Signed updates, that is...
On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <cli...@buxtonfamily.us> wrote:
>
>> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
>>
>> > I agree that TSIG or SIG(0) signed updates are certainly a more
>> > desirable approach than allowing updates via address. My DHCP server is
>> > set up to sign all of its updates this way. However, I have AD domain
>> > controllers in the environment that don't currently use signed updates. Is
>> > there a fairly painless way to convert all the AD machines to signed
>> > updates?
>>
>> You would need to set up GSS-TSIG, which is not painless. (It's certainly
>> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
>> support TSIG, just GSS-TSIG.
>>
>> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
>> the master.
>>
>> Regards,
>> Chris Buxton.
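An added example, not code from the thread or from BIND: a small Python check that reads a named.conf excerpt and reports, per zone, whether dynamic updates are authorised by source address, by TSIG key in allow-update, or through update-policy. The excerpt is constructed; the zone names, key name, realm and addresses are made up, and the parser handles only this simple layout.

```python
import re

# Constructed named.conf excerpt; zone names, key name, realm and addresses are made up.
SAMPLE_CONF = """
zone "corp.example" {
    type master;
    allow-update { 192.0.2.10; 192.0.2.11; };  // DCs allowed by address
};
zone "lab.example" {
    type master;
    allow-update { key "dhcp-ddns"; };         // TSIG-signed only
};
zone "ad.example" {
    type master;
    update-policy { grant AD.EXAMPLE ms-self . A AAAA; };  // GSS-TSIG
};
"""

def block_after(text, start):
    """Return the text inside the brace pair that opens at or after `start`."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def audit_zones(conf):
    """Map each zone to 'address', 'key', 'policy' or 'none' by how updates are authorised."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    result = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        body = block_after(conf, m.end())
        acl = re.search(r"\ballow-update\s*\{", body)
        if acl:
            items = [e.strip() for e in block_after(body, acl.start()).split(";") if e.strip()]
            # Any element that is not `key <name>` (or `none`) matches without a signature.
            unsigned = [e for e in items if not e.startswith("key ") and e != "none"]
            result[m.group(1)] = "address" if unsigned else "key"
        elif re.search(r"\bupdate-policy\s*\{", body):
            result[m.group(1)] = "policy"
        else:
            result[m.group(1)] = "none"
    return result
```

Zones reported as `address` are the ones that would need to move to signed updates before address-based updates can be dropped.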