[dns-operations] using TSIG keys in a mixed environment

Mark Andrews marka at isc.org
Tue Aug 11 01:15:18 UTC 2015

In message <55C946B7.40705 at easydns.com>, Mark Jeftovic writes:
> If you enable a TSIG key for a zone slaving from a particular master,
> all subsequent transfers for any zone slaving from that master will
> attempt to use that key (because the key is defined for the host of the
> endpoint, not the zone being mirrored).

That's not a protocol requirement, e.g. named supports specifying the
key to be used at the zone level.

	zone "1" { type slave; masters { 192.0.2.1 key key1; }; };
	zone "2" { type slave; masters { 192.0.2.1 key key2; }; };

> This can be a problem between entities managing a wide portfolio of
> zones in a multi-user environment.
> Real world example: slaving zones from Godaddy.
> Godaddy has two egress IPs for zone transfers. What we try to do is tell
> users who want to use TSIG to use one IP, and those who don't to use the
> other IP.
> Problem is when a customer turns on TSIG on the Godaddy side, and uses
> the IP we have designated as "non TSIG". There isn't anything we can do
> about it, so it then wigs out all the other slave zones using that master.
> I don't expect there is an easy answer to this problem (other than
> "don't do that, then"). But I thought I'd mention it to see if perhaps
> we're behind the curve and this has been solved a long time ago.
> - mark
> -- 
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website: http://easydns.com
> Read My Blog:    http://markable.com
> +1-416-535-8672 ext 225
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
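The per-zone key selection Mark Andrews refers to, written out as a complete named.conf fragment. This is an added example, not code from either poster: three zones are slaved from the same master address, two of them with different TSIG keys and one unsigned, so a key turned on for one customer's zone is never offered for another customer's transfer from the same endpoint. The master address 192.0.2.53 (an RFC 5737 documentation address), the zone and key names, the file paths and the secrets are all constructed placeholders.

```conf
# Added example (not from the thread). Secrets below are obviously fake
# filler that happens to be valid base64; generate real ones with
# tsig-keygen and replace them before use.

key "customer-a-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
};

key "customer-b-key" {
    algorithm hmac-sha256;
    secret "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
};

# The key is chosen inside each zone's masters list, so it is scoped to
# the zone, not to the master's address. Zone A's key is used only for
# zone A's transfers, even though zones B and C pull from the same IP.
zone "customer-a.example" {
    type slave;
    file "slave/customer-a.example";
    masters { 192.0.2.53 key "customer-a-key"; };
};

zone "customer-b.example" {
    type slave;
    file "slave/customer-b.example";
    masters { 192.0.2.53 key "customer-b-key"; };
};

# No key on this entry: transfers for this zone are sent unsigned.
zone "customer-c.example" {
    type slave;
    file "slave/customer-c.example";
    masters { 192.0.2.53; };
};

# Contrast: a server statement attaches a key to the address itself and
# applies to every transfer and query sent to it. That is the per-host
# behaviour the original post describes; leave it out when keys are set
# per zone as above.
#
# server 192.0.2.53 { keys { "customer-a-key"; }; };
```

Run `named-checkconf` on the resulting file before reloading; a key name referenced in a masters list that has no matching key statement is reported at that stage rather than at transfer time. On the wire, the zone-scoped key still means the master must hold the same secret under the same key name for that zone's transfer, so a customer who enables TSIG on the master side must be paired with the matching per-zone key on the slave.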
