[dns-operations] using TSIG keys in a mixed environment

Mark Jeftovic markjr at easydns.com
Tue Aug 11 00:49:59 UTC 2015

If you enable a TSIG key for a zone slaving from a particular master,
all subsequent transfers for any zone slaving from that master will
attempt to use that key (because the key is defined for the host of the
endpoint, not the zone being mirrored).

This can be a problem between entities managing a wide portfolio of
zones in a multi-user environment.

Real world example: slaving zones from Godaddy.

Godaddy has two egress IPs for zone transfers. What we try to do is tell
users who want to use TSIG to use one IP, and those who don't to use the
other IP.

Problem is when a customer turns on TSIG on the Godaddy side, and uses
the IP we have designated as "non TSIG". There isn't anything we can do
about it, so it then wigs out all the other slave zones using that master.

I don't expect there is an easy answer to this problem (other than
"don't do that, then"). But I thought I'd mention it to see if perhaps
we're behind the curve and this has been solved a long time ago.

- mark
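
The host-scoped binding Mark describes, shown as an added example in BIND 9 `named.conf` syntax (this is not configuration from the original post, from easyDNS, or from GoDaddy; it assumes the secondary runs BIND 9). The `server` statement ties the key to the master's address, so every zone pulled from that address gets a signed transfer request, whether or not that zone's owner enabled TSIG. The second variant shows the per-zone form, where the key is named inside the `masters` list and applies to that one zone only. Addresses are RFC 5737 documentation addresses, not GoDaddy's real transfer-out addresses; the zone names, key name and secret are placeholders.

```conf
// Added example, not from the original post or from any vendor.
// Assumes a BIND 9 secondary. All names, addresses and secrets are placeholders.

key "customer-a-tsig" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1jdXN0b21lci1hLW9ubHk=";   // placeholder, base64
};

// ---- Variant 1: host-scoped key (the behaviour described in the post) ----
// The key is bound to the master's address. named signs EVERY transfer
// request it sends to 203.0.113.10 with this key, including requests for
// zones whose owner never turned on TSIG on the master side.
server 203.0.113.10 {
    keys { "customer-a-tsig"; };
};

zone "customer-a.example" {
    type slave;
    masters { 203.0.113.10; };   // signed: customer A wants that
    file "slave/customer-a.example";
};

zone "customer-b.example" {
    type slave;
    masters { 203.0.113.10; };   // also signed, only because of the server block above
    file "slave/customer-b.example";
};

// ---- Variant 2: zone-scoped key (use instead of the server block) ----
// Naming the key inside the masters list binds it to this zone's transfers
// only; a neighbouring zone slaving from the same address without a key
// entry sends unsigned requests as before.
zone "customer-a.example" {
    type slave;
    masters { 203.0.113.10 key "customer-a-tsig"; };
    file "slave/customer-a.example";
};

zone "customer-b.example" {
    type slave;
    masters { 203.0.113.10; };   // unsigned: unaffected by customer A's key
    file "slave/customer-b.example";
};
```

The two variants are alternatives for the same pair of zones, so only one of them belongs in a real `named.conf` at a time. Variant 2 still depends on the customer pointing the master at the address the secondary expects; it removes the cross-zone side effect of the key, not the need to agree on which address carries signed transfers.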

