On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> I agree that TSIG or SIG(0) signed updates are certainly a more desirable
> approach than allowing updates via address. My DHCP server is set up to sign
> all of its updates this way. However, I have AD domain controllers in the
> environment that don't currently use signed updates. Is there a fairly
> painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly doable, but there are plenty of pitfalls to overcome.) Windows doesn't support TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master.

Regards,
Chris Buxton.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
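
The following named.conf fragment is an added illustration, not part of the original message and not ISC's own configuration, of the change discussed above: address-based allow-update replaced by an update-policy that admits both TSIG-signed and GSS-TSIG-signed updates. The zone name, realm, keytab path, key name, secret and addresses are all placeholders, and the keytab is assumed to hold the name server's DNS/ service principal exported from the AD domain.

```conf
// named.conf fragment (illustrative; every name and path is a placeholder)

options {
    // Keytab holding the server's DNS/<fqdn>@REALM service principal.
    // Assumption: exported from AD and readable only by the named user.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// TSIG key used by the DHCP server for its signed updates.
key "dhcp-ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "ad.example.com" {
    type master;
    file "dynamic/ad.example.com.db";

    // Before: trust based on source address only, which cannot be
    // combined with update-policy in the same zone.
    // allow-update { 192.0.2.10; 192.0.2.11; };

    // After: every update must be signed, and each grant is scoped.
    update-policy {
        // DHCP server: TSIG-signed, may update any name in this zone.
        grant dhcp-ddns-key zonesub ANY;

        // Windows machines: GSS-TSIG with a machine$@AD.EXAMPLE.COM
        // principal may update only their own A/AAAA records.
        // The name field is unused by ms-self; "." is a placeholder.
        grant AD.EXAMPLE.COM ms-self . A AAAA;
    };
};
```

The ms-self rule covers only a machine's own address records, so the additional records that domain controllers register need further, separately scoped grants. Running named-checkconf against the file before reloading catches syntax errors.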