...
For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have 'DNS' in its service class. You can upload a keytab file to the Grid with multiple keys in which each key has an SPN in this format: DNS/<host>@<realm>. You can associate a DNS member or a Grid DNS with one or more keys of the same SPN or realm or of different SPN or realms. You can assign the uploaded keys to member DNS or Grid DNS, but NIOS displays an error when you try to enable GSS-TSIG without a valid key if the assigned key does not have the service class 'DNS' in its SPN.
To enable GSS-TSIG authentication for DNS and import keytab files:
...
- Principal: The principal member of the key. For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have DNS in its service class. It is of the following form:
DNS/<host>@<realm>You can either specify an FQDN or an IP address for the <host> of an SPN.
...
The appliance saves the audit log entries for insert and delete operations. If you upload keys with encryption types other than the ones that NIOS supports, the appliance displays a warning message in Grid Manager and in the syslog and also it displays the encryption type as *other* in Grid Manager and in the syslog. For more information about the syslog, see Using a Syslog Server.
The appliance generates an audit log when you upload a key, assign the key to a member, remove the key associated with a member or delete a key. The audit log entries are based on each key that you have uploaded. For example, NIOS saves the following in the audit log when you upload a key:
2014-02-14 18:17:30.531Z \[admin\]: imported DNS Kerberos key for
principal='DNS/infoblox.localdomain@abc.com', version=5, enctype=des-cbc-crc
For more information about audit logs, see Using the Audit Log. You can search Kerberos keys using the realm (domain), principal name or an encryption type.
...