[Samba] Samba Bind DLZ and Zone signing

Sami Hulkko sahulkko at gmail.com
Sun Dec 10 19:32:46 UTC 2023


Hi,

The Kerberos key is for user-to-host auth and verification. It does not
authenticate the host origin like DNSSEC does. Are you really an IT
professional or? That is basic stuff.

SH

On 10/12/2023 21.24, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:04:08 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> One can use ssh verification of hosts with DNS provided HOST KEY (the
>> one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for host) that
>> requires DNSSEC zone signing. It is recommended practice to
>> authenticate SSH hosts to clients and preferred over more complex
>> SSL Certificate method. A secure signed zone is a prerequisite for SSH to
>> approve the host ID provided by DNS.
>>
>> SH
>>
>> On 10/12/2023 18.50, Rowland Penny via samba wrote:
>>> On Sun, 10 Dec 2023 17:23:19 +0200
>>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there any way of signing the zones with a zone-signing key? How
>>>> would one add a zone-signing key and a key-signing key to the DLZ
>>>> database? The Windows 11 Pro RSAT tool for nameserver does not accept
>>>> key addition and states unauthorized.
>>>>
>>> I think you need to explain what you are trying to achieve. As far
>>> as I am aware, Windows clients can update their own dns records in
>>> AD and Unix clients need to use Kerberos. So just what are you
>>> trying to do and why?
>>>
>>> Rowland
>>>
>>>
> You can also use the user's Kerberos key for SSH.
> As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC, Samba
> uses the dns.keytab.
>
> Rowland
>
-- 
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919



