document the key-directory option
document SIG(0) support.
parent
d83b5cb4c8
commit
10e99ae4b5
2 changed files with 34 additions and 9 deletions
|
|
@ -16,7 +16,7 @@
|
|||
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: nsupdate.docbook,v 1.8.2.3 2003/07/22 04:03:36 marka Exp $ -->
|
||||
<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.1 2003/08/13 04:30:15 marka Exp $ -->
|
||||
|
||||
<refentry>
|
||||
<refentryinfo>
|
||||
|
|
@ -81,10 +81,10 @@ made and the replies received from the name server.
|
|||
<para>
|
||||
Transaction signatures can be used to authenticate the Dynamic DNS
|
||||
updates.
|
||||
These use the TSIG resource record type described in RFC2845.
|
||||
The signatures rely on a shared secret that should only be known to
|
||||
<command>nsupdate</command>
|
||||
and the name server.
|
||||
These use the TSIG resource record type described in RFC2845 or the
|
||||
SIG(0) record described in RFC3535 and RFC2931.
|
||||
TSIG relies on a shared secret that should only be known to
|
||||
<command>nsupdate</command> and the name server.
|
||||
Currently, the only supported encryption algorithm for TSIG is
|
||||
HMAC-MD5, which is defined in RFC 2104.
|
||||
Once other algorithms are defined for TSIG, applications will need to
|
||||
|
|
@ -99,6 +99,8 @@ statements would be added to
|
|||
so that the name server can associate the appropriate secret key
|
||||
and algorithm with the IP address of the
|
||||
client application that will be using TSIG authentication.
|
||||
SIG(0) uses public key cryptography. To use a SIG(0) key, the public
|
||||
key must be stored in a KEY record in a zone served by the name server.
|
||||
<command>nsupdate</command>
|
||||
does not read
|
||||
<filename>/etc/named.conf</filename>.
|
||||
|
|
@ -109,8 +111,8 @@ uses the
|
|||
<option>-y</option>
|
||||
or
|
||||
<option>-k</option>
|
||||
option to provide the shared secret needed to generate a TSIG record
|
||||
for authenticating Dynamic DNS update requests.
|
||||
option (with an HMAC-MD5 key) to provide the shared secret needed to generate
|
||||
a TSIG record for authenticating Dynamic DNS update requests.
|
||||
These options are mutually exclusive.
|
||||
With the
|
||||
<option>-k</option>
|
||||
|
|
@ -144,6 +146,11 @@ This may be visible in the output from
|
|||
or in a history file maintained by the user's shell.
|
||||
</para>
|
||||
<para>
|
||||
The <option>-k</option> may also be used to specify a SIG(0) key used
|
||||
to authenticate Dynamic DNS update requests. In this case, the key
|
||||
specified is not an HMAC-MD5 key.
|
||||
</para>
|
||||
<para>
|
||||
By default
|
||||
<command>nsupdate</command>
|
||||
uses UDP to send update requests to the name server.
|
||||
|
|
@ -537,6 +544,9 @@ base-64 encoding of HMAC-MD5 key created by
|
|||
<refentrytitle>RFC2535</refentrytitle>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>RFC2931</refentrytitle>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
|
||||
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.6 2003/08/11 05:58:17 marka Exp $ -->
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.7 2003/08/13 04:30:15 marka Exp $ -->
|
||||
|
||||
<book>
|
||||
<title>BIND 9 Administrator Reference Manual</title>
|
||||
|
|
@ -2622,6 +2622,7 @@ statement in the <filename>named.conf</filename> file:</para>
|
|||
<optional> version <replaceable>version_string</replaceable>; </optional>
|
||||
<optional> hostname <replaceable>hostname_string</replaceable>; </optional>
|
||||
<optional> directory <replaceable>path_name</replaceable>; </optional>
|
||||
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
|
||||
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
|
||||
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
|
||||
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
|
||||
|
|
@ -2710,7 +2711,7 @@ statement in the <filename>named.conf</filename> file:</para>
|
|||
</programlisting>
|
||||
</sect2>
|
||||
|
||||
<sect2><title><command>options</command> Statement Definition and Usage</title>
|
||||
<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
|
||||
|
||||
<para>The <command>options</command> statement sets up global options
|
||||
to be used by <acronym>BIND</acronym>. This statement may appear only
|
||||
|
|
@ -2752,6 +2753,13 @@ to `<filename>.</filename>', the directory from which the server
|
|||
was started. The directory specified should be an absolute path.</para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><command>key-directory</command></term>
|
||||
<listitem><para>When performing dynamic update of secure zones, the
|
||||
directory where the public and private key files should be found,
|
||||
if different than the current working directory. The directory specified
|
||||
must be an absolute path.</para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><command>named-xfer</command></term>
|
||||
<listitem><para><emphasis>This option is obsolete.</emphasis>
|
||||
It was used in <acronym>BIND</acronym> 8 to
|
||||
|
|
@ -4178,6 +4186,7 @@ Statement Grammar</title>
|
|||
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
|
||||
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
|
||||
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
|
||||
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
|
||||
|
||||
}</optional>;
|
||||
</programlisting>
|
||||
|
|
@ -4487,6 +4496,12 @@ See the description in <xref linkend="tuning"/>.
|
|||
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><command>key-directory</command></term>
|
||||
<listitem><para>See the description of
|
||||
<command>key-directory</command> in <xref linkend="options"/></para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
|
||||
</variablelist>
|
||||
|
||||
</sect3>
|
||||
|
|
|
|||