GSS-TSIG updates with multiple KSPs on the same BIND server?

Vinícius Ferrão ferrao at if.ufrj.br
Thu Jun 4 23:04:10 UTC 2015


John,

I always make my own krb5.conf file. Which krb bits in DNS are you talking about?

Sent from my iPhone

> On 04/06/2015, at 19:50, John Marshall <john.marshall at riverwillow.com.au> wrote:
> 
> Chiming in to provide moral support due to lack of replies...
> 
>> On 04/06/2015 06:44, Doug Barton wrote:
>> Reading through manuals, HOWTOs, etc. on line it SEEMS possible that
>> BIND 9.8+ could be configured to use multiple KSPs.
> 
> No experience to share with multiple KSP's/REALMS. Sorry :-(
> 
>> What I'd like to do instead is to use the tkey-gssapi-keytab option
>> to specify just the keytab file.
> 
> but I can confirm that this works. I like to use service-specific
> keytabs, so I have the following as the ONLY 'tkey' statement in our
> master server's named.conf (currently BIND 9.10.2).
> 
>  options {
>    ...
>    tkey-gssapi-keytab "/path/to/bind.keytab";
>  };
> 
> and then work happily with 'nsupdate -g' from a client with an
> authorized UPN in the ACL for relevant zones.
> 
> No krb5.conf on the server in this case: just all the right krb bits in DNS.
> 
> I don't have time to mess with setting up and testing a second realm but
> I just tried adding an alias (AAAA) record for the master server in a
> different domain (same realm) and adding a DNS/ service principal for
> that name to the KDC and to BIND's keytab on the server. I specified
> 
>> server alias.name.
> 
> in nsupdate but the client still picked up the original service
> principal (even after restarting BIND). I haven't looked at the code but
> I'm guessing the service principal selected may be tied to the server
> name 'options {hostname}' or something similar. Perhaps same domain
> names in different realms might work?
> 
> -- 
> John Marshall
> 
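For readers following the thread: below is an added named.conf example (not the configuration of either poster) showing the keytab-only setup John describes, together with the update-policy ACL that ties GSS-TSIG signers to the records they may change. The realm EXAMPLE.COM, the zone dyn.example.com, the keytab path and the service principal name are assumptions; the krb5-self and subdomain grant forms are as documented in the BIND ARM.

```conf
// Added example, not from the thread. Placeholders: realm EXAMPLE.COM,
// zone dyn.example.com, keytab path and principal names are assumptions.
options {
    directory "/var/named";

    // The keytab holds the server's DNS/<fqdn>@EXAMPLE.COM key (the KSP).
    // BIND uses it to accept the TKEY (GSS-TSIG) negotiation; with the
    // realm discoverable from DNS no krb5.conf or tkey-gssapi-credential
    // is needed on the server, matching John's setup.
    tkey-gssapi-keytab "/etc/named/bind.keytab";
};

zone "dyn.example.com" {
    type master;
    file "dyn/dyn.example.com.db";

    // Prefer update-policy over allow-update: grants are matched against the
    // authenticated Kerberos principal, so a reachable client that merely
    // knows the zone name gets nothing. Each grant also limits record types.
    update-policy {
        // A machine principal host/box.dyn.example.com@EXAMPLE.COM may only
        // change A/AAAA records for its own name. The name field is a
        // placeholder for this rule type, so it is given as ".".
        grant EXAMPLE.COM krb5-self . A AAAA;

        // One named service principal (assumed name) may manage forward and
        // reverse records anywhere under the zone, but nothing else
        // (no NS, SOA or DNSKEY changes).
        grant "dhcp@EXAMPLE.COM" subdomain dyn.example.com. A AAAA PTR;
    };
};
```

A client with a valid ticket then runs `nsupdate -g` as John describes; any principal that is not covered by a grant is refused even though its signature verifies, which is the property to check for (with `rndc reload` and a deliberately unauthorized principal) before trusting the zone to dynamic updates.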