Using RNDC key for zone transfers

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 13 20:47:10 UTC 2005


Jeff Lightner wrote:

>OK.  I've been looking at this for a while and just want to check a
>couple of things.
>1)	First - I'm assuming though can't find where it is stated
>explicitly anywhere that the rndc key I define on the master and the
>slave should be the same.   (That is I generate it on the master then
>copy it from there to the slave rather than generating a separate one on
>the slave.)  Is that correct?
>
I assume you mean the TSIG key. That's different from the rndc key, 
which is used between an rndc client and a nameserver. You can actually 
generate the TSIG key on *any* box. For that matter, you don't even need 
to "generate" it -- it could just be some semi-random sequence of 
characters of a given length. The important thing is that the master and 
slave use the same key (meaning same name and same secret) and that 
their system clocks be synchronized within a few minutes.

>
>2)	Most of what I found regarded changing from host IP based
>allow-transfer statements to key based.   I thought it would be best to
>have it restricted both by key and host IP so that one has to both spoof
>the IP AND compromise the key.   On doing a search I found a thread that
>suggests something like the following would work - does anyone see a
>problem with this approach?:
>   acl allow-xfr { 1.2.3.4; 1.2.3.8; };
>   acl deny-xfr { !allow-xfr; any; };
>   allow-transfer { !deny-xfr; key hostx-hosty; };
>
I've never tried it myself, to be honest, but I think the prevailing 
opinion is that the "double negative" trick works fine.

                                                                         
                                       - Kevin
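The keyed-plus-address transfer policy discussed in this thread, written out as a complete BIND 9 named.conf fragment for both the master and the slave. This is an added example, not configuration from the original post; the zone name, the 192.0.2.x addresses and the secret are constructed placeholders.

```conf
// ---- master: named.conf ----
// TSIG key shared verbatim by master and slave: same name, same secret.
// The secret is a constructed placeholder, not a real key.
key "hostx-hosty" {
    algorithm hmac-md5;                 // hmac-sha256 on newer BIND releases
    secret "REPLACE_WITH_BASE64_SECRET==";
};

// Hosts permitted to pull zones (constructed RFC 5737 addresses).
acl "xfr-hosts" { 192.0.2.4; 192.0.2.8; };

// Everyone who is NOT an xfr-host. Inside a nested ACL a negated match
// counts as "no match", so xfr-hosts fall through without matching here.
acl "not-xfr-hosts" { !xfr-hosts; any; };

zone "example.com" {
    type master;
    file "example.com.zone";
    // Double negative: a requester outside xfr-hosts matches
    // not-xfr-hosts positively, and the leading "!" rejects it.
    // A requester inside xfr-hosts does not match the first element,
    // so it still has to present a valid TSIG signature to match "key".
    // Result: transfer requires an allowed IP AND the shared key.
    allow-transfer { !not-xfr-hosts; key hostx-hosty; };
};

// ---- slave: named.conf ----
key "hostx-hosty" {
    algorithm hmac-md5;
    secret "REPLACE_WITH_BASE64_SECRET==";   // identical to the master's
};

// Sign every request sent to the master (192.0.2.1 is constructed).
server 192.0.2.1 {
    keys { hostx-hosty; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.zone";
};
```

Because TSIG signatures carry a timestamp, both hosts need clocks within the BIND fudge window (a few minutes), as noted above; a transfer refused with a BADTIME response in the logs usually means clock skew rather than a wrong key.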