Four things must be done to allow Bind 9 to support GSS-TKEY:
* kinit must work on the host which will run BIND 9. This means
krb5.conf must be properly configured with the realm and
locations of the Kerberos servers.
* Bind 9 must be compiled with GSSAPI enabled.
* Bind 9
At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
>
> Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
The error suggests that you don't really have GSSAPI enabled
(dst_gssapi_acquirecred() returns that error when called with GSSAPI
support disabled). Check your build l
At Tue, 30 Dec 2008 16:05:10 +0100, Nico De Ranter wrote:
>
> update-policy {
> grant TEST.NET krb5-subdomain * A;
> };
Microsoft invented their own naming scheme for host principals
("machi...@realm" instead of "host/mach...@realm").
Try "ms-subdomain
No obvious reason why it shouldn't work with ms-subdomain.
Next step is probably a protocol trace to see what's happening on the
wire. wireshark/tshark is pretty good for this kind of analysis.
Probably best to run named with -g while you're doing the trace and
capture the output as well (if you
At Wed, 07 Jan 2009 09:51:07 +1000, Da Rock wrote:
>
> I'm trying to find some more clarification on how to use kerberos for
> dnssec. I thought it may have been possible a while ago, was told there
> was only tsig, then found a reference to it in the Administrators guide.
>
> I've been trying to
At Thu, 8 Jan 2009 09:10:42 -0500, David Coulthart wrote:
>
> Would someone be able to provide some more details as to what
> particular configurations of BIND this affects? My interpretation is
> it only impacts recursive nameservers that have DNSSEC validation
> enabled.
And not even all
At Mon, 9 Feb 2009 20:11:20 -0500, Peter Fraser wrote:
>
> Hi All
> I have been working to get dynamic updates working with bind-9.5 and
> FreeBSD 7. So far I have done the following:
>
> 1. Compiled bind with GSSAPI enabled.
> 2. Added these to named.conf
>
> options {
>...
> tke
At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
>
> I was wondering if it is possible to use the tkey-gssapi-credential
> and update-policy on a Windows install of bind. It strikes me that
> running bind on a Windows server, snapped into the AD it will serve
> DNS to, should be the ea
At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:
>
> Does anyone have instructions on how to setup a Linux bind server to
> use GSS-TSIG against an AD? I have found many articles from people
> having issues with it but none that had good instructions on how to
> get it working. Last ye
Sorry, I spent most of the last two weeks locked in a conference room
and mostly off net, still catching up.
At Mon, 27 Sep 2010 07:54:54 -0600, Nicholas F Miller wrote:
>
> DNS Standard query TKEY
> 472-ms-7.32-1772bef1.ddfb6613-c726-11df-dfa0-005056a22c3e
>Queries
>472-ms-7.32-1772
At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote:
>
> It is interesting, when I try an update from a client all I get are
> denies. When I try an update using nsupdate -g from the DNS server I
> will get a REFUSED but I will also get a DNS/h...@domain kerb ticket
> from the keytab.
It m
If you're trying to grant update rights to a specific machine (rather
than every machine in the realm), something like:
grant d...@realm. subdomain dnsname.;
might work better, where "d...@realm" is (eg) the Kerberos principal
corresponding to your DC and "dnsname" is the tree to which you want
At Tue, 5 Oct 2010 09:19:49 -0400, Atkins, Brian (GD/VA-NSOC) wrote:
>
> I asked a similar question 2 weeks ago and got a non-response (e.g., a
> response with no real information).
>
> From what I've read, everyone seems to frown on over-riding cache times,
> but I haven't seen any specifics as
At Tue, 5 Oct 2010 10:45:04 -0400, Nicholas Wheeler wrote:
>
> I think Brian's OP was about a max-ttl override ... Which is the
> opposite. The only disadvantages I see is a potential waste of
> bandwidth (and it violates the protocol).
max-ttl is (very) different from min-ttl. max-ttl might (or
At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote:
>
> It looks like I am a little dim today. Given gpg and the key, what steps
> do I do to verify a source package?
General case:
$ gpg --verify sigfile tarball
Eg:
$ gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz
At Tue, 26 May 2009 15:12:15 +0200, Adam Tkac wrote:
>
> has PGP key been changed?
Yes.
> Current ISC key located on http://oldwww.isc.org/about/openpgp/pgpkey2006.txt
> has different ID - 1BC91E6C.
>
> Would it be possible to publish updated PGP key, please?
Sigh.
The new key is in the world
At Wed, 24 Jun 2009 18:23:52 +, Evan Hunt wrote:
>
> On Wed, Jun 24, 2009 at 05:45:33PM +0200, holger.zule...@arcor.net wrote:
> > I have some issues with dnssec-signzone under BIND 9.7.0a1.
> >
> > I'm using different algorithms for key- and zone signing keys.
>
> You can use multiple algor