[dns-operations] using TSIG keys in a mixed environment

Jim Reid jim at rfc1035.com
Tue Aug 11 02:07:37 UTC 2015

On 11 Aug 2015, at 01:49, Mark Jeftovic <markjr at easydns.com> wrote:

> If you enable a TSIG key for a zone slaving from a particular master,
> all subsequent transfers for any zone slaving from that master will
> attempt to use that key

I don't know offhand of any DNS software which does that.

> (because the key is defined for the host of the
> endpoint, not the zone being mirrored)

If that's the case, something is wrong. AFAIK most DNS server software would only behave in that way if it has been specifically (mis)configured to do so.

Different TSIG keys (or none) can easily be used on a zone-by-zone basis. For instance, a BIND9 config file could contain:

key foo {...};
key bar {...};

zone a { type slave; ... masters {; key foo; }; };
zone b { type slave; ... masters {; key bar; }; };
/* look ma, no TSIG! */
zone z { type slave; ... masters {; }; };

i.e. the usual granularity for applying TSIG credentials is per-zone, not per-IP address. Insisting on or requiring the same TSIG key for all xfers (or whatever) from the same IP address will almost certainly be wrong, as the problem you describe showed. None of the zones on a master server are obliged to use the same TSIG key unless some layer-9+ policy insists on this. IMO such a policy would at best be misguided. There's nothing in the DNS protocol which forces the same TSIG key for all traffic to/from a given IP address.
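As an added illustration that is not part of Jim's message: three separate BIND9 named.conf excerpts (constructed; 192.0.2.1, the zone names and the key secrets are placeholders) contrasting the per-IP server statement, which signs everything sent to that address with one key, with the per-zone masters form and the master-side allow-transfer check.

```conf
/* Key definitions, shared by the excerpts below (constructed example;
   the secrets are placeholders, generate real ones with tsig-keygen). */
key "foo" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-1";
};
key "bar" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-2";
};

/* Excerpt A, slave side, per-IP binding: a server statement makes
   named sign EVERY request it sends to 192.0.2.1 (queries, NOTIFY,
   AXFR/IXFR for every zone slaved from it) with "foo". This is the
   configuration that yields the symptom in the quoted message. */
server 192.0.2.1 {
    keys { "foo"; };
};

/* Excerpt B, slave side, per-zone binding: the key is attached to the
   master address inside each zone statement, so zones slaved from the
   same address can use different keys, or none at all. */
zone "a.example" {
    type slave;
    file "slaves/a.example.db";
    masters { 192.0.2.1 key "foo"; };
};
zone "b.example" {
    type slave;
    file "slaves/b.example.db";
    masters { 192.0.2.1 key "bar"; };
};
zone "z.example" {
    type slave;
    file "slaves/z.example.db";
    masters { 192.0.2.1; };        /* no TSIG for this zone */
};

/* Excerpt C, master side (its own named.conf): allow-transfer limits
   each zone to the key expected to sign its transfer requests, so an
   AXFR of a.example signed with "bar", or unsigned, is refused. */
zone "a.example" {
    type master;
    file "primary/a.example.db";
    allow-transfer { key "foo"; };
};
```

Run named-checkconf over each file after editing; a key name referenced in masters, server or allow-transfer must match a key statement exactly, quotes included.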
