How to create the TSIG?

Chris Buxton cbuxton at
Fri Feb 6 00:58:27 UTC 2009

Create a key:

dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key

(Note: Use something better than hmac-md5 if your BIND version  
supports it.) This creates two files, with similar names. Extract the  
secret from either of them (it is the same in both) and create a key  

key "slave1.key" {
	algorithm hmac-md5;
	secret "put here the secret from the file";

Put this statement into named.conf on both the master server and one  
of your slaves. Then, put this into the master server's named.conf:

server { // use the actual IP address of the slave here
	keys { slave1.key; };

On the slave:

server { // this should be the IP address of the master
	keys { slave1.key; };

This will then secure all communication (except forwarded updates)  
between master and slave1. That includes notifies, SOA queries and  
responses, and zone transfers.

Repeat the above for each slave. Use a different key for each slave.  
This means the master will have 5 keys defined (plus an RNDC key,  
hopefully), and 5 server statements. You may also want to create  
additional keys (and additional server statements) for use between  
slaves, just in case you ever need to promote one.

Next, create yet another key for dynamic updates. Put that key's name  
into your allow-update statement. Turn on update-forwarding on the  
slaves, like this (in each slave zone):

allow-update-forwarding { any; };

Since the master will only permit signed updates, and since the slaves  
will forward signed updates unmodified (signatures intact), you do not  
need to secure this ACL.

Chris Buxton
Professional Services
Men & Mice

On Feb 4, 2009, at 2:23 PM, Michelle Konzack wrote:

> Hello,
> since the french authorities (current government has shutdown my  
> network
> in paris) I am installing my system on some root  servers  at   
> different
> ISPs all over the world...
> So while reding the bind9 manual, it is not clear for me, HOW to   
> create
> the TSIG and use it, because I will instal on one  of  my  root   
> servers
> bind9 as master ant then let the 5 slaves up date from it.
> But I have the need for dynamicaly updation the zones.
> So, what must I do to use TSIG?
> (as from the manual, "allow-update" with IP addresses is suicide)
> Thanks, Greetings and nice Day/Evening
>    Michelle Konzack
>    Systemadministrator
>    24V Electronic Engineer
>    Tamay Dogan Network
>    Debian GNU/Linux Consultant
> -- 
> Linux-User #280138 with the Linux Counter,
> ##################### Debian GNU/Linux Consultant  
> #####################
> <>               <http:// 
> Michelle Konzack   Apt. 917                  ICQ #328449886
> +49/177/9351947    50, rue de Soultz         MSN LinuxMichi
> +33/6/61925193     67100 Strasbourg/France   IRC #Debian (
> _______________________________________________
> bind-users mailing list
> bind-users at

More information about the bind-users mailing list