bindctl syntax for Xfrout TSIG keys
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Wed Feb 1 18:25:39 UTC 2012
At Tue, 31 Jan 2012 21:08:10 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:
> > For an even longer term, a single unified key configuration should be used by all applications as (I think) we discussed before.
>
> I have no problem with frequent changes to the configuration syntax and backward incompatibilities. I intend to do clean installs from virtual "bare metal" with each bind10 development release and Ubuntu operating system release, and I will alter my installation and configuration checklist as needed.
Thanks for your patience:-)
> From my perspective, it would be a better long term solution if there were a global key management module and key store that all the bind10 modules would utilize. This is true not only from the perspective of ease of administration but also in the event that certain users wanted or needed to use a hardware security module for key storage.
Right, I think we are on the same page.
> Meanwhile more consistency in the configuration mechanisms would be nice. For example, in the Xfrout module, Xfrout/zone_config appears to be an indexed list, zero-based, of zone configurations. You can say "config add Xfrout\zone_config" to append an element to the list, and you can manipulate list elements by referring to their indices. However, from what I can tell by trial and error, Xfrout\tsig_key_ring, which is also a list, doesn't work this way. You can't say, for example, "config add Xfrout\tsig_key_ring" to append to the list of keys. You have to replace the entire list with a new one instead.
I see, we'll need to see whether there was a technical reason why the
TSIG key configuration was different from zone configuration in
xfrout, but in general I agree the interface to admin should be as
consistent as possible.
> When you create the ticket, would you please let me know the ticket number so that I can follow this issue? Thanks. Jeff.
The ticket is #1643: http://bind10.isc.org/ticket/1643
I proposed it for a task in the next sprint (a two-week development
cycle starting next Tuesday).
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.