feature consultation -- per-zone initiator-side tsig keys
Mark Andrews
Mark_Andrews at isc.org
Tue Dec 16 20:58:26 UTC 2008
In message <73240.1229439668 at nsa.vix.com>, Paul Vixie writes:
> > I think a better approach may be to allow an (optional) arbitrary symbol
> > name to define servers, in addition to using IP address. So, you could
> > have:
> >
> > server id-foo 67.215.198.150 { keys { ipso; }; };
> > server id-bar 67.215.198.150 { keys { facto; }; };
> >
> > Then you could use these server definition within multiple zones by
> > referring to the server identifier:
> >
> > zone "foo.com" {
> >     type slave;
> >     masters {
> >         id-foo;
> >         ...
> >     }
> >
> > zone "bar.com" {
> >     type slave;
> >     masters {
> >         id-bar;
> >         ...
> >     }
>
> as johani pointed out, there's already a way to do what i want.
>
> > As long as the syntax is being improved, it would be nice if key
> > statements also had the same ability. That is:
> >
> > key id-key "key-name" {
> >     algorithm hmac-md5;
> >     secret "super-secret-data...";
> > }
> >
> > Right now there is no key-id, and the key-name is the unique identifier.
> > However, this is a protocol element. But there is no reason two people
> > could not use the same key-name, for example "sns-tsig", which would not
> > be allowed with the current syntax. Eliminating this potential conflict
> > would reduce the amount of checking and co-ordination required by zone
> > administrators (and people writing software to administer zones).
The TSIG RFC already describes ways to generate names for keys
that will never collide.
> that's a stunningly great idea. (send patches!)
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
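The thread above turns on two points: BIND 9 can already bind a different TSIG key to each slave zone (the `masters { <ip> key "<name>"; };` form Johan pointed Paul at), and key names are protocol elements that should be made globally unique in the way RFC 2845 section 2.3 suggests (`<id>.<hostA>.<hostB>`) rather than by adding a config-local key id. The following script is an added example, not code from the thread or from BIND itself; it renders such a named.conf fragment for two zones whose masters share one IP address (as in the quoted message), derives collision-free key names, and refuses duplicate or dangling key references. The hostnames, IP addresses and base64 secrets are constructed placeholders, and the use of hmac-sha256 assumes a BIND build that supports it.

```python
"""Emit a BIND 9 named.conf fragment with per-zone TSIG keys on the slave side.

Added example (not BIND's code and not from the mailing-list thread). It assumes
only named.conf syntax that already exists in BIND 9:

    key "<name>" { algorithm ...; secret "..."; };
    zone "<zone>" { type slave; masters { <ip> key "<name>"; }; };

plus the RFC 2845 section 2.3 suggestion for globally unique key names
(<id>.<hostA>.<hostB>), which keeps two administrators who both like the
label "sns-tsig" from colliding without any new key-id syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def tsig_key_name(key_id: str, host_a: str, host_b: str) -> str:
    """Build a key name in the <id>.<host_a>.<host_b> form suggested by RFC 2845.

    Host names are normalised to lower case with any trailing dot removed so the
    same pair of hosts always yields the same name; the result is a valid
    domain name and therefore a valid TSIG key name.
    """
    parts = [key_id] + [h.strip().lower().rstrip(".") for h in (host_a, host_b)]
    if not all(parts):
        raise ValueError("key id and both host names must be non-empty")
    return ".".join(parts)


@dataclass(frozen=True)
class TsigKey:
    name: str          # protocol element: must be unique within one named instance
    algorithm: str     # e.g. hmac-sha256 (assumed available in this BIND build)
    secret_b64: str    # base64 shared secret; constructed placeholders only here


@dataclass(frozen=True)
class SlaveZone:
    zone: str
    masters: Tuple[Tuple[str, str], ...]   # (master IP, key name) pairs


def check_key_names(keys: List[TsigKey]) -> Dict[str, TsigKey]:
    """Reject duplicate key names: named will not load two keys with one name."""
    by_name: Dict[str, TsigKey] = {}
    for k in keys:
        if k.name in by_name:
            raise ValueError(f"duplicate TSIG key name: {k.name}")
        by_name[k.name] = k
    return by_name


def render_named_conf(keys: List[TsigKey], zones: List[SlaveZone]) -> str:
    """Render key statements plus per-zone masters, each master with its own key."""
    by_name = check_key_names(keys)
    out: List[str] = []
    for k in keys:
        out.append(f'key "{k.name}" {{')
        out.append(f"    algorithm {k.algorithm};")
        out.append(f'    secret "{k.secret_b64}";')
        out.append("};")
    for z in zones:
        out.append(f'zone "{z.zone}" {{')
        out.append("    type slave;")
        out.append("    masters {")
        for ip, key_name in z.masters:
            # A zone must not reference a key that is not defined above it.
            if key_name not in by_name:
                raise ValueError(f"zone {z.zone} references undefined key {key_name}")
            out.append(f'        {ip} key "{key_name}";')
        out.append("    };")
        out.append("};")
    return "\n".join(out) + "\n"


# Constructed sample: two zones whose masters share one IP address, as in the
# thread, so the key has to be selected per zone rather than per server.
KEY_FOO = TsigKey(tsig_key_name("xfer", "ns1.foo.example", "ns.slave.example"),
                  "hmac-sha256", "Zm9vLWV4YW1wbGUtcGxhY2Vob2xkZXI=")
KEY_BAR = TsigKey(tsig_key_name("xfer", "ns1.bar.example", "ns.slave.example"),
                  "hmac-sha256", "YmFyLWV4YW1wbGUtcGxhY2Vob2xkZXI=")
SAMPLE_ZONES = [
    SlaveZone("foo.example", (("192.0.2.10", KEY_FOO.name),)),
    SlaveZone("bar.example", (("192.0.2.10", KEY_BAR.name),)),
]

if __name__ == "__main__":
    print(render_named_conf([KEY_FOO, KEY_BAR], SAMPLE_ZONES))
```

Because the key name is derived from both endpoints, a second slave operator who also calls their key "xfer" ends up with a different name (their own hostname is part of it), which is the collision Mark's reply says the TSIG RFC already addresses; the duplicate check is there to catch the case where someone hand-edits a name back to a bare label like "sns-tsig".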