Uniqifiers for TSIG keys, was Re: feature consultation -- per-zone initiator-side tsig keys

Mark Andrews Mark_Andrews at isc.org
Wed Dec 17 11:38:05 UTC 2008


In message <1229511175.9524.71.camel at shane-macbook-pro>, Shane Kerr writes:
> Mark,
> 
> On Wed, 2008-12-17 at 07:58 +1100, Mark Andrews wrote: 
> > > > As long as the syntax is being improved, it would be nice if key
> > > > statements also had the same ability. That is:
> > > >         
> > > >         key id-key "key-name" {
> > > >             algorithm hmac-md5;
> > > >             secret "super-secret-data...";
> > > >         }
> > > > 
> > > > Right now there is no key-id, and the key-name is the unique identifier.
> > > > However, this is a protocol element. But there is no reason two people
> > > > could not use the same key-name, for example "sns-tsig", which would not
> > > > be allowed with the current syntax. Eliminating this potential conflict
> > > > would reduce the amount of checking and co-ordination required by zone
> > > > administrators (and people writing software to administer zones).
> > 
> > 	The TSIG RFC already describes ways to generate names for keys
> > 	that will never collide.
> 
> Sure, and the BIND ARM describes a different way.

        <para>
          A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
          An arbitrary key name is chosen: "host1-host2.". The key name must
          be the same on both hosts.
        </para>

	Here are the 4 keys in my named.conf with secrets removed.

key "dv.isc.org.key" {
        algorithm "hmac-md5";
};

key "key.dv.isc.org" {
        algorithm "hmac-md5";
};

key "example.key" {
        algorithm "hmac-md5";
};

key "xfer-key.andrews.wattle.id.au" {
        algorithm "hmac-md5";
};

	Additionally there is "rndc-key" which is a "well known"
	key name.

	When you set up a TSIG key between parties you just choose
	something that is not currently in use.

> Yet in spite of this, some sysadmins will choose things that are short
> and easy to use. Sure, it's a mistake, but people will do it. Then if
> there is a collision the have to either change their key (meaning the
> have to co-ordinate with all of their secondaries) or they have to
> maintain extra keys (meaning adding a chance of using the wrong key).
>
> There is no need to use the TSIG key name as an identifier within a
> local configuration, even though the RFC basically encourages this (whch
> is totally misguided IMHO).
>
> We can make this:
> 
>      1. Easier for administrators.
>      2. Harder for administrators.
> 
> I know the traditional BIND way is #2, but I am suggesting that perhaps
> in this one case we make an exception and go with #1. :)

	Except now you have to remember that id-key is really
	key-name.  And you also have to remember that key-name is
	id-key.

	Mark

> --
> Shane
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the bind-workers mailing list