TSIG for the Xfrin module?
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Thu Dec 8 09:13:03 UTC 2011
At Thu, 8 Dec 2011 03:45:38 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:
> The BIND10 Guide discusses in chapter 10 the use of TSIG for outgoing zone transfers. Will TSIG also work for incoming transfers?
Yes, it should.
> Assuming yes, my best guess at the configuration would be the following, if you would please critique it:
> config add Xfrin/zones
> config set Xfrin/zones[0]/name "jaspain.net"
> config set Xfrin/zones[0]/master_addr "2001:4870:20ca:158:4423:f19d:4ead:5c20"
> config set tsig_keys/keys ["nstest.key:<base64-key>"]
> config set Xfrin/tsig_keys/keys ["nstest.key:<base64-key>"]
> config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": " 2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": " nstest.key"}]
This is not a valid TSIG configuration for Xfrin it should be
something like:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>
If you want to use hmac-sha256...
> The key algorithm hmac-sha256 is configured for the bind9 master but apparently not for the bind10 slave. How does bind10 determine the key algorithm?
...it would be:
> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>:sha-256.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
More information about the bind10-users
mailing list