On Sun, 10 Dec 2023 21:32:46 +0200
Sami Hulkko <sahulkko at gmail.com> wrote:
> Hi,
>
> Kerberos key is for user to host auth and verification. It does not
> authenticate the host origin like DNSSEC does. Are you really an IT
> professional or? That is basic stuff.
Not top posting is pretty basic as well.
>
> SH
>
> On 10/12/2023 21.24, Rowland Penny via samba wrote:
> > On Sun, 10 Dec 2023 21:04:08 +0200
> > Sami Hulkko <sahulkko at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> One can use ssh verification of hosts with DNS provided HOST KEY
> >> (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for
> >> host) that requires DNSSEC zone signing. It is recommended
> >> practice to authenticate SSH hosts to clients and preferred over
> >> more complex SSL Certificate method. Secure signed zone is
> >> prerequisite for SSH to approve the host ID provided by DNS.
> >>
> >> SH
> >>
> >> On 10/12/2023 18.50, Rowland Penny via samba wrote:
> >>> On Sun, 10 Dec 2023 17:23:19 +0200
> >>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Is there any way of signing the zones with zone-signing key? How
> >>>> would one add zone-signing key and key signing key to DLZ
> >>>> database? The Windows 11 Pro RSAT tool for nameserver does not
> >>>> accept key addition and states unauthorized.
> >>>>
> >>> I think you need to explain what you are trying to achieve. As far
> >>> as I am aware, Windows clients can update their own dns records in
> >>> AD and Unix clients need to use kerberos. So just what are you
> >>> trying to do and why?
> >>>
> >>> Rowland
> >>>
> >>>
> > You can also use the user's kerberos key for SSH.
> > As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC, Samba
> > uses the dns.keytab
> >
> > Rowland
> >
What I was trying to point out is, BIND9_DLZ uses kerberos, it doesn't
use anything else, certainly not DNSSEC.
Rowland
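
The DNS-published SSH host key check mentioned earlier in the thread uses SSHFP records, whose fingerprint is a hash of the host's public key blob. The following is an added example, not part of any poster's message: it derives the SHA-256 SSHFP record from a public key line and models, in simplified form, a client that counts a match only when the DNS answer was DNSSEC-validated. The key material, the `host.example.` name and the `client_accepts` helper are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP key-algorithm numbers as registered by IANA (RFC 4255, 6594, 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SHA256 = 2  # SSHFP fingerprint type 2 = SHA-256


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sample_pubkey_line(seed=0):
    """Constructed Ed25519-shaped public key line (not a real host key)."""
    key = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


def key_fingerprint(pubkey_line):
    """Return (algorithm number, SHA-256 hex digest) for a public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in ALGORITHMS:
        raise ValueError("unsupported or malformed public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with the key type; reject a line whose label disagrees.
    if not blob.startswith(_ssh_string(fields[0].encode())):
        raise ValueError("key type does not match key blob")
    return ALGORITHMS[fields[0]], hashlib.sha256(blob).hexdigest()


def sshfp_record(hostname, pubkey_line):
    """Zone-file SSHFP record for the host's public key."""
    alg, digest = key_fingerprint(pubkey_line)
    return f"{hostname} IN SSHFP {alg} {SHA256} {digest}"


def client_accepts(records, presented_line, dnssec_validated):
    """Simplified client model: a match counts only from a validated answer."""
    alg, digest = key_fingerprint(presented_line)
    wanted = [str(alg), str(SHA256), digest]
    matched = any(r.lower().split()[-3:] == wanted for r in records)
    return matched and dnssec_validated
```

On a real host the same record comes from `ssh-keygen -r <hostname>`, and OpenSSH consults it when `VerifyHostKeyDNS` is enabled.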