[nsd-users] nsd-xfer using TSIG - read_tsig_key_data()
Matthijs Mekking
matthijs at NLnetLabs.nl
Tue Feb 16 09:38:55 UTC 2010
Hi Paul,
This info is explained in the README file ;).
But fair enough, I agree that a useful pointer could also be in the manpage.
Best regards,
Matthijs
Paul Wouters wrote:
>
> Hi,
>
> I was trying to use nsd-xfer with TSIG, and it took quite some time to figure
> out, as the man page only mentions it is in the form of "tsiginfo".
>
> I tested and it did not seem to be the same format as a key: section in the
> nsd.conf file (Feature request: use the same format as the key: clause)
>
> Looking through the source, I was confused about the simplicity of the
> ahum "parser" :)
>
> read_tsig_key_data() is called with a file pointer and is supposed to
> return the tsig_key_type.
>
> It uses tsig_read_line(), a small routine to read and strip a line.
>
> The first line read is ignored; apparently it thinks this might contain
> the IP address, which is not used, as that is specified on the command line
> to nsd-xfer. It would be a good candidate to go.
>
> The second line reads the key name and runs it through dname_parse(), I
> guess to verify the keyname is a valid RRlabel, then stores it.
>
> The third line reads the key algorithm. Then it runs atoi() on it, so I
> guess me specifying "hmac-md5" was wrong. Looking at RFC 2845 didn't give
> me the answer, but apparently I was looking for "157" if I can trust
> tsig.h (and testing shows I can).
>
> I would have sent a patch if the man pages were kept in XML format, but
> since writing in roff is only barely more fun than stabbing yourself in
> the eye, you will have to accept this "diff" in text form:
>
> old text:
>
> -T tsiginfo
>     Use TSIG to verify the zone transfer. The tsiginfo file must
>     contain the TSIG key information. The file is removed upon
>     successful reading of the key.
>
> new text:
>
> -T tsiginfo
>     Use TSIG to verify the zone transfer. The tsiginfo file must
>     contain the TSIG key information and is removed upon successful
>     reading of the key. The file must contain exactly four lines
>     containing the following items in this specific order:
>
>     <comment>
>     <keyname>
>     <tsig algorithm number>
>     <tsig secret in base64>
>
>     The keyname must be a valid RRlabel (alphanumeric, dots and "-" only).
>     Currently supported tsig algorithms are 157 (hmac-md5), 158 (hmac-sha1)
>     and 159 (hmac-sha256).
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
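A strict reader for the four-line tsiginfo layout Paul describes above, added here as an example; it is not part of the original thread and not NSD's own code. It takes the line order and the algorithm numbers 157, 158 and 159 from the post (NSD's tsig.h numbering, not the IANA algorithm names); the validation rules, the TsigKey / parse_tsiginfo / check_tsiginfo / is_valid_keyname names and the sample file are this example's own assumptions. It goes slightly beyond the post by rejecting the non-numeric "hmac-md5" spelling that atoi() would quietly turn into 0, and by showing the parsed key used to compute and check an HMAC.

```python
"""Strict parser for the four-line "tsiginfo" file that nsd-xfer -T reads.

Constructed example, not NSD's own code. The line order and the algorithm
numbers 157/158/159 are as described in the mailing-list post (NSD's tsig.h
numbering, not the IANA registry); the validation rules are this example's
own choices and are stricter than the atoi()-based reader described there.
"""
import base64
import binascii
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Algorithm numbers and names as listed in the post (NSD's internal numbering).
TSIG_ALGORITHMS = {
    157: ("hmac-md5", hashlib.md5),
    158: ("hmac-sha1", hashlib.sha1),
    159: ("hmac-sha256", hashlib.sha256),
}

# One DNS label as the post describes it: alphanumerics and "-" only.
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


class TsigInfoError(ValueError):
    """Raised when the tsiginfo file does not match the expected layout."""


@dataclass(frozen=True)
class TsigKey:
    name: str            # key name, normalised to a fully-qualified lowercase name
    algorithm: int       # numeric algorithm id from the file (157, 158 or 159)
    algorithm_name: str  # human-readable name, e.g. "hmac-md5"
    secret: bytes        # decoded shared secret

    def mac(self, data: bytes) -> bytes:
        """HMAC of `data` under this key, using the algorithm's digest."""
        digest = TSIG_ALGORITHMS[self.algorithm][1]
        return hmac.new(self.secret, data, digest).digest()

    def verify(self, data: bytes, mac: bytes) -> bool:
        """Constant-time comparison of a received MAC against the expected one."""
        return hmac.compare_digest(self.mac(data), mac)


def is_valid_keyname(name: str) -> bool:
    """Key name check per the post: labels of alphanumerics and '-' joined by dots."""
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    return 0 < len(name) <= 255 and all(_LABEL_RE.match(label) for label in labels)


def parse_tsiginfo(text: str) -> TsigKey:
    """Parse: <comment>, <keyname>, <algorithm number>, <base64 secret>."""
    lines = [line.strip() for line in text.splitlines()]
    while lines and lines[-1] == "":   # tolerate a trailing blank line only
        lines.pop()
    if len(lines) != 4:
        raise TsigInfoError(f"expected exactly 4 lines, got {len(lines)}")
    _comment, keyname, alg_text, secret_b64 = lines   # line 1 is ignored, as in nsd-xfer

    if not is_valid_keyname(keyname):
        raise TsigInfoError(f"invalid key name {keyname!r}")
    name = keyname.lower()
    if not name.endswith("."):
        name += "."

    # atoi("hmac-md5") would silently yield 0; insist on a decimal number instead.
    if not alg_text.isdigit():
        raise TsigInfoError(
            f"algorithm must be numeric (157/158/159), got {alg_text!r}")
    algorithm = int(alg_text)
    if algorithm not in TSIG_ALGORITHMS:
        raise TsigInfoError(f"unsupported algorithm number {algorithm}")

    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise TsigInfoError(f"secret is not valid base64: {exc}") from exc
    if not secret:
        raise TsigInfoError("secret is empty")

    return TsigKey(name, algorithm, TSIG_ALGORITHMS[algorithm][0], secret)


def check_tsiginfo(text: str) -> Optional[str]:
    """Return None if `text` parses, otherwise the parser's error message."""
    try:
        parse_tsiginfo(text)
    except TsigInfoError as exc:
        return str(exc)
    return None


# Constructed sample file (not a real key): comment, key name, algorithm, secret.
SAMPLE_TSIGINFO = """\
key for transfers from 192.0.2.1 (this line is ignored)
xfer-key.example
157
c2VjcmV0LWtleS1tYXRlcmlhbA==
"""

if __name__ == "__main__":
    key = parse_tsiginfo(SAMPLE_TSIGINFO)
    print(key.name, key.algorithm_name, len(key.secret), "secret bytes")
    print("rejects hmac-md5:", check_tsiginfo(SAMPLE_TSIGINFO.replace("157", "hmac-md5")))
```

Feeding the parser a file whose third line says "hmac-md5" gives a clear error instead of an algorithm number of 0, which is the failure Paul ran into; the base64 step uses validate=True so a mistyped secret is rejected rather than being silently decoded to the wrong key material.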