BIND 9: Easier GSS-TKEY configuration

ISC has been working with Tridge from the Samba team to make it easier to configure BIND 9 to use GSS-TKEY. GSS-TKEY is used to allow Windows clients to securely update DNS zones using dynamic DNS, primarily in an Active Directory environment.

These changes may be coming as early as BIND 9.8.0, which is scheduled to be released in late January, 2011. They were proposed and written by the Samba team in order to more easily integrate BIND 9 with Samba 4.

The first change allows for automatic configuration of many GSSAPI configuration parameters which previously had to be specified in tkey-gssapi-credential and tkey-domain.

Now, all you must do is point the tkey-gssapi-keytab option to the Kerberos 5 keytab which contains the credentials the server has access to. This will cause the Kerberos 5 keytab to be searched for the appropriate match based upon the client’s request.

This change also means named does not rely on system environment settings such as KEYTAB_FILE or KRB5_KTNAME. Putting the keytab name in the configuration file makes it easier to reliably start named from system startup scripts and manually, and do so consistently.

Another upcoming change is to prevent performing tests on the Kerberos 5 KDC (key distribution center) during named startup. Doing these tests caused an artificial system startup requirement where the KDC must be running for BIND to start, but the KDC may rely on DNS queries to start.

With this change in place, BIND will only need the KDC to be operational during the authentication phase rather than at all times. This change only affects automatic configurations, so previous behavior is unchanged.


Leave a reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Protected with IP Blacklist CloudIP Blacklist Cloud

What is 14 + 6 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)