Securing zone transfer and DDNS
Doug Barton
dougb at dougbarton.us
Mon Nov 7 02:47:51 UTC 2011
On 11/06/2011 17:07, Aleksander Kurczyk wrote:
> Hello, I am just reading a book called "Pro DNS and BIND 10" written by
> Ron Aitchison. I'm stuck in chapter 10 called "DNS Secure
> Configurations". There it is described how to secure zone transfer and
> dynamic updates. The author has used one key to secure both the zone
> transfer and the dynamic updates, but I want to use two separate keys.
First question, why use 2 keys? The combination of a key and an address
match list should be enough. Second question, what version of BIND are
you using? It probably doesn't matter, but it's good form to include
that information.
> Unfortunately, when I add more than one key to the keys option in the
> server section, named doesn't start anymore. The format of the key
> option in the book is different from the one in the manual. When I remove
> the whole server section everything works ok. Is the keys section
> important? What is this section for? How can I use one key to
> secure zone transfer to one host and another to secure zone transfer to
> another host? Is it possible?
Doesn't look that way. The ARM is your best source for config info.
> Part of the named.conf:
> include "key";
The include directive is related to adding an external file to your
named.conf. Unless that's what you're intending to do, you probably
don't want it here.
> server 127.0.0.1 { keys { "key"; }; };
The term "keys" here would seem to indicate that you can add multiple
keys per server, but ...
> zone "my.zone" in { type master; file "my.zone"; allow-transfer { key
> "key"; }; allow-update { key "key"; }; };
I don't see anything in the ARM about including key directives in the
allow-update or allow-transfer grammar.
You can probably also get some useful information by using named-checkconf.
hth,
Doug
--
"We could put the whole Internet into a book."
"Too practical."
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
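An added example, not from this thread and not BIND's own code: a named.conf fragment that uses one TSIG key for zone transfer and a different one for dynamic update, each also tied to a source address, together with a small Python check that every key name the ACLs and server statements reference is actually defined (a typo there is one of the things named-checkconf will reject). BIND 9 address match lists accept `key` elements, and the `!{ !addr; any; }` idiom is the ARM's way of requiring both a particular source address and a particular key; a `server` statement takes one key per remote address, so a second peer gets its own `server` statement. The addresses, key names and zone name are constructed placeholders.

```python
"""Added example: two TSIG keys in named.conf, one per purpose, plus a
referential check on key names. Addresses, key names and the zone are
constructed placeholders, not values from the thread."""
import base64
import re
import secrets

# Constructed placeholders: 192.0.2.10 is the secondary, 192.0.2.20 the DDNS client.
NAMED_CONF_TEMPLATE = '''\
key "xfer-secondary" {
    algorithm hmac-sha256;
    secret "@XFER@";
};
key "ddns-client" {
    algorithm hmac-sha256;
    secret "@UPDATE@";
};

# Key this server signs with when it talks to the secondary (e.g. NOTIFY).
# A server statement takes one key per remote address.
server 192.0.2.10 { keys { "xfer-secondary"; }; };

zone "example.test" IN {
    type master;
    file "example.test.db";
    # "!{ !addr; any; }" rejects every address except addr, so a request
    # must come from that host AND be signed with the named key.
    allow-transfer { !{ !192.0.2.10; any; }; key "xfer-secondary"; };
    allow-update   { !{ !192.0.2.20; any; }; key "ddns-client"; };
};
'''


def make_tsig_secret(nbytes: int = 32) -> str:
    """Random base64 secret; 32 bytes is the size tsig-keygen emits for hmac-sha256."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_length(secret: str) -> int:
    """Decoded byte length of a base64 TSIG secret; raises on malformed base64."""
    return len(base64.b64decode(secret, validate=True))


def build_named_conf(xfer_secret: str, update_secret: str) -> str:
    """Fill the two secrets into the template (one key per purpose)."""
    return NAMED_CONF_TEMPLATE.replace("@XFER@", xfer_secret).replace("@UPDATE@", update_secret)


KEY_DEF = re.compile(r'^\s*key\s+"([^"]+)"\s*\{', re.MULTILINE)  # key "name" { ... };
KEY_REF = re.compile(r'\bkey\s+"([^"]+)"\s*;')                   # key "name"; inside an ACL
KEYS_BLOCK = re.compile(r'\bkeys\s*\{([^}]*)\}')                 # keys { "name"; }; in server
QUOTED = re.compile(r'"([^"]+)"')


def undefined_key_references(conf: str) -> set[str]:
    """Key names used in ACLs or server statements that have no key definition."""
    conf = re.sub(r"#.*", "", conf)  # drop '#' comments; base64 secrets never contain '#'
    defined = set(KEY_DEF.findall(conf))
    referenced = set(KEY_REF.findall(conf))
    for block in KEYS_BLOCK.findall(conf):
        referenced.update(QUOTED.findall(block))
    return referenced - defined


if __name__ == "__main__":
    conf = build_named_conf(make_tsig_secret(), make_tsig_secret())
    print(conf)
    print("undefined keys:", undefined_key_references(conf) or "none")
```

In practice the `key` statements would live in a separate, mode-0640 file pulled in with `include`, which is the purpose of the `include` directive in the quoted config; the secret itself is all that protects the update and transfer paths, so it should not sit in a world-readable named.conf.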