10-22-2017 09:21 AM
Has anyone encountered the issue with WIndows 2000 server doing dynamic updates using des-mac-md5?
I ran the command as crypto all, assigned all keys for DNS dynamic updates.
I had windows 2000, 2003, 2008 and 2012 but only Windows 2000 is not able to update properly.
In the syslogs, I could see TSIG verify failure, BADSIG.
I did a traffic capture, the error shows BAD OPT version or TSIG Signature Failure.
Can anyone advise?
10-23-2017 05:10 AM
I don't think Windows 2000 is supported. What you can do is enable secure & unsecure updates on the Windows 2000 zones.
10-24-2017 08:43 PM
Thanks for the reply.
Apology if I didn't explain clearly above.
The windows 2000 is a client doing dynamic updates to Infoblox DNS servers.
Infoblox DNS has refused all windows 2000 clients despite des-mac-md5 crypto have been assigned to the DNS Master member.
Does Infoblox support windows 2000 for dynamic updates?
10-26-2017 07:15 AM
Ok, now I understand what you are trying to achieve. When exporting the keytab, the manual says
Microsoft Windows 2000 Specify /crypto DES-CBC-MD5 as the export keytab.
while other versions use:
Microsoft Windows 2008 and higher Specify /crypto RC4-HMAC-NT as the export keytab.
You mentioned des-mac-md5, not sure if they are the same as des-cbc-md5
4 weeks ago
I had just got some response from the tech support and they mentioned that it was due to some windows 2000 bug which will need to be patched in order to support the GSS-TSIG updates.
Thanks a lot for your help!