At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
>
> I was wondering if it is possible to use the tkey-gssapi-credential
> and update-policy on a Windows install of bind. It strikes me that
> running bind on a Windows server, snapped into the AD it will serve
> DNS to, should be the easiest way of getting DDNS with update-policy
> control working.

It would be, except for one small problem: the Windows native Kerberos doesn't support GSS-API (or didn't, when last I checked); instead it supports some similar-but-different Microsoft proprietary API whose name has temporarily escaped my memory. So either we would have to hack Windows-specific code here to use Microsoft's API, or we would have to get a Unix-style Kerberos library working on Windows.

We spent an insane amount of time banging our head against the latter approach, but never got it to work, for reasons that never made a lot of sense (e.g., linking against precompiled MIT Kerberos binaries resulted in binaries that worked fine for everything but GSS-TSIG but failed silently for that, attempting to build MIT Kerberos for Windows from source resulted in Kerberos code that couldn't even kinit, and nobody on the MIT Kerberos project could tell us why). We eventually gave up, because we had deadlines to meet and this configuration (BIND9 running GSS-TSIG on Windows) wasn't on our critical feature list.

> Am I nuts? Should I just install it on a Linux box and be done?

Yes, unless you (or some other brave soul) have the time and energy to get this working on Windows, in which case please tell us what you did (and I will stand you a beer if we ever meet...).