From: Stephen Morris Date: Mon, 26 May 2014 12:48:05 +0000 (+0100) Subject: [3432] Miscellaneous modifications to DHCP-DDNS documentation made during review X-Git-Tag: trac3434_base~20^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16bd0ab7a3c4dab658b83b6f931275da12256a95;p=thirdparty%2Fkea.git [3432] Miscellaneous modifications to DHCP-DDNS documentation made during review --- diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml index 273ce6c94c..d65e0fba8b 100644 --- a/doc/guide/bind10-guide.xml +++ b/doc/guide/bind10-guide.xml @@ -5302,29 +5302,32 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section.
TSIG Key List - DDNS protocol can be conducted with or without TSIG as defined in - RFC 2845. This configuration section allows the administrator to - define the dictionary of TSIG keys which may be used. To use TSIG - when working with a specific DDNS Domain that key must be defined in - the TSIG Key List and referenced by name in that domain's configuration - entry. - - When the domain D2 has matched to a change request has a TSIG key - associated with it, D2 will use that key to sign DNS update messages - sent to and verify repsonses received from DNS server(s). For each TSIG - key required by the DNS servers that D2 will be working with there must - be a corresponding TSIG key in the TSIG Key list. - + A DDNS protocol exchange can be conducted with or without TSIG + (defined in RFC + 2845). This configuration section allows the administrator + to define the set of TSIG keys that may be used in such + exchanges. + + To use TSIG when updating entries in a DNS Domain, + a key must be defined in the TSIG Key List and referenced by + name in that domain's configuration entry. When D2 matches a + change request to a domain, it checks whether the domain has + a TSIG key associated with it. If so, D2 will use that key to + sign DNS update messages sent to and verify repsonses received + from the domain's DNS server(s). For each TSIG key required by + the DNS servers that D2 will be working with there must be a + corresponding TSIG key in the TSIG Key list. + - As one might gather from its name, this section is a list of - TSIG keys. Each entry describes a TSIG key used by one or - more DNS servers to authenticate requests and sign responses. - Each entry has three parameters: + As one might gather from the name, the tsig_key section of the + D2 configuration lists the TSIG keys. Each entry describes a + TSIG key used by one or more DNS servers to authenticate requests + and sign responses. Every entry in the list has three parameters: name — - is a unique text label used to identify this key within the + a unique text label used to identify this key within the list. This value is used to specify which key (if any) should be used when updating a specific domain. So long as it is unique its content is arbitrary, although for clarity and ease of maintenance @@ -5366,16 +5369,16 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section. secret — is used to specify the shared secret key code for this key. This value is case sensitive and must exactly match the value specified on the DNS server(s). - This is a base64 encoded text value that can be located if dnssec public and - private key files. + It is a base64-encoded text value. - Suppose that a domain D2 will be updating is maintained by a BIND9 DNS server which - is using TSIG with that domain. Suppose further that the entry for the TSIG key in - BIND9's named.conf file looks like this: + As an example, suppose that a domain D2 will be updating is + maintained by a BIND9 DNS server which requires dynamic updates + to be secured with TSIG. Suppose further that the entry for + the TSIG key in BIND9's named.conf file looks like this: : key "key.four.example.com." { @@ -5384,23 +5387,23 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section. }; : - By default, the TSIG Key list is empty. + By default, the TSIG Key list is empty: > config show DhcpDdns/tsig_keys DhcpDdns/tsig_keys [] list (default) - So we must first create a new key in the list: + We must first create a new key in the list: > config add DhcpDdns/tsig_keys - Displaying the new element, reveals this: + Displaying the new element, reveals: > config show DhcpDdns/tsig_keys[0] DhcpDdns/tsig_keys[0]/name "" string (default) DhcpDdns/tsig_keys[0]/algorithm "HMAC-MD5" string (modified) DhcpDdns/tsig_keys[0]/secret "" string (default) - Now we simple set all three values to match BIND9's key: + Now set all three values to match BIND9's key: > config set DhcpDdns/tsig_keys[0]/name "key.four.example.com" > config set DhcpDdns/tsig_keys[0]/algorithm "HMAC-SHA224"