Since ISC has announced the deprecation of the tkey-gssapi-credential and tkey-domain configuration statements in BIND, both of which are used by Integrity’s current GSSTSIG implementation, can we PLEASE use the refactoring opportunity to get better support for multi-realm GSSTSIG and keytab management? We currently have to use postDeploy.sh scripting to get the resulting configuration that we want (jettisoning the BAM-generated single-realm keytab and substituting our own, commenting out the BAM-generated tkey-gssapi-credential and tkey-domain statements, and substituting a tkey-gssapi-keytab statement).
Ideally BAM should either A) natively support generating a keytab that contains the needed principals and referencing it via the tkey-gssapi-keytab configuration statement (which is ISC’s go-forward requirement) or B) allow the user to import their own keytab and reference that (as other competing products do).
I’m sure I have a feature request for multi-realm support floating around out there but it’s been years and I’ve lost track of it. Since at least SOME amount of recoding is going to be required to support ISC’s go-forward path in this area, let’s take the opportunity to extend and better the implementation!
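The named.conf rewrite described in the post, sketched as an added example (not the poster's postDeploy.sh and not vendor code): it comments out the two deprecated statements and puts a single tkey-gssapi-keytab statement in their place. The function names, the keytab path /etc/dns.keytab and the sample options block are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths, principal and realm below are constructed, not from the post.

# sample_conf: a constructed single-realm options block of the kind the post
# says is generated (deprecated credential + domain statements).
sample_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};
EOF
}

# rewrite_gss_tsig KEYTAB < named.conf > named.conf.new
# - comments out tkey-gssapi-credential and tkey-domain
# - adds one tkey-gssapi-keytab "KEYTAB"; at the first deprecated statement,
#   unless the file already has an active tkey-gssapi-keytab line
# Running it twice yields the same output (commented lines no longer match).
rewrite_gss_tsig() {
    awk -v keytab="$1" '
        {
            line[NR] = $0
            if ($0 ~ /^[ \t]*tkey-gssapi-keytab[ \t]/) have = 1
        }
        END {
            for (i = 1; i <= NR; i++) {
                if (line[i] ~ /^[ \t]*(tkey-gssapi-credential|tkey-domain)[ \t]/) {
                    if (!have) {
                        # Reuse the indentation of the statement being replaced.
                        match(line[i], /^[ \t]*/)
                        printf "%stkey-gssapi-keytab \"%s\";\n", \
                               substr(line[i], 1, RLENGTH), keytab
                        have = 1
                    }
                    print "// " line[i]
                } else {
                    print line[i]
                }
            }
        }'
}

# Demo on the constructed sample; in a real deployment, write to a temporary
# file and syntax-check it with named-checkconf before replacing named.conf.
sample_conf | rewrite_gss_tsig /etc/dns.keytab
```

A multi-realm keytab referenced this way has to contain a DNS/ service principal for every realm the server accepts updates from, which is why the post wants it either generated with all of them or imported as-is.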