up something like this?

Maybe someone has done it, but you would be much
better served (<intended>) by Windows DNS to support
a Windows domain.
 
anonymous said:
I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update). I want to secure the dynamic updates. I want to
change from just allowing IPs to only allow updates with a
cert or key. Is there any way to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else set up something like this?

BIND only supports Secure Dynamic updates from its DHCP server; it will not
support Secure updates from a Windows client or a Windows DHCP server.
 
Herb, thanks for all the help as of late.

I know the recommended solution is to use MS DNS, but this
is not an option. Bind 9.3 is supposed to support GSS-TSIG,
which Windows 2000 uses for secure updates. I
haven't been able to find anyone using it for secure
updates from windows to bind. I know these are bind
questions but also related to windows because I would most
likely have to create a key for the windows servers to
use. Also most bind users are not using windows dynamic
updates.
 
Frankly, do you really want to implement something that no one is doing?
As you're seeing, it limits your support options and you have no idea of the
risk involved or the integration issues you will see. While Windows can do
secure updates to its DNS, it doesn't look like you can readily do that to
BIND.

You might have another option. You can set up IPSEC tunnels between the
servers or do some other authentication/encryption to control ALL traffic
between the servers. I know this isn't as elegant as you'd like, but it
should meet your requirements -- especially in the face of being restricted
to BIND.
 