From: W.C.A. Wijngaards Date: Fri, 13 Jun 2025 14:32:36 +0000 (+0200) Subject: - xfr-tsig, man page and example config. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31e8118b760d6a5cb5755820b7573932f172790d;p=thirdparty%2Funbound.git - xfr-tsig, man page and example config. --- diff --git a/doc/example.conf.in b/doc/example.conf.in index a85b58de4..12b8379eb 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1418,3 +1418,14 @@ remote-control: # rpz-signal-nxdomain-ra: no # for-downstream: no # tags: "example" + +# TSIG keys +# tsig-key: +# # The key name is sent to the other party, it must be the same +# name: "keyname" +# # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512 +# algorithm: sha256 +# # secret material, must be the same as the other party uses. +# # base64 encoded random number. +# # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 +# secret: "K2tf3TRjvQkVCmJF3/Z9vA==" diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst index 80a62309d..cc5f246b3 100644 --- a/doc/unbound.conf.rst +++ b/doc/unbound.conf.rst 
@@ -4934,6 +4934,42 @@ The RPZ zones can be configured in the config file with these settings in the If no tags are specified the policies from this clause will be applied for all clients. +.. _unbound.conf.tsig-key: + +TSIG Key Options +^^^^^^^^^^^^^^^^^ + +The **tsig-key:** clauses specify the TSIG keys that are used. +There can be multiple **tsig-key:** clauses, with each specifying a +different key. +Each key has a name, algorithm and secret key material. + +TSIG keys are shared secrets. +Both sides of the connection share the secret information. +Also they must both use the same name for the key, and same algorithm. + +With ``include: "key.conf"`` it is possible to put the declaration of the key +or some lines of it in an external file from the main configuration file. +It can also be used without such an include, with it the config statements +and key material can be put in separate files. + + +@@UAHL@unbound.conf.tsig-key@name@@: *""* + Name of the TSIG key. + The key name is transferred in DNS wireformat in the TSIG record, and + is used to reference the TSIG key from where it is configured to be used. + + +@@UAHL@unbound.conf.tsig-key@algorithm@@: ** + Name of the algorithm to use with this TSIG key. + This can be md5, sha1, sha224, sha256, sha384 or sha512. + + +@@UAHL@unbound.conf.tsig-key@secret@@: *""* + The secret contents is a base64 string. + A way to get random base64 bytes is e.g. + from ``dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64`` + Memory Control Example ----------------------
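Review bot: In the example.conf.in hunk the sample `secret: "K2tf3TRjvQkVCmJF3/Z9vA=="` decodes to 16 bytes, while the comment two lines above tells users to generate 32 bytes with `dd ... bs=32`; for `algorithm: sha256` a 32-byte secret matches the hash output length, so the placeholder should be a 32-byte value (or be visibly marked as a placeholder) to avoid teaching a shorter key than the comment recommends. The `dd if=/dev/random of=/dev/stdout count=1 bs=32` recipe is also fragile: `count=1` counts a single read, and a read from /dev/random can return fewer than 32 bytes, silently yielding a short key. `head -c 32 /dev/urandom | base64` or `openssl rand -base64 32` gives a fixed-length result and drops the redundant `of=/dev/stdout`. Finally, the comment names the algorithm as `hmac-md5` but the rst hunk documents the values as `md5, sha1, ...`; pick one spelling for both files so readers know whether the `hmac-` prefix is accepted.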
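Review bot: In the unbound.conf.rst hunk the default shown for `@@UAHL@unbound.conf.tsig-key@algorithm@@: **` is an empty emphasis, which is invalid reStructuredText and will render as a literal `**`; the `name` and `secret` entries use `*""*`, so either give the same form here or state the actual default (if sha256 is assumed, as in the example config, say so). The description for `name` says the key "is used to reference the TSIG key from where it is configured to be used" without naming which configuration option does the referencing; since the commit subject is "xfr-tsig", a cross-reference to that option would make the section usable on its own. Two wording fixes: "The secret contents is a base64 string" should read "The secret is a base64 string", and the sentence "It can also be used without such an include, with it the config statements and key material can be put in separate files." contradicts itself; suggested: "The key can also be declared directly in the main configuration; the include is only needed when the secret is to be kept in a separate file with tighter permissions."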