
GSS-TSIG support in BIND 9.5


Madhavi Phanse
Jan 3, 2008, 9:04:13 AM
Hi,

I have a few queries about the GSS-TSIG support in BIND 9.5.
To enable named to work with this support, do you need to specify the GSS key for the zone as below?

key my-gss-key {
    algorithm gss-tsig;
    secret "sjkgoeto..";
};

zone "example.com" {
    ..
    ..
    allow-update { key my-gss-key; };
};

How do you generate the gss-tsig key in that case?
Is there any tool available to generate a gss-tsig key like dnssec-tsig?

Or do you specify the /etc/key.tab file in place of zone key above? How is the key expiration handled in that case?

If this is not the right way to specify the GSS-TSIG algorithm, can you correct me?

Thanks in advance,
Madhavi


Adam Tkac
Jan 3, 2008, 9:15:59 AM

This is the general procedure to get it working:

- configure kerberos KDC with named and user principals
- principal D...@fqdn.of.your.server for named
- export named principal to keytab file and put it to DNS machine
- in named.conf specify tkey-domain, tkey-gssapi-credential and
correct update-policy options (see
http://www.isc.org/index.pl?/sw/bind/arm95/ for details)

- on client machine obtain client credential via kinit
- use nsupdate -g for update

Adam

--
Adam Tkac, Red Hat, Inc.
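A minimal named.conf fragment for the server side of the procedure above, added here as an illustration and not taken from the thread or from ISC's documentation: the realm EXAMPLE.COM, the server name ns1.example.com, the zone file name and the directory are assumptions, and the update-policy rule uses the krb5-self nametype described in the BIND ARM linked above.

```conf
// Server side: named.conf on ns1.example.com (all names assumed).
// named proves its identity to GSS-TSIG clients with the Kerberos key of
// its own principal, which it reads from the keytab exported from the KDC.

options {
    directory "/var/named";

    // Kerberos realm used when a client negotiates a TKEY with named.
    tkey-domain "EXAMPLE.COM";

    // Principal whose key named looks up in the keytab; it must match the
    // principal created for this server on the KDC.
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "example.com.zone";

    // No static TSIG key is configured: the per-client key is negotiated
    // at runtime via TKEY, so update-policy (rather than allow-update with
    // a fixed key) decides what an authenticated principal may change.
    update-policy {
        // host/client.example.com@EXAMPLE.COM may update only its own
        // A and AAAA records; anything else from that principal is refused.
        grant EXAMPLE.COM krb5-self . A AAAA;
    };
};
```

On the client, kinit with the machine or user principal and then run nsupdate -g with the usual server/zone/update add/send commands; a capture of port 53 traffic shows the TKEY exchange preceding the TSIG-signed UPDATE, which is the kind of check suggested later in the thread.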


Madhavi Phanse
Jan 24, 2008, 10:27:47 PM

Is there any tool to test the secure queries with the gss mechanism?

Nslookup in windows has only basic operations.
"dig" tool supports the DNSSEC but not the gss mechanism.

Thanks again,
Madhavi


Adam Tkac
Jan 25, 2008, 5:58:26 AM
On Thu, Jan 24, 2008 at 08:27:47PM -0700, Madhavi Phanse wrote:
>
> Is there any tool to test the secure queries with gss mechanism?

I'm not sure what you mean with "query". As far as I know bind
supports only DDNS updates secured by GSS mechanism, not queries.

>
> Nslookup in windows has only basic operations.
> "dig" tool supports the DNSSEC but not the gss mechanism.

You can capture network traces, with tcpdump for example, and see what
is sent, or increase logging and look at the logs.

Danny Mayer
Jan 26, 2008, 9:31:46 PM
Adam Tkac wrote:
> On Thu, Jan 24, 2008 at 08:27:47PM -0700, Madhavi Phanse wrote:
>> Is there any tool to test the secure queries with gss mechanism?
>
> I'm not sure what you mean with "query". As far as I know bind
> supports only DDNS updates secured by GSS mechanism, not queries.
>

Try nsupdate.

Danny

