GSS-TSIG authenticated Bind zone transfers

Mark Andrews marka at isc.org
Mon Oct 20 22:59:46 UTC 2025



> On 21 Oct 2025, at 00:47, Petr Špaček <pspacek at isc.org> wrote:
> 
> On 17. 10. 25 5:48, Travis Bean wrote:
>> I need to know if I am using the right syntax for my named.conf.local
>> to enable GSS-TSIG authenticated Bind zone transfers. What I need to
>> know is whether or not my grant statement for the allow-transfer
>> option is correct. Is this the proper syntax when using GSS-TSIG
>> authentication for Bind zone transfers?
> 
> I don't think it is supported, albeit technically it might be possible.

It’s possible, or should be, as we’ve never tested it.  The normal acl syntax
will work with the negotiated TSIG which is tied back to the GSS credential.
GSS-TSIG just negotiates a TSIG which is then used with the AXFR request.

I have no idea where ‘grant’ came from for this.  Possibly an hallucination
from some LLM.

> What would be the client side for the transfer?

They would have to write a client. We’ve never written a client to do this.

> -- 
> Petr Špaček

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org


