Securing zone transfer and DDNS

Doug Barton dougb at
Mon Nov 7 02:47:51 UTC 2011

On 11/06/2011 17:07, Aleksander Kurczyk wrote:
> Hello, I just reading a book called "Pro DNS and BIND 10" written by
> Ron Aitchrison. I'm stuck in chapter 10 called "DNS Secure
> Configurations". There's described how to secure zone transfer and
> dynamic updates. The author has used one key to secure both the zone
> transfer and the dynamic updates but I want to use two separate keys.

First question, why use 2 keys? The combination of a key and an address
match list should be enough. Second question, what version of BIND are
you using? It probably doesn't matter, but it's good form to include
that information.

> Unfortunately when I add to the keys option in server section more
> than one key the named doesn't start anymore. Format of the key
> option in the book is different than in the manual. When I remove
> whole server section everything works ok. Is the keys section
> important? For what this section is for? How can I use one key to
> secure zone transfer to one host and other to secure zone transfer to
> other host? It is possible?

Doesn't look that way. The ARM is your best source for config info.

> Part of the named.conf: 

>include "key";

The include directive is related to adding an external file to your
named.conf. Unless that's what you're intending to do, you probably
don't want it here.

> server { keys { "key"; }; };

The term "keys" here would seem to indicate that you can add multiple
keys per server, but ...

> zone "" in { type master; file ""; allow-transfer { key
> "key"; }; allow-update { key "key"; }; };

I don't see anything in the ARM about including key directives in the
allow-update or allow-transfer grammar.

You can probably also get some useful information by using named-checkconf.




		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)

More information about the bind-users mailing list