Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-md5.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size.
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
...
...
@@ -47,7 +47,7 @@ is invoked with no command line options or arguments, it prints a short summary
communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
\fBrndc\fR
and
\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
\fBnamed\fR, the only supported authentication algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512. They use a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
.PP
\fBrndc\fR
reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
...
...
@@ -98,9 +98,9 @@ The
\fBkey\fR
statement begins with an identifying string, the name of the key. The statement has two clauses.
\fBalgorithm\fR
identifies the encryption algorithm for
identifies the authentication algorithm for
\fBrndc\fR
to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
to use; currently only HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512 are supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's authentication key. The base\-64 string is enclosed in double quotes.
.PP
There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
\fBrndc\-confgen\fR
...
...
@@ -144,7 +144,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
.RS 4
.nf
key samplekey {
algorithm hmac\-md5;
algorithm hmac\-sha256;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
.fi
...
...
@@ -154,7 +154,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
.RS 4
.nf
key testkey {
algorithm hmac\-md5;
algorithm hmac\-sha256;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
.fi
...
...
@@ -163,7 +163,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
.PP
In the above example,
\fBrndc\fR
will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-SHA256 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes.
<dt><spanclass="sect1"><ahref="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><spanclass="sect1"><ahref="Bv9ARM.ch07.html#id2605997"><span><strongclass="command">Chroot</strong></span> and <span><strongclass="command">Setuid</strong></span></a></span></dt>
<dt><spanclass="sect1"><ahref="Bv9ARM.ch07.html#id2605733"><span><strongclass="command">Chroot</strong></span> and <span><strongclass="command">Setuid</strong></span></a></span></dt>