BIND 10 #931: Implement signing part in b10-auth
BIND 10 Development
do-not-reply at isc.org
Thu May 19 08:15:46 UTC 2011
#931: Implement signing part in b10-auth
-------------------------------------+-------------------------------------
            Reporter:  vorner         |  Owner:  jinmei
                Type:  task           |  Status:  reviewing
            Priority:  major          |  Milestone:  Sprint-20110531
           Component:  Unclassified   |  Resolution:
            Keywords:                 |  Sensitive:  0
     Defect Severity:  N/A            |  Sub-Project:  DNS
Feature Depending on Ticket:  tsig    |  Estimated Difficulty:  0.0
Add Hours to Ticket:  0               |  Total Hours:  0
           Internal?:  0              |
-------------------------------------+-------------------------------------
Comment (by jinmei):
Replying to [comment:4 vorner]:
As for changelog:
The proposed changelog is:
{{{
Authoritative server can now sign the answers using TSIG (configured in
tsig_keys/keys, list of strings like "name:c2VjcmV0Cg==:sha1-hmac").
It doesn't use them for ACL yet, only signs if the request is signed.
}}}
I'd use an hmac-md5 example, omitting the algorithm, because this
format isn't compatible with BIND 9 dig and could be confusing. Also,
I would try to do something so that people naively copy this secret to
their configuration (e.g., using a bogus string like <base64-secret>
or adding a note that "this secret is example only; don't copy it to
your configuration" (although it may sound too verbose)).
Also, "only signs if the request is signed." is not 100% correct. I'd
say "only verifies the request if it's signed and sends signed
responses" or something (but this point is minor; it's up to you).
--
Ticket URL: <http://bind10.isc.org/ticket/931#comment:9>
BIND 10 Development <http://bind10.isc.org>
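The key-string format discussed in this ticket (name:base64secret[:algorithm]) and the "verify the request if it's signed, send a signed response" behaviour, as an added Python example; it is not code from the ticket or from BIND 10 itself. It assumes that an omitted algorithm means hmac-md5 (the BIND 9 dig -y convention) and, for brevity, computes the MAC over a caller-supplied byte string rather than the full TSIG digest input.

```python
import base64
import hashlib
import hmac
# Algorithm names accepted in the key string.  When the third field is omitted
# the key defaults to hmac-md5, as BIND 9's "dig -y" does (assumed here).
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1,
              "hmac-sha256": hashlib.sha256}

def canonical_name(name):
    return name.lower().rstrip(".") + "."  # DNS names: case-insensitive, dotted

def parse_tsig_key(entry):
    """Parse one tsig_keys/keys entry of the form name:base64secret[:algorithm]."""
    parts = entry.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected name:secret[:algorithm], got {entry!r}")
    algorithm = parts[2].lower() if len(parts) == 3 else "hmac-md5"
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm {algorithm!r}")
    try:  # validate=True rejects non-base64 characters instead of skipping them
        secret = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:
        raise ValueError(f"secret for {parts[0]!r} is not valid base64") from exc
    return canonical_name(parts[0]), secret, algorithm

def load_keyring(entries):
    """Build {name: (secret, algorithm)} from the configured list of strings."""
    return {n: (s, a) for n, s, a in map(parse_tsig_key, entries)}

def compute_mac(keyring, key_name, data):
    # Simplified: the MAC covers the given bytes, not the full TSIG digest input.
    secret, algorithm = keyring[canonical_name(key_name)]
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()

def respond(keyring, request_key, request_mac, request_bytes, response_bytes):
    """Verify a signed request and sign the response with the same key; an
    unsigned request (request_key is None) gets an unsigned response."""
    if request_key is None:
        return None
    if canonical_name(request_key) not in keyring:
        raise ValueError("BADKEY: request signed with an unknown key")
    expected = compute_mac(keyring, request_key, request_bytes)
    if not hmac.compare_digest(expected, request_mac):
        raise ValueError("BADSIG: request MAC does not verify")
    return compute_mac(keyring, request_key, response_bytes)

# Constructed sample entries; the secret is made up here and is not a real key.
SAMPLE_SECRET = base64.b64encode(b"constructed-example-secret").decode()
SAMPLE_KEYS = [f"example.org.:{SAMPLE_SECRET}",  # no algorithm -> hmac-md5
               f"key2.example.:{SAMPLE_SECRET}:hmac-sha256"]
```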