BIND 10 master, updated. 2adcf03734b609514a665ce58315e71ddb110eb5 Merge branch 'master' of git+ssh://git.bind10.isc.org/var/bind10/git/bind10
BIND 10 source code commits
bind10-changes at lists.isc.org
Wed Sep 26 15:10:33 UTC 2012
The branch, master has been updated
via 2adcf03734b609514a665ce58315e71ddb110eb5 (commit)
via c2a303e6d227217d56d249e132b873b37c36daa7 (commit)
via 52177bb31f5fb8e134aecb9fd039c368684ad2df (commit)
via c714ebe32337bd89ba5209547fc759810c15dd19 (commit)
via 10da91d4dcb3baf1b040864bf60cd89d82a80e8f (commit)
via d0a5d03e219ccb645894c8afe41e1bd548ff83e1 (commit)
via 08162d5b7ef6b101030b71ac0553b237a7c64bd9 (commit)
from 1edc3624622f3ca9f88c8b09e11d257e769b3172 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2adcf03734b609514a665ce58315e71ddb110eb5
Merge: c2a303e 1edc362
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Wed Sep 26 17:10:10 2012 +0200
Merge branch 'master' of git+ssh://git.bind10.isc.org/var/bind10/git/bind10
commit c2a303e6d227217d56d249e132b873b37c36daa7
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Wed Sep 26 16:57:07 2012 +0200
Changelog for #2189
commit 52177bb31f5fb8e134aecb9fd039c368684ad2df
Merge: 06651f1 c714ebe
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Wed Sep 26 16:56:01 2012 +0200
Merge #2189
Conflicts:
ChangeLog
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 4 ++
doc/guide/bind10-guide.xml | 98 ++++++++++++++++++++++++++++++++++++++++----
2 files changed, 95 insertions(+), 7 deletions(-)
-----------------------------------------------------------------------
diff --git a/ChangeLog b/ChangeLog
index 595f8ae..df0e36f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+480. [doc] vorner
+ Added documentation about global TSIG key ring to the Guide.
+ (Trac #2189, git 52177bb31f5fb8e134aecb9fd039c368684ad2df)
+
479. [func] marcin
Refactored perfdhcp tool to C++, added missing unit tests and removed
the old code. The new code uses libdhcp++ (src/lib/dhcp) for DHCP
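Review bot: the ChangeLog entry cites the merge commit (52177bb...) rather than the commit that actually introduced the documentation; that is consistent with how the other entries in this file are written, so this is fine as is, but the Trac reference and the new section id should be kept in sync if the section is renamed later.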
diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml
index a95b0f5..4b2061f 100644
--- a/doc/guide/bind10-guide.xml
+++ b/doc/guide/bind10-guide.xml
@@ -1310,6 +1310,89 @@ TODO
many modules. So we show them here in one place.
</para>
+ <section id='common-tsig'>
+ <title>TSIG keys</title>
+
+ <para>
+ TSIG is a way to sign requests and responses in DNS. It is defined in
+ RFC 2845 and uses symmetric cryptography to sign the DNS messages. If
+ you want to make any use of TSIG (to authenticate transfers or DDNS,
+ for example), you need to set up shared secrets between the endpoints.
+ </para>
+
+ <para>
+ BIND 10 uses a global key ring for the secrets. It doesn't currently
+ mean they would be stored differently, they are just in one place of
+ the configuration.
+ </para>
+
+ <section id='tsig-key-syntax'>
+ <title>Key anatomy and syntax</title>
+
+ <para>
+ Each key has three attributes. One is a name by which it is referred
+ both in DNS packets and the rest of the configuration. Another is the
+ algorithm used to compute the signature. And the last part is a
+ base64 encoded secret, which might be any blob of data.
+ </para>
+
+ <para>
+ The parts are written into a string, concatenated together by colons.
+ So if you wanted to have a key called "example.key", used as a
+ HMAC-MD5 key with secret "secret", you'd write it as:
+<screen>"example.key.:c2VjcmV0:hmac-md5"</screen>
+ </para>
+
+ <para>
+ The HMAC-MD5 algorithm is the default, so you can omit it. You could
+ write the same key as:
+<screen>"example.key.:c2VjcmV0"</screen>
+ </para>
+
+ <para>
+ You can also use these algorithms (which may not be omitted from the
+ key definition if used):
+ <itemizedlist>
+ <listitem>hmac-sha1</listitem>
+ <listitem>hmac-sha224</listitem>
+ <listitem>hmac-sha256</listitem>
+ <listitem>hmac-sha384</listitem>
+ <listitem>hmac-sha512</listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ The name of the key must be a valid DNS name.
+ </para>
+ </section>
+
+ <section id='tsig-key-ring'>
+ <title>Key ring</title>
+ <para>
+ The key ring lives in the configuration in "tsig_keys/keys". Most of
+ the system uses the keys from there — ACLs, authoritative server to
+ sign responses to signed queries, and <command>b10-xfrout</command>
+ to sign transfers. The <command>b10-xfrin</command> uses its own
+ configuration for keys, but that will be fixed in Trac ticket
+ <ulink url="http://bind10.isc.org/ticket/1351">#1351</ulink>.
+ </para>
+
+ <para>
+ The key ring is just a list of strings, each describing one key. So,
+ to add a new key, you can do this:
+ <screen>> <userinput>config add tsig_keys/keys "example.key.:c2VjcmV0"</userinput>
+> <userinput>config show tsig_keys/keys</userinput>
+tsig_keys/keys[0] "example.key.:c2VjcmV0" string (modified)
+> <userinput>config commit</userinput></screen>
+ </para>
+
+ <para>
+ You can keep as many keys as you want in the key ring, but each must
+ have a different name.
+ </para>
+ </section>
+ </section>
+
<section id='common-acl'>
<title>ACLs</title>
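Review bot: the `<itemizedlist>` in the "Key anatomy and syntax" section uses bare `<listitem>hmac-sha1</listitem>` entries; DocBook requires block content inside `<listitem>`, so each should be `<listitem><simpara>hmac-sha1</simpara></listitem>` (or `<para>`), otherwise the guide will fail validation or render inconsistently. Two documentation points in the same hunk: the prose says the key is "called "example.key"" while the example string uses "example.key." with a trailing dot, and the later sentence that the name "must be a valid DNS name" does not say whether the trailing dot is required, so clarify one form and use it consistently. Finally, since the paragraph about the key ring states the secrets are stored in the configuration like any other value, the "base64 encoded secret, which might be any blob of data" sentence should add that the secret ought to be generated randomly with adequate length (the `c2VjcmV0` / "secret" example is for illustration only) and that the configuration holding the key ring must be protected with appropriate file permissions; it would also be worth saying that hmac-md5 is the default for compatibility and that one of the SHA-2 variants listed is preferable for new deployments.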
@@ -1375,9 +1458,9 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
<para>
The other is TSIG key by which the message was signed. The ACL
contains only the name (under the name "key"), the key itself
- must be stored in the global keyring. This property is applicable only
- to the DNS context.
-<!-- TODO: Section for the keyring and link to it.-->
+ must be stored in the global key ring (see <xref
+ linkend="tsig-key-ring"/>).
+ This property is applicable only to the DNS context.
</para>
<para>
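Review bot: the new cross-reference to `tsig-key-ring` replaces the TODO comment correctly; note that the `<xref` element is split across two lines, which is valid XML but differs from the single-line `<xref linkend="..."/>` style used in the other hunks of this file, so consider keeping it on one line for consistency.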
@@ -2151,7 +2234,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
<para>
If you want to require TSIG in access control, a system wide TSIG
- "key ring" must be configured.
+ key ring must be configured (see <xref linkend="tsig-key-ring"/>).
In this example, we allow client matching both the IP address
and key.
</para>
@@ -2161,7 +2244,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
> <userinput>config commit</userinput></screen>
<para>Both <command>b10-xfrout</command> and <command>b10-auth</command>
- will use the system wide keyring to check
+ will use the system wide key ring to check
TSIGs in the incoming messages and to sign responses.</para>
<para>
@@ -2371,11 +2454,12 @@ what is XfroutClient xfr_client??
> <userinput>config commit</userinput>
</screen>
The TSIG key must be configured system wide
- (see <xref linkend="xfrout"/>.)
+ (see <xref linkend="common-tsig"/>).
</para>
<para>
- Full description of ACLs can be found in <xref linkend="common-acl" />.
+ The full description of ACLs can be found in <xref
+ linkend="common-acl" />.
</para>
<note><simpara>
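Review bot: this hunk links to `common-tsig` (the parent section) whereas the two earlier hunks in the same file link to `tsig-key-ring`; since the sentence is specifically about configuring the key system wide, linking to `tsig-key-ring` here as well would be more precise and consistent.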