ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
f563cd570c8a4e24e0c6a1cf7cf6e11da1b090fb
bind9/bin/tests/system/nsupdate/ns8/named.conf.in
Petr Špaček 1746d2e84a Add tests for the "tkey-gssapi-credential" option 
Four named instances in the "nsupdate" system test have GSS-TSIG support
enabled.  All of them currently use "tkey-gssapi-keytab".  Configure two
of them with "tkey-gssapi-credential" to test that option.

As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the
same functionality, no test modifications are required.  The difference
between the two options is that the value of "tkey-gssapi-keytab" is an
explicit path to the keytab file to acquire credentials from, while the
value of "tkey-gssapi-credential" is the name of the principal whose
credentials should be used; those credentials are looked up in the
keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by
default.  The path to the default keytab file can be overridden using by
setting the KRB5_KTNAME environment variable.  Utilize that variable to
use existing keytab files with the "tkey-gssapi-credential" option.

The KRB5_KTNAME environment variable should not interfere with the
"tkey-gssapi-keytab" option.  Nevertheless, rename one of the keytab
files used with "tkey-gssapi-keytab" to something else than the contents
of the KRB5_KTNAME environment variable in order to make sure that both
"tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested.
2021-04-22 16:15:22 +02:00

49 lines
1.1 KiB
Plaintext
Raw Blame History

/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.8; };
recursion no;
notify yes;
minimal-responses no;
tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type primary;
file "in-addr.db";
update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; };
};
zone "example.com" {
type primary;
file "example.com.db";
update-policy {
grant EXAMPLE.COM krb5-selfsub . ANY;
grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
};
};
View Git Blame Copy Permalink