Commit 16bd0ab7 authored by Stephen Morris's avatar Stephen Morris

[3432] Miscellaneous modifications to DHCP-DDNS documentation made during review

parent a5f18aac
......@@ -5302,29 +5302,32 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section.
<section id="d2-tsig-key-list-config">
<title>TSIG Key List</title>
<para>
DDNS protocol can be conducted with or without TSIG as defined in
RFC 2845. This configuration section allows the administrator to
define the dictionary of TSIG keys which may be used. To use TSIG
when working with a specific DDNS Domain that key must be defined in
the TSIG Key List and referenced by name in that domain's configuration
entry.
When the domain D2 has matched to a change request has a TSIG key
associated with it, D2 will use that key to sign DNS update messages
sent to and verify repsonses received from DNS server(s). For each TSIG
key required by the DNS servers that D2 will be working with there must
be a corresponding TSIG key in the TSIG Key list.
</para>
A DDNS protocol exchange can be conducted with or without TSIG
(defined in <ulink url="http://tools.ietf/org/html/rfc2845">RFC
2845</ulink>). This configuration section allows the administrator
to define the set of TSIG keys that may be used in such
exchanges.</para>
<para>To use TSIG when updating entries in a DNS Domain,
a key must be defined in the TSIG Key List and referenced by
name in that domain's configuration entry. When D2 matches a
change request to a domain, it checks whether the domain has
a TSIG key associated with it. If so, D2 will use that key to
sign DNS update messages sent to and verify repsonses received
from the domain's DNS server(s). For each TSIG key required by
the DNS servers that D2 will be working with there must be a
corresponding TSIG key in the TSIG Key list.</para>
<para>
As one might gather from its name, this section is a list of
TSIG keys. Each entry describes a TSIG key used by one or
more DNS servers to authenticate requests and sign responses.
Each entry has three parameters:
As one might gather from the name, the tsig_key section of the
D2 configuration lists the TSIG keys. Each entry describes a
TSIG key used by one or more DNS servers to authenticate requests
and sign responses. Every entry in the list has three parameters:
<itemizedlist>
<listitem>
<simpara>
<command>name</command> &mdash;
is a unique text label used to identify this key within the
a unique text label used to identify this key within the
list. This value is used to specify which key (if any) should be
used when updating a specific domain. So long as it is unique its
content is arbitrary, although for clarity and ease of maintenance
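Review bot: the RFC 2845 link added in the new first paragraph is malformed: `<ulink url="http://tools.ietf/org/html/rfc2845">` has a slash where the host name needs a dot and will not resolve; it should read `http://tools.ietf.org/html/rfc2845`. Two smaller points in the same hunk: the misspelling "repsonses" from the old paragraph is carried over unchanged into the new one ("sign DNS update messages sent to and verify repsonses received"), and the new second paragraph refers to "the tsig_key section" while the configuration element used later in this file is `DhcpDdns/tsig_keys`; using the exact element name avoids sending the reader looking for a section that does not exist.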
......@@ -5366,16 +5369,16 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section.
<command>secret</command> &mdash;
is used to specify the shared secret key code for this key. This value is
case sensitive and must exactly match the value specified on the DNS server(s).
This is a base64 encoded text value that can be located if dnssec public and
private key files.
It is a base64-encoded text value.
</simpara>
</listitem>
</itemizedlist>
</para>
<para>
Suppose that a domain D2 will be updating is maintained by a BIND9 DNS server which
is using TSIG with that domain. Suppose further that the entry for the TSIG key in
BIND9's named.conf file looks like this:
As an example, suppose that a domain D2 will be updating is
maintained by a BIND9 DNS server which requires dynamic updates
to be secured with TSIG. Suppose further that the entry for
the TSIG key in BIND9's named.conf file looks like this:
<screen>
:
key "key.four.example.com." {
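Review bot: the rewritten description of `secret` ("It is a base64-encoded text value.") drops the old text's hint about where the value comes from without replacing it; since the paragraph already says the value must exactly match the DNS server's, one clause pointing at the server's own key definition (the named.conf `key` block shown directly below) would keep that guidance. Also, "suppose that a domain D2 will be updating is maintained by a BIND9 DNS server" is missing a relative pronoun; "suppose that a domain that D2 will be updating is maintained by" reads cleanly.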
......@@ -5384,23 +5387,23 @@ corresponding values in the DHCP servers' "dhcp-ddns" configuration section.
};
:
</screen>
By default, the TSIG Key list is empty.
By default, the TSIG Key list is empty:
<screen>
<userinput>> config show DhcpDdns/tsig_keys</userinput>
DhcpDdns/tsig_keys [] list (default)
</screen>
So we must first create a new key in the list:
We must first create a new key in the list:
<screen>
<userinput>> config add DhcpDdns/tsig_keys</userinput>
</screen>
Displaying the new element, reveals this:
Displaying the new element, reveals:
<screen>
<userinput>> config show DhcpDdns/tsig_keys[0]</userinput>
DhcpDdns/tsig_keys[0]/name "" string (default)
DhcpDdns/tsig_keys[0]/algorithm "HMAC-MD5" string (modified)
DhcpDdns/tsig_keys[0]/secret "" string (default)
</screen>
Now we simple set all three values to match BIND9's key:
Now set all three values to match BIND9's key:
<screen>
<userinput>> config set DhcpDdns/tsig_keys[0]/name "key.four.example.com"</userinput>
<userinput>> config set DhcpDdns/tsig_keys[0]/algorithm "HMAC-SHA224"</userinput>
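Review bot: the `config set DhcpDdns/tsig_keys[0]/name "key.four.example.com"` line sets a name without the trailing dot, while the named.conf entry this example mirrors declares the key as `"key.four.example.com."`; the text should either use the same spelling in both places or say explicitly that the trailing dot is not significant for the name, otherwise readers following the "must exactly match" advice for `secret` will not know whether it applies to `name` too. Minor: "Displaying the new element, reveals:" has a stray comma before "reveals".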
......