[Samba] Samba Bind DLZ and Zone signing
Sami Hulkko
sahulkko at gmail.com
Sun Dec 10 20:17:30 UTC 2023
On 10/12/2023 21.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:32:46 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> Kerberos key is for user to host auth and verification. It does not
>> authenticate the host origin like DNSSEC does. Are you really an IT
>> professional? That is basic stuff.
> Not top posting is pretty basic as well.
And this kind of comment shows it?
>
>> SH
>>
>> On 10/12/2023 21.24, Rowland Penny via samba wrote:
>>> On Sun, 10 Dec 2023 21:04:08 +0200
>>> Sami Hulkko <sahulkko at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> One can use ssh verification of hosts with DNS provided HOST KEY
>>>> (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for
>>>> host) that requires DNSSEC zone signing. It is recommended
>>>> practice to authenticate SSH hosts to clients and preferred over
>>>> more complex SSL Certificate method. A secure signed zone is a
>>>> prerequisite for SSH to approve the host ID provided by DNS.
>>>>
>>>> SH
>>>>
>>>> On 10/12/2023 18.50, Rowland Penny via samba wrote:
>>>>> On Sun, 10 Dec 2023 17:23:19 +0200
>>>>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Is there any way of signing the zones with a zone-signing key? How
>>>>>> would one add a zone-signing key and key-signing key to the DLZ
>>>>>> database? The Windows 11 Pro RSAT tool for nameserver does not
>>>>>> accept key addition and states unauthorized.
>>>>>>
>>>>> I think you need to explain what you are trying to achieve. As far
>>>>> as I am aware, Windows clients can update their own dns records in
>>>>> AD and Unix clients need to use Kerberos. So just what are you
>>>>> trying to do and why?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>> You can also use the user's Kerberos key for SSH.
>>> As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC, Samba
>>> uses the dns.keytab.
>>>
>>> Rowland
>>>
> What I was trying to point out is, BIND9_DLZ uses Kerberos, it doesn't
> use anything else, certainly not DNSSEC.
>
> Rowland
>
--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919