ISC has been working with Tridge from the Samba team to make it easier to configure BIND 9 to use GSS-TKEY. GSS-TKEY is used to allow Windows clients to securely update DNS zones using dynamic DNS, primarily in an Active Directory environment.
These changes may be coming as early as BIND 9.8.0, which is scheduled to be released in late January, 2011. They were proposed and written by the Samba team in order to more easily integrate BIND 9 with Samba 4.
The first change allows for automatic configuration of many GSSAPI configuration parameters which previously had to be specified in
Now, all you must do is point the
tkey-gssapi-keytab option to the Kerberos 5 keytab which contains the credentials the server has access to. This will cause the Kerberos 5 keytab to be searched for the appropriate match based upon the client’s request.
This change also means named does not rely on system environment settings such as KEYTAB_FILE or KRB5_KTNAME. Putting the keytab name in the configuration file makes it easier to reliably start named from system startup scripts and manually, and do so consistently.
Another upcoming change is to prevent performing tests on the Kerberos 5 KDC (key distribution center) during named startup. Doing these tests caused an artificial system startup requirement where the KDC must be running for BIND to start, but the KDC may rely on DNS queries to start.
With this change in place, BIND will only need the KDC to be operational during the authentication phase rather than at all times. This change only affects automatic configurations, so previous behavior is unchanged.