GSS-TSIG support in BIND 9.5
Adam Tkac
atkac at redhat.com
Thu Jan 3 14:15:59 UTC 2008
On Thu, Jan 03, 2008 at 07:04:13AM -0700, Madhavi Phanse wrote:
> Hi,
>
> I have a few queries about the GSS-TSIG support in BIND 9.5.
> To enable named to work with this support, do you need to specify the GSS key in the zone as below:
>
> key my-gss-key
> {
> algorithm gss-tsig;
> key sjkgoeto..;
> }
>
> example.com{
> ..
> ..
> allow-update {key my-gss-key;}
> }
>
> How to generate the gss-tsig key in that case?
> Is there any tool available to generate a gss-tsig key like dnssec-tsig?
>
> Or do you specify the /etc/key.tab file in place of zone key above? How is the key expiration handled in that case?
>
> If this is not the right way to specify the GSS-TSIG algorithm, can you correct me?
>
This is the general procedure to get it working:
- configure kerberos KDC with named and user principals
- principal DNS at fqdn.of.your.server for named
- export named principal to keytab file and put it to DNS machine
- in named.conf specify tkey-domain, tkey-gssapi-credential and
correct update-policy options (see
http://www.isc.org/index.pl?/sw/bind/arm95/ for details)
- on client machine obtain client credential via kinit
- use nsupdate -g for update
Adam
--
Adam Tkac, Red Hat, Inc.
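The procedure above written out as a POSIX shell script (an added example, not code from the mail or from BIND). The realm EXAMPLE.COM, server ns1.example.com, zone example.com, keytab path /etc/named.keytab, the wildcard identity in update-policy and the KRB5_KTNAME environment variable are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example: GSS-TSIG setup for BIND 9.5 as generated config and commands.
# Assumed values: realm EXAMPLE.COM, server ns1.example.com, zone example.com.

# named authenticates as the Kerberos principal DNS/<server fqdn>@<REALM>.
principal_name() {            # $1 = server fqdn, $2 = realm
    printf 'DNS/%s@%s' "$1" "$2"
}

# named.conf fragment: tkey-domain, tkey-gssapi-credential and an update-policy
# granting principals of the realm (assumed wildcard identity form) the right to
# change address records under the zone; ANY would be far broader than needed.
named_conf_fragment() {       # $1 = server fqdn, $2 = realm, $3 = zone
    cat <<EOF
options {
    tkey-domain "$2";
    tkey-gssapi-credential "$(principal_name "$1" "$2")";
};
zone "$3" {
    type master;
    file "$3.zone";
    update-policy {
        grant "*@$2" wildcard "*.$3." A AAAA;
    };
};
EOF
}

# nsupdate batch replacing one A record; piped into "nsupdate -g" after kinit.
nsupdate_batch() {            # $1 = server fqdn, $2 = zone, $3 = host fqdn, $4 = address
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. 3600 A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4"
}

# KDC / DNS server side (run by hand, in this order):
#   kadmin.local -q "addprinc -randkey $(principal_name ns1.example.com EXAMPLE.COM)"
#   kadmin.local -q "ktadd -k /etc/named.keytab $(principal_name ns1.example.com EXAMPLE.COM)"
#   copy /etc/named.keytab to the DNS machine; chown named /etc/named.keytab; chmod 600 /etc/named.keytab
#   export KRB5_KTNAME=/etc/named.keytab in named's environment (assumed: 9.5 has no keytab option)
#   named_conf_fragment ns1.example.com EXAMPLE.COM example.com >> /etc/named.conf
# Client side:
#   kinit user@EXAMPLE.COM
#   nsupdate_batch ns1.example.com example.com host1.example.com 192.0.2.10 | nsupdate -g
```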