Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) by bugs.isc.org (Postfix) with ESMTP id 223BD2D20571 for ; Tue, 25 Nov 2014 02:52:13 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id DFDA9216C3D; Tue, 25 Nov 2014 02:52:12 +0000 (UTC)
Delivered-To: bind-suggest@bugs.isc.org
User-Agent: Mutt/1.4.2.3i
MIME-Version: 1.0
Subject: load TSIG keys at runtime
Return-Path:
X-Original-To: bind-suggest@bugs.isc.org
Content-Disposition: inline
Date: Tue, 25 Nov 2014 02:52:12 +0000
Content-Type: text/plain; charset="utf-8"
Message-ID: <20141125025212.GA459@isc.org>
To: bind-suggest@isc.org
From: Evan Hunt
X-RT-Original-Encoding: us-ascii
Content-Length: 741

Suggested by Petr Spacek in a thread about pkcs11...

> I was making the point that TSIG keys stored in key files (produced by
> dnssec-keygen) located in "keys-directory" are ignored by named and
> are not usable in zone "update-policy".
>
> Maybe this could be a way to separate keys from the named config file and
> to allow dynamic key management at run-time (with an equivalent of rndc
> loadkeys for these TSIG keys).

Technically this is possible by using ddns-confgen to create keys, putting
them in a named.conf include file and running rndc reconfig. But the idea of
loading them the way we load DNSSEC keys is interesting. They could also be
inserted directly by an rndc command (e.g. "rndc addkey keyname md5 ").
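The workaround described in the message (ddns-confgen key, named.conf include, rndc reconfig), scripted as an added example that is not part of the original mail or of BIND itself; the key name ddns-key, the zone example.test and the /etc/bind paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message. Keys in keys-directory
# (K*.key from dnssec-keygen) are not read as TSIG keys, so the key goes
# into a named.conf include instead. Paths and zone name are placeholders.
set -eu

# Append a key statement for key name $1 to include file $2. Uses ddns-confgen
# when BIND is installed; otherwise builds the same stanza from 32 random
# bytes (hmac-sha256) so the script also runs on a machine without BIND.
write_tsig_key() {
    name="$1"; out="$2"
    if command -v ddns-confgen >/dev/null 2>&1; then
        ddns-confgen -q -a hmac-sha256 -k "$name" >> "$out"
    else
        secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
        printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$name" "$secret" >> "$out"
    fi
    chmod 640 "$out"   # the include holds a shared secret; keep it private
}

# Append to $3 an include of key file $4 and a zone statement for zone $2
# whose update-policy lets key $1 update any name under the zone apex.
# The include must come before the zone statement that references the key.
write_zone_grant() {
    key="$1"; zone="$2"; out="$3"; keyfile="$4"
    cat >> "$out" <<EOF
include "$keyfile";
zone "$zone" {
	type master;
	file "$zone.db";
	update-policy { grant $key zonesub ANY; };
};
EOF
}

# Load the new configuration into the running named (the "rndc reconfig" step).
reload_named() {
    named-checkconf "$1"   # refuse to reconfig if the new config does not parse
    rndc reconfig
}

# Usage (placeholder paths): sh tsig-include.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_tsig_key ddns-key /etc/bind/tsig-keys.conf
    write_zone_grant ddns-key example.test /etc/bind/named.conf.local /etc/bind/tsig-keys.conf
    reload_named /etc/bind/named.conf
fi
```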