DDNS with GSS / Kerberos

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

DDNS with GSS / Kerberos

This post has NOT been accepted by the mailing list yet.
We are trying to use PowerDNS 3.4.7 for dynamic DNS updates. Zones and DHCPD are configured with TLS keys and the update works without any issues.

However, many AD clients try to update their DNS records themselves. In order to allow that we would need to open a huge IP range for "allow-dnsupdate-from", which I don't really like to do. So I joined the linux box (CentOS 7) to our AD domain, configured kerberos and added a DNS/xx.yy.com@ADDOMAIN.YY.COM service principal.
For the affected domains I also added that principal as the GSS-ACCEPTOR-PRINCIPAL.

Now in order to allow for DDNS updates, according to the documentation, we need to also specify TSIG-ALLOW-DNSUPDATE holding the requestor principal. this is straight from the PowerDNS doc:
"If GSS-TSIG is enabled, you can put kerberos principals here as well."
"These must be set to the exact initiator principal names you intend to use. No wildcards accepted."

So my question is, if I have many clients updating their own records, how would I add them to the TSIG-ALLOW-DNSUPDATE record in the database? Do I need to add a record for EACH client? This would be highly problematic. Or can I specify the kerberos realm only, like @ADDOMAIN.YY.COM and all clients will be allowed to update?

I searched the web for this kind of setup but haven't really found anything.

Any insight would be highly appreciated.