(no subject)
Kevin Darcy
kcd at daimlerchrysler.com
Fri Mar 9 20:17:49 UTC 2001
Why be so paranoid? If the zone transfer request is TSIG-authenticated, isn't
that good enough?
I understand that it's possible to implement TSIG+source-address restrictions
in a roundabout way using negation (double negation?). But I'm not sure why
anyone would go to such lengths, unless they were really sloppy about
protecting their TSIG keys...
- Kevin
Osman Shoukry wrote:
> Hi,
> I am unable to really understand how the TSIG works, even though I
> have configured it, but here is what I see.
> If I remove the key from the slave, the transfer of zones goes through.
> If I keep it, the request is signed and the transfer goes through. If I remove
> the TSIG section from the master, then the transfer fails.
>
> How do I forbid transfer unless the request is signed AND coming
> from the correct IP?
>
> Here is my current config; maybe there is something I am
> overlooking.
>
> ========== Master Config
> key shared-secret. {
> algorithm hmac-md5;
> secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
>
> server xx.xx.xx.2 {
> transfer-format many-answers;
> keys { shared-secret. ; };
> };
>
> acl "slaves" { xx.xx.xx.2; };
>
> options {
> directory "/var/named";
> allow-transfer { none; };
> pid-file "/var/run/named.pid";
> };
>
> zone "test.com" {
> type master;
> file "test.com";
> allow-transfer { slaves; };
> };
>
> ========== Slave config
>
> key shared-secret. {
> algorithm hmac-md5;
> secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
>
> server xx.xx.xx.1 {
> keys { shared-secret. ; };
> };
>
> options {
> directory "/var/named";
> allow-transfer { none; };
> pid-file "/var/run/named.pid";
> };
>
> zone "test.com" {
> type slave;
> file "test.com";
> masters { xx.xx.xx.1; };
> };
>
> Thank you for any help you can offer,
>
> Osman Shoukry
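The negation construction Kevin refers to, written out as an added example (not from either poster's configuration). It is the master-side fragment only, reuses the key name and the placeholder addresses from Osman's post, and relies on how BIND 9 evaluates an address match list: elements are tried in order, the first match decides, a non-negated match allows, a negated match denies, and no match at all denies.

```conf
// Master side (added example, not the configuration posted in the thread).
// Assumes key name "shared-secret." and the placeholder addresses
// xx.xx.xx.1 (master) and xx.xx.xx.2 (slave) from Osman's post.

key shared-secret. {
    algorithm hmac-md5;
    // Value taken from the thread; it is public now, so treat it as burned
    // and generate a fresh one before using this anywhere real.
    secret "Mxb8ljzEodY9sUkFi3cSYQ==";
};

// Makes this server sign the requests it sends TO xx.xx.xx.2 (NOTIFYs).
// It does not require requests coming FROM xx.xx.xx.2 to be signed,
// which is why removing the key on the slave still left transfers working.
server xx.xx.xx.2 {
    transfer-format many-answers;
    keys { shared-secret.; };
};

options {
    directory "/var/named";
    allow-transfer { none; };        // default deny; zones opt in explicitly
    pid-file "/var/run/named.pid";
};

zone "test.com" {
    type master;
    file "test.com";
    // Permit AXFR only when BOTH hold: source address is xx.xx.xx.2
    // AND the request carries a valid shared-secret. signature.
    //
    // How it evaluates (first match wins):
    //  - inner list { !xx.xx.xx.2; any; } positively matches every address
    //    except xx.xx.xx.2, and the outer "!" turns that into a deny, so
    //    every other source is rejected before the key is even looked at;
    //  - for xx.xx.xx.2 the inner list produces no positive match, so
    //    evaluation falls through to "key shared-secret.", which allows
    //    only a correctly signed request;
    //  - an unsigned or wrongly signed request from xx.xx.xx.2 matches
    //    nothing, reaches the end of the list, and is denied.
    allow-transfer { !{ !xx.xx.xx.2; any; }; key shared-secret.; };
};
```

To check it from the slave, run an unsigned `dig @xx.xx.xx.1 test.com axfr` (should report a failed transfer) and then a signed `dig @xx.xx.xx.1 test.com axfr -y shared-secret.:Mxb8ljzEodY9sUkFi3cSYQ==` (should succeed); the same signed query from any other address should be refused. Plain `allow-transfer { slaves; key shared-secret.; };` would be an OR, letting either condition through on its own.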
More information about the bind-users mailing list