[bind10-dev] XfrOut questions

Jerry jerry.zzpku at gmail.com
Wed Jul 13 02:15:41 UTC 2011


> > > > • Looking at the spec file, it seems XfrOut is using its own TSIG keyring
> > > >   instead of the global one. Is there any reason for this?
> >
> > Xfrout should be able to configure TSIG key for each zone, there is a TODO
> > task for it: http://bind10.isc.org/ticket/943. So the spec file will be
> > updated after #943 has been done.
> 
> I agree with that, but I think it makes more sense to have one global TSIG
> keyring and allow or deny access by per-zone ACL, which will be able to check
> which key was used to sign the request, so admin can put all TSIG shared
> secrets at one place and never copy them elsewhere and then reference them by
> their names from within the ACLs.
> 
> Does that sound reasonable to you?

I think it makes sense. It would be easy for admin to manage TSIG shared secrets.

--
Jerry
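
The design discussed in this thread (one global keyring, per-zone ACLs that refer to keys by name) can be sketched as follows. This is an added example, not BIND 10 code and not from the original message: the key names, zone names, secrets and function names are constructed, and the MAC is a plain HMAC-SHA256 over the request bytes rather than the real TSIG wire format.

```python
import hashlib
import hmac

# Constructed sample data: the single global keyring. Each secret lives here only.
KEYRING = {
    "xfr-key-a.": b"constructed-secret-a",
    "xfr-key-b.": b"constructed-secret-b",
}

# Per-zone ACLs reference keys by name; no secret is copied into them.
ZONE_ACLS = {
    "example.com.": {"xfr-key-a."},
    "example.org.": {"xfr-key-a.", "xfr-key-b."},
}


def sign(key_name, message):
    """Simplified stand-in for a TSIG MAC: HMAC-SHA256 over the raw request."""
    return hmac.new(KEYRING[key_name], message, hashlib.sha256).digest()


def authorize_xfr(zone, key_name, message, mac):
    """Return (allowed, reason) for a signed zone transfer request."""
    secret = KEYRING.get(key_name)
    if secret is None:
        return False, "unknown key"
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    # The signature only proves which key was used; the zone ACL decides access.
    # A zone with no ACL entry denies by default.
    if key_name not in ZONE_ACLS.get(zone, set()):
        return False, "key not permitted for zone"
    return True, "ok"


if __name__ == "__main__":
    request = b"AXFR example.com."
    for key in ("xfr-key-a.", "xfr-key-b."):
        print(key, authorize_xfr("example.com.", key, request, sign(key, request)))
```
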