bindctl syntax for Xfrout TSIG keys

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Jan 31 21:08:10 UTC 2012


> For immediate experiment, you'll need to adjust your configuration so that it matches what the implementation expects (of course).  For a bit longer term, I personally think the syntax for both auth and xfrout should be consistent (the former is currently using the global TSIG key configuration with the syntax of "tsig_keys").  I plan to create a ticket for that.  Unfortunately, that would introduce backward incompatibility and you'll need to adjust your configuration once again.  I hope you can accept the inconvenience, considering the current maturity of BIND 10.

> For an even longer term, a single unified key configuration should be used by all applications as (I think) we discussed before.

I have no problem with frequent changes to the configuration syntax and backward incompatibilities. I intend to do clean installs from virtual "bare metal" with each bind10 development release and Ubuntu operating system release, and I will alter my installation and configuration checklist as needed.

From my perspective, it would be a better long term solution if there were a global key management module and key store that all the bind10 modules would utilize. This is true not only from the perspective of ease of administration but also in the event that certain users wanted or needed to use a hardware security module for key storage.

Meanwhile more consistency in the configuration mechanisms would be nice. For example, in the Xfrout module, Xfrout/zone_config appears to be an indexed list, zero-based, of zone configurations. You can say "config add Xfrout\zone_config" to append an element to the list, and you can manipulate list elements by referring to their indices. However, from what I can tell by trial and error, Xfrout\tsig_key_ring, which is also a list, doesn't work this way. You can't say, for example, "config add Xfrout\tsig_key_ring" to append to the list of keys. You have to replace the entire list with a new one instead.

When you create the ticket, would you please let me know the ticket number so that I can follow this issue. Thanks. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



