# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"
+
+# TSIG keys
+# tsig-key:
+# # The key name is sent to the other party, it must be the same
+# name: "keyname"
+# # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
+# algorithm: sha256
+# # secret material, must be the same as the other party uses.
+# # base64 encoded random number.
+# # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
+# secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
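Review bot: the algorithm list in the `# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512` comment spells the first algorithm `hmac-md5`, while the rst page in the same change lists it as `md5`; use one spelling in both places (or say explicitly that both are accepted) so a reader copying the example gets a value the parser takes. The sample `secret: "K2tf3TRjvQkVCmJF3/Z9vA=="` decodes to 16 bytes, but the generation command two lines above it (`dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64`) produces 32 bytes; either regenerate the sample with that command or drop the literal value, otherwise a reader who copies the line ends up with a weaker key than the comment implies. Also worth one line here noting that hmac-md5 is kept only for interoperability with old peers and that sha256 (the value shown) should be the default choice.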
If no tags are specified the policies from this clause will be applied for
all clients.
+.. _unbound.conf.tsig-key:
+
+TSIG Key Options
+^^^^^^^^^^^^^^^^^
+
+The **tsig-key:** clauses specify the TSIG keys that are used.
+There can be multiple **tsig-key:** clauses, with each specifying a
+different key.
+Each key has a name, algorithm and secret key material.
+
+TSIG keys are shared secrets.
+Both sides of the connection share the secret information.
+Also they must both use the same name for the key, and same algorithm.
+
+With ``include: "key.conf"`` it is possible to put the declaration of the key
+or some lines of it in an external file from the main configuration file.
+It can also be used without such an include, with it the config statements
+and key material can be put in separate files.
+
+
+@@UAHL@unbound.conf.tsig-key@name@@: *"<key name>"*
+ Name of the TSIG key.
+ The key name is transferred in DNS wireformat in the TSIG record, and
+ is used to reference the TSIG key from where it is configured to be used.
+
+
+@@UAHL@unbound.conf.tsig-key@algorithm@@: *<algorithm name>*
+ Name of the algorithm to use with this TSIG key.
+ This can be md5, sha1, sha224, sha256, sha384 or sha512.
+
+
+@@UAHL@unbound.conf.tsig-key@secret@@: *"<base64 blob>"*
+ The secret contents is a base64 string.
+ A way to get random base64 bytes is e.g.
+ from ``dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64``
+
Memory Control Example
----------------------
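Review bot: the `include: "key.conf"` paragraph is hard to follow; "It can also be used without such an include, with it the config statements and key material can be put in separate files" reads as contradicting the sentence before it. Suggest stating the two options plainly: the `tsig-key:` clause can be written inline in the main configuration, or placed in a separate file pulled in with `include:`, which lets the secret be kept apart from the rest of the configuration. Since the secret is a shared credential, add a sentence recommending that such a file be readable only by the user Unbound runs as. Under `@@UAHL@unbound.conf.tsig-key@algorithm@@` the list `md5, sha1, sha224, sha256, sha384 or sha512` disagrees with the `hmac-md5` spelling used in the example.conf comment; state the exact accepted spellings. "The secret contents is a base64 string" should read "The secret is a base64 string". The `name:` description says the key name "is used to reference the TSIG key from where it is configured to be used" without saying which options reference it; a cross-reference to those options would help readers find them.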