Uniqifiers for TSIG keys, was Re: feature consultation -- per-zone initiator-side tsig keys
Mark Andrews
Mark_Andrews at isc.org
Wed Dec 17 11:38:05 UTC 2008
In message <1229511175.9524.71.camel at shane-macbook-pro>, Shane Kerr writes:
> Mark,
>
> On Wed, 2008-12-17 at 07:58 +1100, Mark Andrews wrote:
> > > > As long as the syntax is being improved, it would be nice if key
> > > > statements also had the same ability. That is:
> > > >
> > > > key id-key "key-name" {
> > > > algorithm hmac-md5;
> > > > secret "super-secret-data...";
> > > > }
> > > >
> > > > Right now there is no key-id, and the key-name is the unique identifier.
> > > > However, this is a protocol element. But there is no reason two people
> > > > could not use the same key-name, for example "sns-tsig", which would not
> > > > be allowed with the current syntax. Eliminating this potential conflict
> > > > would reduce the amount of checking and co-ordination required by zone
> > > > administrators (and people writing software to administer zones).
> >
> > The TSIG RFC already describes ways to generate names for keys
> > that will never collide.
>
> Sure, and the BIND ARM describes a different way.
<para>
A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.
</para>
Here are the 4 keys in my named.conf with secrets removed.
key "dv.isc.org.key" {
algorithm "hmac-md5";
};
key "key.dv.isc.org" {
algorithm "hmac-md5";
};
key "example.key" {
algorithm "hmac-md5";
};
key "xfer-key.andrews.wattle.id.au" {
algorithm "hmac-md5";
};
Additionally there is "rndc-key" which is a "well known"
key name.
When you set up a TSIG key between parties you just choose
something that is not currently in use.
> Yet in spite of this, some sysadmins will choose things that are short
> and easy to use. Sure, it's a mistake, but people will do it. Then if
> there is a collision they have to either change their key (meaning they
> have to co-ordinate with all of their secondaries) or they have to
> maintain extra keys (meaning adding a chance of using the wrong key).
>
> There is no need to use the TSIG key name as an identifier within a
> local configuration, even though the RFC basically encourages this (which
> is totally misguided IMHO).
>
> We can make this:
>
> 1. Easier for administrators.
> 2. Harder for administrators.
>
> I know the traditional BIND way is #2, but I am suggesting that perhaps
> in this one case we make an exception and go with #1. :)
Except now you have to remember that id-key is really
key-name. And you also have to remember that key-name is
id-key.
Mark
> --
> Shane
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
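The thread turns on whether TSIG key names collide in practice and whether the name used on the wire should double as the local identifier. As an added illustration (not code from the thread, BIND, or ISC), the following Python snippet parses the key statements out of a named.conf fragment, reports names that appear more than once, and flags short, unqualified names of the "sns-tsig" kind that are the likeliest to clash between parties. The configuration text, the secrets (placeholders) and the list of "well known" names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed named.conf fragment. Secrets are placeholders, not real key material.
SAMPLE_CONF = """
key "dv.isc.org.key" {
    algorithm "hmac-md5";
    secret "PLACEHOLDER_SECRET_1";
};
key "example.key" {
    algorithm "hmac-md5";
    secret "PLACEHOLDER_SECRET_2";
};
key "example.key" {
    algorithm "hmac-sha256";
    secret "PLACEHOLDER_SECRET_3";
};
key "sns-tsig" {
    algorithm "hmac-md5";
    secret "PLACEHOLDER_SECRET_4";
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "PLACEHOLDER_SECRET_5";
};
"""

# One key statement: key "name" { ... };  (quotes around the name are optional)
KEY_RE = re.compile(r'key\s+"?([^"\s{]+)"?\s*\{(.*?)\};', re.S)
# The two fields a key statement carries: algorithm and secret
FIELD_RE = re.compile(r'(algorithm|secret)\s+"?([^";]+)"?\s*;')

# Names that are conventionally reserved (assumption for this example).
WELL_KNOWN = ("rndc-key",)


def canonical(name):
    """TSIG key names are DNS names: compare case-insensitively, ignore the root dot."""
    return name.lower().rstrip(".")


def parse_keys(conf):
    """Return a list of (name, {"algorithm": ..., "secret": ...}) per key statement."""
    keys = []
    for m in KEY_RE.finditer(conf):
        fields = dict(FIELD_RE.findall(m.group(2)))
        keys.append((m.group(1), fields))
    return keys


def duplicate_names(keys):
    """Key names used by more than one statement: a conflict within one configuration."""
    counts = Counter(canonical(name) for name, _ in keys)
    return sorted(n for n, c in counts.items() if c > 1)


def collision_prone(keys):
    """Single-label names (no domain part) that are not well known.

    These carry no owner information, so two unrelated parties can easily
    pick the same one; names like host1-host2.example. avoid that.
    """
    return sorted(
        canonical(name)
        for name, _ in keys
        if "." not in canonical(name) and canonical(name) not in WELL_KNOWN
    )


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_CONF)
    print("keys found:", [name for name, _ in keys])
    print("duplicate names:", duplicate_names(keys))
    print("collision-prone names:", collision_prone(keys))
```

Run against the constructed fragment, the duplicate check reports "example.key" and the collision check reports "sns-tsig"; the secrets are only parsed so that a real configuration can be checked in place, they are never printed.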