On Sun, 10 Dec 2023 21:32:46 +0200
Sami Hulkko <sahulkko at gmail.com> wrote:

> Hi,
>
> Kerberos key is for user to host auth and verification. It does not
> authenticate the host origin like DNSSEC does. You really IT
> professional or? That is basic stuff.

Not top posting is pretty basic as well.

> SH
>
> On 10/12/2023 21.24, Rowland Penny via samba wrote:
> > On Sun, 10 Dec 2023 21:04:08 +0200
> > Sami Hulkko <sahulkko at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> One can use ssh verification of hosts with DNS provided HOST KEY
> >> (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for
> >> host) that requires DNSSEC zone signing. It is recommended
> >> practice to authenticate SSH hosts to clients and preferred over
> >> more complex SSL Certificate method. Secure signed zone is
> >> prerequisite for SSH to approve the host ID provided by DNS.
> >>
> >> SH
> >>
> >> On 10/12/2023 18.50, Rowland Penny via samba wrote:
> >>> On Sun, 10 Dec 2023 17:23:19 +0200
> >>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Is there any way of signing the zones with zone-signing key? How
> >>>> would one add zone-signing key and key signing key to DLZ
> >>>> database? The Windows 11 Pro RSAT tool for nameserver does not
> >>>> accept key addition and states unauthorized.
> >>>>
> >>> I think you need to explain what you are trying to achieve. As far
> >>> as I am aware, Windows clients can update their own dns records in
> >>> AD and Unix clients need to use kerberos. so just what are you
> >>> trying to do and why?
> >>>
> >>> Rowland
> >>>
> >>>
> > You can also use the user's kerberos key for SSH.
> > As far as I am aware, BIND9_DLZ has nothing to do with DNSSEC, Samba
> > uses the dns.keytab
> >
> > Rowland
> >

What I was trying to point out is, BIND9_DLZ uses kerberos, it doesn't use anything else, certainly not DNSSEC.

Rowland
On 10/12/2023 21.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:32:46 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> Kerberos key is for user to host auth and verification. It does not
>> authenticate the host origin like DNSSEC does. You really IT
>> professional or? That is basic stuff.
> Not top posting is pretty basic as well.

Picking a fight? Pick your nose. Money Penny!

--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919
And there are preferences of not having to roll down the whole mail thread and getting the info at once referencing it by oneself from underneath thread of mails.

SH

On 10/12/2023 21.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:32:46 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> Kerberos key is for user to host auth and verification. It does not
>> authenticate the host origin like DNSSEC does. You really IT
>> professional or? That is basic stuff.
> Not top posting is pretty basic as well.

--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919
On 10/12/2023 21.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 21:32:46 +0200
> Sami Hulkko <sahulkko at gmail.com> wrote:
>
>> Hi,
>>
>> Kerberos key is for user to host auth and verification. It does not
>> authenticate the host origin like DNSSEC does. You really IT
>> professional or? That is basic stuff.
> Not top posting is pretty basic as well.

And this kind of comment shows it?

--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919