Secondary DNS question...

Chuck Peters cp at
Thu Jun 27 21:24:38 UTC 2013

On Thu, Jun 27, 2013 at 9:48 AM, SH Development <listaccount at
> wrote:

>  I have now moved all of my secondary to BuddyNS with much better
> redundancy...

They don't appear to support secure zone transfers with TKEY/TSIG or

I haven't found any free or low cost secondary DNS providers that support
TSIG, although some support DNSSEC.

I have been trying to get up to date info on secure zone transfers and most
of what I have seen on the web seems out of date or incorrect.  For example
most TSIG examples suggest using HMAC-MD5.  The Wikipedia DNSSEC page, says "Other
standards (not DNSSEC) are used to secure bulk data (such as a DNS zone
transfer <>) sent between DNS
servers." and points to the and
it doesn't even mention TKEY, TSIG, or DNSSEC and hints at using some other
backend database to secure transfers.

I'm not sure which crypto method would be best for securing zone transfers
and I haven't tested DNSSEC yet, but I have started using TSIG 512 bit
HMAC-SHA512.  Perhaps some of you can point us to current best practices?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list