DHCP Server updating Windows DNS - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

Summary of the process in which a DHCP Server updates a Windows DNS server.

Configuring a managed DHCP Server to update Windows DNS servers requires configuration on both the Windows server and on Address Manager:
With GSS-TSIG, Kerberos authentication and TSIG keys are used to establish secure DDNS updates between the Windows DNS server and the DHCP Server. The DHCP Server must have a Kerberos service principal (a user account) defined in the Windows Kerberos database in order to use GSS-TSIG. The following diagram illustrates the way in which DDNS updates are secured using GSS-TSIG:

  1. The DHCP client requests an IP address.
  2. The DHCP Server negotiates a security context with the Kerberos server. During this negotiation, Kerberos performs the following steps:
    • receives and verifies client request
    • grants a ticket-granting ticket (TGT)
    • grants a service ticket
  3. The DHCP Server sends DDNS updates signed with GSS-TSIG to the Microsoft Windows DNS server. The updates contain the following records:
    • Forward zone:
      • A—Address record
      • TXT—Text record
    • Reverse zone:
      • PTR—Pointer record
  4. The Windows DNS server verifies the DDNS update and allows it to complete.
  5. The Windows DNS server sends GSS-TSIG signed response to the DHCP Server confirming the update.
  6. The DHCP Server assigns IP address.