tcp-primaries-timeout 150;\n\
tcp-receive-buffer 0;\n\
tcp-send-buffer 0;\n\
-# tkey-domain <none>\n\
# tkey-gssapi-credential <none>\n\
transfer-message-size 20480;\n\
transfers-in 10;\n\
dns_tkeyctx_create(mctx, &tctx);
- obj = NULL;
- result = cfg_map_get(options, "tkey-domain", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_constinit(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- name = dns_fixedname_initname(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, 0));
- tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
- dns_name_init(tctx->domain);
- dns_name_dup(name, mctx, tctx->domain);
- }
-
obj = NULL;
result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
if (result == ISC_R_SUCCESS) {
principal which the server can acquire through the default system key
file, normally ``/etc/krb5.keytab``. The location of the keytab file can be
overridden using the :any:`tkey-gssapi-keytab` option. Normally this
- principal is of the form ``DNS/server.domain``. To use
- GSS-TSIG, :any:`tkey-domain` must also be set if a specific keytab is
- not set with :any:`tkey-gssapi-keytab`.
-
-.. namedconf:statement:: tkey-domain
- :tags: security
- :short: Sets the domain appended to the names of all shared keys generated with ``TKEY``.
-
- This domain is appended to the names of all shared keys generated with
- ``TKEY``. When a client requests a ``TKEY`` exchange, it may or may
- not specify the desired name for the key. If present, the name of the
- shared key is ``client-specified part`` + :any:`tkey-domain`.
- Otherwise, the name of the shared key is ``random hex digits``
- + :any:`tkey-domain`. In most cases, the ``domainname``
- should be the server's domain name, or an otherwise nonexistent
- subdomain like ``_tkey.domainname``. If using GSS-TSIG,
- this variable must be defined, unless a specific keytab
- is indicated using :any:`tkey-gssapi-keytab`.
+ principal is of the form ``DNS/server.domain``.
.. namedconf:statement:: dump-file
:tags: logging
tcp-primaries-timeout <integer>;
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
- tkey-domain <quoted_string>;
+ tkey-domain <quoted_string>; // obsolete
tkey-gssapi-credential <quoted_string>; // deprecated
tkey-gssapi-keytab <quoted_string>;
tls-port <integer>;
#define DNS_TKEYMODE_DELETE 5
struct dns_tkeyctx {
- dns_name_t *domain;
dns_gss_cred_id_t gsscred;
isc_mem_t *mctx;
char *gssapi_keytab;
*tctxp = NULL;
mctx = tctx->mctx;
- if (tctx->domain != NULL) {
- if (dns_name_dynamic(tctx->domain)) {
- dns_name_free(tctx->domain, mctx);
- }
- isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
- }
if (tctx->gssapi_keytab != NULL) {
isc_mem_free(mctx, tctx->gssapi_keytab);
}
ring));
break;
case DNS_TKEYMODE_GSSAPI:
- /*
- * For non-delete operations we do this:
- *
- * if (qname != ".")
- * keyname = qname + defaultdomain
- * else
- * keyname = <random hex> + defaultdomain
- */
- if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
- {
- tkey_log("dns_tkey_processquery: tkey-domain not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
-
keyname = dns_fixedname_initname(&fkeyname);
if (!dns_name_equal(qname, dns_rootname)) {
{ "tcp-receive-buffer", &cfg_type_uint32, 0 },
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
- { "tkey-domain", &cfg_type_qstring, 0 },
+ { "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
{ "tkey-gssapi-credential", &cfg_type_qstring,
CFG_CLAUSEFLAG_DEPRECATED },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
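Review bot: An existing named.conf that still sets `tkey-domain` will, as far as I understand `CFG_CLAUSEFLAG_OBSOLETE`, keep loading with only a warning while the value is ignored, so the change in TKEY key naming reaches operators without a hard failure, and the entry at the changed line gives no hint why. The neighbouring entries show the other stages (`tkey-gssapi-credential` is `CFG_CLAUSEFLAG_DEPRECATED`, `tkey-dhkey` is `CFG_CLAUSEFLAG_ANCIENT`), but this option moves from flag `0` straight to obsolete. I would add a comment above the entry, for example `/* obsolete: TKEY key names are no longer suffixed with a configured domain */`. The release notes should also tell operators to review anything that matches on the old suffixed key names, such as log searches or key-name based policy. The clause table starts and ends outside this hunk.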