Dynamic updates, bind 9.3

[anonymous]

I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update). I want to secure the dynamic updates. I want to
change from just allowing IPs to only allow updates with a
cert or key. Is there anyway to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else setup something like this?

 

[Herb Martin]

I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update).

You can do that but it is swimming upstream.

I want to secure the dynamic updates.

You cannot really do that (not by domain membership
and authentication at least.)

I want to
change from just allowing IPs to only allow updates with a
cert or key.

That's a BIND question and you will need to pursue it through
one of the BIND lists or documentation probably.

Is there anyway to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else setup something like this?

Maybe someone has done it, but you would be much
better served (<intended>) by Windows DNS to support
a Windows domain.

 

[Kevin D. Goodknecht Sr. [MVP]]

In

I have a Windows 2000 AD domain. I'm using bind 9.3 on
Solaris for DNS. I'm also using dynamic updates (allow
update). I want to secure the dynamic updates. I want to
change from just allowing IPs to only allow updates with a
cert or key. Is there anyway to use secure updates from
the DCs and DHCP server to update bind 9.3 dns? TSIG? Has
anyone else setup something like this?

BIND only supports Secure Dynamic updates form its DHCP server, it will not
support Secure updates from a Windows client or a Windows DHCP server.

 

[Guest]

Herb, Thanks for all the help or late of.

I know the recommended solution is to use MS DNS, but this
is not an option. Bind 9.3 is supposed to support GSS-
TSIG, which windows 2000 uses for secure updates. I
haven't been able to find anyone using it for secure
updates from windows to bind. I know these are bind
questions but also related to windows because I would most
likely have to create a key for the windows servers to
use. Also most bind users are not using windows dynamic
updates.

 

[Ryan Hanisco]

Frankly, Do you really want to implement something that no one is doing??
As you're seeing, it limits your support options and you have no idea the
risk involved or the integration issues you will see. While windows can do
secure updates to its DNS, it doesn't look like you can readily do that to
BIND.

You might have another option. You can set up IPSEC tunnels between the
servers or do some other authentication/ encryption to control ALL traffic
between the servers. I know this isn't as elegant as you'd like, but it
should meet your requirements -- especially in the face of being restricted
to BIND.