samba - Dec 2023 - Samba Bind DLZ and Zone signing

On Sun, 10 Dec 2023 17:23:19 +0200
Sami Hulkko via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> Is there any way of signing the zones with? zone-signing key? How
> would one add? add?zone-signing key and key signing key to DLZ
> database? The Windows 11 Pro RSAT tool for nameserver do not accept
> key addition and states unauthorized.
> 
I think you need to explain what you are trying to achieve. As far as I
am aware, Windows clients can update their own dns records in AD and
Unix clients need to use kerberos. so just what are you trying to do
and why ?

Rowland

Hi,

One can use ssh verification of hosts with DNS provided HOST KEY (the 
one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for host) that 
requires DNSSEC zone signing. It is recommended practice to authenticate 
SSH hosts to clients and preferred over more complex? SSL Certificate 
method. Secure signed zone is perquisite for SSH to approve the host ID 
provided by DNS.

SH

On 10/12/2023 18.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 17:23:19 +0200
> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Is there any way of signing the zones with? zone-signing key? How
>> would one add? add?zone-signing key and key signing key to DLZ
>> database? The Windows 11 Pro RSAT tool for nameserver do not accept
>> key addition and states unauthorized.
>>
> I think you need to explain what you are trying to achieve. As far as I
> am aware, Windows clients can update their own dns records in AD and
> Unix clients need to use kerberos. so just what are you trying to do
> and why ?
>
> Rowland
>
>
-- 
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919