From: Mark Andrews
To: bind-suggest@isc.org
Subject: Re: [ISC-Bugs #37903] load TSIG keys at runtime
Date: Tue, 25 Nov 2014 14:15:27 +1100
Message-ID: <20141125031528.03715243E555@rock.dv.isc.org>
References: <20141125025212.GA459@isc.org>

We need to move the TSIG keys out of named.conf into a database file. Key-directory is not the place for these. I really don't want to have millions of files in the default key directory. Using K* files for TSIG was a kludge.

The database key should be + . The database data is the purge date (0 == don't purge) + shared secret in binary form + original TKEY name if appropriate.

Any keys in named.conf just get added (marked not for purge).

TKEY should write to this database.

External tools could add / remove w/o going through rndc.

We have a text based file format for TKEY/GSSAPI which should be modified to use this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
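
An added example, not part of the original message and not ISC code: one way an external tool could encode, validate and purge records of the kind proposed above. The byte layout (8-byte purge time, 2-byte secret length), the function names and the sample keys are assumptions; the database key is treated as opaque bytes because its composition is not given in the message.

```python
import struct

# Assumed layout (not specified in the message): 8-byte big-endian purge
# time, 2-byte secret length, secret bytes, then the optional TKEY name.
_HDR = struct.Struct(">QH")
NEVER_PURGE = 0  # from the message: 0 == don't purge

def pack_record(purge_at, secret, tkey_name=""):
    """Serialize one database value."""
    if not secret:
        raise ValueError("empty shared secret")
    return _HDR.pack(purge_at, len(secret)) + secret + tkey_name.encode("ascii")

def unpack_record(blob):
    """Parse one value; reject truncated input, since other tools may write."""
    if len(blob) < _HDR.size:
        raise ValueError("record shorter than header")
    purge_at, slen = _HDR.unpack_from(blob)
    body = blob[_HDR.size:]
    if slen == 0 or slen > len(body):
        raise ValueError("secret length does not match record size")
    return purge_at, body[:slen], body[slen:].decode("ascii")

def load_config_keys(db, config_keys):
    """Keys from named.conf are added and marked not for purge."""
    for key, secret in config_keys.items():
        db[key] = pack_record(NEVER_PURGE, secret)

def purge_expired(db, now):
    """Delete entries whose purge time has passed; return the removed keys."""
    removed = []
    for key in list(db):
        purge_at, _, _ = unpack_record(db[key])
        if purge_at != NEVER_PURGE and purge_at <= now:
            del db[key]
            removed.append(key)
    return sorted(removed)

def demo():
    """Constructed sample data: one static key and two TKEY-negotiated keys."""
    db = {}  # a dict stands in for the on-disk database
    load_config_keys(db, {b"static-key": b"\x01" * 32})
    db[b"tkey-old"] = pack_record(1000, b"\x02" * 32, "gss.example.")
    db[b"tkey-new"] = pack_record(5000, b"\x03" * 32, "gss.example.")
    return purge_expired(db, now=2000), sorted(db)
```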