Changeset 2057
- Timestamp:
- 03/03/11 13:09:08 (2 years ago)
- Files:
-
- 1 modified
-
trunk/pdns/pdns/docs/pdns.xml (modified) (5 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/pdns/pdns/docs/pdns.xml
r2026 r2057 15 15 </author> 16 16 17 <pubdate>v 2.9.19$Date: 2011-01-06 23:00:05 +0100 (Thu, 06 Jan 2011) $</pubdate>17 <pubdate>v3.0-pre $Date: 2011-01-06 23:00:05 +0100 (Thu, 06 Jan 2011) $</pubdate> 18 18 19 19 <abstract> … … 123 123 Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), 124 124 Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and 125 Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, ..125 Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd ( 126 126 </para> 127 127 <para> … … 132 132 <listitem> 133 133 <para> 134 TSIG for authorizing and authenticating AXFR requests .134 TSIG for authorizing and authenticating AXFR requests & incoming zone transfers. 135 135 </para> 136 136 </listitem> … … 10003 10003 </para> 10004 10004 <para> 10005 To ease interoperability, the equivalent configuration above in BIND would look like this: 10006 <programlisting> 10007 key test. { 10008 algorithm hmac-md5; 10009 secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="; 10010 }; 10011 10012 zone "powerdnssec.org" { 10013 type master; 10014 file "powerdnssec.org"; 10015 allow-transfer { key test.; }; 10016 }; 10017 </programlisting> 10018 </para> 10019 <para> 10005 10020 A packet authorized and authenticated by a TSIG signature will gain access to a zone even 10006 10021 if the remote IP address is not otherwise allowed to AXFR a zone. … … 10009 10024 <section id="tsig-outbound-notify-axfr"><title>Provisioning signed notification and AXFR requests</title> 10010 10025 <para> 10011 <warning><para>Not implemented yet!</para></warning> 10026 To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its master(s), set the 10027 AXFR-MASTER-TSIG metadata item for the relevant domain to the key that must be used. 10012 10028 </para> 10029 <para> 10030 The actual TSIG key must also be provisioned, as outlined in the previous section. 10031 </para> 10032 <para> 10033 For the popular Generic SQL backends, configuring the use of TSIG for AXFR requests could be achieved as follows: 10034 <programlisting> 10035 sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); 10036 sql> select id from domains where name='powerdnssec.org'; 10037 5 10038 sql> insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test'); 10039 </programlisting> 10040 </para> 10041 <para> 10042 This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section. 10043 </para> 10044 <para> 10045 In the interest of interoperability, the configuration above is (not quite) similar to the following BIND statements: 10046 <programlisting> 10047 key test. { 10048 algorithm hmac-md5; 10049 secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="; 10050 }; 10051 10052 server 127.0.0.1 { 10053 keys { test.; }; 10054 }; 10055 10056 zone "powerdnssec.org" { 10057 type slave; 10058 masters { 127.0.0.1; }; 10059 file "powerdnssec.org"; 10060 }; 10061 </programlisting> 10062 Except that in this case, TSIG will be used for all communications with the master, not just those about AXFR requests. 10063 </para> 10064 <para> 10065 <warning><para>PowerDNS for now only verifies the TSIG signature on the first AXFR 'message', which helps for access control, but does not provide 100.0% 10066 protection of subsequent AXFR zone content messages.</para></warning></para> 10013 10067 </section> 10014 10068 </chapter>
