keymgr, TSIG key generation
Implement 'keymgr tsig generate'.
Merge request reports
Activity
One more nit, we accept this:
key: - id: slave1_key algorithm: hmac-md5 secret: Wg==
but the tool prints:
hmac-sha256:example.com:FOf+vRv98x99NYNfT4f/DLE8qVxtiPtIg5PbRLiQ++M=
My head doesn't wrap around that, I think you should:
- make the
keymgr tsig
print the new keys in our conffile format, so you can directly import that into the configuration - (optional) have a default include dir (/etc/knot.d/knot.conf.d/) and directly generate files with new keys there.
- make the
MD5 and SHA1 are just not collision resistant. There is no known attack on HMAC-MD5 and the security proof for HMAC doesn't require the hash function to be collision resistant.
I know about MD5 and SHA1, but I still consider it to be a bad practice to use it :).
I think that most people would like to do something like:
keymgr tsig generate example.com >> /etc/knot/knot.conf
or
keymgr tsig generate example.com > /etc/knot/tsig/example.com
and have
include /etc/knot/tsig
inknot.conf
.Printing raw string is not very cut&paste friendly.
It's a bad practice to use it in new protocols. DNS is old. And HMAC-MD5 is still safe.
We can output something like this:
# hmac-sha256:example.com:FOf+vRv98x99NYNfT4f/DLE8qVxtiPtIg5PbRLiQ++M= key: - id: example.com algorithm: hmac-sha256 secret: FOf+vRv98x99NYNfT4f/DLE8qVxtiPtIg5PbRLiQ++M=
Then you could copy the line accepted on command line from the comment on the first line, which will be ignored by the config parser. But @dsalzman would have to teach utilities how to parse this key file format.
Added 1 commit:
- 5e7f438b - keymgr, print both client and server TSIG key format
Added 1 commit:
- 17ce2685 - man: knotc, keymgr: reflect new format of generated TSIG key
mentioned in commit 5719692d