In message <4c15371c.7070...@dougbarton.us>, Doug Barton writes:
> On 06/11/10 02:51, John Marshall wrote:
> > BIND 9.7.1rc1
> > FreeBSD 8.1-PRERELEASE
> >
> > I've just stepped into the world of nsupdate (instead of doing the
> > freeze/edit/thaw dance). I have had success using TSIG (nsupdate -k)
> > but I would like to use TKEY-GSS (nsupdate -g). When I try to do that,
> > nsupdate dumps core.
> >
> > $ /usr/bin/nsupdate -g -d
> > > prereq nxdomain rwpc12.mby.riverwillow.net.au.
> > >
> > Reply from SOA query:
> > --------< snip>--------
> > Found zone name: mby.riverwillow.net.au
> > The master is: ns1.mby.riverwillow.net.au
> > start_gssrequest
> > nsupdate: Failed to generate random block
> > Abort trap (core dumped)
> >
> > I suspect the operating system at this point but want to build BIND
> > against separate gssapi_krb5 and OpenSSL libraries in order to isolate
> > the problem.
> >
> > Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
> > Telling configure --with-gssapi=/usr/local makes all the right kind of
> > impressions on config.log, but the linker still ends up using the
> > operating system's gssapi libraries under /usr/lib. Is there something
> > else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> > /usr/local ?
> >
> > Until now I've never built BIND with gssapi, so I'm prepared to be told
> > I've missed something basic.
>
> John,
>
> Don't worry, you haven't. There is a thread on
> freebsd-secur...@freebsd.org atm about the wacky state of our base
> system kerberos, and unfortunately my understanding is that simply
> installing kerberos from ports doesn't help much.
>
> I don't want to get too deep in the weeds on FreeBSD-specific stuff
> here, so you may want to follow up on -security for that stuff. I do
> want to leave the door open however for anyone to comment on
> BIND-specific issues with the configure script.
>
> FYI, there is also
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests
> that installing cyrus-sasl2 rather than kerberos from ports may be the
> right way to go. I haven't even started evaluating that patch yet, but
> perhaps someone on this list who has implemented GSS-TSIG could comment?
>
> Personally I loathe kerberos almost as much as windows, so I haven't
> exactly been eager to dive into this, but because there is user demand
> for it I would like to get up to speed so this seems as good a time as any.
>
>
> Doug

Anything in the base system that is also in ports should be in its
own separate tree(s).

	/usr/local/<foo>/{bin,lib,include}
or
	/usr/local/{bin,lib,include}/<foo>

This allows one to select the ports or system components on a per
component basis. I prefer the former.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org