TSIG for the Xfrin module?

Spain, Dr. Jeffry A. spainj at countryday.net
Thu Dec 8 03:45:38 UTC 2011


The BIND10 Guide discusses in chapter 10 the use of TSIG for outgoing zone transfers. Will TSIG also work for incoming transfers?

Assuming yes, my best guess at the configuration would be the following, if you would please critique it:
config add Xfrin/zones
config set Xfrin/zones[0]/name "jaspain.net"
config set Xfrin/zones[0]/master_addr "2001:4870:20ca:158:4423:f19d:4ead:5c20"
config set tsig_keys/keys ["nstest.key:<base64-key>"]
config set Xfrin/tsig_keys/keys ["nstest.key:<base64-key>"]
config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": " 2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": " nstest.key"}]
config add Zonemgr/secondary_zones
config set Zonemgr/secondary_zones[0]/name "jaspain.net"
config set Zonemgr/secondary_zones[0]/class "IN"

The corresponding configuration on my bind9 master would be in part (allow-transfer statement omitted, among other things):
key nstest-bind10.jaspain.net. {
        algorithm hmac-sha256;
        secret "<base64-key>";
};

server 2001:4870:20ca:158:14ff:7695:9632:e9ec {
        keys { nstest-bind10.jaspain.net. ; };
};

zone "jaspain.net" {
        type master;
        ...
        also-notify { 2001:4870:20ca:158:14ff:7695:9632:e9ec; };
};

In the above 2001:4870:20ca:158:4423:f19d:4ead:5c20 is the address of the bind9 master, and 2001:4870:20ca:158:14ff:7695:9632:e9ec is the address of the bind10 slave.

The key algorithm hmac-sha256 is configured for the bind9 master but apparently not for the bind10 slave. How does bind10 determine the key algorithm?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
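
Editor's added example, not part of the original message and not BIND code: TSIG only verifies when both ends use the same key name, algorithm and secret, so this sketch parses the two configuration styles shown above and reports any key whose name or secret differs between them. It assumes the BIND 10 key string has the `name:secret` form written in the post; the secret and all helper names are constructed for illustration.

```python
import re

# Constructed inputs modelled on the two configurations in the post above;
# the secret is a made-up placeholder, not a real key.
BIND10_CMDS = 'config set tsig_keys/keys ["nstest.key:c2FtcGxlLXNlY3JldA=="]'
BIND9_CONF = '''key nstest-bind10.jaspain.net. {
        algorithm hmac-sha256;
        secret "c2FtcGxlLXNlY3JldA==";
};'''

def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.strip().rstrip(".").lower()

def bind10_keys(text):
    """Return {name: secret} from 'config set .../tsig_keys/keys [...]' lines."""
    keys = {}
    for line in text.splitlines():
        if "tsig_keys/keys" not in line:
            continue
        for item in re.findall(r'"([^"]+)"', line):
            name, _, secret = item.partition(":")  # assumed name:secret form
            keys[norm(name)] = secret
    return keys

def bind9_keys(text):
    """Return {name: (algorithm, secret)} from named.conf key clauses."""
    pat = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{(.*?)\}\s*;', re.S)
    keys = {}
    for name, body in pat.findall(text):
        alg = re.search(r'algorithm\s+([^\s;]+)\s*;', body)
        sec = re.search(r'secret\s+"([^"]*)"\s*;', body)
        keys[norm(name)] = (alg and alg.group(1), sec and sec.group(1))
    return keys

def compare(b10, b9):
    """List (finding, bind9_key_name, bind10_names_sharing_that_secret)."""
    findings = []
    for name, (_alg, secret) in b9.items():
        if name not in b10:
            same = [n for n, s in b10.items() if s == secret]
            findings.append(("name-mismatch", name, same))
        elif b10[name] != secret:
            findings.append(("secret-mismatch", name, []))
    return findings

if __name__ == "__main__":
    print(compare(bind10_keys(BIND10_CMDS), bind9_keys(BIND9_CONF)))
```

The algorithm parsed from the BIND 9 side is returned by `bind9_keys` so it can be checked by hand against whatever the other server uses; the BIND 10 line in the post carries no algorithm field to compare.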

