GSS-TSIG support in BIND 9.5

Madhavi Phanse pmadhavi at novell.com
Fri Jan 25 03:27:47 UTC 2008


Is there any tool to test the secure queries with gss mechanism?

Nslookup in Windows has only basic operations.
The "dig" tool supports DNSSEC but not the GSS mechanism.

Thanks again,
Madhavi

>>> Adam Tkac <atkac at redhat.com> 1/3/2008 7:45 PM >>>
On Thu, Jan 03, 2008 at 07:04:13AM -0700, Madhavi Phanse wrote:
> Hi,
> 
> I have a few queries about the GSS-TSIG support in BIND 9.5.
> To enable named to work with this support, is it that you need to specify the GSS key in the zone as below:
> 
> key my-gss-key
> {
> algorithm gss-tsig;
> key sjkgoeto..;
> }
> 
> example.com{
>         ..
>         ..
>         allow-update {key my-gss-key;}
> }
> 
> How to generate the gss-tsig key in that case? 
> Is there any tool available to generate a gss-tsig key like dnssec-tsig?
> 
> Or do you specify the /etc/key.tab file in place of zone key above? How is the key expiration handled in that case?
> 
> If this is not the right way to specify the GSS-TSIG algorithm, can you correct me?
> 

This is the general procedure for getting it to work:

- configure kerberos KDC with named and user principals
  - principal DNS at fqdn.of.your.server for named
  - export named principal to keytab file and put it to DNS machine
  - in named.conf specify tkey-domain, tkey-gssapi-credential and
    correct update-policy options (see
    http://www.isc.org/index.pl?/sw/bind/arm95/ for details)

- on client machine obtain client credential via kinit
- use nsupdate -g for update

Adam

-- 
Adam Tkac, Red Hat, Inc.
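The steps above, written out as an added configuration example (it is not from this thread or from the BIND distribution). Assumed names: Kerberos realm EXAMPLE.COM, server ns1.example.com, zone example.com, and a placeholder keytab path; the `update-policy` grant uses the `krb5-self` nametype, which authorises a Kerberos machine principal to change only its own records, so no static `key ... { algorithm gss-tsig; }` stanza is needed: the TSIG key is negotiated per session over TKEY and expires with that session.

```conf
// Added example, not from the thread. Assumed: realm EXAMPLE.COM,
// server ns1.example.com, zone example.com, keytab at a placeholder path.
options {
    directory "/var/named";

    // Kerberos realm used for the TKEY (GSS-TSIG) negotiation.
    tkey-domain "EXAMPLE.COM";

    // Service principal named authenticates as. It must be exported from
    // the KDC into a keytab on this host (e.g. /PATH/TO/named.keytab);
    // BIND 9.5 has no tkey-gssapi-keytab option, so the keytab is located
    // through the GSSAPI library's default (e.g. KRB5_KTNAME in named's
    // environment) rather than in named.conf.
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "example.com.zone";

    // No "key my-gss-key { algorithm gss-tsig; ... }" stanza and no
    // allow-update { key ...; }: with GSS-TSIG the key is negotiated per
    // session, so authorisation is expressed by Kerberos principal instead.
    // krb5-self: host/foo.example.com@EXAMPLE.COM may update only the
    // A/AAAA records of foo.example.com.
    update-policy {
        grant EXAMPLE.COM krb5-self * A AAAA;
    };
};

// Client side (shell on the updating host; constructed sample values):
//   kinit host/foo.example.com@EXAMPLE.COM
//   nsupdate -g
//   > server ns1.example.com
//   > update add foo.example.com. 3600 A 192.0.2.10
//   > send
```

Because `nsupdate -g` performs the TKEY exchange itself, it also serves as the test tool asked about at the top of the thread: a successful `send` against this configuration, and a refused one after `kdestroy`, show that the GSS-TSIG path is being exercised.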
