04-Nov-2020 23:36:07.223 client @0x804c11000 10.0.110.216#62340 (932-ms-7.53-192491b.2db42801-1eb9-11eb-d293-005056bddce2): query: 932-ms-7.53-192491b.2db42801-1eb9-11eb-d293-005056bddce2 IN TKEY -T (10.0.50.33)
04-Nov-2020 23:36:07.224 gss cred: "DNS/[hidden email]", GSS_C_ACCEPT, 4294967295
04-Nov-2020 23:36:07.224 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Cannot find key for DNS/[hidden email] kvno 3 in keytab (request ticket server DNS/[hidden email]).
04-Nov-2020 23:36:07.224 process_gsstkey(): dns_tsigerror_badkey
where I understood that I explicitly apply one 'security credential' to verify GSS. Of course, an update for TEST1.LOCAL is not valid for the TEST.LOCAL principal name.
On my FreeBSD, I think BIND is caching Kerberos into:

root@dns2:~ # ls -la /var/tmp/krb5_53.rcache2
-rw------- 1 bind wheel 13584 Nov 4 23:56 /var/tmp/krb5_0.rcache2

but the log entry points to: /tmp/krb5cc_0
To sum up, my concerns are:
Is it expected to use a single keytab file with multiple principal names to authenticate clients from multiple domains? If yes, did I miss any configuration to be done, or did I hit an area which is not covered?
If no, we should be clear in the documentation that a single principal name is to be used.
I am sending my post one more time, as I realized that the DMARC DNS record is not a friend of mailing lists and delivery failed for many domains.
I am trying to extend my understanding of tkey-gssapi-keytab and the possibility of using multiple principal names in a single keytab file.
This is the KRB5 keytab file to use for GSS-TSIG updates.
If this option is set and tkey-gssapi-credential is not set,
updates are allowed with any key matching a principal in the specified
Do I understand correctly that the DNS server will allow any update after receiving a TKEY query matching a principal name in my keytab file?
Is there any verification of the client and the client's signature?
I am not clear what the usage would be if the DNS server itself does not perform any verification of the GSS-TSIG signature.
The test below shows that even with 'failed gss_inquire_cred', secure updates are accepted.
2. Does this support multiple principal names in a single keytab file?
(I feel like it should be the case, but I have an unexpected result in my
I understand that only with this parameter will the DNS server authenticate the key exchange in the handshake.
Does it imply that I can use only one principal name with GSS-TSIG?
I do not see that this option can be defined multiple times.
I understand that this parameter is not required anyway - [RT #22629]
4. Are there additional resources explaining overall GSS-TSIG handling?
Reading C code is not really my cup of coffee.
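An added example, not part of the original post and not BIND's own code: the named log lines shown in the post can be correlated per TKEY query so that the acceptor credential (the "gss cred:" line), the service principal named in the client's ticket (the "Cannot find key for ... kvno N in keytab" line) and the final process_gsstkey() result are reported together per client address. The sample log is constructed with placeholder host names; the realm names TEST.LOCAL and TEST1.LOCAL are the ones from the post. Flagging a realm mismatch between the ticket's principal and the acceptor credential makes the cross-realm case visible instead of only the generic dns_tsigerror_badkey.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in named's GSS-TSIG log wording (not taken from a real server).
# Host names are placeholders; the second TKEY exchange has no failure lines.
SAMPLE_LOG = """\
04-Nov-2020 23:36:07.223 client @0x804c11000 10.0.110.216#62340 (932-ms-7.53-192491b.2db42801-1eb9-11eb-d293-005056bddce2): query: 932-ms-7.53-192491b.2db42801-1eb9-11eb-d293-005056bddce2 IN TKEY -T (10.0.50.33)
04-Nov-2020 23:36:07.224 gss cred: "DNS/dns2.test.local@TEST.LOCAL", GSS_C_ACCEPT, 4294967295
04-Nov-2020 23:36:07.224 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Cannot find key for DNS/dns2.test.local@TEST1.LOCAL kvno 3 in keytab (request ticket server DNS/dns2.test.local@TEST1.LOCAL).
04-Nov-2020 23:36:07.224 process_gsstkey(): dns_tsigerror_badkey
04-Nov-2020 23:40:12.001 client @0x804c12000 10.0.110.217#50111 (abc.2db42801-1eb9-11eb-d293-005056bddce2): query: abc.2db42801-1eb9-11eb-d293-005056bddce2 IN TKEY -T (10.0.50.33)
04-Nov-2020 23:40:12.002 gss cred: "DNS/dns2.test.local@TEST.LOCAL", GSS_C_ACCEPT, 4294967295
"""

# One regex per log message of interest; the wording follows the lines in the post.
TKEY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client @\S+ (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]+)\): query: \S+ IN TKEY"
)
CRED_RE = re.compile(r'gss cred: "(?P<cred>[^"]+)", (?P<usage>GSS_C_\w+)')
KEYFAIL_RE = re.compile(r"Cannot find key for (?P<princ>\S+) kvno (?P<kvno>\d+) in keytab")
TKEYERR_RE = re.compile(r"process_gsstkey\(\): (?P<err>dns_tsigerror_\w+)")


def realm_of(principal: Optional[str]) -> Optional[str]:
    """Return the REALM part of 'service/host@REALM', or None if absent."""
    if principal is None or "@" not in principal:
        return None
    return principal.rsplit("@", 1)[1]


def parse_gss_tsig_log(text: str) -> List[Dict]:
    """Group named's GSS-TSIG log lines into one record per TKEY query."""
    events: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = TKEY_RE.match(line)
        if m:
            # A TKEY query opens a new exchange; later lines attach to it.
            current = {
                "time": m.group("ts"),
                "client": m.group("ip"),
                "tkey_name": m.group("name"),
                "acceptor_credential": None,   # from tkey-gssapi-credential / keytab
                "requested_principal": None,   # service principal in the client's ticket
                "kvno": None,
                "error": None,
            }
            events.append(current)
            continue
        if current is None:
            continue  # line before any TKEY query; nothing to attach it to
        m = CRED_RE.search(line)
        if m:
            current["acceptor_credential"] = m.group("cred")
            continue
        m = KEYFAIL_RE.search(line)
        if m:
            current["requested_principal"] = m.group("princ")
            current["kvno"] = int(m.group("kvno"))
            continue
        m = TKEYERR_RE.search(line)
        if m:
            current["error"] = m.group("err")
    # A ticket for a realm other than the acceptor credential's realm can never
    # be validated from that credential's key, whatever else is in the keytab.
    for ev in events:
        req, acc = realm_of(ev["requested_principal"]), realm_of(ev["acceptor_credential"])
        ev["realm_mismatch"] = req is not None and acc is not None and req != acc
    return events


def badkey_counts(events: List[Dict]) -> Dict[str, int]:
    """Count dns_tsigerror_badkey outcomes per client address."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev["error"] == "dns_tsigerror_badkey":
            counts[ev["client"]] = counts.get(ev["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_gss_tsig_log(SAMPLE_LOG):
        status = ev["error"] or "ok"
        flag = " REALM-MISMATCH" if ev["realm_mismatch"] else ""
        print(f'{ev["time"]} {ev["client"]} acceptor={ev["acceptor_credential"]} '
              f'ticket={ev["requested_principal"]} kvno={ev["kvno"]} {status}{flag}')
    print("badkey per client:", badkey_counts(parse_gss_tsig_log(SAMPLE_LOG)))
```

Run against a real named log with `parse_gss_tsig_log(open(path).read())`; only the three message types above are matched, so other log channels can be present. Clients that repeatedly end in dns_tsigerror_badkey with a realm mismatch are the ones whose tickets name a realm the acceptor credential does not cover, which is the situation the post's TEST1.LOCAL versus TEST.LOCAL lines describe.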