Format of 'dig -k' "TSIG key file"?

Mark Elkins mje at posix.co.za
Fri Jul 31 11:43:58 UTC 2009


On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote:

> What does work is:
> 	dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone
> but I really, really find this not altogether pleasant.

This gets a bit more funky when you are not using the default
key-algorithm of hmac-md5 - which you probably should not be using any
more...

> Plus, I'm curious to know what 'dig -k' really wants to see.

Uses the original key files... fine on the machine that they were created
on - but there are always at least two machines involved with any one
key!

I've been thinking about this.
I'd like to see intelligence that allows 'dig' to look inside the
'named.conf' file (following any "include" statements) for the same key
info that 'named' uses.

Why: The '-y' option is used with zone transfers. That usually means
someone is setting up a secondary and trying to get TSIG to work. They
probably have already set up key stanzas in the config file - so trying
to use those keys would help debugging? They can always fall back to
providing the full tuple of info for the '-y' option.

If only the key-name is specified with the '-y' option, dig should then
know to look for a matching "key" stanza in the "named-config-file".
This would at least avoid the need to have the key-secret on the
command line (along with the correct key-algorithm).

dig -C named-config-file ('c' is already used) - tells dig to look
elsewhere for the config file.

-- 
  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
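As an added example (not code from Mark's mail or from BIND), a Python sketch of the lookup he proposes: read the key stanzas out of a named.conf (following include statements, and not looping on a self-include), then build the -y value with the hmac algorithm prefix that dig needs once the key is not hmac-md5. The config text, file path and secrets are constructed for the example.

```python
import re

# named.conf syntax handled: key "name" { algorithm X; secret "Y"; }; and include "file";
KEY_RE = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{([^}]*)\}\s*;', re.S)
FIELD_RE = re.compile(r'\b(algorithm|secret)\s+"?([^";\s]+)"?\s*;')
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
# Strip /* */, // (only at a token start, so a base64 secret containing // survives) and # comments.
COMMENT_RE = re.compile(r'/\*.*?\*/|(?:^|(?<=\s))//[^\n]*|#[^\n]*', re.S | re.M)

def load_keys(text, read_include=None, _seen=None):
    """Return {name: (algorithm, secret)} for every key stanza in named.conf text.
    read_include (path -> text) is used to follow include statements; None ignores them."""
    seen = _seen if _seen is not None else set()
    text = COMMENT_RE.sub('', text)
    keys = {}
    for name, body in KEY_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        if 'algorithm' in fields and 'secret' in fields:
            keys[name.rstrip('.')] = (fields['algorithm'].lower(), fields['secret'])
    for path in INCLUDE_RE.findall(text):
        if read_include is None or path in seen:
            continue                      # no reader, or an include loop
        seen.add(path)
        keys.update(load_keys(read_include(path) or '', read_include, seen))
    return keys

def dig_y_arg(keys, keyname):
    """dig's -y value is [hmac:]name:secret; the hmac prefix is what you must
    add by hand once the key is not the hmac-md5 default, so always emit it."""
    name = keyname.rstrip('.')
    alg, secret = keys[name]
    return f"{alg}:{name}:{secret}"

def dig_axfr_command(keys, keyname, zone, server):
    """The argv for the zone transfer typed by hand in the thread."""
    return ["dig", "-y", dig_y_arg(keys, keyname), "axfr", zone, f"@{server}"]

# Constructed sample config (not a real deployment); the keys live in an included file.
MAIN_CONF = '''
// constructed named.conf
include "/etc/bind/keys.conf";
zone "example.zone" { type master; file "db.example"; allow-transfer { key "mynet."; }; };
'''
INCLUDED = {'/etc/bind/keys.conf': '''
key "mynet." { algorithm hmac-sha256; secret "c2VjcmV0LWZvci1leGFtcGxl"; };  # constructed
key "legacy" { algorithm hmac-md5; secret "b2xkc2VjcmV0"; };
include "/etc/bind/keys.conf";  /* self-include: must not loop forever */
'''}
```

Calling `load_keys(MAIN_CONF, INCLUDED.get)` and then `dig_axfr_command(keys, "mynet.", "example.zone", "other.example.zone")` yields the argv for the transfer without the secret ever being typed by hand.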
