Testing RFC 5011 key roll

Evan Hunt each at isc.org
Mon Apr 20 20:33:39 UTC 2015


On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
> That page says (for BIND):
> "Note: When using this config file you will probably need to delete
> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys*
> every time you restart BIND after missing a keyroll." (I'm not quite
> sure how that filename was derived...)

The misguided idea was to make a filename that would be unique for
each view, but not to use the view name because those can contain
characters that are illegal in file names (e.g., '/').  So it's a
sha256 hash of the view name, which is guaranteed to be a legal file
name because it's all hexadecimal.  It's also guaranteed to be maximally
confusing.

As of BIND 9.10, it doesn't name files that way anymore.  It'll still
read an existing file using that naming format if it finds one, though.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
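As an added illustration of the naming scheme Evan describes (not code from the thread or from BIND), the snippet below derives the legacy hashed file name for a view and maps a directory listing of such files back to the configured views, so that a stale keys file left behind by a renamed or removed view stands out. It assumes the view name is hashed as its raw UTF-8 bytes with no trailing newline; the view names and listing are constructed sample data.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Pre-9.10 BIND named the managed-keys file after the SHA-256 hex digest of
# the view name, plus ".mkeys" (64 hex chars, so always a legal file name).
# The ".mkeys*" in the quoted note suggests companion files with a further
# suffix, so the pattern tolerates one.
LEGACY_MKEYS_RE = re.compile(r"^([0-9a-f]{64})\.mkeys(\..+)?$")


def legacy_mkeys_filename(view_name: str) -> str:
    """Return the hashed .mkeys file name an older BIND would use for a view.

    Assumption: the hash input is the raw UTF-8 view name, nothing appended.
    """
    digest = hashlib.sha256(view_name.encode("utf-8")).hexdigest()
    return digest + ".mkeys"


def map_legacy_mkeys(view_names: Iterable[str],
                     filenames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hashed .mkeys-style file name to the view it belongs to.

    Files whose digest matches no configured view map to None: that is the
    lingering-file case where a view was renamed or dropped but its keys
    file (and possibly stale trust anchors) remains on disk.
    """
    digest_to_view = {
        hashlib.sha256(v.encode("utf-8")).hexdigest(): v for v in view_names
    }
    result: Dict[str, Optional[str]] = {}
    for name in filenames:
        match = LEGACY_MKEYS_RE.match(name)
        if match:  # non-matching names such as named.conf are ignored
            result[name] = digest_to_view.get(match.group(1))
    return result


if __name__ == "__main__":
    # Constructed sample: '/' is legal in a view name but not in a file name.
    views = ["_default", "internal", "dmz/guest"]
    listing = [legacy_mkeys_filename(v) for v in views]
    listing += [legacy_mkeys_filename("old-view") + ".jnl", "named.conf"]
    for fname, view in map_legacy_mkeys(views, listing).items():
        print(fname, "->", view if view else "(no matching view)")
```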


More information about the bind-users mailing list