plugin/tsig: Document unimplemented secondary tsig transfers (#5605)
document unimplemented secondary tsig; clarify plugin description
This commit is contained in:
Chris O'Haver
GitHub
parent
07159c8d87
commit
8737ad49b3
1 changed files with 11 additions and 4 deletions
|
|
@ -2,12 +2,15 @@
|
|||
|
||||
## Name
|
||||
|
||||
*tsig* - validate TSIG requests and sign responses.
|
||||
*tsig* - define TSIG keys, validate incoming TSIG signed requests and sign responses.
|
||||
|
||||
## Description
|
||||
|
||||
With *tsig*, you can define a set of TSIG secret keys for validating incoming TSIG requests and signing
|
||||
responses. It can also require TSIG for certain query types, refusing requests that do not comply.
|
||||
With *tsig*, you can define CoreDNS's TSIG secret keys. Using those keys, *tsig* validates incoming TSIG requests and signs
|
||||
responses to those requests. It does not itself sign requests outgoing from CoreDNS; it is up to the
|
||||
respective plugins sending those requests to sign them using the keys defined by *tsig*.
|
||||
|
||||
The *tsig* plugin can also require that incoming requests be signed for certain query types, refusing requests that do not comply.
|
||||
|
||||
## Syntax
|
||||
|
||||
|
|
@ -67,9 +70,13 @@ auth.zone {
|
|||
|
||||
## Bugs
|
||||
|
||||
### Secondary
|
||||
|
||||
TSIG transfers are not yet implemented for the *secondary* plugin. The *secondary* plugin will not sign its zone transfer requests.
|
||||
|
||||
### Zone Transfer Notifies
|
||||
|
||||
With the transfer plugin, zone transfer notifications from CoreDNS are not TSIG signed.
|
||||
With the *transfer* plugin, zone transfer notifications from CoreDNS are not TSIG signed.
|
||||
|
||||
### Special Considerations for Forwarding Servers (RFC 8945 5.5)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue