Ok so it's not painless. Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability to point at the master?
TIA, Bob On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <cli...@buxtonfamily.us>wrote: > On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote: > > > I agree that TSIG or SIG(0) signed updates are certainly a more > desirable approach than allowing updates via address. My DHCP server is > setup to sign all of it's updates this way. However, I have AD domain > controllers in the environment that don't currently use signed updates. Is > there a fairly painless way to convert all the AD machines to signed > updates? > > You would need to set up GSS-TSIG, which is not painless. (It's certainly > doable, but there are plenty of pitfalls to overcome.) Windows doesn't > support TSIG, just GSS-TSIG. > > AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on > the master. > > Regards, > Chris Buxton.
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users