[dns-operations] using TSIG keys in a mixed environment
Mark Jeftovic
markjr at easydns.com
Tue Aug 11 00:49:59 UTC 2015
If you enable a TSIG key for a zone slaving from a particular master,
all subsequent transfers for any zone slaving from that master will
attempt to use that key (because the key is defined for the host of the
endpoint, not the zone being mirrored)
This can be a problem between entities managing a wide portfolio of
zones in a multi-user environment.
Real world example: slaving zones from Godaddy.
Godaddy has two egress IPs for zone transfers. What we try to do is tell
users who want to use TSIG to use one IP, and those who don't to use the
other IP.
Problem is when a customer turns on TSIG on the Godaddy side, and uses
the IP we have designated as "non TSIG". There isn't anything we can do
about it, so it then wigs out all the other slave zones using that master.
I don't expect there is an easy answer to this problem (other then
"don't do that, then") But I thought I'd mention it to see if perhaps
we're behind the curve and this has been solved a long time ago.
- mark
--
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog: http://markable.com
+1-416-535-8672 ext 225
More information about the dns-operations
mailing list