tsig indicates error

Evan Hunt each at isc.org
Mon Jul 27 16:37:04 UTC 2015


On Mon, Jul 27, 2015 at 04:33:06PM +0100, Tony Finch wrote:
> It isn't a very good idea to use the same key for zone transfers and
> for rndc. It is common to allow zone transfers to third parties, and
> you don't want them to be able to fiddle with your name server!

Sometimes, in my experience, people do this because rndc-confgen is
relatively easy to use, but generating other keys using dnssec-keygen
is cumbersome.

So I'll just take this opportunity to mention that in the more recent
versions of BIND you can use 'tsig-keygen <name>', it's much easier.  Or
if you're on an older release, 'ddns-confgen -q -k <name>' does the same
thing.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
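
The key reuse discussed in this thread can be checked for mechanically. The following is an added example, not part of the original message and not ISC code: a small Python audit that reports any key name accepted by a `controls` (rndc) clause that is also listed in an `allow-transfer` clause. The sample configuration, key names and secrets are constructed, and keys pulled in indirectly through a named `acl` are assumed out of scope and not resolved.

```python
import re

# Constructed sample named.conf (placeholder secrets): "shared-key" is accepted
# by both the rndc control channel and allow-transfer.
SAMPLE_CONF = r'''
key "shared-key"   { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
key "xfer-partner" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "shared-key"; };
};
zone "example.com" {
    type master;                      // constructed zone
    file "example.com.db";
    allow-transfer { key "shared-key"; key xfer-partner; };
};
'''
NAME = r'(?:"([^"]+)"|([\w.-]+))'     # quoted or bare key name

def strip_comments(conf):
    """Drop /* */, // and # comments, leaving quoted strings untouched."""
    pat = r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*'
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ''
    return re.sub(pat, keep, conf, flags=re.S)

def block_bodies(conf, keyword):
    """Yield the text inside the braces of each `keyword ... { }` clause."""
    for m in re.finditer(r'(?<![\w-])' + re.escape(keyword) + r'[^{};]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def names(pattern, text):
    """Collect the key names matched by `pattern`, quoted or bare."""
    return {quoted or bare for quoted, bare in re.findall(pattern, text)}

def shared_rndc_transfer_keys(conf):
    """Return key names accepted for rndc that also appear in allow-transfer."""
    conf = strip_comments(conf)
    rndc, xfer = set(), set()
    for controls in block_bodies(conf, 'controls'):
        for body in block_bodies(controls, 'keys'):
            rndc |= names(NAME, body)
    for body in block_bodies(conf, 'allow-transfer'):
        xfer |= names(r'(?<![\w-])key\s+' + NAME, body)
    return sorted(rndc & xfer)

if __name__ == '__main__':
    print(shared_rndc_transfer_keys(SAMPLE_CONF))
```
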


More information about the bind-users mailing list