[bind10-dev] XfrOut questions

Michal 'vorner' Vaner michal.vaner at nic.cz
Tue Jul 12 20:13:55 UTC 2011


Hello

On Tue, Jul 12, 2011 at 01:27:54PM +0800, Jerry wrote:
> > > • Looking at the spec file, it seems XfrOut is using its own TSIG keyring
> > >   instead of the global one. Is there any reason for this?
> 
> Xfrout should be able to configure a TSIG key for each zone; there is a TODO task for it: http://bind10.isc.org/ticket/943. So the spec file will be updated after #943 has been done.

I agree with that, but I think it makes more sense to have one global TSIG
keyring and allow or deny access by per-zone ACL, which will be able to check
which key was used to sign the request, so the admin can put all TSIG shared
secrets in one place and never copy them elsewhere, and then reference them by
their names from within the ACLs.

Does that sound reasonable to you?

With regards

-- 
XML is like violence. If it doesn't solve your problem, use more.

Michal 'vorner' Vaner
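
The design proposed in the message above, sketched as an added example that is not part of the original post and is not BIND 10 code: one global keyring holds every shared secret, and per-zone ACLs refer to keys by name only. All names, data structures and sample values are hypothetical, and a plain HMAC-SHA256 over the request bytes stands in for the full TSIG MAC computation.

```python
import hashlib
import hmac

# Constructed sample data: one global keyring, each secret stored exactly once.
KEYRING = {
    "secondary-a.example.": b"constructed-secret-a",
    "secondary-b.example.": b"constructed-secret-b",
}

# Per-zone ACLs name keys from the keyring; they never contain secrets.
ZONE_ACLS = {
    "example.org.": {"secondary-a.example."},
    "example.net.": {"secondary-a.example.", "secondary-b.example."},
}


def sign(key_name, message):
    """Requester-side helper (simplified stand-in for a TSIG signature)."""
    return hmac.new(KEYRING[key_name], message, hashlib.sha256).digest()


def authorize_xfr(zone, key_name, message, mac):
    """Return (allowed, reason) for a transfer request on `zone`."""
    # Step 1: authentication against the global keyring.
    secret = KEYRING.get(key_name)
    if secret is None or mac is None:
        return False, "unknown key or unsigned request"
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "bad signature"
    # Step 2: authorization. A valid signature is not enough; the zone's
    # ACL must list the name of the key that signed the request.
    # Zones with no ACL entry deny by default.
    if key_name not in ZONE_ACLS.get(zone, set()):
        return False, "key not permitted for zone"
    return True, "ok"
```

Rotating a secret touches only the keyring entry, and revoking a secondary's access to one zone touches only that zone's ACL.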


