2574. [doc] Document nsupdate -g and -o. [RT #19351]

This commit is contained in:
Mark Andrews
2009-03-09 04:21:56 +00:00
parent 780bc6eec5
commit 874d2a93ca
2 changed files with 30 additions and 25 deletions

View File

@@ -1,3 +1,5 @@
2574. [doc] Document nsupdate -g and -o. [RT #19351]
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
single transaction in a signed zone failed. [RT #19397]

View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.34.48.2 2009/01/22 23:47:05 tbox Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
@@ -58,6 +58,8 @@
<arg><option>-d</option></arg>
<arg><option>-D</option></arg>
<group>
<arg><option>-g</option></arg>
<arg><option>-o</option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
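Review bot: placing <option>-g</option> and <option>-o</option> inside the same <group> as <option>-y</option> and <option>-k</option> renders them as mutually exclusive alternatives to the shared-secret options, so the description text for these flags should state that relationship explicitly; if <option>-o</option> is instead meant to modify <option>-g</option> rather than replace it, it belongs outside this group.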
@@ -109,31 +111,27 @@
report additional debugging information to <option>-d</option>.
</para>
<para>
Transaction signatures can be used to authenticate the Dynamic DNS
updates.
These use the TSIG resource record type described in RFC2845 or the
SIG(0) record described in RFC3535 and RFC2931.
TSIG relies on a shared secret that should only be known to
<command>nsupdate</command> and the name server.
Currently, the only supported encryption algorithm for TSIG is
HMAC-MD5, which is defined in RFC 2104.
Once other algorithms are defined for TSIG, applications will need to
ensure they select the appropriate algorithm as well as the key when
authenticating each other.
For instance, suitable
<type>key</type>
and
<type>server</type>
statements would be added to
<filename>/etc/named.conf</filename>
so that the name server can associate the appropriate secret key
and algorithm with the IP address of the
client application that will be using TSIG authentication.
SIG(0) uses public key cryptography. To use a SIG(0) key, the public
key must be stored in a KEY record in a zone served by the name server.
<command>nsupdate</command>
does not read
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC2845 or the SIG(0) record described in RFC3535 and
RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
which is defined in RFC 2104. Once other algorithms are
defined for TSIG, applications will need to ensure they select
the appropriate algorithm as well as the key when authenticating
each other. For instance, suitable <type>key</type> and
<type>server</type> statements would be added to
<filename>/etc/named.conf</filename> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
TSIG authentication. SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
<command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
GSS-TSIG uses Kerberos credentials.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
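Review bot: the two substantive additions here (the "or GSS-TSIG as described in RFC3645" clause in the first sentence and the closing sentence "GSS-TSIG uses Kerberos credentials.") are hard to spot because the whole paragraph is rewrapped into a 24-line delete and 21-line add; keeping the original line breaks and inserting only the new text would make the change reviewable. The retained sentence "Currently, the only supported encryption algorithm for TSIG is HMAC-MD5" now sits in a paragraph that also introduces GSS-TSIG, so it should be qualified to make clear it refers to the <option>-y</option>/<option>-k</option> shared-secret path. The single closing sentence on Kerberos credentials would also read better next to the RFC3645 clause, or expanded to say how <command>nsupdate</command> obtains those credentials.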
@@ -165,6 +163,11 @@
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
<para>
The <option>-g</option> and <option>-o</option> specify that
GSS-TSIG is to be used. The <option>-o</option> should only
be used with old Microsoft Windows 2000 servers.
</para>
<para>
By default,
<command>nsupdate</command>
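Review bot: "The <option>-g</option> and <option>-o</option> specify" and "The <option>-o</option> should only be used" are each missing their noun; write "The -g and -o options specify that GSS-TSIG is to be used" and "The -o option should only be used with old Microsoft Windows 2000 servers." The paragraph also leaves open whether <option>-o</option> selects GSS-TSIG on its own or is combined with <option>-g</option>; the synopsis lists them as alternatives in the same group as <option>-y</option> and <option>-k</option>, so say that plainly, and add a sentence on what the Windows 2000 mode changes so the reader can choose between the two flags.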