[dns-operations] using TSIG keys in a mixed environment

Joe Abley jabley at hopcount.ca
Tue Aug 11 01:04:02 UTC 2015


Hi Mark,

There's no protocol reason to link a server to a particular set of
TSIG credentials. If you're using BIND9 as your [AI]XFR client, for
example, try

key first-key {
  ...
};

key second-key {
  ...
};

zone "first.example" {
  type slave;
  masters {
    192.0.2.1 key first-key;
    ....
  };
  ...
};

zone "second.example" {
  type slave;
  masters {
    192.0.2.1 key second-key;
    ....
  };
  ...
};

Same master server, different credentials.


Joe

> On Aug 10, 2015, at 20:51, Mark Jeftovic <markjr at easydns.com> wrote:
>
>
> If you enable a TSIG key for a zone slaving from a particular master,
> all subsequent transfers for any zone slaving from that master will
> attempt to use that key (because the key is defined for the host of the
> endpoint, not the zone being mirrored)
>
> This can be a problem between entities managing a wide portfolio of
> zones in a multi-user environment.
>
> Real world example: slaving zones from Godaddy.
>
> Godaddy has two egress IPs for zone transfers. What we try to do is tell
> users who want to use TSIG to use one IP, and those who don't to use the
> other IP.
>
> Problem is when a customer turns on TSIG on the Godaddy side, and uses
> the IP we have designated as "non TSIG". There isn't anything we can do
> about it, so it then wigs out all the other slave zones using that master.
>
> I don't expect there is an easy answer to this problem (other than
> "don't do that, then") But I thought I'd mention it to see if perhaps
> we're behind the curve and this has been solved a long time ago.
>
> - mark
>
> --
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website: http://easydns.com
> Read My Blog:    http://markable.com
> +1-416-535-8672 ext 225
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
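Joe's snippet, filled out into a complete secondary-side named.conf so it can be dropped into a test instance. This is an added example for this archive page, not Joe's or easyDNS's configuration: the zone names, key names and file paths are placeholders, and the angle-bracket secrets must be replaced with base64 values from tsig-keygen (older BIND 9: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name>). It also shows, commented out, the server statement that produces the per-host behaviour Mark describes, beside the per-zone form Joe recommends.

```conf
// Secondary ("slave") side: one TSIG key per zone, all pulled from the
// same primary address. Generate each secret with
//   tsig-keygen -a hmac-sha256 first-key
// and paste the base64 value in place of the <...> placeholder.

key "first-key" {
    algorithm hmac-sha256;
    secret "<base64 secret agreed with the owner of first.example>";
};

key "second-key" {
    algorithm hmac-sha256;
    secret "<base64 secret agreed with the owner of second.example>";
};

// FRAGILE: a server statement ties a key to the peer address, so every
// zone fetched from 192.0.2.1 is signed with first-key. This is the
// "key belongs to the host, not the zone" behaviour: once one zone on
// that address expects a different key (or no key), its transfers fail.
//
// server 192.0.2.1 {
//     keys { first-key; };
// };

// CORRECT: name the key per master inside each zone. A key given here is
// used for that zone's SOA refresh queries and [AI]XFR requests, and is
// taken in preference to a key from a server statement for the address.
zone "first.example" {
    type slave;
    file "slaves/first.example";
    masters { 192.0.2.1 key first-key; };
};

zone "second.example" {
    type slave;
    file "slaves/second.example";
    masters { 192.0.2.1 key second-key; };
};

// A zone whose owner has not turned on TSIG simply omits the key clause;
// it is unaffected by the keys configured for the other zones.
zone "third.example" {
    type slave;
    file "slaves/third.example";
    masters { 192.0.2.1; };
};

// Check one zone/key pairing by hand from the secondary host:
//   dig @192.0.2.1 first.example AXFR -y hmac-sha256:first-key:<base64 secret>
// A mismatched key fails TSIG verification (NOTAUTH with BADKEY or BADSIG);
// sending no key against a key-restricted primary is answered REFUSED.
```

If you also control the primary, mirror the mapping there with the same key blocks and a per-zone ACL, e.g. `allow-transfer { key first-key; };` in the first.example zone and `allow-transfer { key second-key; };` in the second, so each zone's data is only ever handed out under its own credential. Run `named-checkconf` after editing; it catches a key referenced in a masters clause that has no matching key block.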


