GSS-TSIG updates with multiple KSPs on the same BIND server?

Doug Barton dougb at
Wed Jun 3 20:44:28 UTC 2015


Reading through manuals, HOWTOs, etc. on line it SEEMS possible that 
BIND 9.8+ could be configured to use multiple KSPs. The traditional way 
of configuring GSS-TSIG is the following in options{}:

     tkey-domain "FOO.BAR";
     tkey-gssapi-credential "DNS/";

However that configuration restricts the server to use only that one 
KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option 
to specify just the keytab file. According to the 9.9.5 ARM:

tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If 
this option is set and tkey-gssapi-credential is not set, then updates 
will be allowed with any key matching a principal in the specified keytab.

I'm assuming that if I get the [realms] and [domain_realms] configured 
correctly in my krb5.conf file that I would be good to go, but I am far 
from an expert on Kerberos, and while using a single KSP works fine, I 
haven't yet created a test environment for using multiple KSPs. So 
before I do that I thought I would ask if what I want to do is even 
possible, and if so where the landmines are.

In case it's not clear, the use case here is to be able to use the same 
BIND instance as master for multiple AD realms that do not have an 
existing trust relationship.



I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the bind-users mailing list