tkey-gssapi-credential

Rob Austein sra at isc.org
Fri Sep 17 18:54:08 UTC 2010


At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
> 
> I was wondering if it is possible to use the tkey-gssapi-credential
> and update-policy on a Windows install of bind. It strikes me that
> running bind on a Windows server, snapped into the AD it will serve
> DNS to, should be the easiest way of getting DDNS with update-policy
> control working.

It would be, except for one small problem: the Windows native Kerberos
doesn't support GSS-API (or didn't, when last I checked); instead it
supports some similar-but-different Microsoft proprietary API whose
name has temporarily escaped my memory.  So either we would have to
hack Windows-specific code here to use Microsoft's API, or we would
have to get a Unix-style Kerberos library working on Windows.

We spent an insane amount of time banging our heads against the latter
approach, but never got it to work, for reasons that never made a lot
of sense (e.g., linking against precompiled MIT Kerberos binaries
resulted in binaries that worked fine for everything but GSS-TSIG but
failed silently for that; attempting to build MIT Kerberos for Windows
from source resulted in Kerberos code that couldn't even kinit; and
nobody on the MIT Kerberos project could tell us why).  We eventually
gave up, because we had deadlines to meet and this configuration
(BIND9 running GSS-TSIG on Windows) wasn't on our critical feature
list.

> Am I nuts? Should I just install it on a Linux box and be done?

Yes, unless you (or some other brave soul) have the time and energy to
get this working on Windows, in which case please tell us what you did
(and I will stand you a beer if we ever meet...).
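
For the Linux deployment the reply recommends, the following is an added
configuration example (not from the original post, and not ISC's own
sample) showing the two options the question asks about working together:
tkey-gssapi-credential to accept GSS-TSIG, and update-policy to restrict
each Kerberos identity to the names it may change.  The realm
EXAMPLE.COM, the server ns1.example.com, the zone example.com, the file
paths and the DHCP service principal are all assumptions for illustration.

```conf
// Added example, not from the original post or from ISC: a minimal
// named.conf fragment for GSS-TSIG-controlled dynamic updates on Linux.
// Assumed names: realm EXAMPLE.COM, server ns1.example.com, zone
// example.com, a DHCP service principal; adjust to your environment.
//
// named needs a keytab containing DNS/ns1.example.com@EXAMPLE.COM.  With
// BIND 9.7 point named at it through the KRB5_KTNAME environment variable
// of the named process (later releases add a tkey-gssapi-keytab option).

options {
    directory "/var/named";

    // Service principal named presents when negotiating TKEY/GSS-TSIG.
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Authorization is by authenticated Kerberos identity, not by
    // source address; do not also set allow-update on this zone.
    update-policy {
        // AD-joined Windows machines (MACHINE$@EXAMPLE.COM) may update
        // only their own A/AAAA records, i.e. machine.example.com.
        grant "EXAMPLE.COM" ms-self example.com. A AAAA;

        // Unix hosts holding host/fqdn@EXAMPLE.COM principals: same rule.
        grant "EXAMPLE.COM" krb5-self example.com. A AAAA;

        // One specific service principal (assumed name) may manage any
        // A record under the zone, e.g. a DHCP server registering leases.
        grant "DHCP/dhcp.example.com@EXAMPLE.COM" subdomain example.com. A;
    };
};
```

Validate the file with named-checkconf before reloading.  To verify the
policy from a joined client, obtain a ticket for that client's own
machine or host principal (kinit), run nsupdate -g, and add a record for
the client's own name; then repeat for a different host's name, which
should come back REFUSED.  That second, failing update is the check worth
keeping in a runbook: it confirms the policy really scopes each identity
rather than merely requiring a valid ticket.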
