Using RNDC key for zone transfers
Kevin Darcy
kcd at daimlerchrysler.com
Thu Oct 13 20:47:10 UTC 2005
Jeff Lightner wrote:
>OK. I've been looking at this for a while and just want to check a
>couple of things.
>1) First - I'm assuming though can't find where it is stated
>explicitly anywhere that the rndc key I define on the master and the
>slave should be the same. (That is I generate it on the master then
>copy it from there to the slave rather than generating a separate one on
>the slave.) Is that correct?
>
I assume you mean the TSIG key. That's different from the rndc key,
which is used between an rndc client and a nameserver. You can actually
generate the TSIG key on *any* box. For that matter, you don't even need
to "generate" it -- it could just be some semi-random sequence of
characters of a given length. The important thing is that the master and
slave use the same key (meaning same name and same secret) and that
their system clocks be synchronized within a few minutes.
>
>2) Most of what I found regarded changing from host IP based
>allow-transfer statements to key based. I thought it would be best to
>have it restricted both by key and host IP so that one has to both spoof
>the IP AND compromise the key. On doing a search I found a thread that
>suggests something like the following would work - does anyone see a
>problem with this approach?:
> acl allow-xfr { 1.2.3.4; 1.2.3.8; };
> acl deny-xfr { !allow-xfr; any; };
> allow-transfer { !deny-xfr; key hostx-hosty; };
>
I've never tried it myself, to be honest, but I think the prevailing
opinion is that the "double negative" trick works fine.
- Kevin
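As an added example (not from either poster), here is a named.conf fragment putting both answers together: the master requires a listed source address AND a valid TSIG signature, using the double-negative form written inline, and the slave signs its requests with the identical key. Host names, addresses and the secret are constructed placeholders; hmac-sha256 needs a BIND newer than this 2005 thread, when hmac-md5 was the only TSIG algorithm.

```conf
// ---- master (hostx) ----
// Slave source addresses allowed to pull zones (addresses constructed).
acl xfer-hosts { 1.2.3.4; 1.2.3.8; };

// TSIG key: the same name AND secret must appear on master and slave.
// The secret is a placeholder; any base64 string of suitable length works.
key "hostx-hosty" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-GOES-HERE==";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Match lists use first-match semantics. The inner list matches any
    // address NOT in xfer-hosts; the outer "!" turns that into a denial,
    // so an unlisted address is refused before the key is even looked at.
    // A listed address gives the inner list a negative match, which BIND
    // treats as "no match" for the negated element, so evaluation falls
    // through to the key element: the transfer is allowed only if signed.
    allow-transfer { !{ !xfer-hosts; any; }; key hostx-hosty; };
};

// ---- slave (hosty, 1.2.3.4) ----
key "hostx-hosty" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-GOES-HERE==";   // identical to master
};

// Sign every query sent to the master (SOA refresh, AXFR/IXFR) with the key.
server 1.2.3.1 {            // master's address (constructed)
    keys { hostx-hosty; };
};

zone "example.com" {
    type slave;
    masters { 1.2.3.1; };
    file "slaves/example.com.zone";
};
```

A request that fails either test shows up in the master's log as a "zone transfer ... denied" entry for the client address, which is the line to watch when verifying the restriction took effect.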