[Samba] Samba Bind DLZ and Zone signing

Sami Hulkko sahulkko at gmail.com
Sun Dec 10 20:45:37 UTC 2023


On 10/12/2023 22.32, Andrew Bartlett wrote:
> On Sun, 2023-12-10 at 17:23 +0200, Sami Hulkko via samba wrote:
>> Hi,
>>
>> Is there any way of signing the zones with a zone-signing key? How
>> would one add a zone-signing key and a key-signing key to the DLZ
>> database? The Windows 11 Pro RSAT tool for the nameserver does not
>> accept key addition and states unauthorized.
> This is an interesting question.  The only way this would work is if
> it was being transparently and dynamically added by the BIND9 side of
> things.

To the best of my knowledge, BIND DLZ has the possibility to use DNSSEC, and 
I am absolutely certain that standard BIND supports it.

The included ..../samba/bind-dns/named.conf has a pre-made block of:

dlz "[domain name]" {
    # that after the inclusion of db is done
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
};

Both the DLZ plugin and the database where the DNS information is stored are 
Samba products.

1. DNSSEC key saving could be supported with the [samba-tool dns add....] 
command and excluded from the RSAT tool until its reverse engineering is done.

2. One could have a plugin for DNSSEC, like the dlz_bind9_18.so that is included.

3. On BIND, an insertion like in a standard zone could be done into the above 
config.

SH

>
> Samba doesn't know how to generate the signing records and has
> unfortunate fixed limitations in the records it knows how to store.
Fixed code?
>
> DNSSEC is a good thing, and it is sad that Samba doesn't know how to
> support it (or check it in the recursive resolver).
>
> Sorry!
>
> Andrew Bartlett
>
>
-- 
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919
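As an added illustration, not taken from this thread or from Samba's own named.conf, here is what point 3 above refers to: a conventional BIND 9 zone signed by BIND's built-in dnssec-policy mechanism, written next to the Samba DLZ block from the page. The zone names, policy name, file path and key directory are assumptions. dnssec-policy attaches only to a zone statement whose records BIND holds itself; the dlz block hands record lookups to Samba's driver, which is why the reply says BIND cannot sign those records in place.

```conf
# BIND 9.16+ named.conf fragment (added example; names and paths are assumptions)

# Zone served out of Samba's AD database through the DLZ driver, as on the page.
# No dnssec-policy can be attached here: the records come from Samba's database,
# not from a BIND zone file, so BIND has nothing it can sign in place.
dlz "example.internal" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
};

# Contrast: a conventional BIND zone where BIND generates the KSK and ZSK
# itself and maintains the DNSKEY/RRSIG/NSEC records (inline signing).
dnssec-policy "example-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime P90D algorithm ecdsa256;
    };
};

zone "signed.example" {
    type primary;
    file "/var/lib/bind/signed.example.db";
    key-directory "/var/lib/bind/keys";
    dnssec-policy "example-policy";
    inline-signing yes;
};
```

After `rndc reload`, a query such as `dig @127.0.0.1 signed.example DNSKEY +dnssec` against the conventional zone returns the DNSKEY RRset with its RRSIG, while the same query against the DLZ-served zone returns no DNSKEY at all; that difference is a quick way to confirm which zones on a Samba DC are actually signed.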