.. option:: -k keyfile
- This option tells :iscman:`named` to sign queries using TSIG using a key read from the given file. Key
- files can be generated using :iscman:`tsig-keygen`. When using TSIG
- authentication with :program:`dig`, the name server that is queried needs to
- know the key and algorithm that is being used. In BIND, this is done
- by providing appropriate ``key`` and ``server`` statements in
- :iscman:`named.conf`.
+ This option tells :program:`dig` to sign queries using TSIG or
+ SIG(0) using a key read from the given file. Key files can be
+ generated using :iscman:`tsig-keygen`. When using TSIG authentication
+ with :program:`dig`, the name server that is queried needs to
+ know the key and algorithm that is being used. In BIND, this is
+ done by providing appropriate ``key`` and ``server`` statements
+ in :iscman:`named.conf` for TSIG and by looking up the KEY record
+ in zone data for SIG(0).
.. option:: -m
unsigned int digestbits = 0;
isc_buffer_t *namebuf = NULL;
dns_tsigkey_t *tsigkey = NULL;
+dst_key_t *sig0key = NULL;
bool validated = true;
bool debugging = false;
bool debugtiming = false;
debug("setup_file_key()");
+ if (sig0key != NULL) {
+ dst_key_free(&sig0key);
+ }
+
/* Try reading the key from a K* pair */
result = dst_key_fromnamedfile(
keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey);
case DST_ALG_HMACSHA512:
hmacname = DNS_TSIG_HMACSHA512_NAME;
break;
- default:
- printf(";; Couldn't create key %s: bad algorithm\n",
- keynametext);
- goto failure;
}
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
- dstkey, false, NULL, 0, 0, mctx,
- NULL, &tsigkey);
- if (result != ISC_R_SUCCESS) {
- printf(";; Couldn't create key %s: %s\n", keynametext,
- isc_result_totext(result));
- goto failure;
+
+ if (hmacname != NULL) {
+ result = dns_tsigkey_createfromkey(
+ dst_key_name(dstkey), hmacname, dstkey, false, NULL, 0,
+ 0, mctx, NULL, &tsigkey);
+ if (result != ISC_R_SUCCESS) {
+ printf(";; Couldn't create key %s: %s\n", keynametext,
+ isc_result_totext(result));
+ goto failure;
+ }
+ } else {
+ dst_key_attach(dstkey, &sig0key);
+ dst_key_free(&dstkey);
}
failure:
if (dstkey != NULL) {
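Review bot: Dropping the `default:` arm means every algorithm that is not one of the listed HMACs now reaches the `else` branch and is attached as a SIG(0) key, including algorithm numbers the switch previously rejected as "bad algorithm"; nothing in the hunk verifies the key can actually sign. This relies on `hmacname` being initialised to NULL before the switch, which lies outside the hunk and should be confirmed. A one-line comment on the `else` would make the intent explicit, e.g. `/* Not an HMAC key: any DNSSEC algorithm is used for SIG(0). */`, and if `dst_key_fromnamedfile` does not already guarantee a private key, a guard such as `if (!dst_key_isprivate(dstkey)) { printf(";; Couldn't create key %s: no private key\n", keynametext); goto failure; }` before the attach would restore the old error reporting. The enclosing function continues past `failure:` outside the hunk.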
debug("initializing keys");
result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
check_result(result, "dns_message_settsigkey");
+ } else if (sig0key != NULL) {
+ debug("initializing keys");
+ result = dns_message_setsig0key(lookup->sendmsg, sig0key);
+ check_result(result, "dns_message_setsig0key");
}
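Review bot: The new `else if (sig0key != NULL)` branch silently ignores a SIG(0) key whenever `tsigkey` is also set, and the condition that opens this `if` is outside the hunk, so it is not visible here whether both can be set at once (presumably `-y` together with `-k` on a SIG(0) file). If that combination is reachable, a line such as `debug("ignoring SIG(0) key, TSIG key takes precedence");` in the first branch, or a warning at option-parsing time, would make the precedence visible to the user. The duplicated `debug("initializing keys");` could also be hoisted above the `if` so both branches share it.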
lookup->sendspace = isc_mem_get(mctx, COMMSIZE);
clear_searchlist();
if (tsigkey != NULL) {
- debug("freeing key %p", tsigkey);
+ debug("freeing TSIG key %p", tsigkey);
dns_tsigkey_detach(&tsigkey);
}
+
+ if (sig0key != NULL) {
+ debug("freeing SIG(0) key %p", sig0key);
+ dst_key_free(&sig0key);
+ }
+
if (namebuf != NULL) {
+ debug("freeing key %p", tsigkey);
isc_buffer_free(&namebuf);
}
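Review bot: The added `debug("freeing key %p", tsigkey);` inside the `if (namebuf != NULL)` block logs the wrong object: `tsigkey` was detached a few lines above (and, assuming `dns_tsigkey_detach` NULLs its argument, is NULL here), and the branch is freeing the name buffer, not a key. Replace it with `debug("freeing namebuf %p", namebuf);` or drop the line, otherwise the trace output claims a key is freed twice. The enclosing cleanup function starts before this hunk.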
.INDENT 0.0
.TP
.B \-k keyfile
-This option tells \fI\%named\fP to sign queries using TSIG using a key read from the given file. Key
-files can be generated using \fI\%tsig\-keygen\fP\&. When using TSIG
-authentication with \fBdig\fP, the name server that is queried needs to
-know the key and algorithm that is being used. In BIND, this is done
-by providing appropriate \fBkey\fP and \fBserver\fP statements in
-\fI\%named.conf\fP\&.
+This option tells \fBdig\fP to sign queries using TSIG or
+SIG(0) using a key read from the given file. Key files can be
+generated using \fI\%tsig\-keygen\fP\&. When using TSIG authentication
+with \fBdig\fP, the name server that is queried needs to
+know the key and algorithm that is being used. In BIND, this is
+done by providing appropriate \fBkey\fP and \fBserver\fP statements
+in \fI\%named.conf\fP for TSIG and by looking up the KEY record
+in zone data for SIG(0).
.UNINDENT
.INDENT 0.0
.TP