mirror of
https://gitlab.isc.org/isc-projects/kea
synced 2025-08-30 13:37:55 +00:00
[2189] various minor changes
minor grammar or wording changes
use mdash xml entity instead of unicode character
fix typo for Trac
fix example out of the configuration name
use xref tag instead of link tag (so reference is not lost in non-hyperlink document)
keyring to key ring
fix punctuation (mistake in original)
minor grammar (mistake also in original)
@@ -1332,14 +1332,14 @@ TODO
|
|||||||
<para>
|
<para>
|
||||||
Each key has three attributes. One is a name by which it is referred
|
Each key has three attributes. One is a name by which it is referred
|
||||||
both in DNS packets and the rest of the configuration. Another is the
|
both in DNS packets and the rest of the configuration. Another is the
|
||||||
algorithm used to compute the signature. And the last part is base64
|
algorithm used to compute the signature. And the last part is a
|
||||||
encoded secret, which might be any blob of data.
|
base64 encoded secret, which might be any blob of data.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
The parts are written into a string, concatenated together by colons.
|
The parts are written into a string, concatenated together by colons.
|
||||||
So if you wanted to have a key called "example.key", used as HMAC-MD5
|
So if you wanted to have a key called "example.key", used as a
|
||||||
key with secret "secret", you'd write it as:
|
HMAC-MD5 key with secret "secret", you'd write it as:
|
||||||
<screen>"example.key.:c2VjcmV0:hmac-md5"</screen>
|
<screen>"example.key.:c2VjcmV0:hmac-md5"</screen>
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
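Review bot: The attribute order given in the first paragraph of this hunk (name, algorithm, secret) does not match the order in the <screen> example, "example.key.:c2VjcmV0:hmac-md5", which is name, secret, algorithm. Because the following paragraph says the parts are "concatenated together by colons", a reader will assume the prose order and write the key string the wrong way round. List the attributes in the order they appear in the string, or state the order explicitly next to the example. While this line is being reworded, "base64 encoded secret" would also read better hyphenated as "base64-encoded secret".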
@@ -1370,25 +1370,25 @@ TODO
|
|||||||
<title>Key ring</title>
|
<title>Key ring</title>
|
||||||
<para>
|
<para>
|
||||||
The key ring lives in the configuration in "tsig_keys/keys". Most of
|
The key ring lives in the configuration in "tsig_keys/keys". Most of
|
||||||
the system uses the keys from there ‒ ACLs, authoritative server to
|
the system uses the keys from there — ACLs, authoritative server to
|
||||||
sign responses to signed queries, the <command>b10-xfrout</command>
|
sign responses to signed queries, and <command>b10-xfrout</command>
|
||||||
to sign transfers. The <command>b10-xfrin</command> uses its own
|
to sign transfers. The <command>b10-xfrin</command> uses its own
|
||||||
configuration for keys, but that will be fixed in track ticket
|
configuration for keys, but that will be fixed in Trac ticket
|
||||||
<ulink url="http://bind10.isc.org/ticket/1351">#1351</ulink>.
|
<ulink url="http://bind10.isc.org/ticket/1351">#1351</ulink>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
The key ring is just a list of strings, each describing one key. So,
|
The key ring is just a list of strings, each describing one key. So,
|
||||||
to add a new key, you can do this:
|
to add a new key, you can do this:
|
||||||
<screen>> <userinput>config add tsig_keyring/keys "example.key.:c2VjcmV0"</userinput>
|
<screen>> <userinput>config add tsig_keys/keys "example.key.:c2VjcmV0"</userinput>
|
||||||
> <userinput>config show tsig_keyring/keys</userinput>
|
> <userinput>config show tsig_keys/keys</userinput>
|
||||||
tsig_keys/keys[0] "example.key.:c2VjcmV0" string (modified)
|
tsig_keys/keys[0] "example.key.:c2VjcmV0" string (modified)
|
||||||
> <userinput>config commit</userinput></screen>
|
> <userinput>config commit</userinput></screen>
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
You can keep as many keys as you want in the key ring, but they must
|
You can keep as many keys as you want in the key ring, but each must
|
||||||
have a different name each.
|
have a different name.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
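Review bot: The corrected line config add tsig_keys/keys "example.key.:c2VjcmV0" still shows a two-part key string with no algorithm, while the format paragraph in the hunk at -1332 describes three colon-separated parts. Either use the three-part form in this example or add a sentence saying that the algorithm part may be omitted and what is used when it is. The path fix itself is good: the commands now agree with the "tsig_keys/keys" name in the paragraph above and in the config show output.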
@@ -1458,8 +1458,9 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
|
|||||||
<para>
|
<para>
|
||||||
The other is TSIG key by which the message was signed. The ACL
|
The other is TSIG key by which the message was signed. The ACL
|
||||||
contains only the name (under the name "key"), the key itself
|
contains only the name (under the name "key"), the key itself
|
||||||
must be stored in the global <link linkend="tsig-key-ring">key ring</link>. This
|
must be stored in the global key ring (see <xref
|
||||||
property is applicable only to the DNS context.
|
linkend="tsig-key-ring"/>).
|
||||||
|
This property is applicable only to the DNS context.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
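Review bot: Grammar on the unchanged first lines of this paragraph is left untouched even though the paragraph is being edited: "The other is TSIG key" is missing an article, and "contains only the name (under the name "key"), the key itself must be stored" is a comma splice. Suggest "The other is the TSIG key by which the message was signed" and starting a new sentence at "The key itself must be stored in the global key ring". The switch from link to xref is fine.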
@@ -2233,7 +2234,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
|
|||||||
|
|
||||||
<para>
|
<para>
|
||||||
If you want to require TSIG in access control, a system wide TSIG
|
If you want to require TSIG in access control, a system wide TSIG
|
||||||
<link linkend='tsig-key-ring'>key ring</link> must be configured.
|
key ring must be configured (see <xref linkend="tsig-key-ring"/>).
|
||||||
In this example, we allow client matching both the IP address
|
In this example, we allow client matching both the IP address
|
||||||
and key.
|
and key.
|
||||||
</para>
|
</para>
|
||||||
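Review bot: The unchanged sentence "In this example, we allow client matching both the IP address and key" needs an article or plural, for example "we allow a client matching both the IP address and the key". Since the commit is a grammar pass over this paragraph, it would be worth fixing here. It also helps to say explicitly that both conditions must match, because this is the sentence that tells the operator how the transfer ACL is restricted.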
@@ -2243,7 +2244,7 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
|
|||||||
> <userinput>config commit</userinput></screen>
|
> <userinput>config commit</userinput></screen>
|
||||||
|
|
||||||
<para>Both <command>b10-xfrout</command> and <command>b10-auth</command>
|
<para>Both <command>b10-xfrout</command> and <command>b10-auth</command>
|
||||||
will use the system wide keyring to check
|
will use the system wide key ring to check
|
||||||
TSIGs in the incoming messages and to sign responses.</para>
|
TSIGs in the incoming messages and to sign responses.</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
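Review bot: The new line "will use the system wide key ring to check" keeps "system wide" unhyphenated as a compound modifier; "system-wide key ring" is the usual form. The same wording appears in the hunks at -2233 ("a system wide TSIG key ring") and -2453 ("configured system wide"), so it should be settled once and applied consistently.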
@@ -2453,11 +2454,12 @@ what is XfroutClient xfr_client??
|
|||||||
> <userinput>config commit</userinput>
|
> <userinput>config commit</userinput>
|
||||||
</screen>
|
</screen>
|
||||||
The TSIG key must be configured system wide
|
The TSIG key must be configured system wide
|
||||||
(see <xref linkend="common-tsig"/>.)
|
(see <xref linkend="common-tsig"/>).
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
Full description of ACLs can be found in <xref linkend="common-acl" />.
|
The full description of ACLs can be found in <xref
|
||||||
|
linkend="common-acl" />.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<note><simpara>
|
<note><simpara>
|
||||||
|
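Review bot: The cross-reference in "(see <xref linkend="common-tsig"/>)" points at a different target from the other TSIG key ring references touched by this commit, which all use linkend="tsig-key-ring". If the intent is to send the reader to the key ring configuration, use the same target here, or confirm that the broader common-tsig section is meant. Minor style point: this hunk writes <xref linkend="common-acl" /> with a space before the slash while the other xref tags in the commit have none.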