tsig indicates error
Evan Hunt
each at isc.org
Mon Jul 27 16:37:04 UTC 2015
On Mon, Jul 27, 2015 at 04:33:06PM +0100, Tony Finch wrote:
> It isn't a very good idea to use the same key for zone transfers and
> for rndc. It is common to allow zone transfers to third parties, and
> you don't want them to be able to fiddle with your name server!
Sometimes, in my experience, people do this because rndc-confgen is
relatively easy to use, but generating other keys using dnssec-keygen
is cumbersome.

So I'll just take this opportunity to mention that in the more recent
versions of BIND you can use 'tsig-keygen <name>'; it's much easier. Or
if you're on an older release, 'ddns-confgen -q -k <name>' does the same
thing.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
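
An added example, not part of the original message or of BIND: a small audit that flags a named.conf in which the key authorizing rndc (the `keys` list in `controls`) is also accepted in an `allow-transfer` ACL, by name or by identical secret. The sample configs and secrets are constructed, and the parser assumes a single file with no comments or `include` statements.

```python
import re

NAME = r'"?([\w.-]+)"?'  # key names may be quoted or bare

def blocks(conf, keyword):
    """Yield the body of each `keyword { ... }` block, honouring nested braces."""
    for m in re.finditer(r'\b' + re.escape(keyword) + r'\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def key_secrets(conf):
    """Map each `key` statement's name to its secret."""
    return dict(re.findall(r'\bkey\s+' + NAME + r'\s*\{[^}]*?secret\s+"([^"]+)"', conf))

def control_keys(conf):
    """Names listed in `keys { ... }` inside `controls` (what rndc authenticates with)."""
    return {n for c in blocks(conf, 'controls') for b in blocks(c, 'keys')
            for n in re.findall(NAME, b)}

def transfer_keys(conf):
    """Names referenced as `key <name>` inside any `allow-transfer` ACL."""
    return {n for b in blocks(conf, 'allow-transfer')
            for n in re.findall(r'\bkey\s+' + NAME, b)}

def shared_keys(conf):
    """(control key, transfer key) pairs that are the same key material."""
    secrets = key_secrets(conf)
    ident = lambda n: secrets.get(n, 'name:' + n)  # no secret seen: compare by name
    return sorted((c, t) for c in control_keys(conf) for t in transfer_keys(conf)
                  if ident(c) == ident(t))

# Constructed sample configs; secrets are placeholders, not real keys.
WEAK = '''
key "rndc-key" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQtcm5kYw=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
zone "example.com" { type master; file "example.com.db";
    allow-transfer { key "rndc-key"; }; };
'''
FIXED = WEAK.replace('allow-transfer { key "rndc-key"; }', 'allow-transfer { key "xfer-key"; }') \
    + 'key "xfer-key" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQteGZlcg=="; };\n'

if __name__ == '__main__':
    print('weak :', shared_keys(WEAK))
    print('fixed:', shared_keys(FIXED))
```

Comparing by secret as well as by name catches the case where the rndc-confgen secret was pasted into a second, differently named key.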