Re: BIND 9.11.2, named-checkconf barfs on cookie-secret
On 03/01/2018 12:48, Ingeborg Hellemo wrote:

> What am I missing? Bug in named-checkconf?

Yes, it's a known bug, fixed in the forthcoming 9.11.3 release:

4695. [bug] cookie-secrets were not being properly checked by
      named-checkconf. [RT #45886]

kind regards,

Ray
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

BIND 9.11.2, named-checkconf barfs on cookie-secret
I want to upgrade to BIND 9.11.2.

I have an anycast cluster and want to pre-set the server cookie string with
option cookie-secret.

My problem is that named-checkconf complains over the length of the
cookie-secret regardless of how I set cookie-secret and cookie-algorithm:

options {
    ...
    cookie-secret "b603f51bdd19cd343da445d207b728e1";
};

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:33: SHA1 cookie-secret must be on 160 bits
/etc/namedb/named.conf:33: SHA256 cookie-secret must be on 256 bits

If I change to

options {
    ...
    cookie-algorithm sha256;
    cookie-secret "f974e9f8435c7b3da20940e3b073b1800b8d3637425ac743f21a3b57561c552a";
};

~/#named-checkconf /etc/namedb/named.conf
/etc/namedb/named.conf:34: AES cookie-secret must be on 128 bits
/etc/namedb/named.conf:34: SHA1 cookie-secret must be on 160 bits

~/#named-checkconf -v
9.11.2

What am I missing? Bug in named-checkconf?

--Ingeborg

--
Ingeborg Østrem Hellemo -- ingeborg.hell...@uit.no
Dep. of Information Technology --- Univ. of Tromsø
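
Added example, not part of either message and not ISC code: on a host where named-checkconf 9.11.2 rejects every cookie-secret, the secret length can be checked independently against the sizes quoted in the error output above. It assumes that a missing cookie-algorithm means aes (the BIND 9.11 default when the crypto library supports AES) and that secrets are hex strings; all function and constant names are hypothetical.

```python
import re

# Required secret sizes, taken from the named-checkconf messages in the post.
REQUIRED_BITS = {"aes": 128, "sha1": 160, "sha256": 256}
# Assumption: no cookie-algorithm statement means "aes" (the BIND 9.11
# default when the crypto library supports AES).
DEFAULT_ALGORITHM = "aes"

ALGO_RE = re.compile(r'\bcookie-algorithm\s+"?(\w+)"?\s*;')
SECRET_RE = re.compile(r'\bcookie-secret\s+"([^"]*)"\s*;')


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def check_cookie_secrets(conf):
    """Return a list of problems; an empty list means every secret fits."""
    conf = strip_comments(conf)
    m = ALGO_RE.search(conf)
    algo = m.group(1).lower() if m else DEFAULT_ALGORITHM
    if algo not in REQUIRED_BITS:
        return ["unknown cookie-algorithm %r" % algo]
    need = REQUIRED_BITS[algo]
    problems = []
    # named.conf may list several secrets; each one must match the algorithm.
    for n, secret in enumerate(SECRET_RE.findall(conf), 1):
        if not re.fullmatch(r"[0-9a-fA-F]*", secret):
            problems.append("secret %d: not a plain hex string" % n)
        elif len(secret) * 4 != need:
            problems.append("secret %d: %d bits, %s needs %d"
                            % (n, len(secret) * 4, algo, need))
    return problems


# Constructed inputs: the two option blocks from the post, "..." removed.
AES_CONF = 'options { cookie-secret "b603f51bdd19cd343da445d207b728e1"; };'
SHA256_CONF = ('options { cookie-algorithm sha256; cookie-secret '
               '"f974e9f8435c7b3da20940e3b073b1800b8d3637425ac743f21a3b57'
               '561c552a"; };')

if __name__ == "__main__":
    for name, conf in (("aes", AES_CONF), ("sha256", SHA256_CONF)):
        print(name, check_cookie_secrets(conf) or "ok")
```

Both option blocks from the post pass this check, which matches the reply's diagnosis that the fault is in named-checkconf and not in the configuration.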