Mirror of https://gitlab.isc.org/isc-projects/bind9, synced 2025-08-31 14:35:26 +00:00
document SIG(0) support.
@@ -16,7 +16,7 @@
|
||||
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: nsupdate.docbook,v 1.9 2001/11/27 18:55:20 gson Exp $ -->
|
||||
<!-- $Id: nsupdate.docbook,v 1.10 2002/01/29 23:30:12 bwelling Exp $ -->
|
||||
|
||||
<refentry>
|
||||
<refentryinfo>
|
||||
@@ -81,10 +81,10 @@ made and the replies received from the name server.
|
||||
<para>
|
||||
Transaction signatures can be used to authenticate the Dynamic DNS
|
||||
updates.
|
||||
These use the TSIG resource record type described in RFC2845.
|
||||
The signatures rely on a shared secret that should only be known to
|
||||
<command>nsupdate</command>
|
||||
and the name server.
|
||||
These use the TSIG resource record type described in RFC2845 or the
|
||||
SIG(0) record described in RFC3535 and RFC2931.
|
||||
TSIG relies on a shared secret that should only be known to
|
||||
<command>nsupdate</command> and the name server.
|
||||
Currently, the only supported encryption algorithm for TSIG is
|
||||
HMAC-MD5, which is defined in RFC 2104.
|
||||
Once other algorithms are defined for TSIG, applications will need to
|
||||
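Review bot: "RFC3535" in the new sentence "SIG(0) record described in RFC3535 and RFC2931" looks like a typo for RFC2535, which is the number the SEE ALSO list cites further down in this patch. Please correct it so the body text and the reference list agree. While this paragraph is open, the unchanged line calling HMAC-MD5 an "encryption algorithm" could say "authentication algorithm", since the paragraph itself describes TSIG as authenticating updates, not encrypting them.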
@@ -99,6 +99,8 @@ statements would be added to
|
||||
so that the name server can associate the appropriate secret key
|
||||
and algorithm with the IP address of the
|
||||
client application that will be using TSIG authentication.
|
||||
SIG(0) uses public key cryptography. To use a SIG(0) key, the public
|
||||
key must be stored in a KEY record in a zone served by the name server.
|
||||
<command>nsupdate</command>
|
||||
does not read
|
||||
<filename>/etc/named.conf</filename>.
|
||||
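Review bot: the two SIG(0) sentences are inserted between the TSIG explanation of key and server statements and the existing "nsupdate does not read /etc/named.conf", so the named.conf remark now reads as if it follows from SIG(0). Consider giving the SIG(0) text its own para after the TSIG discussion. "A zone served by the name server" is also loose; if the KEY record's owner name or zone is constrained, say so here.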
@@ -109,8 +111,8 @@ uses the
|
||||
<option>-y</option>
|
||||
or
|
||||
<option>-k</option>
|
||||
option to provide the shared secret needed to generate a TSIG record
|
||||
for authenticating Dynamic DNS update requests.
|
||||
option (with an HMAC-MD5 key) to provide the shared secret needed to generate
|
||||
a TSIG record for authenticating Dynamic DNS update requests.
|
||||
These options are mutually exclusive.
|
||||
With the
|
||||
<option>-k</option>
|
||||
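Review bot: the parenthetical "(with an HMAC-MD5 key)" follows "-y or -k option", so it is unclear whether it qualifies both options or only -k. Since a later hunk says -k can also take a SIG(0) key, wording such as "the -y option, or the -k option with an HMAC-MD5 key" would make the scope explicit.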
@@ -144,6 +146,11 @@ This may be visible in the output from
|
||||
or in a history file maintained by the user's shell.
|
||||
</para>
|
||||
<para>
|
||||
The <option>-k</option> may also be used to specify a SIG(0) key used
|
||||
to authenticate Dynamic DNS update requests. In this case, the key
|
||||
specified is not an HMAC-MD5 key.
|
||||
</para>
|
||||
<para>
|
||||
By default
|
||||
<command>nsupdate</command>
|
||||
uses UDP to send update requests to the name server.
|
||||
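Review bot: the new paragraph defines the SIG(0) key only by negation ("the key specified is not an HMAC-MD5 key") and does not say what -k should point to in that case. State what the key is, tying it to the KEY record mentioned in the earlier hunk, and add the missing noun in "The -k may also be used" so it reads "The -k option may also be used".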
@@ -537,6 +544,9 @@ base-64 encoding of HMAC-MD5 key created by
|
||||
<refentrytitle>RFC2535</refentrytitle>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>RFC2931</refentrytitle>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||