Feature #1685

closed

Windows DNS: Secure connection using GSS-TSIG

Added by Oliver Weinmann over 12 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: DNS
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Hi,

we are using Foreman in our heterogeneous Windows / Linux environment. Our master DNS servers are running on Windows / Active Directory. It is a big security issue to leave the dynamic updates on "Nonsecure and secure". I know that Foreman is using nsupdate to update DNS records. This supports GSS-TSIG to securely communicate with Windows DNS servers. I have tested this on an Ubuntu 12.04 machine and I can manipulate Windows DNS servers using nsupdate with GSS-TSIG just fine.

The following blog post put me in the right direction: http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

Basically all that is needed is a keytab file, i.e. a valid username and password that can connect to AD:

The keytab can be generated using:
$ ktutil
ktutil: addent -password -p -k 1 -e aes256-cts-hmac-sha1-96
Password for :
ktutil: wkt dnsuser.keytab
ktutil: quit

With the keytab created, nsupdate can be run with the "-g" switch to enable secure GSS-TSIG communication.

My Ruby skills are absolutely zero and I only have a stable Foreman environment set up here at work. I'm happy to set up a new Foreman dev environment and to test. :)

Regards,
Oliver
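The procedure described in the request (keytab creation with ktutil, then nsupdate with the -g switch) as an added shell example; this is not code from the issue or from the Foreman project. The principal, keytab name, DNS server and zone are assumed placeholders, and the password is taken from an environment variable rather than typed at the prompt. The nsupdate input also adds a "prereq nxdomain" line, which the original session does not show, so that an existing record is never overwritten by accident.

```shell
#!/bin/sh
# Added example (not from the issue or from Foreman): non-interactive keytab
# creation and a GSS-TSIG secured nsupdate run against an AD DNS server.
set -eu

# Assumed placeholders; override them in the environment.
PRINCIPAL="${PRINCIPAL:-dnsuser@EXAMPLE.COM}"   # AD account allowed to update the zone
KEYTAB="${KEYTAB:-dnsuser.keytab}"
DNS_SERVER="${DNS_SERVER:-dc01.example.com}"    # AD DNS server (assumed name)
ZONE="${ZONE:-example.com}"

# Build the ktutil script. With "addent -password" ktutil reads the password
# from the next input line, so the heredoc replaces the interactive prompt.
#   $1 principal, $2 password, $3 keytab path
ktutil_script() {
  printf 'addent -password -p %s -k 1 -e aes256-cts-hmac-sha1-96\n' "$1"
  printf '%s\n' "$2"
  printf 'wkt %s\n' "$3"
  printf 'quit\n'
}

# Build the nsupdate input for one A record.
#   $1 server, $2 zone, $3 fqdn, $4 ip, $5 ttl
# "prereq nxdomain" makes the server reject the update if the name already
# exists, so a misconfigured host cannot silently hijack another host's name.
update_script() {
  printf 'server %s\n' "$1"
  printf 'zone %s\n' "$2"
  printf 'prereq nxdomain %s\n' "$3"
  printf 'update add %s %s A %s\n' "$3" "$5" "$4"
  printf 'send\n'
}

# Write the keytab with restrictive permissions (KEYTAB_PASSWORD must be set).
create_keytab() {
  umask 077
  ktutil_script "$PRINCIPAL" "$KEYTAB_PASSWORD" "$KEYTAB" | ktutil
}

# Get a TGT from the keytab, then push the update with GSS-TSIG (-g).
#   $1 fqdn, $2 ip
run_update() {
  kinit -k -t "$KEYTAB" "$PRINCIPAL"
  update_script "$DNS_SERVER" "$ZONE" "$1" "$2" 3600 | nsupdate -g
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_DNS_UPDATE:-}" = "1" ]; then
  [ -f "$KEYTAB" ] || create_keytab
  run_update "$1" "$2"
fi
```

Usage: `KEYTAB_PASSWORD=... RUN_DNS_UPDATE=1 sh gss_update.sh host1.example.com 192.0.2.10`. The AD account behind the keytab should be granted write access on the zone only (not Domain Admin), and the keytab file should stay readable solely by the user that runs nsupdate, since possession of it is equivalent to the password.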


Related issues (2; 0 open, 2 closed)

Related to: Smart Proxy - Feature #1809: Smart-Proxy control of IPA Server (Closed, Stephen Benjamin, 08/06/2012)
Has duplicate: Smart Proxy - Feature #61: Add Microsoft DNS Support (Resolved, Paul Kelly, 11/05/2009)