GSS-TSIG clarifications
3 weeks ago
Hello,
It is working but a few things need clarification:
1)
ns.contoso.com = Instance in FQDN format; this is the same as the DNS name of the NIOS appliance
In the case of multiple DNS servers for a zone this needs to be the zone primary DNS server FQDN, right?
2)
Do I need more than one GSS-TSIG key for the entire grid?
What if zone primary is down?
3)
Key rotation. Even if it is an AD service account the password still needs to be rotated from time to time.
How can I manually trigger client re-keying without a reboot?
I don't think you can install multiple GSS-TSIG keys with the same SPN in Infoblox?
Thanks,
AJ
Re: GSS-TSIG clarifications
3 weeks ago - last edited 3 weeks ago
Hi AJ,
Here are the clarifications for your questions:

1) Yes, in the case of multiple DNS servers for a zone, ns.contoso.com should be the FQDN of the primary DNS server for that zone.

2) You typically need only one GSS-TSIG key for the entire grid. If the primary DNS server is down, the secondary servers should still be able to use the same key, provided they are configured correctly.

3) Even if it's an AD service account, the password needs to be rotated periodically. To manually trigger client re-keying without a reboot, you can use the Infoblox Grid Manager or API to update the keytab file. You cannot install multiple GSS-TSIG keys with the same SPN in Infoblox.

If you need further assistance, feel free to ask!
Best Regards,
Re: GSS-TSIG clarifications
3 weeks ago
Hello,
Thanks for the quick reply.
About re-keying: I meant that after I have uploaded the new TSIG key to Infoblox, the clients still try to use the old one.
They will start using the new one after a reboot, or if I wait (was it 10 hours by default?).
Talking about Windows clients: is there a way to trigger the re-keying process (GSS-TSIG reauth)?
Thanks,
AJ