thr3ads.net - samba - [Samba] Samba Bind DLZ and Zone signing [Dec 2023]

If this information is useful, please help other people find it:
Share via:

Sami Hulkko

2023-Dec-10 15:23 UTC

[Samba] Samba Bind DLZ and Zone signing

Hi,

Is there any way of signing the zones with? zone-signing key? How would 
one add? add?zone-signing key and key signing key to DLZ database? The 
Windows 11 Pro RSAT tool for nameserver do not accept key addition and 
states unauthorized.

-- 
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919

Rowland Penny

2023-Dec-10 16:50 UTC

head link

[Samba] Samba Bind DLZ and Zone signing

On Sun, 10 Dec 2023 17:23:19 +0200
Sami Hulkko via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> Is there any way of signing the zones with? zone-signing key? How
> would one add? add?zone-signing key and key signing key to DLZ
> database? The Windows 11 Pro RSAT tool for nameserver do not accept
> key addition and states unauthorized.
> 
I think you need to explain what you are trying to achieve. As far as I
am aware, Windows clients can update their own dns records in AD and
Unix clients need to use kerberos. so just what are you trying to do
and why ?

Rowland

Andrew Bartlett

2023-Dec-10 20:32 UTC

head link

[Samba] Samba Bind DLZ and Zone signing

On Sun, 2023-12-10 at 17:23 +0200, Sami Hulkko via samba
wrote:> Hi,
> 
> Is there any way of signing the zones with  zone-signing key? How
> would 
> one add  add zone-signing key and key signing key to DLZ database?
> The 
> Windows 11 Pro RSAT tool for nameserver do not accept key addition
> and 
> states unauthorized.
This is an interesting question.  The only way this would work is if
it was being transparently and dynamically added by the BIND9 side of
things.

Samba doesn't know how to generate the signing records and has
unfortunate
fixed limtiations in the records it knows how to store.

DNSSEC is a good thing, and it is sad that Samba doesn't know how to
support it (or check it in the recursive resolver). 

Sorry!

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

samba - Dec 2023 - Samba Bind DLZ and Zone signing

[Samba] Samba Bind DLZ and Zone signing

[Samba] Samba Bind DLZ and Zone signing

[Samba] Samba Bind DLZ and Zone signing