GSS-TSIG updates with multiple KSPs on the same BIND server?

Vinícius Ferrão ferrao at
Thu Jun 4 23:04:10 UTC 2015


I always make my own krb5.conf file. Which krb bits on DNS you're talking about?

Sent from my iPhone

> On 04/06/2015, at 19:50, John Marshall <john.marshall at> wrote:
> Chiming in to provide moral support due to lack of replies...
>> On 04/06/2015 06:44, Doug Barton wrote:
>> Reading through manuals, HOWTOs, etc. on line it SEEMS possible that
>> BIND 9.8+ could be configured to use multiple KSPs.
> No experience to share with multiple KSP's/REALMS. Sorry :-(
>> What I'd like to do instead is to use the tkey-gssapi-keytab option
>> to specify just the keytab file.
> but I can confirm that this works. I like to use service-specific
> keytabs, so I have the following as the ONLY 'tkey' statement in our
> master server's named.conf (currently BIND 9.10.2).
>  options {
>    ...
>    tkey-gssapi-keytab "/path/to/bind.keytab";
>  };
> and then work happily with 'nsupdate -g' from a client with an
> authorized UPN in the ACL for relevant zones.
> No krb5.conf on the server in this case: just all the right krb bits in DNS.
> I don't have time to mess with setting up and testing a second realm but
> I just tried adding an alias (AAAA) record for the master server in a
> different domain (same realm) and adding a DNS/ service principal for
> that name to the KDC and to BIND's keytab on the server. I specified
>> server
> in nsupdate but the client still picked up the original service
> principal (even after restarting BIND). I haven't looked at the code but
> I'm guessing the service principal selected may be tied to the server
> name 'options {hostname}' or something similar. Perhaps same domain
> names in different realms might work?
> -- 
> John Marshall
> _______________________________________________
> Please visit to unsubscribe from this list
> bind-users mailing list
> bind-users at

More information about the bind-users mailing list