Summary of the process in which a DHCP Server updates a Windows DNS server.
Configuring a managed DHCP Server to update Windows DNS servers requires configuration on
both the Windows server and in Address Manager.
With GSS-TSIG, Kerberos authentication and TSIG keys are used to secure DDNS updates between
the DHCP Server and the Windows DNS server: the DHCP Server authenticates to the Kerberos KDC,
and the security context it then negotiates with the DNS server yields the TSIG key that signs
each update (the TKEY/GSS-TSIG mechanism of RFC 3645). The DHCP Server must have a Kerberos
service principal (an Active Directory user account with a service principal name) defined in
the Windows Kerberos database in order to use GSS-TSIG. The Windows DNS zones that receive the
updates must be Active Directory-integrated and set to accept only secure dynamic updates; a
zone set to "Nonsecure and secure" will also accept unsigned updates. The following steps
describe the way in which DDNS updates are secured using GSS-TSIG:
- The DHCP client requests an IP address.
- The DHCP Server obtains Kerberos credentials and negotiates a security context. During this
  negotiation, the Kerberos server (the KDC) performs the following steps:
  - receives and verifies the DHCP Server's authentication request
  - grants a ticket-granting ticket (TGT)
  - grants a service ticket for the DNS server's service principal
- The DHCP Server sends DDNS updates signed with GSS-TSIG to the Microsoft Windows DNS
  server. The updates contain the following records:
  - Forward zone:
    - A—Address record
    - TXT—Text record
  - Reverse zone:
    - PTR—Pointer record
- The Windows DNS server verifies the signature on the DDNS update and allows it to complete.
- The Windows DNS server sends a GSS-TSIG signed response to the DHCP Server confirming the update.
- The DHCP Server assigns the IP address to the client.
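As an added example (not part of the original page, and not BlueCat's or Microsoft's own tooling), the following PowerShell checks the Windows-side prerequisites that the steps above depend on: each zone receiving updates is AD-integrated and accepts only secure updates, and the DHCP Server's user account carries a service principal name so the KDC can issue tickets for it. The DNS server name, zone names, account name and SPN are placeholders to be replaced with your own values; the SPN format shown is an assumption, not a value prescribed by the page.

```powershell
# Added example: verify the Windows prerequisites for GSS-TSIG updates from a DHCP Server.
# All names below are placeholders.
param(
    [string]   $DnsServer   = "dns01.corp.example.com",
    [string[]] $Zones       = @("corp.example.com", "10.in-addr.arpa"),
    [string]   $DhcpAccount = "svc-bluecat-dhcp",
    [string]   $Spn         = "DHCP/bdds01.corp.example.com"   # assumed SPN format
)

Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Each zone that receives updates must be AD-integrated and set to Secure updates only.
#    "NonsecureAndSecure" would also accept unsigned updates, defeating the point of GSS-TSIG.
foreach ($zoneName in $Zones) {
    $zone = Get-DnsServerZone -Name $zoneName -ComputerName $DnsServer
    if (-not $zone.IsDsIntegrated) {
        Write-Warning "$zoneName is not AD-integrated; secure dynamic updates are unavailable."
        continue
    }
    if ($zone.DynamicUpdate -ne "Secure") {
        Write-Warning "$zoneName allows '$($zone.DynamicUpdate)' updates; switching to Secure."
        Set-DnsServerPrimaryZone -Name $zoneName -ComputerName $DnsServer -DynamicUpdate Secure
    }
}

# 2. The DHCP Server's AD user account needs a service principal name, otherwise the KDC
#    has no principal to issue a service ticket against.
$acct = Get-ADUser -Identity $DhcpAccount -Properties servicePrincipalName
if ($acct.servicePrincipalName -notcontains $Spn) {
    Write-Warning "$DhcpAccount lacks SPN $Spn; adding it."
    Set-ADUser -Identity $DhcpAccount -ServicePrincipalNames @{ Add = $Spn }
}

# 3. The SPN must be unique in the forest; a duplicate makes the KDC refuse to issue tickets
#    (KDC_ERR_PRINCIPAL_NOT_UNIQUE). setspn -Q lists every account that carries it.
& setspn.exe -Q $Spn
```

Run this from a host with the DnsServer and ActiveDirectory RSAT modules, as an account that can modify the zones and the service account. It does not touch the Address Manager side; the Kerberos credentials and key handling for the DHCP Server are still configured there as the page describes.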