diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml index fcb55fe826..4b2061f2f3 100644 --- a/doc/guide/bind10-guide.xml +++ b/doc/guide/bind10-guide.xml @@ -1332,14 +1332,14 @@ TODO Each key has three attributes. One is a name by which it is referred both in DNS packets and the rest of the configuration. Another is the - algorithm used to compute the signature. And the last part is base64 - encoded secret, which might be any blob of data. + algorithm used to compute the signature. And the last part is a + base64 encoded secret, which might be any blob of data. The parts are written into a string, concatenated together by colons. - So if you wanted to have a key called "example.key", used as HMAC-MD5 - key with secret "secret", you'd write it as: + So if you wanted to have a key called "example.key", used as a + HMAC-MD5 key with secret "secret", you'd write it as: "example.key.:c2VjcmV0:hmac-md5" 
@@ -1370,25 +1370,25 @@ TODO Key ring The key ring lives in the configuration in "tsig_keys/keys". Most of - the system uses the keys from there ‒ ACLs, authoritative server to - sign responses to signed queries, the b10-xfrout + the system uses the keys from there — ACLs, authoritative server to + sign responses to signed queries, and b10-xfrout to sign transfers. The b10-xfrin uses its own - configuration for keys, but that will be fixed in track ticket + configuration for keys, but that will be fixed in Trac ticket #1351. The key ring is just a list of strings, each describing one key. So, to add a new key, you can do this: - > config add tsig_keyring/keys "example.key.:c2VjcmV0" -> config show tsig_keyring/keys + > config add tsig_keys/keys "example.key.:c2VjcmV0" +> config show tsig_keys/keys tsig_keys/keys[0] "example.key.:c2VjcmV0" string (modified) > config commit - You can keep as many keys as you want in the key ring, but they must - have a different name each. + You can keep as many keys as you want in the key ring, but each must + have a different name. @@ -1458,8 +1458,9 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ] The other is TSIG key by which the message was signed. The ACL contains only the name (under the name "key"), the key itself - must be stored in the global key ring. This - property is applicable only to the DNS context. + must be stored in the global key ring (see ). + This property is applicable only to the DNS context. @@ -2233,7 +2234,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default) If you want to require TSIG in access control, a system wide TSIG - key ring must be configured. + key ring must be configured (see ). In this example, we allow client matching both the IP address and key. 
@@ -2243,7 +2244,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default) > config commit Both b10-xfrout and b10-auth - will use the system wide keyring to check + will use the system wide key ring to check TSIGs in the incoming messages and to sign responses. @@ -2453,11 +2454,12 @@ what is XfroutClient xfr_client?? > config commit The TSIG key must be configured system wide - (see .) + (see ). - Full description of ACLs can be found in . + The full description of ACLs can be found in .
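Review bot: in the @@ -1332 hunk, "used as a HMAC-MD5 key" should read "used as an HMAC-MD5 key"; HMAC is read letter by letter ("aitch-mac"), so the indefinite article is "an". The hunk is otherwise fine: "c2VjcmV0" is indeed the base64 encoding of "secret", so the example string matches the prose.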
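Review bot: the @@ -1370 hunk correctly changes the config path from "tsig_keyring/keys" to "tsig_keys/keys" (the "config show" output already reported "tsig_keys/keys[0]", so the old add command could never have produced it), but the example key "example.key.:c2VjcmV0" still has only two colon-separated parts, while the key-format paragraph patched in the first hunk says a key has three attributes and shows "example.key.:c2VjcmV0:hmac-md5". Either add ":hmac-md5" to the add command here, or state in the key-format paragraph that the algorithm part may be omitted and which algorithm is assumed when it is; as written, a reader cannot tell which algorithm the key ring entry will use.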
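Review bot: the @@ -1458 hunk replaces the sentence break with a cross-reference that renders here only as "(see )", so the link text is not visible in this diff; please confirm the xref's linkend resolves to the key ring section ("tsig_keys/keys") and not to the ACL or b10-xfrout sections. The same check applies to the identical "(see )" insertions in the @@ -2233 and @@ -2453 hunks, since all three are meant to point readers at where the TSIG key must be stored.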