Using RNDC to control remote access to my BIND server

Greg Donohoe dubgregd at
Mon Apr 26 14:04:27 UTC 2021

Thanks Anand.
When using this TSIG solution is the key visible (clear) within the DNS
packet being sent to the remote server or is it encrypted?
Is this communication secure? eg if someone is sitting on the wire sniffing
the packets, would they be able to extract the key ?
Or is the security of the communication done through the ACL and the key is
TSIG only used to allow me to make changes to the zone file?
The main reason why I was leaning towards SSH was to try to ensure that all
communication between local & remote was encrypted.


On Fri, Apr 23, 2021 at 2:21 PM Anand Buddhdev <anandb at> wrote:

> On 23/04/2021 14:24, Greg Donohoe wrote:
> Hi Greg,
> > In regards to the nsupdate, what is the best way to secure the
> connection,
> > so to ensure that only my local server can make the amendments to the
> > remote server named & zone files?
> > I dont want anyone/anything else other than my local machine to make any
> > changes on my remote BIND server.
> You should create a TSIG key, and configure the zones on the remote
> server to only accept dynamic DNS updates signed by this key. And then
> use this key with nsupdate when sending your updates. Check the man page
> of nsupdate and look at the '-k' and '-y' options for using tsig keys.
> You can additionally also configure your remote BIND to accept updates
> only from certain IP addresses. For details on how to configure this,
> please read the excellent documentation (especially section 4.2.29 and
> the "allow-update" option):
> Regards,
> Anand Buddhdev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list