On 06/11/10 02:51, John Marshall wrote:
BIND 9.7.1rc1
FreeBSD 8.1-PRERELEASE
I've just stepped into the world of nsupdate (instead of doing the
freeze/edit/thaw dance). I have had success using TSIG (nsupdate -k)
but I would like to use TKEY-GSS (nsupdate -g). When I try to do that,
nsupdate dumps core.
$ /usr/bin/nsupdate -g -d
> prereq nxdomain rwpc12.mby.riverwillow.net.au.
>
Reply from SOA query:
--------<snip>--------
Found zone name: mby.riverwillow.net.au
The master is: ns1.mby.riverwillow.net.au
start_gssrequest
nsupdate: Failed to generate random block
Abort trap (core dumped)
I suspect the operating system at this point but want to build BIND
against separate gssapi_krb5 and OpenSSL libraries in order to isolate
the problem.
Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
Telling configure --with-gssapi=/usr/local makes all the right kind of
impressions on config.log, but the linker still ends up using the
operating system's gssapi libraries under /usr/lib. Is there something
else I need to do to nudge BIND in the direction of libgssapi_krb5 in
/usr/local ?
Until now I've never built BIND with gssapi, so I'm prepared to be told
I've missed something basic.
John,
Don't worry, you haven't. There is a thread on
freebsd-secur...@freebsd.org atm about the wacky state of our base
system kerberos, and unfortunately my understanding is that simply
installing kerberos from ports doesn't help much.
I don't want to get too deep in the weeds on FreeBSD-specific stuff
here, so you may want to follow up on -security for that stuff. I do
want to leave the door open however for anyone to comment on
BIND-specific issues with the configure script.
FYI, there is also
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests
that installing cyrus-sasl2 rather than kerberos from ports may be the
right way to go. I haven't even started evaluating that patch yet, but
perhaps someone on this list who has implemented GSS-TSIG could comment?
Personally I loathe kerberos almost as much as windows, so I haven't
exactly been eager to dive into this, but because there is user demand
for it I would like to get up to speed so this seems as good a time as any.
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
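John's report that configure --with-gssapi=/usr/local "makes all the right kind of impressions on config.log" while the linker still resolves the base-system gssapi under /usr/lib is exactly the situation where you want to check the finished binary rather than trust the configure output. The following is an added example, not code from the thread or from BIND: a small POSIX sh helper that reads ldd-style output for a built nsupdate and reports whether each gssapi/krb5 shared object came from the base system (/usr/lib), from ports (/usr/local/lib), or from somewhere else. The ldd lines embedded below are constructed for offline demonstration; on a real build you would pipe `ldd /path/to/nsupdate` into it.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a binary's gssapi/krb5
# libraries actually resolve at run time, so a --with-gssapi=/usr/local build
# that silently linked /usr/lib is caught before deployment.

# Read ldd-style lines ("libX.so.N => /path/libX.so.N (0x...)") on stdin and
# print "<origin> <path>" for every gssapi or krb5 library found, where origin
# is "base" (/usr/lib), "ports" (/usr/local/lib), "missing" (not found) or
# "other".
gssapi_origin() {
    awk '
        /libgssapi|libkrb5/ {
            path = $3
            origin = "other"
            if (path !~ /^\//)                       origin = "missing"
            else if (path ~ /^\/usr\/lib\//)         origin = "base"
            else if (path ~ /^\/usr\/local\/lib\//)  origin = "ports"
            printf "%s %s\n", origin, path
        }'
}

# Succeed only if no gssapi/krb5 library was taken from the base system;
# this is the check to run after a build meant to use the ports kerberos.
assert_ports_gssapi() {
    ! gssapi_origin | grep -q '^base '
}

# Constructed ldd output: the failure mode John describes (base-system
# gssapi pulled in even though OpenSSL came from /usr/local).
SAMPLE_BASE='libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800a00000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800c00000)
libcrypto.so.6 => /usr/local/lib/libcrypto.so.6 (0x800e00000)'

# Constructed ldd output: the intended outcome, kerberos resolved from ports.
SAMPLE_PORTS='libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x800a00000)
libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x800c00000)
libcrypto.so.6 => /usr/local/lib/libcrypto.so.6 (0x800e00000)'

# Demonstration on the constructed samples; on a real system replace the
# printf with: ldd /usr/local/sbin/nsupdate
printf '%s\n' "$SAMPLE_BASE" | gssapi_origin
printf '%s\n' "$SAMPLE_PORTS" | gssapi_origin
```

The point of splitting the classifier from the assertion is that the first is useful interactively (it shows you every candidate library and where it came from), while the second is what you would drop into a build script to fail fast when the base-system gssapi has crept back in despite the configure flags.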