[dns-operations] using TSIG keys in a mixed environment

Mark Jeftovic markjr at easydns.com
Tue Aug 11 01:10:00 UTC 2015


Thanks, Joe

Will this work with one having credentials and one having *no* TSIG key?

- mark


On 2015-08-10 9:04 PM, Joe Abley wrote:
> Hi Mark,
> 
> There's no protocol reason to link a server to a particular set of
> TSIG credentials. If you're using BIND9 as your [AI]XFR client, for
> example, try
> 
> key first-key {
>   ...
> };
> 
> key second-key {
>    ...
> };
> 
> zone "first.example" {
>   type slave;
>   masters {
>     192.0.2.1 key first-key;
>     ....
>   };
>   ...
> };
> 
> zone "second.example" {
>   type slave;
>   masters {
>     192.0.2.1 key second-key;
>     ....
>   };
>   ...
> };
> 
> Same master server, different credentials.
> 
> 
> Joe
> 
>> On Aug 10, 2015, at 20:51, Mark Jeftovic <markjr at easydns.com> wrote:
>>
>>
>> If you enable a TSIG key for a zone slaving from a particular master,
>> all subsequent transfers for any zone slaving from that master will
>> attempt to use that key (because the key is defined for the host of the
>> endpoint, not the zone being mirrored)
>>
>> This can be a problem between entities managing a wide portfolio of
>> zones in a multi-user environment.
>>
>> Real world example: slaving zones from Godaddy.
>>
>> Godaddy has two egress IPs for zone transfers. What we try to do is tell
>> users who want to use TSIG to use one IP, and those who don't to use the
>> other IP.
>>
>> Problem is when a customer turns on TSIG on the Godaddy side, and uses
>> the IP we have designated as "non TSIG". There isn't anything we can do
>> about it, so it then wigs out all the other slave zones using that master.
>>
>> I don't expect there is an easy answer to this problem (other than
>> "don't do that, then"). But I thought I'd mention it to see if perhaps
>> we're behind the curve and this has been solved a long time ago.
>>
>> - mark
>>
>> --
>> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
>> Company Website: http://easydns.com
>> Read My Blog:    http://markable.com
>> +1-416-535-8672 ext 225

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog:    http://markable.com
+1-416-535-8672 ext 225
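The thread turns on where BIND binds a TSIG key: per master address (the `server` statement Mark describes) versus per zone (the `masters { addr key name; }` form Joe shows, which lets two zones pull from the same address with different keys). The script below is an added example, not code from the thread or from BIND. It parses a constructed named.conf fragment (the key secrets are placeholders, the zone names are from Joe's message) and reports, per master address, which zones reach it signed with which key and which reach it unsigned, so an operator can spot the mixed situation Mark is asking about before a transfer fails. It assumes BIND's `masters` syntax as shown in the thread and that an entry with no `key` clause is sent unsigned unless a `server` statement for that address supplies keys; it does not parse `server` statements, so treat the "unsigned" finding as "no per-zone key".

```python
import re
from collections import defaultdict

# Constructed named.conf fragment for the example (not from the thread).
# One master address, two zones bound to different TSIG keys, and a third
# zone that lists the same master with no key plus a second master with one.
SAMPLE_NAMED_CONF = """
key first-key {
  algorithm hmac-sha256;
  secret "Zmlyc3Qta2V5LXBsYWNlaG9sZGVy";
};

key second-key {
  algorithm hmac-sha256;
  secret "c2Vjb25kLWtleS1wbGFjZWhvbGRlcg==";
};

zone "first.example" {
  type slave;
  masters { 192.0.2.1 key first-key; };
  file "first.example.db";
};

zone "second.example" {
  type slave;
  masters { 192.0.2.1 key second-key; };
  file "second.example.db";
};

zone "third.example" {
  type slave;
  masters { 192.0.2.1; 192.0.2.2 key second-key; };
  file "third.example.db";
};
"""

# Zone blocks close with "};" at column 0; nested "masters { ... };" sits indented.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
MASTERS_RE = re.compile(r'masters\s*\{(.*?)\};', re.S)
# One masters entry: address, optional "port N", optional "key NAME", then ";".
ENTRY_RE = re.compile(r'([0-9A-Fa-f.:]+)(?:\s+port\s+\d+)?(?:\s+key\s+([\w.-]+))?\s*;')
# Top-level key definitions: key NAME { ... };
KEY_RE = re.compile(r'key\s+([\w.-]+)\s*\{')


def parse_zone_masters(conf):
    """Return {zone: [(master_address, key_name_or_None), ...]} for zones with a masters list."""
    result = {}
    for zname, body in ZONE_RE.findall(conf):
        m = MASTERS_RE.search(body)
        if not m:
            continue
        result[zname] = [(ip, key or None) for ip, key in ENTRY_RE.findall(m.group(1))]
    return result


def audit_masters(zone_masters):
    """Group zones by master address and flag addresses that are reached both
    signed and unsigned, or with more than one key, by different zones."""
    by_master = defaultdict(dict)
    for zname, entries in zone_masters.items():
        for ip, key in entries:
            by_master[ip][zname] = key
    findings = {}
    for ip, zones in sorted(by_master.items()):
        keys = set(zones.values())
        findings[ip] = {
            "zones": zones,
            "distinct_keys": sorted(k for k in keys if k),
            "mixed_signed_unsigned": (None in keys) and bool(keys - {None}),
        }
    return findings


def defined_keys(conf):
    """Names of all key {} statements in the configuration."""
    return set(KEY_RE.findall(conf))


def undefined_key_refs(conf):
    """Key names referenced in a masters list but never defined with a key {} statement."""
    refs = {k for entries in parse_zone_masters(conf).values() for _, k in entries if k}
    return sorted(refs - defined_keys(conf))


if __name__ == "__main__":
    zm = parse_zone_masters(SAMPLE_NAMED_CONF)
    for ip, info in audit_masters(zm).items():
        print(ip, info["zones"])
        if info["mixed_signed_unsigned"]:
            print("  note: some zones sign transfers from this master and some do not")
    print("undefined key references:", undefined_key_refs(SAMPLE_NAMED_CONF))
```

Run against a real named.conf by replacing SAMPLE_NAMED_CONF with the file contents; a master that appears with `mixed_signed_unsigned` set is exactly the case where a key turned on for one customer's zone can surprise the others, and an `undefined key references` entry means a transfer will fail at load time rather than silently go unsigned.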
