[dns-operations] using TSIG keys in a mixed environment
Mark Andrews
marka at isc.org
Tue Aug 11 01:15:18 UTC 2015
In message <55C946B7.40705 at easydns.com>, Mark Jeftovic writes:
>
> If you enable a TSIG key for a zone slaving from a particular master,
> all subsequent transfers for any zone slaving from that master will
> attempt to use that key (because the key is defined for the host of the
> endpoint, not the zone being mirrored)
That's not a protocol requirement; e.g. named supports specifying the
key to be used at the zone level.
zone "1" { type slave; masters { 1.2.3.4 key key1; }; };
zone "2" { type slave; masters { 1.2.3.4 key key2; }; };
Mark
> This can be a problem between entities managing a wide portfolio of
> zones in a multi-user environment.
>
> Real world example: slaving zones from Godaddy.
>
> Godaddy has two egress IPs for zone transfers. What we try to do is tell
> users who want to use TSIG to use one IP, and those who don't to use the
> other IP.
>
> Problem is when a customer turns on TSIG on the Godaddy side, and uses
> the IP we have designated as "non TSIG". There isn't anything we can do
> about it, so it then wigs out all the other slave zones using that master.
>
> I don't expect there is an easy answer to this problem (other than
> "don't do that, then"). But I thought I'd mention it to see if perhaps
> we're behind the curve and this has been solved a long time ago.
>
> - mark
>
> --
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website: http://easydns.com
> Read My Blog: http://markable.com
> +1-416-535-8672 ext 225
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
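To make the distinction in the reply concrete, here is an added named.conf fragment (not from either message) contrasting the host-level key binding that causes the behaviour Mark Jeftovic describes with the zone-level binding Mark Andrews points to. The key names, secrets, zone names and the 1.2.3.4/1.2.3.5 addresses are constructed placeholders.

```conf
// Constructed example: two TSIG keys, one per customer relationship.
// Secrets are placeholders; generate real ones with tsig-keygen.
key "customer-a" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_A==";
};
key "customer-b" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_B==";
};

// Host-level binding: EVERY transfer to 1.2.3.4 is signed with
// customer-a, regardless of zone. This is the "key is defined for
// the endpoint, not the zone" situation from the original post;
// a zone that the master expects unsigned (or signed with another
// key) will then fail with a TSIG/REFUSED error.
server 1.2.3.4 {
    keys { "customer-a"; };
};

// Zone-level binding: the key in the masters list applies only to
// this zone and overrides the server-level keys for that master.
// Zone "a.example" is signed with customer-a, "b.example" with
// customer-b, and "c.example" sends an unsigned request to a
// second master address that has no server-level key.
zone "a.example" {
    type slave;
    file "slaves/a.example";
    masters { 1.2.3.4 key "customer-a"; };
};
zone "b.example" {
    type slave;
    file "slaves/b.example";
    masters { 1.2.3.4 key "customer-b"; };
};
zone "c.example" {
    type slave;
    file "slaves/c.example";
    masters { 1.2.3.5; };
};
```

Check the result per zone with `named-checkconf` and then `rndc retransfer <zone>`, watching the log for TSIG errors on each zone rather than on the master as a whole.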