nsupdate -g always uses master from SOA to form SPN

Magnus Holmgren magnus.holmgren at millnet.se
Thu Aug 26 14:32:05 UTC 2021

When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the 
master server specified in the SOA record, rather than the server specified 
with the server command. Is that really correct behaviour, or should I report 
this as a bug? I've been scouring the Internet, but couldn't find any prior 
discussion about this particular situation.

The issue arises when employing a hidden primary, and the server in the SOA 
record is actually a secondary, which I though was a rather common setup. In 
this situation, the real primary has to be specified with the server command, 
and I thought the SPN should represent the service and server being 
communicated with. 

I can work around the problem by adding an SPN matching the SOA primary to 
Kerberos, but AFAIU, BIND can only be configured (tkey-gssapi-credential) to 
use a single SPN to look up keys in the keytab, so all the SPNs involved have 
to be aliases of each other, it seems.

Magnus Holmgren

Vid e-postkontakt med Millnet är det normalt att åtminstone vissa 
personuppgifter sparas om dig. Du kan läsa mer om vilka uppgifter som 
sparas och hur vi hanterar dem på https://www.millnet.se/integritetspolicy/ 

More information about the bind-users mailing list