[Samba] Samba Bind DLZ and Zone signing
Sami Hulkko
sahulkko at gmail.com
Sun Dec 10 20:02:41 UTC 2023
And there are preferences of not having to roll down the whole mail
thread and getting the info at once referencing it by oneself from
underneath thread of mails.
SH
On 10/12/2023 21.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:32:46 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> Kerberos key is for user to host auth and verification. It does not
>> authenticate the host origin like DNSSEC does. You really IT
>> professional or? That is basic stuff.
> Not top posting is pretty basic as well.
>
>> SH
>>
>> On 10/12/2023 21.24, Rowland Penny via samba wrote:
>>> On Sun, 10 Dec 2023 21:04:08 +0200
>>> Sami Hulkko <sahulkko at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> One can use ssh verification of hosts with DNS provided HOST KEY
>>>> (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for
>>>> host) that requires DNSSEC zone signing. It is recommended
>>>> practice to authenticate SSH hosts to clients and preferred over
>>>> more complex SSL Certificate method. Secure signed zone is
>>>> prerequisite for SSH to approve the host ID provided by DNS.
>>>>
>>>> SH
>>>>
>>>> On 10/12/2023 18.50, Rowland Penny via samba wrote:
>>>>> On Sun, 10 Dec 2023 17:23:19 +0200
>>>>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Is there any way of signing the zones with zone-signing key? How
>>>>>> would one add zone-signing key and key signing key to DLZ
>>>>>> database? The Windows 11 Pro RSAT tool for nameserver does not
>>>>>> accept key addition and states unauthorized.
>>>>>>
>>>>> I think you need to explain what you are trying to achieve. As far
>>>>> as I am aware, Windows clients can update their own dns records in
>>>>> AD and Unix clients need to use Kerberos. So just what are you
>>>>> trying to do and why ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>> You can also use the user's Kerberos key for SSH.
>>> As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC, Samba
>>> uses the dns.keytab
>>>
>>> Rowland
>>>
> What I was trying to point out is, BIND9_DLZ uses Kerberos, it doesn't
> use anything else, certainly not DNSSEC.
>
> Rowland
>
--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919