On Mar 16, 2014, at 3:32 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master by
> the slaves or do I need to have all Windows devices needing update capability
> to point at the master?
>
> TIA,
>
> Bob

I don't believe it works with update forwarding. I've certainly never gotten it to work. However, Microsoft will send the updates to the master listed in the SOA record, so as long as that shows your otherwise-hidden master, and firewall access is set up for it, everything should work fine.

Regards,
Chris Buxton

> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <cli...@buxtonfamily.us> wrote:
> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> >
> > I agree that TSIG or SIG(0) signed updates are certainly a more desirable
> > approach than allowing updates via address. My DHCP server is set up to
> > sign all of its updates this way. However, I have AD domain controllers
> > in the environment that don't currently use signed updates. Is there a
> > fairly painless way to convert all the AD machines to signed updates?
>
> You would need to set up GSS-TSIG, which is not painless. (It's certainly
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
> support TSIG, just GSS-TSIG.
>
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the
> master.
>
> Regards,
> Chris Buxton.
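A named.conf sketch of the master-side setup the thread describes, showing the address-based allow-update beside a GSS-TSIG update-policy that also keeps the DHCP server's TSIG key; this is an added illustration, not configuration from the thread, and the zone name, realm, key name, secret and file paths are assumptions.

```conf
// Added example, not from the thread. Zone, realm, key and paths are assumed.

// BEFORE: address-based updates. Any host that can source packets from the
// subnet (or spoof that source over UDP) may rewrite the zone.
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    allow-update { 192.0.2.0/24; };
};

// AFTER: signed updates only.
options {
    directory "/var/named";
    // Keytab holding the DNS/ns1.example.com@EXAMPLE.COM service principal
    // (assumed path); named needs it to negotiate GSS-TSIG with Windows hosts.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// TSIG key shared with the DHCP server (secret is a placeholder).
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    // Windows clients locate this server through the SOA MNAME, so the zone
    // file's SOA must name this (otherwise hidden) master.
    // update-policy replaces allow-update; a zone cannot carry both.
    update-policy {
        // DHCP server may manage forward records for any name under the apex.
        grant dhcp-key subdomain example.com. A AAAA TXT;
        // A machine principal host$@EXAMPLE.COM may update only host.example.com.
        grant EXAMPLE.COM ms-self EXAMPLE.COM A AAAA;
        // Any machine principal in the realm may update names under _msdcs,
        // where domain controllers register their service records.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com ANY;
    };
};
```

Only the AFTER zone block should be active; the BEFORE block is shown for contrast and would conflict with it if both were loaded.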
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users