Commit 4fea1ab5 authored by Michal 'vorner' Vaner

[1643] Documentation

parent 719a5941
...@@ -1629,31 +1629,23 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen> ...@@ -1629,31 +1629,23 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
</simpara></note> </simpara></note>
<para> <para>
If you want to require TSIG in access control, a separate TSIG If you want to require TSIG in access control, a system wide TSIG
"key ring" must be configured specifically "key ring" must be configured.
for <command>b10-xfrout</command> as well as a system wide
key ring, both containing a consistent set of keys.
For example, to change the previous example to allowing requests For example, to change the previous example to allowing requests
from 192.0.2.1 signed by a TSIG with a key name of from 192.0.2.1 signed by a TSIG with a key name of
"key.example", you'll need to do this: "key.example", you'll need to do this:
</para> </para>
<screen>&gt; <userinput>config set tsig_keys/keys ["key.example:&lt;base64-key&gt;"]</userinput> <screen>&gt; <userinput>config set tsig_keys/keys ["key.example:&lt;base64-key&gt;"]</userinput>
&gt; <userinput>config set Xfrout/tsig_keys/keys ["key.example:&lt;base64-key&gt;"]</userinput>
&gt; <userinput>config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1", "key": "key.example"}]</userinput> &gt; <userinput>config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1", "key": "key.example"}]</userinput>
&gt; <userinput>config commit</userinput></screen> &gt; <userinput>config commit</userinput></screen>
<para> <param>Both Xfrout and Auth will use the system wide keyring to check
The first line of configuration defines a system wide key ring. TSIGs in the incomming messages and to sign responses.</param>
This is necessary because the <command>b10-auth</command> server
also checks TSIGs and it uses the system wide configuration.
</para>
<note><simpara> <note><simpara>
In a future version, <command>b10-xfrout</command> will also
use the system wide TSIG configuration.
The way to specify zone specific configuration (ACLs, etc) is The way to specify zone specific configuration (ACLs, etc) is
likely to be changed, too. likely to be changed.
</simpara></note> </simpara></note>
<!-- <!--
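Review bot: The new paragraph added after the <screen> block is wrapped in <param>...</param>, while every other paragraph in this hunk uses <para>; this looks like a typo for <para> and should be corrected on both the opening and closing tag so the guide still builds. In the same sentence, "incomming" should be "incoming", and "keyring" should match the "key ring" spelling used in the paragraph above. Since this sentence is now the only statement that b10-xfrout and b10-auth share one key ring, it would also help to say explicitly that the "key" value in a transfer_acl element is looked up by name in tsig_keys/keys.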
......
...@@ -97,13 +97,6 @@ ...@@ -97,13 +97,6 @@
defines the maximum number of outgoing zone transfers defines the maximum number of outgoing zone transfers
that can run concurrently. The default is 10. that can run concurrently. The default is 10.
</para> </para>
<para>
<varname>tsig_key_ring</varname>
A list of TSIG keys (each of which is in the form of
<replaceable>name:base64-key[:algorithm]</replaceable>)
used for access control on transfer requests.
The default is an empty list.
</para>
<para> <para>
<varname>transfer_acl</varname> <varname>transfer_acl</varname>
A list of ACL elements that apply to all transfer requests by A list of ACL elements that apply to all transfer requests by
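Review bot: With the tsig_key_ring paragraph removed, the lines shown here no longer say where the TSIG keys that a transfer_acl element can match against are defined. Consider adding a sentence to the transfer_acl paragraph stating that key names are resolved against the system wide tsig_keys/keys key ring, so an operator who previously configured the Xfrout-specific ring knows where the keys must now live and does not end up with ACL entries that name a key the server cannot find.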
...@@ -160,13 +153,6 @@ ...@@ -160,13 +153,6 @@
</simpara></note> </simpara></note>
<!--
tsig_key_ring list of
tsig_key string
-->
<!-- TODO: formating --> <!-- TODO: formating -->
<para> <para>
The configuration commands are: The configuration commands are:
......