From: Evan Hunt
To: Francis Dupont via RT
Date: Tue, 25 Nov 2014 02:54:39 +0000
Subject: Re: [ISC-Bugs #37814] PKCS#11 support for TSIG algorithms
Message-ID: <20141125025439.GB459@isc.org>
References: <546678C0.6040008@redhat.com> <5473A65B.5040903@redhat.com>

> I was making the point that
> TSIG keys stored in key files (produced by dnssec-keygen)
> located in "keys-directory" are ignored
> by named and are not usable in zone "update-policy".
>
> Maybe this could be a way how to separate keys from
> named config file and to allow dynamic key management
> at run-time (with an equivalent of rndc loadkeys
> for these TSIG keys).

Interesting idea. I submitted it to the suggest queue as RT #37903.

If I wanted to do something like this using current BIND, I'd generate keys
using "ddns-confgen -q", concatenate them into a named.conf include file,
and run "rndc reconfig".
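
The workaround described in the reply above, written out as an added shell example (not part of the original message and not ISC's code). The include-file path, the key names, and the KEYGEN/RELOAD override variables are assumptions made for illustration; the file is built owner-only and swapped in atomically so named never reads a partial key list.

```shell
#!/bin/sh
# Added example: rebuild a TSIG key include file for named.conf.
# Assumptions (not from the original message): the output path, the key
# names, and the KEYGEN/RELOAD variables, which exist to allow dry runs.

KEYGEN=${KEYGEN:-ddns-confgen}     # with -q, prints only a key clause
RELOAD=${RELOAD:-rndc reconfig}    # makes named re-read named.conf

# build_tsig_include OUTFILE KEYNAME...
# Writes one freshly generated key clause per KEYNAME to OUTFILE and then
# reloads named. OUTFILE is meant to be pulled in with an include statement.
build_tsig_include() {
    [ $# -ge 2 ] || { echo "usage: build_tsig_include FILE KEY..." >&2; return 2; }
    out=$1; shift

    # mktemp creates the file mode 0600, so the secrets are never
    # group- or world-readable, even briefly. The file must still be
    # readable by the account named runs as when it reloads.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    rc=0
    for name in "$@"; do
        # -q: emit only the key clause; -k: set the key name
        $KEYGEN -q -k "$name" >>"$tmp" || { rc=1; break; }
    done

    # Refuse to install a partial file: a missing key would break every
    # update-policy rule that refers to it.
    if [ "$rc" -ne 0 ] || [ "$(grep -c '^key ' "$tmp")" -ne "$#" ]; then
        rm -f "$tmp"
        return 1
    fi

    # rename() within one directory is atomic; the old file stays in
    # place until the new one is complete.
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    $RELOAD
}
```

Every run generates new secrets for all listed names, so the clients holding the old keys have to be updated at the same time.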