John, I always make my own krb5.conf file. Which krb bits in DNS are you talking about?
Sent from my iPhone

> On 04/06/2015, at 19:50, John Marshall <john.marsh...@riverwillow.com.au> wrote:
>
> Chiming in to provide moral support due to lack of replies...
>
>> On 04/06/2015 06:44, Doug Barton wrote:
>> Reading through manuals, HOWTOs, etc. online it SEEMS possible that
>> BIND 9.8+ could be configured to use multiple KSPs.
>
> No experience to share with multiple KSPs/REALMS. Sorry :-(
>
>> What I'd like to do instead is to use the tkey-gssapi-keytab option
>> to specify just the keytab file.
>
> but I can confirm that this works. I like to use service-specific
> keytabs, so I have the following as the ONLY 'tkey' statement in our
> master server's named.conf (currently BIND 9.10.2).
>
> options {
>     ...
>     tkey-gssapi-keytab "/path/to/bind.keytab";
> };
>
> and then work happily with 'nsupdate -g' from a client with an
> authorized UPN in the ACL for relevant zones.
>
> No krb5.conf on the server in this case: just all the right krb bits in DNS.
>
> I don't have time to mess with setting up and testing a second realm but
> I just tried adding an alias (AAAA) record for the master server in a
> different domain (same realm) and adding a DNS/ service principal for
> that name to the KDC and to BIND's keytab on the server. I specified
>
>> server alias.name.
>
> in nsupdate but the client still picked up the original service
> principal (even after restarting BIND). I haven't looked at the code but
> I'm guessing the service principal selected may be tied to the server
> name 'options {hostname}' or something similar. Perhaps same domain
> names in different realms might work?
>
> --
> John Marshall
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
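A pre-flight check for the setup John describes, added here as an example (not code from the thread or from ISC): before pointing `nsupdate -g` at a server name, confirm the BIND keytab named by `tkey-gssapi-keytab` actually holds a `DNS/<name>@<REALM>` entry for that name. The `klist -k` listing, the hostnames and the realm `EXAMPLE.COM` below are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of 'klist -k /path/to/bind.keytab' output (not a real keytab).
# Duplicate entries are normal: one line per encryption type.
SAMPLE_KLIST='Keytab name: FILE:/path/to/bind.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/ns1.example.com@EXAMPLE.COM
   3 DNS/ns1.example.com@EXAMPLE.COM
   2 DNS/alias.example.net@EXAMPLE.COM'

# Print the distinct DNS/ service principals in a klist -k listing read from stdin.
# Data lines look like "   3 DNS/host@REALM": field 1 is the KVNO, field 2 the principal.
dns_principals() {
    awk '$2 ~ /^DNS\// { print $2 }' | sort -u
}

# Succeed if the listing on stdin contains exactly DNS/<host>@<realm>.
keytab_has_dns_principal() {
    host=$1; realm=$2
    dns_principals | grep -qxF "DNS/${host}@${realm}"
}

# Check every name a client might pass to nsupdate via 'server <name>'
# against the sample keytab; prints one OK/MISSING line per name.
check_names() {
    realm=$1; shift
    for name in "$@"; do
        if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_dns_principal "$name" "$realm"; then
            echo "OK      DNS/${name}@${realm}"
        else
            echo "MISSING DNS/${name}@${realm}"
        fi
    done
}
```

On a real server replace `SAMPLE_KLIST` with the output of `klist -k` on the keytab named in `tkey-gssapi-keytab`; a MISSING line means clients using that server name cannot obtain a ticket for it regardless of what is in the KDC.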