Re: BIND 9.11.2, named-checkconf barfs on cookie-secret

2018-01-03 Thread Ray Bellis
On 03/01/2018 12:48, Ingeborg Hellemo wrote:

> What am I missing?  Bug in named-checkconf?

Yes, it's a known bug, fixed in the forthcoming 9.11.3 release:

4695. [bug] cookie-secrets were not being properly checked by
named-checkconf. [RT #45886]

kind regards,

Ray
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


BIND 9.11.2, named-checkconf barfs on cookie-secret

2018-01-03 Thread Ingeborg Hellemo
I want to upgrade to BIND 9.11.2

I have an anycast cluster and want to pre-set the server cookie string with 
option cookie-secret.

My problem is that named-checkconf complains about the length of the 
cookie-secret regardless of how I set cookie-secret and cookie-algorithm:

options {
...
cookie-secret "b603f51bdd19cd343da445d207b728e1";
};

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:33: SHA1 cookie-secret must be on 160 bits
/etc/namedb/named.conf:33: SHA256 cookie-secret must be on 256 bits

If I change to

options {
...
cookie-algorithm sha256;
cookie-secret "f974e9f8435c7b3da20940e3b073b1800b8d3637425ac743f21a3b57561c552a";
};

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:34: AES cookie-secret must be on 128 bits
/etc/namedb/named.conf:34: SHA1 cookie-secret must be on 160 bits


~/#named-checkconf -v
9.11.2



What am I missing?  Bug in named-checkconf?



--Ingeborg

-- 
Ingeborg Østrem Hellemo  --  ingeborg.hell...@uit.no
Dep. of Information Technology  ---  Univ. of Tromsø
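
As an added example (not part of the original thread and not ISC code): a small pre-check for hosts still on 9.11.2 that compares each cookie-secret against only the configured cookie-algorithm, using the bit lengths quoted in the error messages above. The aes default when cookie-algorithm is absent is an assumption inferred from the first error output, and all function and constant names are hypothetical.

```python
import re

# Secret size in bits required by each cookie-algorithm, taken from the
# named-checkconf messages quoted in the post.
REQUIRED_BITS = {"aes": 128, "sha1": 160, "sha256": 256}
# Assumption: with no cookie-algorithm statement this build defaults to aes,
# as the first error output in the post implies.
DEFAULT_ALGORITHM = "aes"

ALGO_RE = re.compile(r'\bcookie-algorithm\s+"?(\w+)"?\s*;')
SECRET_RE = re.compile(r'\bcookie-secret\s+"([^"]*)"\s*;')

def strip_comments(text):
    # Simplified: drops /* */, // and # comments; ignores quoting rules.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def check_cookie_secrets(conf_text, default_algorithm=DEFAULT_ALGORITHM):
    """Return a list of problems; an empty list means every secret fits."""
    text = strip_comments(conf_text)
    m = ALGO_RE.search(text)
    algo = m.group(1).lower() if m else default_algorithm
    if algo not in REQUIRED_BITS:
        return [f"unknown cookie-algorithm {algo!r}"]
    want = REQUIRED_BITS[algo]
    problems = []
    for secret in SECRET_RE.findall(text):
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})*", secret):
            problems.append("cookie-secret is not a string of whole hex bytes")
            continue
        bits = len(secret) * 4
        if bits != want:
            problems.append(f"{algo} cookie-secret must be {want} bits, got {bits}")
    return problems

# The two configurations from the post, plus a constructed mismatch.
CONF_AES = 'options { cookie-secret "b603f51bdd19cd343da445d207b728e1"; };'
CONF_SHA256 = '''options {
    cookie-algorithm sha256;
    cookie-secret "f974e9f8435c7b3da20940e3b073b1800b8d3637425ac743f21a3b57561c552a";
};'''
CONF_MISMATCH = '''options {
    cookie-algorithm sha256;  // constructed: 128-bit secret with sha256
    cookie-secret "b603f51bdd19cd343da445d207b728e1";
};'''

if __name__ == "__main__":
    for name, conf in [("aes", CONF_AES), ("sha256", CONF_SHA256),
                       ("mismatch", CONF_MISMATCH)]:
        print(name, check_cookie_secrets(conf) or "ok")
```

Both configurations from the post pass this check; a secret that is wrapped across two lines inside the quotes is reported as malformed.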

