In message <4ab072dc.2070...@nzrs.net.nz>, Sebastian Castro writes:
> Hi everyone:
>
> I was reading the document "Deprecation of HMAC-MD5 in DNS TSIG and TKEY
> Resource Records"
> (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt)
> and I thought "Darn, I must be prepared to do a TSIG renovation", so I
> started researching how to do it.
>
> First step was checking if BIND supported a different algorithm, but the
> BIND ARM for BIND 9.5 and 9.6 indicates "The algorithm, hmac-md5, is the
> only one supported by BIND". That seemed strange, considering the
> document indicated above was originally proposed in 2008. So I "used the
> source" and found out other algorithms are supported in 9.5 and 9.6, so
> there is a mistake in the documentation.
>
> Anyway, TSIG rollover is an operation needed as indicated in RFC 2385:
>
> -------------------- RFC 2385 quote -----------------------------
> 6.2. Secret keys should be changed periodically. If the client host
> has been compromised, the server should suspend the use of all
> secrets known to that client. If possible, secrets should be stored
> in encrypted form. Secrets should never be transmitted in the clear
> over any network. This document does not address the issue on how to
> distribute secrets. Secrets should never be shared by more than two
> entities.
> -------------------- RFC 2385 quote -----------------------------
>
> but again the documentation indicates: "Multiple keys may be present,
> but only the first is used."
Which only applies to control channel keys.

> So, to coordinate the retirement of an old TSIG key and the introduction
> of a new one, it seems a close coordination between peers is needed in
> order to make it work, within a 'maintenance window' where the
> operations using the TSIG are not executed (in my particular interest,
> zone transfers)? Is it not possible to gradually introduce a new key,
> use both for a period of time and later retire the old one, similar to
> what is done in DNSSEC?
>
> Any experience on this matter that could be shared publicly or privately
> will be appreciated.
>
> Kind Regards
> Sebastian Castro
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
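As an added illustration of the gradual zone-transfer key rollover Sebastian asks about (this is not part of Mark's reply or Sebastian's message), the named.conf layout below lets the primary accept either key in allow-transfer while each secondary signs with one key at a time, so the old key is removed only after every secondary has switched. Key names, the 192.0.2.1 address and the base64 secrets are constructed placeholders, not values from the list post.

```conf
// ---- primary named.conf, during the rollover ----
// Both keys are defined; allow-transfer accepts a transfer signed with
// either one, so secondaries can be moved over one at a time.
key "xfer-old.example" {
    algorithm hmac-md5;                   // the key being retired
    secret "cGxhY2Vob2xkZXItb2xk";        // constructed placeholder, not a real secret
};

key "xfer-new.example" {
    // real secret would come from:
    //   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-new.example
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbmV3";        // constructed placeholder, not a real secret
};

zone "example.com" {
    type master;
    file "example.com.db";
    // Step 1: add the new key here, reload.
    // Step 3: delete the xfer-old.example line once every secondary
    //         has completed step 2, reload again.
    allow-transfer {
        key "xfer-old.example";
        key "xfer-new.example";
    };
};

// ---- secondary named.conf, after step 2 ----
// The server statement names the single key this secondary signs its
// AXFR/IXFR requests with; switch it from the old key to the new one
// only after the primary already accepts both (step 1 above).
key "xfer-new.example" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbmV3";        // same placeholder value as on the primary
};

server 192.0.2.1 {                        // primary's address (constructed, documentation range)
    keys { "xfer-new.example"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "example.com.db";
};
```

Run named-checkconf on each file before reloading, and watch the primary's log for transfer requests still signed with xfer-old.example before removing it.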