nsupdate -g always uses master from SOA to form SPN
Magnus Holmgren
magnus.holmgren at millnet.se
Thu Aug 26 14:32:05 UTC 2021
When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
master server specified in the SOA record, rather than the server specified
with the server command. Is that really correct behaviour, or should I report
this as a bug? I've been scouring the Internet, but couldn't find any prior
discussion about this particular situation.
The issue arises when employing a hidden primary, and the server in the SOA
record is actually a secondary, which I though was a rather common setup. In
this situation, the real primary has to be specified with the server command,
and I thought the SPN should represent the service and server being
communicated with.
I can work around the problem by adding an SPN matching the SOA primary to
Kerberos, but AFAIU, BIND can only be configured (tkey-gssapi-credential) to
use a single SPN to look up keys in the keytab, so all the SPNs involved have
to be aliases of each other, it seems.
--
Magnus Holmgren
MILLNET AB
--
Vid e-postkontakt med Millnet är det normalt att åtminstone vissa
personuppgifter sparas om dig. Du kan läsa mer om vilka uppgifter som
sparas och hur vi hanterar dem på https://www.millnet.se/integritetspolicy/
<https://www.millnet.se/integritetspolicy/>.
More information about the bind-users
mailing list