Commit 4fea1ab5 authored by Michal 'vorner' Vaner

[1643] Documentation

parent 719a5941
......@@ -1629,31 +1629,23 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
</simpara></note>
<para>
If you want to require TSIG in access control, a separate TSIG
"key ring" must be configured specifically
for <command>b10-xfrout</command> as well as a system wide
key ring, both containing a consistent set of keys.
If you want to require TSIG in access control, a system wide TSIG
"key ring" must be configured.
For example, to change the previous example to allowing requests
from 192.0.2.1 signed by a TSIG with a key name of
"key.example", you'll need to do this:
</para>
<screen>&gt; <userinput>config set tsig_keys/keys ["key.example:&lt;base64-key&gt;"]</userinput>
&gt; <userinput>config set Xfrout/tsig_keys/keys ["key.example:&lt;base64-key&gt;"]</userinput>
&gt; <userinput>config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1", "key": "key.example"}]</userinput>
&gt; <userinput>config commit</userinput></screen>
<para>
The first line of configuration defines a system wide key ring.
This is necessary because the <command>b10-auth</command> server
also checks TSIGs and it uses the system wide configuration.
</para>
<param>Both Xfrout and Auth will use the system wide keyring to check
TSIGs in the incomming messages and to sign responses.</param>
<note><simpara>
In a future version, <command>b10-xfrout</command> will also
use the system wide TSIG configuration.
The way to specify zone specific configuration (ACLs, etc) is
likely to be changed, too.
likely to be changed.
</simpara></note>
<!--
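Review bot: the paragraph beginning "Both Xfrout and Auth will use the system wide keyring" is wrapped in `<param>`...`</param>`, while every other paragraph in this hunk uses `<para>`. This looks like a typo for `<para>` and should be changed so the guide validates and the text renders as a paragraph. In the same sentence, "incomming" should be "incoming", and "keyring" should match the "key ring" spelling used in the rewritten opening paragraph. Since this sentence is what tells operators that a single ring now serves both TSIG verification and response signing, it is worth getting it to render correctly.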
......
......@@ -97,13 +97,6 @@
defines the maximum number of outgoing zone transfers
that can run concurrently. The default is 10.
</para>
<para>
<varname>tsig_key_ring</varname>
A list of TSIG keys (each of which is in the form of
<replaceable>name:base64-key[:algorithm]</replaceable>)
used for access control on transfer requests.
The default is an empty list.
</para>
<para>
<varname>transfer_acl</varname>
A list of ACL elements that apply to all transfer requests by
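Review bot: with the `tsig_key_ring` paragraph gone, nothing in the visible part of this parameter list says where the keys used for transfer access control are defined, or in what format. Consider adding a sentence to the `transfer_acl` description that points to the system wide key ring (`tsig_keys/keys`, as used in the guide example) and keeps the `name:base64-key[:algorithm]` format note, so that a reader of the man page alone can still set up a TSIG-restricted transfer ACL.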
......@@ -160,13 +153,6 @@
</simpara></note>
<!--
tsig_key_ring list of
tsig_key string
-->
<!-- TODO: formating -->
<para>
The configuration commands are:
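Review bot: the `tsig_key_ring list of` / `tsig_key string` lines sit inside an XML comment, so please confirm the `<!--` and `-->` delimiters are still paired after this edit and that no empty comment block is left behind. While touching this area, the neighbouring `<!-- TODO: formating -->` could be corrected to "formatting".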
......