GSS-TSIG authenticated Bind zone transfers

Travis Bean tbean74 at gmail.com
Fri Oct 17 03:48:57 UTC 2025


I need to know if I am using the right syntax for my named.conf.local
to enable GSS-TSIG authenticated Bind zone transfers. What I need to
know is whether or not my grant statement for the allow-transfer
option is correct. Is this the proper syntax when using GSS-TSIG
authentication for Bind zone transfers?

I know this grant statement works for the update-policy option to
enable GSS-TSIG authenticated dynamic updates between Bind and Kea
DHCP as outlined at
kea.readthedocs.io/en/stable/arm/integrations.html#gss-tsig-deployment.
But does this grant statement also work for Bind zone transfers?

There are no examples about using GSS-TSIG for Bind zone transfers
located within the documentation located at
bind9.readthedocs.io/en/stable/reference.html#zone-transfers. The only
thing this documentation mentions is the tkey-gssapi-keytab option.
Does this imply this is the only thing that is needed for GSS-TSIG
authenticated Bind zone transfers?

The Bind documentation only shows examples using TSIG for
authenticated zone transfers located at
bind9.readthedocs.io/en/stable/chapter7.html#tsig, but no examples are
provided for using GSS-TSIG for authenticated zone transfers.

Is "allow-transfer { grant "DNS/$FQDN@$KERBEROS_REALM" zonesub any;
};" a valid option for GSS-TSIG authenticated Bind zone transfers
just like when using the update-policy option for Bind/Kea DHCP
GSS-TSIG authenticated dynamic updates?

Here is a snippet from my Bind Bash script:

# Configure named.conf.local.
# Keep a one-time backup of the distribution file before overwriting it.
if [ ! -f /etc/bind/named.conf.local.orig ]; then
  mv /etc/bind/named.conf.local /etc/bind/named.conf.local.orig
fi
# Zone role and notify target depend on whether this host is the PDC or BDC.
if [ "$SERVER" = "pdc" ]; then
  DNS_TYPE="master"
  DNS_TRANSFER="grant \"DNS/$FQDN@$KERBEROS_REALM\" zonesub any"
  DNS_NOTIFY="$BDC_LAN_IP_ADDRESS"
else
  DNS_TYPE="slave"
  DNS_TRANSFER="grant \"DNS/$FQDN@$KERBEROS_REALM\" zonesub any"
  DNS_NOTIFY="$PDC_LAN_IP_ADDRESS"
fi
# Unquoted heredoc delimiter: the $VARIABLES below are expanded when the file is written.
cat > /etc/bind/named.conf.local << EOF.named.conf.local
zone "$LAN_DOMAIN" {
  type $DNS_TYPE;
  also-notify { $DNS_NOTIFY; };
  allow-transfer { $DNS_TRANSFER; };
  update-policy {
    grant "DHCP/$FQDN@$KERBEROS_REALM" zonesub any;
  };
  file "/var/cache/bind/db.$LAN_DOMAIN.";
};

zone "$LAN_REVERSE_ZONE" {
  type $DNS_TYPE;
  also-notify { $DNS_NOTIFY; };
  allow-transfer { $DNS_TRANSFER; };
  update-policy {
    grant "DHCP/$FQDN@$KERBEROS_REALM" zonesub any;
  };
  file "/var/cache/bind/db.$LAN_REVERSE_ZONE.";
};

zone "$WAN_DOMAIN" {
  type $DNS_TYPE;
  also-notify { $DNS_NOTIFY; };
  allow-transfer { $DNS_TRANSFER; };
  file "/var/cache/bind/db.$WAN_DOMAIN.signed";
};

zone "$WAN_REVERSE_ZONE" {
  type $DNS_TYPE;
  also-notify { $DNS_NOTIFY; };
  allow-transfer { $DNS_TRANSFER; };
  file "/var/cache/bind/db.$WAN_REVERSE_ZONE.";
};
EOF.named.conf.local

Kind regards,

Travis Bean
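As an added example, not part of Travis's post and not BIND's own tooling: a small Python checker that walks the zone blocks a heredoc like the one above produces and reports elements that do not belong in the clause they sit in. The assumption behind the check is BIND's grammar as documented in the ARM: allow-transfer takes an address match list (addresses or prefixes, `key` names, ACL names, any/none, nested lists), while `grant`/`deny` rules are the grammar of update-policy. The sample configuration is constructed, with placeholder host and realm names in place of $FQDN and $KERBEROS_REALM; the authoritative check on a real file remains named-checkconf.

```python
"""Lint allow-transfer and update-policy clauses of BIND zone blocks.

Added example; the SAMPLE_CONF below is constructed to mirror the shape
of the generated named.conf.local, with placeholder names substituted.
"""
import re
import shlex

# Constructed sample: placeholder host/realm instead of $FQDN / $KERBEROS_REALM.
SAMPLE_CONF = '''
zone "lan.example.test" {
  type master;
  also-notify { 192.0.2.2; };
  allow-transfer { grant "DNS/ns1.lan.example.test@EXAMPLE.TEST" zonesub any; };
  update-policy {
    grant "DHCP/ns1.lan.example.test@EXAMPLE.TEST" zonesub any;
  };
  file "/var/cache/bind/db.lan.example.test.";
};

zone "example.test" {
  type master;
  also-notify { 192.0.2.2; };
  allow-transfer { key "xfer-key"; 192.0.2.2; };
  file "/var/cache/bind/db.example.test.signed";
};
'''

# Elements BIND accepts in an address match list (any/none, addresses with an
# optional prefix, "key <name>", or the name of an acl), optionally negated.
ADDR_ELEMENT = re.compile(r'''^!?\s*(
    any|none|localhost|localnets
  | \d{1,3}(\.\d{1,3}){3}(/\d{1,2})?              # IPv4 [/prefix]
  | [0-9A-Fa-f]*:[0-9A-Fa-f:]*(/\d{1,3})?         # IPv6 [/prefix], needs a colon
  | key\s+("[^"]+"|[A-Za-z0-9_.-]+)               # TSIG key name
  | [A-Za-z_][A-Za-z0-9_-]*                       # named acl
)$''', re.X)

# update-policy rule types listed in the BIND ARM (zonesub takes no name field).
RULE_TYPES = {"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
              "ms-self", "ms-selfsub", "ms-subdomain", "krb5-self", "krb5-selfsub",
              "krb5-subdomain", "tcp-self", "6to4-self", "zonesub", "external"}


def _balanced(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def iter_zones(conf):
    """Yield (zone_name, body) for each top-level zone "..." { ... } block."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        yield m.group(1), _balanced(conf, m.end() - 1)


def clauses(body, name):
    """Return the brace-delimited bodies of every `name ... { ... }` clause."""
    return [_balanced(body, m.end() - 1)
            for m in re.finditer(r'\b' + re.escape(name) + r'\b[^{;]*\{', body)]


def split_elements(body):
    """Split a clause body on ';' at brace depth 0, keeping nested lists whole."""
    elems, depth, cur = [], 0, []
    for c in body:
        depth += {'{': 1, '}': -1}.get(c, 0)
        if c == ';' and depth == 0:
            elems.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
    elems.append(''.join(cur).strip())
    return [e for e in elems if e]


def check_allow_transfer(elem):
    """Return None if elem is a legal address-match-list element, else a reason."""
    e = ' '.join(elem.split())
    if e.split(' ', 1)[0] in ('grant', 'deny'):
        return "update-policy rule inside allow-transfer (it takes an address match list)"
    if e.lstrip('! ').startswith('{'):            # nested list: check each member
        inner = _balanced(e, e.index('{'))
        bad = [r for r in map(check_allow_transfer, split_elements(inner)) if r]
        return bad[0] if bad else None
    return None if ADDR_ELEMENT.match(e) else f"not an address, key or acl name: {e!r}"


def check_update_policy(rule):
    """Return None if rule looks like `grant|deny identity ruletype ...`, else a reason."""
    tok = shlex.split(rule)
    if len(tok) < 3 or tok[0] not in ('grant', 'deny'):
        return f"not a grant/deny rule: {rule!r}"
    if tok[2] not in RULE_TYPES:
        return f"unknown rule type {tok[2]!r}"
    return None


def lint(conf):
    """Return (zone, clause, problem) tuples for every offending element."""
    problems = []
    for zone, body in iter_zones(conf):
        for cb in clauses(body, 'allow-transfer'):
            problems += [(zone, 'allow-transfer', r)
                         for r in map(check_allow_transfer, split_elements(cb)) if r]
        for cb in clauses(body, 'update-policy'):
            problems += [(zone, 'update-policy', r)
                         for r in map(check_update_policy, split_elements(cb)) if r]
    return problems


if __name__ == "__main__":
    for zone, clause, why in lint(SAMPLE_CONF):
        print(f'zone "{zone}": {clause}: {why}')
```

Run against the constructed sample it reports only the first zone's allow-transfer element; the second zone, which restricts transfers to a TSIG key name and an address, passes. The checker deliberately knows nothing about TKEY or Kerberos principals: it only tells you whether each clause is written in the grammar BIND will parse for it.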

