patches to make bind9 with TKEY/GSS updates easier to configure

tridge at tridge at
Tue Nov 30 13:09:55 UTC 2010

Hi Michael,

I've put my first set of patches against 9.7.2-P2 here:

They are also in git here:;a=summary

The patches implement the tkey-gssapi-keytab option. When
tkey-gssapi-keytab is set, then you don't need to set
tkey-gssapi-credential or tkey-domain, and named will accept any
principal in the specified keytab.

If you don't specify a tkey-gssapi-keytab then the previous behaviour
will be kept, and you will need both tkey-gssapi-credential and
tkey-domain for TSIG-GSS to work.

There is also a patch to disable the GSS_C_DELEG_FLAG flag to
gss_init_sec_context() which causes problems unless you specifically
ask for a non-forwardable ticket at kinit time (I'll leave it up to
Andrew and Love to explain the details of that one if you want more

I've also added docs, and a simple tsiggss testsuite. The testsuite
uses prebuilt credential cache files to avoid the need for a KDC to be
running during the test. I've set up the ccache files to have a very
long lifetime, expiring in April 2036, which I hope is long enough for
bind9 testing. I tried for 100 years, but was bitten by the 32-bit
time_t problem.

There is one problem I haven't solved yet. The test triggers an assert
in named if I leave in the "-T clienttest" option in I'm
guessing this is some kind of memory tracer?

   01-Dec-2010 00:05:24.681 mem.c:1074: INSIST((((ctx->debuglist[i]).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed, back trace

valgrind doesn't show any problems, but perhaps I've leaked some
memory somewhere?

If you have any suggestions on finding this bug that would be

Cheers, Tridge
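To make the two configurations described in the mail concrete, here is an added named.conf example (not part of the original message or of the patch set) showing the old style, which needs both tkey-gssapi-credential and tkey-domain, next to the new style, where tkey-gssapi-keytab alone is enough and named accepts any principal found in that keytab. The keytab path, hostname, realm and zone name are assumptions; the update-policy block is the standard BIND 9 mechanism that consumes the GSS-TSIG identity and is included here only to show where the authenticated principal ends up being checked.

```conf
// --- Old style: explicit credential plus realm (pre-patch behaviour) ---
// Both options are required; named only acquires the one named principal.
options {
    // assumed principal name; must exist in the default keytab
    tkey-gssapi-credential "DNS/ns1.example.com";
    // assumed Kerberos realm
    tkey-domain "EXAMPLE.COM";
};

// --- New style: point named at a keytab (behaviour added by the patches) ---
// Neither tkey-gssapi-credential nor tkey-domain is needed; any principal
// present in the keytab can be used to accept a GSS-TSIG negotiation.
options {
    // assumed path; keep it readable by the named user only
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// In either style the negotiated identity is what update-policy sees.
// This zone (assumed name) only lets a host update its own A/AAAA records,
// so a successfully authenticated principal still gets the least privilege
// the zone grants it rather than blanket update rights.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    update-policy {
        grant EXAMPLE.COM krb5-self . A AAAA;
    };
};
```

The security-relevant difference is scope: with tkey-gssapi-keytab, every principal in the keytab becomes an acceptable server identity, so the keytab's contents and file permissions define who named will negotiate with, and the update-policy rules remain the place where per-client authorization is enforced.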
