patches to make bind9 with TKEY/GSS updates easier to configure

Michael Graff mgraff at
Fri Dec 3 18:48:05 UTC 2010

On 11/29/10 5:22 PM, Michael Graff wrote:

>>  4) I'd like to be able to set all these options on a per-zone
>>  basis. This is really where some guidance on the approach to patching
>>  is needed. If I move all the tkey-gssapi-* options to be per-zone,
>>  then should we deprecate the global ones? Or set the defaults for the
>>  per-zone ones based on the global ones? 

I believe this has been decided as a "too hard right now" thing?

>>  5) finally, I'd like to support calling out to an external helper for
>>  making dynamic update decisions. The bind daemon just doesn't have
>>  enough information to decide if a TKEY/GSSAPI update should be
>>  allowed. The correct calculation for Samba involves quite complex
>>  ACLs, which requires examining the complete NT token in the kerberos
>>  ticket. We work around this for now by dynamically generating a list
>>  of bind9 ACLs for domain controllers and then using rndc from Samba
>>  to tell bind9 to reload whenever this changes.

This has not yet been implemented either?  We can always insert it later.

The rest of the work you have done has been submitted for another ISC
person to review.  I'm quite happy with things, but I'm a manager now so
can't code by definition.  :)


More information about the bind-workers mailing list