You need to be running Bind 9.7.2-P2 or higher for GSS-TSIG to work. Create a user account in your AD. Then run:
ktpass -out <name_of_your_keytab>.keytab -princ DNS/<domain.name>@<DOMAIN.NAME> -pass * -mapuser <AD_user_you_created>@<domain.name>

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

On Dec 9, 2011, at 12:07 PM, Vbvbrj wrote:

> Hello.
>
> I've set up BIND to serve the requests to lan instead of Microsoft DNS by
> first setting bind as a secondary dns server for Microsoft DNS, copy the
> zones, and making the BIND the master. In order for domain member hosts
> to update the records of their names in dns, I allow unsecure
> updates from the lan computers. It's a security threat of poisoning the
> dns. I would like to set up a secure by the domain servers. On the
> internet I read about using "allow-update" with a key file. But I didn't
> find a page on how to get the key from the Active Directory kerberos
> system. Could anyone point on setting the secure update to bind with
> key from the already deployed Active Directory?
>
> The BIND is running under Windows.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
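
The BIND side of the setup discussed in this thread, as an added example that is not part of the original messages: a named.conf fragment showing the open allow-update zone beside a GSS-TSIG update-policy. The zone name example.com, realm EXAMPLE.COM, file name and LAN range are constructed placeholders for <domain.name> and <DOMAIN.NAME>; it is assumed that named locates the keytab through the Kerberos library default or the KRB5_KTNAME environment variable.

```conf
# Added example, not from the original thread. All names are placeholders.

options {
    // Kerberos principal the server accepts GSS-TSIG contexts as.
    // Must be identical to the -princ value passed to ktpass.
    tkey-gssapi-credential "DNS/example.com@EXAMPLE.COM";

    // Realm used when the server generates TKEY names.
    tkey-domain "EXAMPLE.COM";
};

// Before: address-based control only. Any host that can send packets
// from the LAN range can add, change or delete any record in the zone.
//
// zone "example.com" {
//     type master;
//     file "example.com.db";
//     allow-update { 192.0.2.0/24; };
// };

// After: updates must be signed with a GSS-TSIG key negotiated via
// Kerberos. allow-update and update-policy cannot be combined in one
// zone, so the address-based rule is removed entirely.
zone "example.com" {
    type master;
    file "example.com.db";

    update-policy {
        // ms-self: a Windows machine account (host$@EXAMPLE.COM) may
        // update only the A/AAAA records of its own name,
        // host.example.com, and nothing else in the zone.
        grant EXAMPLE.COM ms-self * A AAAA;
    };
};
```

Running named-checkconf on the edited file before reloading catches syntax errors such as a zone that still carries both allow-update and update-policy.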