THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

NIOS DNS DHCP IPAM

Reply

GSS-TSIG clarifications
aajiik
New Member
Posts: 6

Tuesday

211     0

Hello,

 

https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-enable-and-confi...


It is working but a few things need clarification:

1)

ns.contoso.com = Instance in FQDN format; this is the same as the DNS name of the NIOS appliance

In the case of multiple DNS servers for a zone this needs to be the zone primary DNS server FQDN, right?

 

2)

Do I need more than one GSS-TSIG key for the entire grid?

What if zone primary is down?

 

3)

Key rotation. Even if it is an AD service account the password still needs to be rotated from time to time.

How can I manually trigger client re-keying without a reboot?

I don't think you can install multiple GSS-TSIG keys with the same SPN in Infoblox?

 

Thanks,

AJ

 

 

 

 

Reply
0 Kudos

Re: GSS-TSIG clarifications

[ Edited ]
Raymond874Butle
New Member
Posts: 1

Wednesday - last edited Wednesday

212     0

Hi AJ,

Here are the clarifications for your questions: Yes, in the case of multiple DNS servers for a zone, ns.contoso.com should be the FQDN of the primary DNS server for that zone. You typically need only one GSS-TSIG key for the entire grid. If the primary DNS server is down, the secondary servers should still be able Mary Kay InTouch to use the same key, provided they are configured correctly. Even if it’s an AD service account, the password needs to be rotated periodically. To manually trigger client re-keying without a reboot, you can use the Infoblox Grid Manager or API to update the keytab file. You cannot install multiple GSS-TSIG keys with the same SPN in Infoblox. If you need further assistance, feel free to ask!

Best Regards,

 

Reply

Re: GSS-TSIG clarifications
aajiik
New Member
Posts: 6

Wednesday

212     0

Hello,

 

Thanks for the quick reply.

About re-keying: I meant that after I have uploaded new TSIG-KEY to Infoblox the clients still try to use the old one.

They will start using the new one after a reboot or if I wait was it 10hours by default.

Talking about Windows clients: is there a way to trigger re-keying process (GSS-TSIG reauth)?

 

Thanks,

AJ

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements