Switching key types for authorizing updates
John Thurston
john.thurston at alaska.gov
Tue Aug 10 22:25:01 UTC 2021
I have a zone defined in which I permit dynamic updates. Many years ago,
I defined a key per name, and added that key into the update-policy
attribute in the zone definition.
For example:
key "foo.bar.baz.com" {
algorithm hmac-md5;
secret "12345..890";
};
zone "bar.baz.com" {
type master;
update-policy {
grant "foo.bar.baz.com" selfsub foo.bar.baz.com TXT;
};
};
The theory being, the holder of the key named "foo.bar.baz.com" is able
to manipulate TXT records in foo.bar.baz.com and all of its subdomains.
But now I'd like to move away from those old md5 keys. I would like to
find a way to define a second key which will work along side, during the
transition, the existing md5 key. When everyone is using the new key,
I'd then remove the old md5 key.
But as far as I can tell, the name of the key needs to match the
hostname in the update-policy statement. I can define a new aes-256 key,
but it can't have the name "foo.bar.baz.com" while the current md5 key
is defined. Nor can I find a way to craft an update-policy statement
line to let a new key with a different name manipulate the desired TXT
records, while letting the current key continue to work.
Is there a way to get the configuration I want? or must I make a
wholesale swap of each md5 key for something newer?
--
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
More information about the bind-users
mailing list