Using RNDC key for zone transfers
Jeff Lightner
jlightner at water.com
Thu Oct 13 17:57:24 UTC 2005
OK. I've been looking at this for a while and just want to check a
couple of things.
1) First - I'm assuming, though I can't find where it is stated
explicitly anywhere, that the rndc key I define on the master and the
slave should be the same. (That is I generate it on the master then
copy it from there to the slave rather than generating a separate one on
the slave.) Is that correct?
2) Most of what I found regarded changing from host IP based
allow-transfer statements to key based. I thought it would be best to
have it restricted both by key and host IP so that one has to both spoof
the IP AND compromise the key. On doing a search I found a thread that
suggests something like the following would work - does anyone see a
problem with this approach?

acl allow-xfr { 1.2.3.4; 1.2.3.8; };
acl deny-xfr { !allow-xfr; any; };
allow-transfer { !deny-xfr; key hostx-hosty; };

Jeffrey C. Lightner
Unix Systems Administrator
DS Waters of North America
678-486-3516
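
The following is an added example, not part of the original post: a small Python model of how BIND evaluates the three address match lists above (first matching element decides; a nested ACL counts as a match only when it positively accepts), showing which IP and key combinations end up allowed. The function names and the sample clients are constructed for illustration.

```python
import ipaddress

# The ACLs from the post as Python data.
# Element = (negated, kind, value); kind is "net", "key", "any" or "acl".
ACLS = {
    "allow-xfr": [(False, "net", "1.2.3.4/32"), (False, "net", "1.2.3.8/32")],
    "deny-xfr": [(True, "acl", "allow-xfr"), (False, "any", None)],
    "allow-transfer": [(True, "acl", "deny-xfr"), (False, "key", "hostx-hosty")],
}


def evaluate(acl_name, src_ip, tsig_key):
    """Return True (accept), False (reject) or None (no element matched)."""
    for negated, kind, value in ACLS[acl_name]:
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(value)
        elif kind == "key":
            hit = tsig_key == value
        else:
            # Nested ACL: a negative or missing inner match is "no match",
            # so double negation never turns into a surprise accept.
            hit = evaluate(value, src_ip, tsig_key) is True
        if hit:
            return not negated  # first matching element decides
    return None


def transfer_allowed(src_ip, tsig_key=None):
    """A request that matches nothing is refused, same as an explicit reject."""
    return evaluate("allow-transfer", src_ip, tsig_key) is True


if __name__ == "__main__":
    # Constructed sample clients: two listed slaves and one unlisted host.
    for ip in ("1.2.3.4", "1.2.3.8", "10.9.9.9"):
        for key in ("hostx-hosty", "other-key", None):
            print(f"{ip:<10} key={key!s:<12} -> {transfer_allowed(ip, key)}")
```

Only requests that come from a listed address and are signed with hostx-hosty are accepted; either condition alone is refused.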