<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Folks,<o:p></o:p></p>
<p class="MsoNormal"> Came across usage of a keyid as an address list in a allow-transfer option on a older server site. Didn’t really know that was legal. It seemed an easier way to allow zone transfers without constantly updating a list of
IP addresses on a master server. The only trouble – it didn’t seem to actually work?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We’ve been trying it in a older lab server running a Solaris 9.9.9-S4 version of bind. The master has:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New"">options {<br>
….<br>
allow-transfer {key bongo; 192.168.1.1};<br>
};<o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New"">key “bongo” {<o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New""> algorithm hmac-md5;<o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New""> secret "BippityBop";<o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle"><span style="font-size:9.0pt;font-family:"Courier New"">};<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> The slave server defines the same key and is located at 192.168.1.1. When we use the above on the master, transfers for any zone work fine. If we remove the IP address and try a transfer we get ‘denied’. What are we missing?
Thought we might have to associate the keyid with zones on the slave, but couldn’t find any options for that??? We don’t use TSIG on these servers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Thanks for the help!<o:p></o:p></p>
<p class="MsoNormal">John<o:p></o:p></p>
<p class="MsoNormal">---------------- <br>
John Murtari – <a href="mailto:jm5903@att.com">jm5903@att.com</a><o:p></o:p></p>
<p class="MsoNormal">Ciberspring<o:p></o:p></p>
<p class="MsoNormal">office: 315-944-0998<o:p></o:p></p>
<p class="MsoNormal">cell: 315-430-2702<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>