Re: Secure Dynamic Update with TSIG on Windows clients?
Ralf Durkee wrote:
> You may be stuck since MS signature's not TSIG compatible.
Getting Windows itself to do it is a lost cause, of course.
I can do it via scripting a call to a win32 build of nsupdate and
wrapping it as a service, but was hoping someone already had built an
equivalent solution that wouldn't be as hacky.
> It sounds like you want to allow dynamic updates to your DNS from
> sources that you don't control, and allow them to update names to
> IP addresses of their choice. Sounds like things would be pretty
> open to allow unwanted updates. You might want to think this
> through, even if the TSIG signature worked, you'd be trusting a lot.
I'm setting it up so that there is a key per subdomain in the dynamic
zone so a given client has control over A and TXT records of their own
personal subdomain but nothing else, so it's not open for abuse. It
works happily on Linux via dhclient's support for Secure Dynamic update