From: Francis Dupont
Date: Wed, 27 Mar 2024 10:20:52 +0000 (+0100)
Subject: [#3133] Checkpoint
X-Git-Tag: Kea-2.5.8~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=998d8276696fecc828a251a6781e59f3fb71ce09;p=thirdparty%2Fkea.git
[#3133] Checkpoint
---
diff --git a/doc/examples/ddns/all-keys.json b/doc/examples/ddns/all-keys.json
index 6907d178fe..bcb4735d98 100644
--- a/doc/examples/ddns/all-keys.json
+++ b/doc/examples/ddns/all-keys.json
@@ -138,6 +138,14 @@
 // Secret of the TSIG key (required) in base-64.
 "secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ },
+ {
+ "name": "d2.sha1.key",
+ "algorithm": "HMAC-SHA1",
+
+ // An alternative to secret: specify a file where the secret
+ // can be found. i.e. the secret is the content of the file.
+ "secret-file": "/tmp/d2-sha1-secret"
 }
 ],
diff --git a/doc/examples/ddns/sample1.json b/doc/examples/ddns/sample1.json
index 4c8190ea03..4d8148bc29 100644
--- a/doc/examples/ddns/sample1.json
+++ b/doc/examples/ddns/sample1.json
@@ -134,6 +134,11 @@
 "algorithm": "HMAC-SHA1",
 "secret": "hRrp29wzUv3uzSNRLlY68w=="
 },
+ {
+ "name": "d2.sha256.key",
+ "algorithm": "HMAC-SHA256",
+ "secret-file": "/tmp/d2-sha256-secret"
+ },
 {
 "name": "d2.sha512.key",
 "algorithm": "HMAC-SHA512",
diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst
index 9b3464e827..bab8c96a65 100644
--- a/doc/sphinx/arm/ddns.rst
+++ b/doc/sphinx/arm/ddns.rst
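Review bot: The new `secret-file` entry in all-keys.json points at `/tmp/d2-sha1-secret`, a world-writable directory where any local user can pre-create or replace the file before kea-dhcp-ddns reads it, which undercuts the "alternative to secret" this example is meant to demonstrate; since users copy these examples, it should use a path in the Kea configuration directory, e.g. `"secret-file": "/etc/kea/d2-sha1-secret"`. The comment above the option should also state what the hunk leaves implicit: the file must be readable only by the user the daemon runs as (mode 0600 or similar) and must hold the base64 secret exactly as it would appear in `secret`. Nothing in this hunk shows how the file is read, so whether a trailing newline left by `echo > file` is tolerated cannot be confirmed here; if it is not, a comment saying so would save a confusing TSIG verification failure. The same `/tmp` path is used in the sample1.json hunk.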
@@ -408,6 +408,10 @@ Every entry in the list has three parameters:
 key. This value is case-sensitive and must exactly match the value specified on the DNS server(s). It is a base64-encoded text value.
+- ``secret-file`` - since Kea 2.5.8 a more secure alternative is supported:
+ specify a file name where the secret can be found, i.e. the base64-encoded
+ secret is the content of the file.
+
 As an example, suppose that a domain D2 will be updating is maintained by a BIND 9 DNS server, which requires dynamic updates to be secured with TSIG. Suppose further that the entry for the TSIG key in BIND 9's
diff --git a/src/bin/d2/tests/d2_simple_parser_unittest.cc b/src/bin/d2/tests/d2_simple_parser_unittest.cc
index b02aa91a75..75bdd9cf46 100644
--- a/src/bin/d2/tests/d2_simple_parser_unittest.cc
+++ b/src/bin/d2/tests/d2_simple_parser_unittest.cc
@@ -91,7 +91,7 @@ bool checkKey(TSIGKeyInfoPtr key, const std::string& name,
 (key->getName() == name) &&
 (key->getAlgorithm() == algorithm) &&
 (key->getDigestbits() == digestbits) &&
- (key->getSecret() == secret) &&
+ (key->getSecret() == secret) &&
 (key->getTSIGKey())));
 }
@@ -508,7 +508,7 @@ public:
 void addKey(const std::string& name, const std::string& algorithm,
 const std::string& secret) {
 TSIGKeyInfoPtr key_info(new TSIGKeyInfo(name, algorithm, secret));
- (*keys_)[name]=key_info;
+ (*keys_)[name] = key_info;
 }
 /// @brief Adds DDNS Domain values to the given DDNS Domain element
diff --git a/src/bin/d2/tests/parser_unittest.cc b/src/bin/d2/tests/parser_unittest.cc
index 40779beb86..15b82af56d 100644
--- a/src/bin/d2/tests/parser_unittest.cc
+++ b/src/bin/d2/tests/parser_unittest.cc
@@ -298,7 +298,7 @@ TEST(ParserTest, file) {
 configs.push_back("sample1.json");
 configs.push_back("template.json");
- for (int i = 0; i