
I want to set up my Kerberos authentication using DNS lookups to define its servers. This can be done with URI records in the DNS database. An example is given for KDC Discovery that looks like:

_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com 

Now I try to add this record to the DNS database with nsupdate:

    ~$ sudo nsupdate
    > update add _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
    ttl 'URI': not a valid number
    >

Doesn't work this way. What is the command to add the URI record? Is there another way to add the record to the DNS database?

1 Answer

When you run nsupdate to add a record, you must specify a Time-To-Live (TTL) value for it. The TTL is the maximum time the record may be cached by any resolving DNS server before it queries an authoritative DNS server again for an up-to-date version of the record. This is true for all record types. The TTL value goes between the name and the record type.

If you wanted to specify a TTL of 7200 seconds (2 hours), for example:

    $ sudo nsupdate
    > update add _kerberos.EXAMPLE.COM 7200 URI 10 1 "krb5srv:m:tcp:kdc1.example.com"

Please also note the double quotes around the string.

If your nearest DNS server is the authoritative one for your DNS zone, and the record is used locally only, then the TTL value might not be very important, but it still needs to be specified.

  • It didn't work on the first attempt, but the error message gave me the hint: the string at the end needs double quotes. I took the liberty of editing your answer. Commented Oct 4, 2019 at 11:22
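As an added example (not part of the original question or answer), a small POSIX shell helper that builds the nsupdate batch for a Kerberos KDC-discovery URI record with the TTL in the right position and the target quoted, and rejects the two mistakes shown above before anything is sent to the server. The realm, TTL, priority, weight, target and the TSIG key path in the usage comment are all placeholders.

```sh
#!/bin/sh
# Added example: generate nsupdate commands for a _kerberos URI record.
# Not from the original post; all values below are placeholders.

# Print the nsupdate commands for one KDC-discovery URI record.
# $1 realm, $2 ttl (seconds), $3 priority, $4 weight, $5 target (krb5srv:...)
krb_uri_update() {
  realm=$1; ttl=$2; prio=$3; weight=$4; target=$5
  # nsupdate expects a numeric TTL between the name and the record type;
  # putting "URI" there is what produced "ttl 'URI': not a valid number".
  case $ttl in
    ''|*[!0-9]*) echo "TTL must be a non-negative integer, got '$ttl'" >&2; return 1 ;;
  esac
  # Priority and weight are the two 16-bit integers of the URI record.
  case "$prio$weight" in
    ''|*[!0-9]*) echo "priority and weight must be integers" >&2; return 1 ;;
  esac
  # The target must use the krb5srv:<flags>:<transport>:<host[:port]> form
  # expected for KDC discovery (flags may be empty, e.g. krb5srv::tcp:host).
  case $target in
    krb5srv:*:*:*) ;;
    *) echo "target must look like krb5srv:<flags>:<transport>:<host>, got '$target'" >&2; return 1 ;;
  esac
  # The URI target is a character string, so it is emitted in double quotes.
  printf 'update add _kerberos.%s %s URI %s %s "%s"\nsend\n' \
    "$realm" "$ttl" "$prio" "$weight" "$target"
}

# Usage (placeholder key path): pipe the commands into nsupdate, authenticating
# the dynamic update with a TSIG key rather than relying on source address alone:
#   krb_uri_update EXAMPLE.COM 7200 10 1 krb5srv:m:tcp:kdc1.example.com \
#     | sudo nsupdate -k /path/to/Kexample.+165+12345.private
# Verify afterwards with:  dig +short _kerberos.EXAMPLE.COM URI
```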
