On Sun, 10 Dec 2023 21:04:08 +0200
Sami Hulkko <sahulkko at gmail.com> wrote:
> Hi,
>
> One can use ssh verification of hosts with DNS provided HOST KEY (the
> one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for host) that
> requires DNSSEC zone signing. It is recommended practice to
> authenticate SSH hosts to clients and preferred over more complex
> SSL Certificate method. Secure signed zone is prerequisite for SSH to
> approve the host ID provided by DNS.
>
> SH
>
> On 10/12/2023 18.50, Rowland Penny via samba wrote:
> > On Sun, 10 Dec 2023 17:23:19 +0200
> > Sami Hulkko via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> Is there any way of signing the zones with a zone-signing key? How
> >> would one add a zone-signing key and key-signing key to the DLZ
> >> database? The Windows 11 Pro RSAT tool for nameserver does not accept
> >> key addition and states unauthorized.
> >>
> > I think you need to explain what you are trying to achieve. As far
> > as I am aware, Windows clients can update their own dns records in
> > AD and Unix clients need to use Kerberos, so just what are you
> > trying to do and why?
> >
> > Rowland
> >
> >
You can also use the user's Kerberos key for SSH.
As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC; Samba
uses the dns.keytab.
Rowland