First, has anyone EVER configured ISC bind 9.5.0 OR greater with support for GSS-TSIG Dynamic DNS Updates AND gotten it to work? If so, what is the configuration that was used to make that happen?
I feel close to having this working. I see that GSS cred passes w/o apparent error during the TKEY negotiation with an Active Directory DC and the BIND DNS server:
client 192.168.0.30#52314: query gss cred: "DNS/[email protected]", GSS_C_ACCEPT, 4294967256 gss-api source name (accept) is [email protected] process_gsstkey(): dns_tsigerror_noerror client 192.168.0.30#52314: send
But, when the Update is sent, it is refused:
client 192.168.0.30#58330: update client 192.168.0.30#58330: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED) client 192.168.0.30#58330: send
Does anyone have this working in the real world?
I actually managed to get dynamic updates to work using a patch provided by the samba 4 team.
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates
There seems to be issues with the version of windows running and it's method of doing dynamic updates.
If you're trying to do the same outside of a samba4 domain... your next-best-bet is to try & follow the howto here:
http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG
I'm sorry if I don't have more info on that subject.