From: Pieter Lexis Date: Tue, 20 Dec 2016 18:24:52 +0000 (+0100) Subject: Document TSIG commands in pdnsutil X-Git-Tag: rec-4.1.0-alpha1~349^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1ee4ad6af4889e737a59243fe14a4e7913d42ad;p=thirdparty%2Fpdns.git Document TSIG commands in pdnsutil --- diff --git a/docs/manpages/pdnsutil.1.md b/docs/manpages/pdnsutil.1.md index 621bf1b224..c6ea009001 100644 --- a/docs/manpages/pdnsutil.1.md +++ b/docs/manpages/pdnsutil.1.md @@ -146,6 +146,9 @@ delete-tsig-key *NAME* generate-tsig-key *NAME* *ALGORITHM* : Generate new TSIG key with name *NAME* and the specified algorithm. +import-tsig-key *NAME* *ALGORITHM* *KEY* +: Import *KEY* of the specified algorithm as *NAME*. + ## ZONE MANIPULATION COMMANDS create-zone *ZONE* : Create an empty zone named *ZONE*. diff --git a/docs/markdown/authoritative/tsig.md b/docs/markdown/authoritative/tsig.md index fd487707f7..2ecacefa63 100644 --- a/docs/markdown/authoritative/tsig.md +++ b/docs/markdown/authoritative/tsig.md @@ -12,7 +12,7 @@ where X is 224, 256, 384 or 512. The content is a Base64-encoded secret. **Note**: Most backends require DNSSEC support enabled to support TSIG. For the Generic SQL Backend make sure to use the DNSSEC enabled schema and to turn on -the relevant '-dnssec' flag (for example, gmysql-dnssec)! +the relevant '-dnssec' flag (for example, `gmysql-dnssec`)! ## Provisioning outbound AXFR access To actually provision a named secret permission to AXFR a zone, set a metadata 
@@ -28,6 +28,13 @@ insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-AXF $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' ``` +Another of importing and activating TSIG keys into the database is using [`pdnsutil`](../manpages/pdnsutil.1.md): + +``` +pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' +pdnsutil activate-tsig-key powerdnssec.org test master +``` + To ease interoperability, the equivalent configuration above in BIND would look like this: ``` @@ -63,6 +70,13 @@ select id from domains where name='powerdnssec.org'; insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test'); ``` +This can also be done using [`pdnsutil`](../manpages/pdnsutil.1.md): + +``` +pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' +pdnsutil activate-tsig-key powerdnssec.org test slave +``` + This setup corresponds to the `TSIG-ALLOW-AXFR` access rule defined in the previous section. In the interest of interoperability, the configuration above is (not quite)
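Review bot: In the pdnsutil.1.md hunk, the new `import-tsig-key *NAME* *ALGORITHM* *KEY*` entry does not say what form *KEY* must take; the tsig.md text in this same commit states that the content is a Base64-encoded secret, so the manpage should say "Import the Base64-encoded *KEY* of the specified algorithm as *NAME*." and point at where the accepted *ALGORITHM* names (hmac-md5, hmac-shaX with X 224, 256, 384 or 512) are listed, otherwise a reader of the manpage alone has to guess the encoding.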
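Review bot: Style point on the tsig.md @@ -12 hunk: only the example `gmysql-dnssec` is moved into backticks while the generic `'-dnssec'` flag name on the same line keeps single quotes; for consistency use backticks for both, e.g. "the relevant `-dnssec` flag (for example, `gmysql-dnssec`)!".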
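Review bot: The added sentence in the @@ -28 hunk is missing a word: "Another of importing and activating TSIG keys" should read "Another way of importing and activating TSIG keys". Since the example passes the secret as a command-line argument (`pdnsutil import-tsig-key test hmac-md5 'kp4/...'`), it would also help to add a sentence noting that the key then ends up in the shell history and is visible in the process list while the command runs, so on shared hosts the SQL route or `generate-tsig-key` may be preferable.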
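Review bot: The @@ -63 hunk repeats the identical `pdnsutil import-tsig-key test hmac-md5 '...'` line that the outbound-AXFR section above already runs; a reader working through both sections would import the same key twice. Suggest either dropping the import line here and referring back to the earlier section, or prefixing it with "if the key is not yet in the database" so only `pdnsutil activate-tsig-key powerdnssec.org test slave` is presented as the new step.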