[dns-operations] using TSIG keys in a mixed environment

Joe Abley jabley at hopcount.ca
Tue Aug 11 01:10:34 UTC 2015


Yup, think so.

Aue Te Ariki! He toki ki roto taku mahuna!

> On Aug 10, 2015, at 21:10, Mark Jeftovic <markjr at easydns.com> wrote:
>
> Thanks Joe
>
> Will this work with one having credentials and one having *no* TSIG key?
>
> - mark
>
>
>> On 2015-08-10 9:04 PM, Joe Abley wrote:
>> Hi Mark,
>>
>> There's no protocol reason to link a server to a particular set of
>> TSIG credentials. If you're using BIND9 as your [AI]XFR client, for
>> example, try
>>
>> key first-key {
>>  ...
>> };
>>
>> key second-key {
>>   ...
>> };
>>
>> zone "first.example" {
>>  type slave;
>>  masters {
>>    192.0.2.1 key first-key;
>>    ....
>>  };
>>  ...
>> };
>>
>> zone "second.example" {
>>  type slave;
>>  masters {
>>    192.0.2.1 key second-key;
>>    ....
>>  };
>>  ...
>> };
>>
>> Same master server, different credentials.
>>
>>
>> Joe
>>
>>> On Aug 10, 2015, at 20:51, Mark Jeftovic <markjr at easydns.com> wrote:
>>>
>>>
>>> If you enable a TSIG key for a zone slaving from a particular master,
>>> all subsequent transfers for any zone slaving from that master will
>>> attempt to use that key (because the key is defined for the host of the
>>> endpoint, not the zone being mirrored)
>>>
>>> This can be a problem between entities managing a wide portfolio of
>>> zones in a multi-user environment.
>>>
>>> Real world example: slaving zones from Godaddy.
>>>
>>> Godaddy has two egress IPs for zone transfers. What we try to do is tell
>>> users who want to use TSIG to use one IP, and those who don't to use the
>>> other IP.
>>>
>>> Problem is when a customer turns on TSIG on the Godaddy side, and uses
>>> the IP we have designated as "non TSIG". There isn't anything we can do
>>> about it, so it then wigs out all the other slave zones using that master.
>>>
>>> I don't expect there is an easy answer to this problem (other than
>>> "don't do that, then"), but I thought I'd mention it to see if perhaps
>>> we're behind the curve and this has been solved a long time ago.
>>>
>>> - mark
>>>
>>> --
>>> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
>>> Company Website: http://easydns.com
>>> Read My Blog:    http://markable.com
>>> +1-416-535-8672 ext 225
>
> --
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website: http://easydns.com
> Read My Blog:    http://markable.com
> +1-416-535-8672 ext 225
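As an added illustration of the mixed case Mark asks about (not config from Joe's or Mark's messages), the fragment below is a BIND9 named.conf in which two zones are slaved from the same master address, one with a TSIG key bound to that zone's masters entry and one with no key at all. Zone names, the 192.0.2.1 address, the file paths and the secret are all constructed for the example.

```conf
// named.conf fragment (added example, not from the thread). Two zones are
// slaved from the same master, 192.0.2.1: one transfers with TSIG, the
// other with no key. Names, address, paths and secret are constructed.

key first-key {
    algorithm hmac-sha256;
    // constructed sample secret, not a real key; generate your own
    // (e.g. with tsig-keygen) and keep it out of world-readable files
    secret "c2FtcGxlLXNlY3JldC1ub3QtZm9yLXVzZQ==";
};

// Avoid a server-level key binding here: "server 192.0.2.1 { keys { first-key; }; };"
// would attach the key to every transfer from that address, which is the
// "all subsequent transfers from that master use that key" behaviour the
// thread describes.

// Zone whose owner has TSIG enabled: the key is attached to this masters
// entry only, so only transfers for first.example are signed.
zone "first.example" {
    type slave;
    file "slaves/first.example";
    masters { 192.0.2.1 key first-key; };
};

// Zone whose owner has no TSIG key: same master address, no key clause.
// This transfer is accepted by the master on source address alone, so it
// carries no TSIG integrity guarantee on the way in.
zone "second.example" {
    type slave;
    file "slaves/second.example";
    masters { 192.0.2.1; };
};
```

Run named-checkconf over the file before loading it to catch syntax slips in the key or masters blocks; newer BIND releases also accept `type secondary` and `primaries` as synonyms for the `slave`/`masters` spellings used in the thread. If a keyed zone still fails to transfer, `dig @192.0.2.1 first.example AXFR -y hmac-sha256:first-key:<secret>` from the slave host shows whether the master accepts that key for that zone independently of named's configuration.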
