Asymmetric keys with rndc-confgen?
Mark Andrews
Mark_Andrews at isc.org
Wed Jan 17 06:08:22 UTC 2007
> Every time I've seen rndc-conf generate an hmac-md5 key, the text of the
> key has been the same everywhere.
rndc uses a *shared* secret.
> Yesterday, using 9.3.3 (I believe), I got the following result (at the
> end of this).
Which should be impossible given how it is printed.
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
algorithm hmac-md5;\n\
secret \"%.*s\";\n\
};\n\
\n\
options {\n\
default-key \"%s\";\n\
default-server %s;\n\
default-port %d;\n\
};\n\
# End of rndc.conf\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
# algorithm hmac-md5;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
# controls {\n\
# inet %s port %d\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
keyname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
keyname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
}
> Is there some syntax that will cause a public/private key by default
> with rndc.confgen?
No.
> Note: this is not the key I am using, the one I am using IS the same in
> both rndc.conf and the bind include file.
>
> (PS: Maybe asymmetric is not the right word?)
>
> -Dan
>
>
> # Start of rndc.conf
> key "rndc-key" {
> algorithm hmac-md5;
> secret "NlUtbtQyzxVpfQ51W1jEu+UsBN0A3vXs4K2d5Ob0Tzs=";
> };
>
> options {
> default-key "rndc-key";
> default-server 127.0.0.1;
> default-port 953;
> };
> # End of rndc.conf
>
> # Use with the following in named.conf, adjusting the allow list as needed:
> # key "rndc-key" {
> # algorithm hmac-md5;
> # secret "K5YfO1+dX5ku5sXjzSrJyw==";
> # };
> #
> # controls {
> # inet 127.0.0.1 port 953
> # allow { 127.0.0.1; } keys { "rndc-key"; };
> # };
> # End of named.conf
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
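
Added example, not part of the original message and not BIND code: a Python check that the live key clause (rndc.conf) and the commented key clause (named.conf) in rndc-confgen output carry the same shared secret, run on the two key clauses from the output quoted above. The function names are this example's own.

```python
import base64
import hmac
import re

# Added example; names are this example's own, not BIND's.
# Matches: key "name" { algorithm X; secret "base64"; };
KEY_RE = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')

def parse_keys(text, commented):
    """Return {name: (algorithm, secret_bytes)}. commented=False reads the live
    rndc.conf lines; commented=True reads the '#'-prefixed named.conf half."""
    picked = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") == commented:
            picked.append(line.lstrip("# "))
    return {name: (alg.lower(), base64.b64decode(secret, validate=True))
            for name, alg, secret in KEY_RE.findall("\n".join(picked))}

def check_shared_secret(text):
    """List (key, problem, rndc_len, named_len) for every rndc.conf key whose
    named.conf counterpart is missing or does not match."""
    client, server = parse_keys(text, False), parse_keys(text, True)
    problems = []
    for name, (alg, secret) in client.items():
        s_alg, s_secret = server.get(name, (None, b""))
        if s_alg is None:
            problem = "no matching key in named.conf"
        elif alg != s_alg:
            problem = "algorithm mismatch"
        elif not hmac.compare_digest(secret, s_secret):
            problem = "secret mismatch"
        else:
            continue
        problems.append((name, problem, len(secret), len(s_secret)))
    return problems

# Key clauses from the output quoted in the message (stated there not to be in use).
QUOTED_KEYS = '''\
key "rndc-key" {
    algorithm hmac-md5;
    secret "NlUtbtQyzxVpfQ51W1jEu+UsBN0A3vXs4K2d5Ob0Tzs=";
};
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "K5YfO1+dX5ku5sXjzSrJyw==";
# };
'''
```

check_shared_secret(QUOTED_KEYS) reports a secret mismatch for "rndc-key", with decoded lengths of 32 and 16 bytes.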