[Samba] Samba Bind DLZ and Zone signing
Joachim Lindenberg
samba at lindenberg.one
Thu Dec 14 22:17:37 UTC 2023
I am wondering whether bind9 with DLZ supports (dynamic) signing of the zone, or whether it expects the "plugin" (i.e. samba) to sign somehow (as it is the only one that could answer negatively). The only information I found when searching is in https://serverfault.com/questions/1058501/bind9-disable-dnssec-validation-on-per-zone-basis, which suggests, under "Now here is the problem", that a zone served by Samba does not support DNSSEC.
Can someone please provide insights into whether and how this works? (So far I never tried to sign my internal zone, and windows clients don't use DNSSEC anyway).
Thanks,
Joachim
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Andrew Bartlett via samba
Sent: Sunday, 10 December 2023 21:51
To: Sami Hulkko <sahulkko at gmail.com>; samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ and Zone signing
On Sun, 2023-12-10 at 22:45 +0200, Sami Hulkko wrote:
> On 10/12/2023 22.32, Andrew Bartlett wrote:
> > On Sun, 2023-12-10 at 17:23 +0200, Sami Hulkko via samba wrote:
> > > Hi,
> > >
> > > Is there any way of signing the zones with a zone-signing key? How
> > > would one add a zone-signing key and key signing key to the DLZ
> > > database?
> > > The Windows 11 Pro RSAT tool for the nameserver does not accept key
> > > addition and states unauthorized.
> >
> > This is an interesting question. The only way this would work is if
> > it was being transparently and dynamically added by the BIND9 side
> > of things.
>
> To the best of my knowledge, in bind DLZ there is a possibility to use DNSSEC, and I am
> absolutely certain that standard BIND supports it.
>
> The inclusion of ..../samba/bind-dns/named.conf has pre marking of:
>
> dlz "[domain name]" {
>     # that after the inclusion of db is done
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
> }
>
> Both the DLZ plugin and the database where DNS information is stored are
> samba products.
>
> 1. DNSSEC key saving could be supported with a [samba-tool dns add....]
> command and excluded from the RSAT tool until its reverse engineering is
> done.
>
> 2. One could have a plugin for DNSSEC like the dlz_bind9_18.so that is
> included.
>
> 3. On bind an insertion like in a standard zone into the above config could
> be done.
>
> SH
>
> > Samba doesn't know how to generate the signing records and has
> > unfortunate fixed limitations in the records it knows how to store.
>
> Fixed code?
Yes, the mapping of record types to database formatted records is via a fixed set of known mappings.
Anyway, this isn't possible with unmodified code as far as I understand the requirements, but you are welcome to attempt to develop such an extension.
It would not be a small task, but it certainly would be a valuable one.
Finding out about any DNSSEC support in the Windows DNS server would be a first thing to start with.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
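A check for the situation the thread describes, added here as an example and not part of any of the messages above: it asks a DC directly for the zone's SOA with the DO bit set and reports whether the Samba-served zone comes back with RRSIG records (the thread's conclusion is that it will not). The zone and DC names are placeholders, dig from bind-utils is assumed to be installed, and the classifier reads dig output on stdin so saved output can be fed to it as well.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a zone served by a
# Samba DC (BIND9 DLZ backend) returns DNSSEC material. Per the thread,
# Samba cannot generate RRSIG/DNSKEY records, so a validating resolver that
# forwards the AD zone to the DC should expect "unsigned" here and be
# configured to treat that zone as insecure rather than fail lookups.
# Assumptions: dig (bind-utils) is installed; zone/DC names are placeholders.

# classify_dig_output: reads "dig +dnssec" output on stdin and prints
# "signed" (RRSIG present), "unsigned" (NOERROR but no RRSIG) or
# "error" (any other rcode, or no header at all, e.g. a timeout).
classify_dig_output() {
    out=$(cat)
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "$rcode" = NOERROR ] || { echo error; return 1; }
    if printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]*RRSIG[[:space:]]'; then
        echo signed
    else
        echo unsigned
    fi
}

# check_zone ZONE DC: query the DC itself (no recursion) for the zone's
# SOA with the DO bit set; a signed zone answers with an RRSIG alongside.
check_zone() {
    dig +dnssec +norecurse "@$2" "$1" SOA | classify_dig_output
}

# Usage (placeholder names): check_zone ad.example.test dc1.ad.example.test
```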