Hi everyone: I was reading the document "Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records" (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt) and I thought "Darn, I must be prepared to do a TSIG renovation", so I started researching how to do it.
First step was checking if BIND supported a different algorithm, but the BIND ARM for BIND 9.5 and 9.6 indicates "The algorithm, hmac-md5, is the only one supported by BIND". That seemed strange, considering the document indicated above was originally proposed in 2008. So I "used the source" and found out other algorithms are supported in 9.5 and 9.6, so there is a mistake in the documentation.

Anyway, TSIG rollover is an operation needed as indicated in RFC 2385:

-------------------- RFC 2385 quote -----------------------------
6.2. Secret keys should be changed periodically. If the client host has been compromised, the server should suspend the use of all secrets known to that client. If possible, secrets should be stored in encrypted form. Secrets should never be transmitted in the clear over any network. This document does not address the issue on how to distribute secrets. Secrets should never be shared by more than two entities.
-------------------- RFC 2385 quote -----------------------------

but again the documentation indicates: "Multiple keys may be present, but only the first is used."

So, to coordinate the retirement of an old TSIG key and the introduction of a new one, it seems close coordination between peers is needed in order to make it work, within a 'maintenance window' where the operations using the TSIG are not executed (in my particular interest, zone transfers)? Is it not possible to gradually introduce a new key, use both for a period of time and later retire the old one, similar to what is done in DNSSEC?

Any experience on this matter that could be shared publicly or privately will be appreciated.

Kind Regards
Sebastian Castro

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
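As an added illustration (not part of the post above, and not ISC's own documentation), these named.conf fragments show the staged rollover the question is about: the primary's allow-transfer list may name several keys, so it can accept both the old and the new key while each secondary's server statement (which uses only the first key listed) is switched over one at a time; once every secondary has moved, the old key is dropped from the primary. The key names, the 192.0.2.1 address, the zone, the secrets and the use of hmac-sha256 for the new key are all assumptions.

```conf
// Primary, during the rollover: accepts AXFR/IXFR requests signed
// with either key while the secondaries are migrated.
key "xfer-old" {
    algorithm hmac-md5;
    // constructed placeholder, not a real secret
    secret "b2xkLWtleS1wbGFjZWhvbGRlcg==";
};
key "xfer-new" {
    algorithm hmac-sha256;   // assumed available in this BIND build
    // constructed placeholder, not a real secret
    secret "bmV3LWtleS1wbGFjZWhvbGRlcg==";
};
zone "example.com" {
    type master;
    file "example.com.db";
    // both keys accepted until the last secondary has switched;
    // afterwards remove key "xfer-old" from this list and its definition
    allow-transfer { key "xfer-old"; key "xfer-new"; };
};

// Secondary, before its switch: still signs requests with the old key.
// (Same key "xfer-old" definition as above goes here.)
server 192.0.2.1 {
    keys { "xfer-old"; };
};

// Secondary, after its switch: the new key definition is added and the
// server statement is changed; only the first key listed would be used,
// so listing both here would not give a gradual overlap on this side.
server 192.0.2.1 {
    keys { "xfer-new"; };
};
```

The overlap period therefore lives on the accepting side (allow-transfer), while each requesting side changes its single active key at its own convenience, without a shared maintenance window.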