

Clarification on the GSS-TSIG supported zone transfer in MS-DNS.

Question

Tuesday, March 18, 2014 6:25 AM

I have one clarification on the GSS-TSIG supported zone transfer in MS-DNS.

I tried the following zone transfer scenario:

  1. Configure my DNS server (which supports the GSS-TSIG algorithm for zone transfer) as primary for a zone 'test.com'.
  2. Configure MS-DNS as secondary server for the zone 'test.com'.

Question: I could not find any provision in MS-DNS to configure the secondary zone securely with GSS-TSIG.

My clarification:

  1. Does MS-DNS support GSS-TSIG-secured zone transfer?
  2. If MS-DNS does not support GSS-TSIG for zone transfer, then how can I do a secure zone transfer to MS-DNS?
  3. If MS-DNS supports GSS-TSIG for zone transfer, what are the steps to be followed to configure a primary zone and a secondary zone for GSS-TSIG?

All replies (2)

Wednesday, March 19, 2014 6:01 AM ✅Answered

Hi,

Microsoft Windows software does not support TSIG via hmac-md5, rather Microsoft has implemented a different mechanism for authenticating servers using GSS-TSIG.  For this reason, it is not possible to configure a Windows Server running the Microsoft DNS service to perform zone transfers from a server running BIND DNS configured as a master authoritative server with TSIG protection on the allow-transfer directive.

Quote from:

Securing zone transfers with TSIG

http://www.netlinxinc.com/netlinx-blog/45-dns/42-securing-zone-transfers-with-tsig.html

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Hope this helps.
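The mechanism the answer contrasts with GSS-TSIG is classic TSIG (RFC 2845): an HMAC-MD5 over the DNS message plus a fixed set of "TSIG variables", carried in a TSIG record that the receiving server recomputes before it honours the request. The following is an added example, not code from this thread, from Microsoft DNS or from BIND; the zone name, key name, shared secret and timestamps are constructed, and the message it builds is a bare AXFR request without name compression. It shows what a secondary must recompute before accepting a transfer and why a wrong key, a modified byte or a stale timestamp is refused (BADSIG / BADTIME), which is the HMAC counterpart of the "invalid MIC" failure reported later in this thread for the GSS-API variant.

```python
# Added example (not from the thread): RFC 2845 TSIG signing and verification
# with HMAC-MD5 over a constructed AXFR request. Zone, key name, secret and
# timestamps below are made up for illustration.
import hashlib
import hmac
import struct

TYPE_TSIG, TYPE_AXFR = 250, 252
CLASS_IN, CLASS_ANY = 1, 255
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."


def encode_name(name):
    """Canonical wire form of a domain name: lower case, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf, off):
    """Advance past a name that may end in a compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _read_name(buf, off):
    """Read an uncompressed name (TSIG owner and algorithm names are sent uncompressed)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_axfr_query(msg_id, zone):
    """Constructed AXFR request: 12-byte header with QDCOUNT=1 and one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' hashed after the message: name, class ANY, TTL 0,
    algorithm, time signed (48 bit), fudge, error, other len, other data."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algorithm) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_message(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request (a request has no prior MAC)."""
    digest_input = message + tsig_variables(key_name, HMAC_MD5, time_signed, fudge)
    mac = hmac.new(secret, digest_input, hashlib.md5).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(HMAC_MD5) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    # The TSIG RR is counted in ARCOUNT of the message as sent on the wire.
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def verify_message(signed, secret, now):
    """Recompute the MAC the way a secondary would; returns (ok, reason)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG record"
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):                # every RR before the TSIG
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = _read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10                                        # TYPE, CLASS, TTL, RDLENGTH
    if rtype != TYPE_TSIG:
        return False, "last record is not TSIG"
    algorithm, off = _read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    off += 6
    fudge, mac_size = struct.unpack("!HH", signed[off:off + 4])
    off += 4
    mac = signed[off:off + mac_size]
    off += mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    off += 6
    other = signed[off:off + other_len]
    if algorithm.lower() != HMAC_MD5:
        return False, "BADKEY: unsupported algorithm"
    # Rebuild exactly what the signer hashed: original ID, ARCOUNT without the
    # TSIG RR, and the message body up to (not including) the TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    expected = hmac.new(secret, unsigned + tsig_variables(
        key_name, algorithm, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return False, "BADSIG: MAC does not verify"
    if abs(now - time_signed) > fudge:              # checked only after the MAC
        return False, "BADTIME: outside fudge window"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request = build_axfr_query(0x1234, "test.com")
    signed = sign_message(request, "xfer-key.example.", secret, time_signed=1395124000)
    print(verify_message(signed, secret, now=1395124010))
    print(verify_message(signed, b"wrong-secret", now=1395124010))
```

The verifier checks the MAC before it looks at the timestamp, so an attacker who cannot produce a valid MAC learns nothing about the clock window, and the comparison is constant-time. In a real deployment the secret is the base64 key in BIND's key statement and the key name is what allow-transfer references; a Windows DNS secondary has no place to enter such a key, which is the point the answer makes.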


Tuesday, June 17, 2014 9:00 AM

Thanks for the clarification!

I have implemented RFC 3645 in the DDNS functionality of my DNS and DHCP servers. The servers are supported on both Linux and Windows platforms. This implementation works fine when DNS and DHCP are on the same platform, but does not work cross-platform.

Description:
I used the following setting:

DNS server running in a Win2008-R2 machine (RFC 3645 implemented by using SSPI)

DHCP server running in RHL6.0 (RFC 3645 implemented by using MIT GSS-API)

KDC and AD running in a Win2008-R2 machine

If I do a DDNS update from DHCP to DNS, then the DDNS update succeeds, but the DDNS response message validation in DHCP fails.

DHCP >DDNS update> DNS  (update success)

DHCP <DDNS Response< DNS  (update response failed in gss_verify_mic())

Error message:

gss_verify_mic returned: A token had an invalid Message Integrity Check (MIC)