Ok so it's not painless.  Do the updates still get forwarded to the master
by the slaves or do I need to have all Windows devices needing update
capability to point at the master?

TIA,

Bob



On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <cli...@buxtonfamily.us> wrote:

> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
>
> > I agree that TSIG or SIG(0) signed updates are certainly a more
> > desirable approach than allowing updates via address.  My DHCP server is
> > set up to sign all of its updates this way.  However, I have AD domain
> > controllers in the environment that don't currently use signed updates.  Is
> > there a fairly painless way to convert all the AD machines to signed
> > updates?
>
> You would need to set up GSS-TSIG, which is not painless. (It's certainly
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
> support TSIG, just GSS-TSIG.
>
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
> the master.
>
> Regards,
> Chris Buxton.