DNS can be a subdomain

Grant Taylor gtaylor at tnetconsulting.net
Wed Jun 27 04:35:22 UTC 2018

On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to allow 
> hosts to authenticate updates to the DNS for their own records.

I'm not quite following.  Do you mean that you can allow hosts to update 
their own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?


> Instead of registering a host with AD you add a KEY record into the DNS 
> which has the public key of the host which is to be used to sign the 
> UPDATE requests.

If you're using AD for (presumably) Windows networking (and all that 
entails) you very likely want the workstations to be registered with AD. 
The machine trust accounts are pertinent to AD's operation and the 
workstation's ability to access AD resources when users aren't logged in.


> Unfortunately OS developers have been asleep at the wheel by not adding 
> support for this to their products.

I'm seeing more and more references to SIG(0) in the last couple of 
weeks.  I think I need to refresh myself on it.

Grant. . . .
unix || die
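For readers following the SIG(0)/KEY mechanism Mark describes above, here is an added configuration sketch (not taken from the thread or from any poster) showing how the pieces fit together in BIND: the zone publishes the host's public key as a KEY RR under the host's own name, and an update-policy "self" rule restricts an update signed with that key to the RRsets owned by that same name. The zone name, host name, key algorithm and key-file names are assumed for illustration.

```conf
// named.conf fragment: accept UPDATEs signed with SIG(0) by hosts that
// hold a KEY RR at their own name (illustrative, assumed zone/host names).
zone "example.com" {
    type master;
    file "example.com.zone";
    // "self": the signer's identity is the owner name of the KEY RR used
    // to verify the SIG(0) signature; it may only touch A/AAAA RRsets at
    // that same name, so host.example.com cannot rewrite other hosts' records.
    update-policy {
        grant * self * A AAAA;
    };
};

// example.com.zone: publish the public half of the host's SIG(0) key.
// The key pair is created on the host with (flags as documented for
// dnssec-keygen; algorithm chosen here as an example):
//   dnssec-keygen -a ECDSAP256SHA256 -n HOST -T KEY host.example.com.
// which writes Khost.example.com.+013+NNNNN.key / .private (NNNNN = key id).
// The .key file holds the KEY RR to paste into the zone; "512" are the
// HOST-type flags, "3" the protocol field, "13" the algorithm number.
//   host.example.com. IN KEY 512 3 13 <base64 public key from .key file>

// The host then signs its own update with the private half:
//   nsupdate -k Khost.example.com.+013+NNNNN.private
//     > update delete host.example.com. A
//     > update add    host.example.com. 300 A 192.0.2.10
//     > send
```

Anything not signed by a key whose KEY RR name matches the updated name is refused under this policy, and the server logs the rejection like any other update-policy denial, which is the check to watch when rolling this out.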
