Report information

The Basics
Id: 37903
Status: open
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: (no value)
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: feature

Dates
Created: Mon, 24 Nov 2014 21:52:13 -0500
Updated: Tue, 11 Jul 2017 10:56:34 -0400
Closed: Not set


Subject: load TSIG keys at runtime
Date: Tue, 25 Nov 2014 02:52:12 +0000
To: bind-suggest@isc.org
From: Evan Hunt <each@isc.org>
Suggested by Petr Spacek in a thread about pkcs11...

> I was making the point that TSIG keys stored in key files (produced by
> dnssec-keygen) located in "keys-directory" are ignored by named and
> are not usable in zone "update-policy".
>
> Maybe this could be a way to separate keys from the named config file and
> to allow dynamic key management at run-time (with an equivalent of rndc
> loadkeys for these TSIG keys).

Technically this is possible by using ddns-confgen to create keys, putting them in a named.conf include file and running rndc reconfig. But the idea of loading them the way we load DNSSEC keys is interesting. They could also be inserted directly by an rndc command (e.g. "rndc addkey keyname md5 <secret>").
Subject: Re: [ISC-Bugs #37903] load TSIG keys at runtime
Date: Tue, 25 Nov 2014 14:15:27 +1100
To: bind-suggest@isc.org
From: Mark Andrews <marka@isc.org>
We need to move the TSIG keys out of named.conf into a database file. Key-directory is not the place for these. I really don't want to have millions of files in the default key directory. Using K* files for TSIG was a kludge.

The database key should be <downcased-name-wireformat> + <downcased-algorithm-wireformat>. The database data is the purge date (0 == don't purge) + shared secret in binary form + original TKEY name if appropriate.

Any keys in named.conf just get added (marked not for purge). TKEY should write to this database. External tools could add / remove w/o going through rndc.

We have a text based file format for TKEY/GSSAPI which should be modified to use this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
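The record layout Mark sketches above, worked through as an added example (this is not ISC or BIND code, and the proposal was never specified to this level of detail): the database key is the key name followed by the algorithm name, both in uncompressed DNS wire format with labels downcased, so that `Key.Example.` and `key.example.` collide on the same record; the data is the purge date, the raw shared secret and an optional TKEY name. The field widths (8-byte big-endian purge time, 2-byte secret length), the use of an empty tail to mean "no TKEY name", and the helper names are assumptions made for this example.

```python
"""TSIG key database record layout, as sketched in the thread (assumed encoding)."""
import base64
import struct
from typing import Optional, Tuple


def name_to_wire(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format with every label downcased.

    A missing trailing dot is treated as absolute (this example stores only
    fully-qualified key and algorithm names).
    """
    name = name.lower()
    if not name.endswith("."):
        name += "."
    out = bytearray()
    labels = [] if name == "." else name[:-1].split(".")
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def wire_to_name(wire: bytes) -> Tuple[str, int]:
    """Decode one uncompressed wire-format name; returns (text, bytes consumed)."""
    labels, pos = [], 0
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointers are not allowed here")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def db_key(key_name: str, algorithm: str) -> bytes:
    """<downcased-name-wireformat> + <downcased-algorithm-wireformat>."""
    return name_to_wire(key_name) + name_to_wire(algorithm)


def encode_record(purge_date: int, secret: bytes, tkey_name: Optional[str] = None) -> bytes:
    """purge date (0 == don't purge) + shared secret + optional original TKEY name.

    Assumed layout: >Q purge time, >H secret length, secret bytes, then either
    nothing or the TKEY name in wire format.
    """
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long for 2-byte length field")
    rec = struct.pack(">QH", purge_date, len(secret)) + secret
    if tkey_name is not None:
        rec += name_to_wire(tkey_name)
    return rec


def decode_record(data: bytes) -> Tuple[int, bytes, Optional[str]]:
    """Inverse of encode_record; rejects truncated or trailing bytes."""
    purge_date, secret_len = struct.unpack_from(">QH", data, 0)
    pos = 10
    secret = data[pos:pos + secret_len]
    if len(secret) != secret_len:
        raise ValueError("truncated secret")
    pos += secret_len
    rest = data[pos:]
    if not rest:
        return purge_date, secret, None
    tkey_name, used = wire_to_name(rest)
    if used != len(rest):
        raise ValueError("trailing bytes after TKEY name")
    return purge_date, secret, tkey_name


def should_purge(record: bytes, now: int) -> bool:
    """A record is eligible for purging once its non-zero purge date has passed."""
    purge_date, _, _ = decode_record(record)
    return purge_date != 0 and now >= purge_date


def named_conf_key(name: str, algorithm: str, secret_b64: str) -> Tuple[bytes, bytes]:
    """Keys from a named.conf key statement are added with purge date 0 (never purge)."""
    return db_key(name, algorithm), encode_record(0, base64.b64decode(secret_b64))
```

The case folding lives in `name_to_wire`, so lookups driven by an ACL (`key rndc-key;`) and insertions driven by TKEY agree on the same record regardless of how the name was spelled; `should_purge` shows the one place the purge date is consulted, which is where an expiry sweep or a TKEY delete would hook in.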
CC: undisclosed-recipients: ;
Subject: Re: [ISC-Bugs #37903] load TSIG keys at runtime
Date: Tue, 25 Nov 2014 04:06:38 +0000
To: Mark Andrews via RT <bind-suggest@isc.org>
From: Evan Hunt <each@isc.org>
> External tools could add / remove w/o going through rndc.

Probably still useful to have an rndc command to alert named to the existence of new or updated keys; otherwise we need a database lookup every time we process an ACL with a key in it. Other than that I like this design.

> We have a text based file format for TKEY/GSSAPI which should be
> modified to use this.

Is this documented anywhere?