[dns-operations] using TSIG keys in a mixed environment

Anand Buddhdev anandb at ripe.net
Tue Aug 11 06:59:12 UTC 2015

On 11/08/15 03:15, Mark Andrews wrote:

>> If you enable a TSIG key for a zone slaving from a particular master,
>> all subsequent transfers for any zone slaving from that master will
>> attempt to use that key (because the key is defined for the host of the
>> endpoint, not the zone being mirrored)
> That's not a protocol requirement. e.g. named supports specifying the
> key to be used at the zone level.
> 	zone "1" { type slave; masters { key key1; }; };
> 	zone "2" { type slave; masters { key key2; }; };

This is correct, and works just fine. We have a complex setup at the
RIPE NCC involving lots of different zones, keys and masters, and we use
this type of configuration.

Unfortunately, a lot of BIND documentation out there shows examples of
TSIG by setting it up at the host level, and this confuses users.


More information about the dns-operations mailing list