Kerberos dynamic DNS and the internal DNS server

Kai Blin kai at
Wed Dec 28 00:34:23 MST 2011


On 2011-12-28 02:57, Andrew Bartlett wrote:

> I can't see any support for Kerberos authentication of dynamic DNS
> updates. We cannot turn on the DNS server until that is sorted
> out.

Why? I mean of course I'm planning to support Kerberos authentication
for the internal DNS, but why is this a hard requirement for allowing
people to turn on this thing? BIND DLZ was activatable before it could
do GSS-TSIG. I'm not even talking about making the internal server the
default, just that if people provision the internal backend, we add
the appropriate line to smb.conf.

> Naturally, I'm happy to help or provide advice in implementing that
> against GENSEC.

I haven't actually looked into how the key negotiation works and what
keys are used.

> (I also think that once we have GSS-TSIG, we should always require
> it and the 'allow dns updates' option you added should be
> removed).

That sounds like the Gnome3 way of thinking, and I don't like the "we
know better than our users, let's decide for them" approach. I'm all
for having the default setting be "always require GSS-TSIG", but why
take away people's ability to completely allow or disallow updates?

Anyway, if everybody keeps telling people to not use the internal DNS
until it's tested, and does have all sorts of extra features, it'll
never get tested. I know it's still missing features, but currently
it's only me working on this thing and I do have a day job.


-- 
Kai Blin
Worldforge developer
Wine developer
Samba team member

