On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to allow hosts to authenticate updates to the DNS for their own records.
I'm not quite following. Do you mean that you can allow hosts to update their own RRs without requiring AD and using SIG(0) as an alternative?
Or are you saying forego AD (and Kerberos) and use SIG(0) instead? #confused
> Instead of registering a host with AD you add a KEY record into the DNS which has the public key of the host which is to be used to sign the UPDATE requests.
If you're using AD for (presumably) Windows networking (and all that entails) you very likely want the workstations to be registered with AD. The machine trust accounts are pertinent to AD's operation and the workstation's ability to access AD resources when users aren't logged in.
#stillConfused
> Unfortunately OS developers have been asleep at the wheel by not adding support for this to their products.
I'm seeing more and more references to SIG(0) in the last couple of weeks. I think I need to refresh myself on it.
-- Grant. . . . unix || die
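For readers who, like Grant, want to see what Mark's suggestion looks like in practice, here is an added configuration example (not from the thread and not Mark's or Grant's code): a BIND named.conf zone stanza that lets a host update only its own A/AAAA records, authenticated with a SIG(0)-signed UPDATE verified against a KEY record published at the host's own name. host.example.com, ns1.example.com, 192.0.2.10 and the key tag are placeholders.

```conf
// named.conf fragment (added example): one host may update only its own
// A/AAAA records, proven by a SIG(0) signature instead of an AD/Kerberos
// (GSS-TSIG) machine account. Generate the host's key pair with:
//   dnssec-keygen -T KEY -a RSASHA256 -b 2048 -n HOST host.example.com.
// which writes Khost.example.com.+008+<tag>.key (the public KEY RR to publish)
// and Khost.example.com.+008+<tag>.private (stays on the host, used by nsupdate).
zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        // identity = owner name of the KEY RR that signed the request;
        // "self" restricts it to records at that same name, and the type
        // list stops it from touching e.g. the zone's NS or MX records.
        grant host.example.com. self host.example.com. A AAAA;
    };
};

// The public half must exist in the zone so named can verify the signature.
// Paste the .key file's contents into example.com.zone (flags 512 = host key,
// protocol 3, algorithm 8 = RSASHA256):
//
//   host.example.com. IN KEY 512 3 8 <base64 public key from the .key file>
//
// On the host, the update is signed with the private key file:
//
//   nsupdate -k Khost.example.com.+008+<tag>.private <<EOF
//   server ns1.example.com.
//   zone example.com.
//   update delete host.example.com. A
//   update add host.example.com. 300 A 192.0.2.10
//   send
//   EOF
```

An UPDATE signed with any other key, or one that touches a name other than host.example.com., is refused by the policy, which is the per-host authorization Mark describes without any dependency on AD.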