TSIG for the Xfrin module?

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Thu Dec 8 09:13:03 UTC 2011


At Thu, 8 Dec 2011 03:45:38 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:

> The BIND10 Guide discusses in chapter 10 the use of TSIG for outgoing zone transfers. Will TSIG also work for incoming transfers?

Yes, it should.

> Assuming yes, my best guess at the configuration would be the following, if you would please critique it:
> config add Xfrin/zones
> config set Xfrin/zones[0]/name "jaspain.net"
> config set Xfrin/zones[0]/master_addr "2001:4870:20ca:158:4423:f19d:4ead:5c20"
> config set tsig_keys/keys ["nstest.key:<base64-key>"]

> config set Xfrin/tsig_keys/keys ["nstest.key:<base64-key>"]
> config set Xfrin/zones[0]/transfer_acl [{"action": "ACCEPT", "from": " 2001:4870:20ca:158:4423:f19d:4ead:5c20", "key": " nstest.key"}]

This is not a valid TSIG configuration for Xfrin. It should be
something like:

> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>

If you want to use hmac-sha256...

> The key algorithm hmac-sha256 is configured for the bind9 master but apparently not for the bind10 slave. How does bind10 determine the key algorithm?

...it would be:

> config set Xfrin/zones[0]/tsig_key nstest.key:<base64-key>:sha-256.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
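
A pre-flight check for the `name:secret[:algorithm]` key string shown in the reply above, as an added example that is not part of the original message or of BIND 10's own code. The function name `check_tsig_key` and the sample key are assumptions; algorithm labels are treated as opaque strings to compare against whatever the master uses, and the check does not know which labels BIND 10 accepts.

```python
import base64
import binascii

# Constructed sample secret (32 bytes), not a real key.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()


def check_tsig_key(spec, expected_algorithm=None):
    """Parse 'name:secret[:algorithm]' and return (fields, problems).

    fields holds the decoded secret length, never the secret itself,
    so the result can be logged or pasted into a ticket.
    """
    problems = []
    if any(c.isspace() for c in spec):
        # Stray spaces make the key name or secret differ from the master's.
        problems.append("whitespace in key string")
        spec = "".join(spec.split())
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        problems.append("expected name:secret or name:secret:algorithm")
        return None, problems
    name, secret = parts[0], parts[1]
    algorithm = parts[2] if len(parts) == 3 else None
    if not name:
        problems.append("empty key name")
    try:
        secret_len = len(base64.b64decode(secret, validate=True))
    except (binascii.Error, ValueError):
        secret_len = None
        problems.append("secret is not valid base64")
    if secret_len == 0:
        problems.append("empty secret")
    if algorithm is None:
        problems.append("no algorithm given; confirm it matches the master")
    elif expected_algorithm is not None and algorithm != expected_algorithm:
        problems.append("algorithm %r differs from expected %r"
                        % (algorithm, expected_algorithm))
    fields = {"name": name, "algorithm": algorithm, "secret_bytes": secret_len}
    return fields, problems


if __name__ == "__main__":
    for spec in ("nstest.key:%s:sha-256" % SAMPLE_SECRET,
                 "nstest.key:%s" % SAMPLE_SECRET,
                 " nstest.key:<base64-key>:sha-256"):
        print(check_tsig_key(spec, expected_algorithm="sha-256"))
```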



More information about the bind10-users mailing list