TSIG primary and secondary

Michael Kjorling michael at kjorling.com
Thu Dec 20 12:24:58 UTC 2001


This won't work; you've mixed up the key names "test" and "test.".

I'm not completely familiar with TSIG-authenticated AXFRs but it seems
reasonable that the master should mention the slave, and vice versa.


Michael Kjörling


On Dec 19 2001 17:28 -0800, Tony wrote:

> primary master ip: 1.1.1.1
> slave: 2.2.2.2
>
> to allow secure zone transfer:
>
> named.conf for my master is:
>
> options {
>         directory "/var/named";
> };
>
> key test. {
>         algorithm hmac-md5;
>         secret "zkaUvVU9nTEjWV3c4TAduQ==";
> };
>
> server 1.1.1.1 {
>         keys { test; };
> };
>
> zone "mydomain.com" in {
>         type master;
>         file "mydomain/db.mydomain.com";
>         allow-transfer { key test; };
> };
>
> ----------------------------------------------------------------
>
> for secondary is:
>
> options {
>         directory "/var/named";
> };
>
> key test. {
>         algorithm hmac-md5;
>         secret "zkaUvVU9nTEjWV3c4TAduQ==";
> };
>
> server 2.2.2.2 {
>         keys { test; };
> };
>
> zone "mydomain.com" in {
>         type slave;
>         masters { 1.1.1.1; };
>         file "mydomain/db.mydomain.com.bak";
>         allow-transfer { key test; };
> };
>
>
> -------------------------------------------------------------------
>
>
> Is this correct? The line
>
> server 2.2.2.2 {
>         keys { test; };
> };
>
> Should the ip be the primary or the slave on the primary and vice versa?
>
>
> Thanks

-- 
Michael Kjörling  --  Programmer/Network administrator  ^..^
Internet: michael at kjorling.com -- FidoNet: 2:204/254.4   \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e

"There is something to be said about not trying to be glamorous
and popular and cool. Just be real -- and life will be real."
(Joyce Sequichie Hifler, September 13 2001, www.hifler.com)
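On the closing question in the quoted message (which address belongs in the `server` statement), the following is an added example, not part of the original thread or of BIND itself. It relies on the fact that in BIND a `server` statement describes a remote server and its `keys` clause selects the key used to sign requests sent to that address. It checks the secondary side only; the function names, the placeholder secret and the one-line-per-statement sample layout are assumptions made for illustration.

```python
import re

# Constructed input: the secondary's statements from the thread, condensed to
# one line each, with the posted secret replaced by a placeholder.
POSTED = '''
key test. { algorithm hmac-md5; secret "PLACEHOLDER=="; };
server 2.2.2.2 { keys { test; }; };
zone "mydomain.com" in { type slave; masters { 1.1.1.1; }; };
'''
# Constructed corrected form: the server statement names the primary instead.
FIXED = POSTED.replace("server 2.2.2.2", "server 1.1.1.1")

SERVER_RE = re.compile(
    r'\bserver\s+([0-9.]+)\s*\{\s*keys\s*\{\s*([^;\s]+)\s*;\s*\}\s*;\s*\}\s*;')
MASTERS_RE = re.compile(r'\bmasters\s*\{([^}]*)\}')


def signed_peers(conf):
    """Map remote address -> key name from 'server <ip> { keys { k; }; };'."""
    return {ip: key for ip, key in SERVER_RE.findall(conf)}


def masters(conf):
    """Return every address listed in any 'masters { ... }' clause."""
    return [a.strip() for block in MASTERS_RE.findall(conf)
            for a in block.split(';') if a.strip()]


def check_secondary(conf, own_ip):
    """Report server/keys problems that would leave AXFR requests unsigned."""
    findings = []
    peers = signed_peers(conf)
    if own_ip in peers:
        findings.append(f"server {own_ip} names this host, not a remote peer")
    for m in masters(conf):
        if m not in peers:
            findings.append(
                f"no 'server {m}' keys clause: requests to {m} go out unsigned")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_secondary(conf, "2.2.2.2") or "ok")
```

An unsigned request matters here because the primary in the thread restricts transfers with `allow-transfer { key test; };`, so a request that carries no TSIG signature is refused.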



