[Samba] SAMBA4 + BIND DLZ/DNSSEC + ISCDHCP

Andrew Bartlett abartlet at samba.org
Fri Sep 18 20:06:31 UTC 2015


On Sat, 2015-09-12 at 21:24 +0200, Jan Dušátko wrote:
> Hi,
> please, could someone give me some advice about integrating those
> together?
> 
> SAMBA4 in Active Directory server mode (this needs the internal LDAP)
> BIND with DLZ, used to store the DNS data, but using DNSSEC (hash-based
> authentication for the data updates)
> ISCDHCP with DNS authentication (hash-based)
> 
> For a few months I have been trying to find a solution for combining all of
> them, but it seems I have failed. I didn't find information on how I can use
> BIND with DLZ and also use DNSSEC (I need these in the configuration):
>     options {
>           ...
>           dnssec-enable yes;
>           dnssec-validation yes;
>           managed-keys-directory "/etc/named/dynamic/";
>     }
>     include "/etc/namedb/ddns.key";
>     managed-keys {
>           "." initial-key 257 3 8 "AwEAAag....1ihz0=";
>     }
>     trusted-keys {
>         // backward compatibility
>          "." 257 3 8 "AwEAAag....1ihz0=";
>     }
>     ...
> 
> The ddns.key should contain:
> key DDNS_UPDATE {
>         algorithm HMAC-???.SIG-ALG.REG.INT;
>         secret "...==";
> };
> 
> The ISC-DHCP server configuration should contain these clauses:
>     ...
>     ddns-updates on;
>     ddns-update-style interim;
>     allow unknown-clients;
>     ignore client-updates;
>     update-static-leases on;
>     one-lease-per-client true;
>     include "/etc/namedb/ddns.key";
>     ...
> 
> Coexistence of BIND DLZ and DNSSEC together with ISCDHCP works well, as
> does coexistence of BIND DLZ and SAMBA4. But integrating all of them is
> too hard for me; maybe I am overlooking something.
> 
> Any advice please?

The update from ISCDHCP needs to be via a GSSAPI TSIG-GSS ticket, not via
the static keys method. (That said, patches to make this work and do the
update as 'system' or such are most welcome; this really should be
easier.)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
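As an added example, not part of this thread, the following shell hook does what Andrew's reply asks for: it authenticates to the Samba AD DC with a Kerberos keytab and pushes the A and PTR records for a DHCP lease through GSS-TSIG (`nsupdate -g`) instead of a static TSIG key. The realm, zone, DC name, keytab path and principal are constructed assumptions and must be replaced for a real deployment.

```shell
#!/bin/bash
# GSS-TSIG dynamic DNS update for a DHCP lease (added example, not Samba
# or ISC code). All site values below are constructed assumptions.
set -u

REALM="EXAMPLE.COM"                 # assumed Kerberos realm
ZONE="example.com"                  # assumed forward zone held by Samba
DNS_SERVER="dc1.example.com"        # assumed Samba AD DC running BIND DLZ
KEYTAB="/etc/dhcpduser.keytab"      # assumed keytab for the DHCP principal
PRINCIPAL="dhcpduser@${REALM}"      # assumed AD account allowed to update DNS
TTL=3600

# Reverse-map a dotted-quad IPv4 address to its in-addr.arpa PTR owner name.
ptr_name() {
  local IFS=.
  set -- $1
  printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate batch for "add" or "delete" of the host's A and PTR
# records. The existing RRsets are deleted first so a client that moves
# between addresses does not accumulate stale records.
build_update() {
  local action=$1 host=$2 ip=$3
  local fqdn="${host}.${ZONE}" ptr
  ptr=$(ptr_name "$ip")
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s A\n' "$fqdn"
  printf 'update delete %s PTR\n' "$ptr"
  if [ "$action" = add ]; then
    printf 'update add %s %d A %s\n' "$fqdn" "$TTL" "$ip"
    printf 'update add %s %d PTR %s\n' "$ptr" "$TTL" "$fqdn"
  fi
  printf 'send\n'
}

# Obtain a ticket from the keytab and hand the batch to nsupdate in
# GSS-TSIG mode; no shared secret is stored in dhcpd.conf or named.conf.
apply_update() {
  kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
  build_update "$@" | nsupdate -g
}

# Command line: <script> add|delete <hostname> <ipv4>
if [ "${1:-}" = add ] || [ "${1:-}" = delete ]; then
  apply_update "$1" "$2" "$3"
fi
```

The script is meant to be invoked from an `on commit { ... execute(...); }` block in dhcpd.conf with the lease's hostname and address as arguments; the Kerberos credential cache replaces the `ddns.key` include from the original post.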
