feature consultation -- per-zone initiator-side tsig keys
Paul Vixie
vixie at isc.org
Tue Dec 16 15:01:08 UTC 2008
> I think a better approach may be to allow an (optional) arbitrary symbol
> name to define servers, in addition to using IP address. So, you could
> have:
>
> server id-foo 67.215.198.150 { keys { ipso; }; };
> server id-bar 67.215.198.150 { keys { facto; }; };
>
> Then you could use these server definition within multiple zones by
> referring to the server identifier:
>
> zone "foo.com" {
>     type slave;
>     masters {
>         id-foo;
>         ...
>     };
> };
>
> zone "bar.com" {
>     type slave;
>     masters {
>         id-bar;
>         ...
>     };
> };
as johani pointed out, there's already a way to do what i want.
> As long as the syntax is being improved, it would be nice if key
> statements also had the same ability. That is:
>
> key id-key "key-name" {
>     algorithm hmac-md5;
>     secret "super-secret-data...";
> };
>
> Right now there is no key-id, and the key-name is the unique identifier.
> However, this is a protocol element. But there is no reason two people
> could not use the same key-name, for example "sns-tsig", which would not
> be allowed with the current syntax. Eliminating this potential conflict
> would reduce the amount of checking and co-ordination required by zone
> administrators (and people writing software to administer zones).
that's a stunningly great idea. (send patches!)
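As an added illustration (not part of this thread, and not BIND code), the Python below resolves each zone's `masters` list through the proposed `server <id> <address>` identifiers quoted above, showing how two ids that share one IP address carry different TSIG keys; the `server`/`zone` syntax is the proposal from the quoted message, not an existing named.conf option, and the config fragment is constructed.

```python
import re

# Constructed named.conf-style fragment in the proposed syntax: a symbolic
# server id precedes the address, so two ids may share one IP address
# while naming different TSIG keys.
SAMPLE_CONF = """
server id-foo 67.215.198.150 { keys { ipso; }; };
server id-bar 67.215.198.150 { keys { facto; }; };
zone "foo.com" { type slave; masters { id-foo; }; };
zone "bar.com" { type slave; masters { id-bar; 192.0.2.53; }; };
"""

# Matches: server <id> <address> { keys { <keyname>; }; };
SERVER_RE = re.compile(
    r'server\s+(\S+)\s+(\S+)\s*\{\s*keys\s*\{\s*([^;]+);\s*\};\s*\};')
# Matches a zone and captures the body of its masters { ... }; block.
ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{[^}]*?masters\s*\{([^}]*)\};\s*\};', re.S)


def parse_servers(conf):
    """Map server id -> (address, TSIG key name)."""
    return {sid: (addr, key.strip())
            for sid, addr, key in SERVER_RE.findall(conf)}


def resolve_masters(conf):
    """For each zone, resolve its masters to (address, key) pairs.

    An entry naming a server id takes that server's address and key; a
    bare address is kept as-is with key None (transfer would be unsigned).
    """
    servers = parse_servers(conf)
    resolved = {}
    for zname, body in ZONE_RE.findall(conf):
        entries = [e.strip() for e in body.split(';') if e.strip()]
        resolved[zname] = [servers.get(e, (e, None)) for e in entries]
    return resolved


def unsigned_masters(conf):
    """Report zones whose masters include an address with no TSIG key,
    the case an operator would normally want to catch before deploying."""
    return {z: [addr for addr, key in masters if key is None]
            for z, masters in resolve_masters(conf).items()
            if any(key is None for _, key in masters)}


if __name__ == "__main__":
    for zone, masters in resolve_masters(SAMPLE_CONF).items():
        print(zone, masters)
    print("unsigned:", unsigned_masters(SAMPLE_CONF))
```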