GSS-TSIG updates with multiple KSPs on the same BIND server?
Doug Barton
dougb at dougbarton.us
Wed Jun 3 20:44:28 UTC 2015
Folks,
Reading through manuals, HOWTOs, etc. on line it SEEMS possible that
BIND 9.8+ could be configured to use multiple KSPs. The traditional way
of configuring GSS-TSIG is the following in options{}:
tkey-domain "FOO.BAR";
tkey-gssapi-credential "DNS/dns1.foo.bar";
However that configuration restricts the server to use only that one
KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option
to specify just the keytab file. According to the 9.9.5 ARM:
tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If
this option is set and tkey-gssapi-credential is not set, then updates
will be allowed with any key matching a principal in the specified keytab.
I'm assuming that if I get the [realms] and [domain_realms] configured
correctly in my krb5.conf file that I would be good to go, but I am far
from an expert on Kerberos, and while using a single KSP works fine, I
haven't yet created a test environment for using multiple KSPs. So
before I do that I thought I would ask if what I want to do is even
possible, and if so where the landmines are.
In case it's not clear, the use case here is to be able to use the same
BIND instance as master for multiple AD realms that do not have an
existing trust relationship.
Thanks,
Doug
--
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150603/e6c71e83/attachment.bin>
More information about the bind-users
mailing list