cascade tsig

Added in version 0.1.0-beta1.

Synopsis

cascade [GLOBAL OPTIONS] tsig <COMMAND>

cascade [GLOBAL OPTIONS] tsig add <TSIG_KEY_NAME> <ALGORITHM> <SECRET>

cascade [GLOBAL OPTIONS] tsig list

cascade [GLOBAL OPTIONS] tsig remove <TSIG_KEY_NAME>

Description

Manage RFC 8945 (TSIG) keys for authenticating zone transfer (AXFR, IXFR) and related messages (SOA and NOTIFY).

Tip

Cascade isn’t currently able to generate TSIG keys itself. One way to generate a TSIG key is to use the tsig-keygen tool from the ISC BIND project.

Global Options

See Cascade CLI for information about global options supported by every CLI command.

Commands

add

Add a new TSIG key.

Incoming TSIG-signed DNS messages will be rejected if the key used to sign the message is not registered with Cascade.

list

List registered TSIG keys.

remove

Remove a TSIG key.

Note

Returns an error if the key does not exist in the TSIG key store, or if the key is still referenced by other configuration.

Arguments for tsig add

<TSIG_KEY_NAME>
[<ALGORITHM>]:<TSIG_KEY_NAME>:<SECRET>

The name of the TSIG key to add, or a complete TSIG key specification.

TSIG key names must be valid domain names.

A complete TSIG key specification consists of an optional algorithm (default hmac-sha256), a key name and the secret key material. When a complete TSIG key specification is supplied, supplying the <ALGORITHM> and <SECRET> arguments as well will result in an error.

Secret key material must be the correct length for the specified algorithm and must be encoded using the RFC 4648 Base64 encoding.

Warning

Secret key material supplied via a command-line argument may be visible to other processes running on the same computer as the Cascade CLI.

<ALGORITHM>

The TSIG algorithm of the specified TSIG key. Can be one of: hmac-sha1, hmac-sha256, hmac-sha384 or hmac-sha512.

<SECRET>

RFC 4648 Base64 encoded secret key material. The number of bytes prior to encoding must be correct for the specified <ALGORITHM>.

Can also be a path to a file containing the Base64 encoded secret material.

Note

Secret key material supplied via a command-line argument may be visible to other processes running on the same computer as the Cascade CLI. Consider supplying a file name instead.
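
The following is an added example, not part of the Cascade documentation or project code. It creates the Base64 secret in an owner-only file and passes the file path as <SECRET>, so the key material never appears in the process argument list. It assumes that the "correct length" for each algorithm is its HMAC digest size in bytes; the helper function names, the key name and the file path are hypothetical.

```shell
#!/bin/sh
# Added example (not Cascade's own code): keep the TSIG secret out of argv.
# ASSUMPTION: "correct length" means the HMAC digest size in bytes.

# Print the assumed secret length in bytes for a TSIG algorithm name.
tsig_key_bytes() {
    case "$1" in
        hmac-sha1)   echo 20 ;;
        hmac-sha256) echo 32 ;;
        hmac-sha384) echo 48 ;;
        hmac-sha512) echo 64 ;;
        *) echo "unsupported TSIG algorithm: $1" >&2; return 1 ;;
    esac
}

# Print the number of raw bytes encoded in a Base64 secret file.
tsig_secret_len() {
    tr -d '\n' < "$1" | base64 -d | wc -c | tr -d ' '
}

# tsig_write_secret <ALGORITHM> <FILE>
# Write a fresh random Base64 secret to FILE, readable by the owner only.
tsig_write_secret() {
    alg=$1
    file=$2
    n=$(tsig_key_bytes "$alg") || return 1
    (
        umask 077   # file is created with mode 0600
        set -C      # noclobber: fail instead of overwriting an existing key
        head -c "$n" /dev/urandom | base64 | tr -d '\n' > "$file"
    ) || return 1
    # Reject a short read rather than registering a weak key.
    if [ "$(tsig_secret_len "$file")" -ne "$n" ]; then
        rm -f "$file"
        return 1
    fi
}

# Usage (key name and path are constructed placeholders):
#   tsig_write_secret hmac-sha256 ./xfr-key.secret
#   cascade tsig add xfr-key.example hmac-sha256 ./xfr-key.secret
```

The same file has to reach the peer that signs or verifies the transfers, so move it over a channel that protects it in transit and keep its mode at 0600 on both hosts.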

See Also

https://cascade.docs.nlnetlabs.nl

Cascade online documentation

cascade(1)

Cascade CLI

cascaded(1)

Cascade Daemon

cascaded-config.toml(5)

Configuration File Format

cascaded-policy.toml(5)

Policy File Format