patches to make bind9 with TKEY/GSS updates easier to configure

Love Hörnquist Åstrand lha at kth.se
Fri Dec 3 22:59:18 UTC 2010


On 3 Dec 2010, at 14:52, Andrew Bartlett wrote:

> On Fri, 2010-12-03 at 22:47 +0000, Love Hörnquist Åstrand wrote:
>> Hello tridge,
>> 
>>>> An alternative is to use the GSS_C_DELEG_POLICY_FLAG which only
>>>> delegates if the admin of the domain has said it's ok to delegate
>>>> to that host.
>>> 
>>> Would you recommend that we add it?
>>> 
>>> With my current patches the flags we're passing are:
>>> 
>>> GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG
>>> 
>> 
>> 
>> I would recommend what Microsoft sends + GSS_S_DELEG_POLICY_FLAG.
> 
> Thanks.  
> 
> Tridge,
> 
> I'm pretty sure we removed the ability to forward for a good reason
> however, so re-enabling this may expose other gremlins.  I guess we now
> need to look into and understand that better.


Note that I didn't propose GSS_C_DELEG_FLAG; the new flag GSS_C_DELEG_POLICY_FLAG will only delegate if the admin for the domain has approved delegation (i.e. set the ok-as-delegate ticket flag).

Love
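
The difference between the two flags discussed in this message, modelled as an added example (not code from BIND, from any GSS-API library, or from the thread). Flag values are those of RFC 2744 and RFC 5896; the name `TKT_OK_AS_DELEGATE` and both functions are hypothetical, and the rule that GSS_C_DELEG_FLAG wins when both flags are requested is an assumption of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* GSS-API request flags (RFC 2744; GSS_C_DELEG_POLICY_FLAG from RFC 5896). */
#define GSS_C_DELEG_FLAG        1u
#define GSS_C_MUTUAL_FLAG       2u
#define GSS_C_REPLAY_FLAG       4u
#define GSS_C_INTEG_FLAG        32u
#define GSS_C_DELEG_POLICY_FLAG 32768u

/* Kerberos ok-as-delegate ticket flag, bit 13 in RFC 4120 (local name). */
#define TKT_OK_AS_DELEGATE 0x00040000u

/* Model of the initiator's choice: are credentials forwarded to the acceptor? */
bool would_delegate(uint32_t req_flags, uint32_t ticket_flags)
{
    if (req_flags & GSS_C_DELEG_FLAG)
        return true;  /* unconditional: the domain's policy is never consulted */
    if (req_flags & GSS_C_DELEG_POLICY_FLAG)
        return (ticket_flags & TKT_OK_AS_DELEGATE) != 0;  /* admin approved host */
    return false;
}

/* Audit helper: can these flags delegate to a host the admin has not approved? */
bool delegates_without_policy(uint32_t req_flags)
{
    return would_delegate(req_flags, 0);
}

int main(void)
{
    /* The flag set quoted in the thread. */
    const uint32_t base = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
    const struct { const char *name; uint32_t flags; } cases[] = {
        { "base flags from the thread", base },
        { "base | DELEG_POLICY_FLAG",   base | GSS_C_DELEG_POLICY_FLAG },
        { "base | DELEG_FLAG",          base | GSS_C_DELEG_FLAG },
    };

    printf("%-28s %-12s %s\n", "req_flags", "not approved", "ok-as-delegate");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s %-12s %s\n", cases[i].name,
               would_delegate(cases[i].flags, 0) ? "delegates" : "no",
               would_delegate(cases[i].flags, TKT_OK_AS_DELEGATE) ? "delegates" : "no");
    return 0;
}
```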




More information about the bind-workers mailing list