[dns-operations] using TSIG keys in a mixed environment
Anand Buddhdev
anandb at ripe.net
Tue Aug 11 06:59:12 UTC 2015
On 11/08/15 03:15, Mark Andrews wrote:
>> If you enable a TSIG key for a zone slaving from a particular master,
>> all subsequent transfers for any zone slaving from that master will
>> attempt to use that key (because the key is defined for the host of the
>> endpoint, not the zone being mirrored)
>
> That's not a protocol requirement. e.g. named supports specifying the
> key to be used at the zone level.
>
> zone "1" { type slave; masters { 1.2.3.4 key key1; }; };
> zone "2" { type slave; masters { 1.2.3.4 key key2; }; };
This is correct, and works just fine. We have a complex setup at the
RIPE NCC involving lots of different zones, keys and masters, and we use
this type of configuration.
Unfortunately, a lot of BIND documentation out there shows examples of
TSIG by setting it up at the host level, and this confuses users.
Regards,
Anand
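As an added illustration (not part of the post or of the RIPE NCC configuration), a named.conf fragment showing the zone-level form of the configuration discussed above next to the host-level form that the documentation usually shows; the key names, zone names, master address, file paths and secrets are constructed placeholders.

```conf
// Added example, not from the original message. Two zones slaved from
// the same master address, each signed with its own TSIG key. The
// secrets below are constructed dummy values of the right shape
// (base64, 32 bytes); replace them with output from tsig-keygen.
key "key1" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
key "key2" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Zone-level binding: the key is attached to this zone's transfers from
// this master, so zone "1" and zone "2" can use different keys even
// though both come from 1.2.3.4. (Newer BIND releases also accept
// "primaries" as a synonym for "masters".)
zone "1" {
    type slave;
    file "slave/1.db";
    masters { 1.2.3.4 key "key1"; };
};
zone "2" {
    type slave;
    file "slave/2.db";
    masters { 1.2.3.4 key "key2"; };
};

// Host-level binding, the form most BIND examples show. A "server"
// statement attaches the key to the address, so every zone transferred
// from 1.2.3.4 would be signed with key1. Shown commented out: do not
// use it together with the per-zone keys above when the zones from one
// master need different keys.
// server 1.2.3.4 { keys { "key1"; }; };
```

Check the result with `named-checkconf` before reloading, and confirm with the transfer logs that each zone's AXFR/IXFR is signed with the intended key.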