Configuring TSIG keys and ACL's on slave server

Curt Sampson cjs at cynic.net
Tue Apr 17 00:15:27 UTC 2007


On Mon, 16 Apr 2007, Phusion wrote:

> I need help configuring TSIG keys and ACL's on a slave server.

Your key statements look fine, but your ACLs don't seem right.
You probably want something that includes things similar to the following:

transfer-keys.conf:

    key transfer.key. {
        algorithm hmac-md5;
        secret "...";                   // base64 secret shared by master and slave
    };

named-master.conf:

    include "transfer-keys.conf";
    options {
        allow-transfer {
            localhost;
            key transfer.key.;          // transfers must be TSIG-signed with this key
        };
    };

named-slave.conf:

    include "transfer-keys.conf";
    masters my_masters {
        10.1.1.2 key transfer.key.;     // sign transfer requests to this master with the key
    };
    zone foo.com. {
        type slave;
        file "slave/foo.com";
        masters { my_masters; };
    };


Also, you don't want recursion on (except for maybe local queries, if
the machine and all its users are trusted--I still have doubts about
even that) in your slave servers; they're still authoritative servers.

As well, it appears to me (though I've not yet played with this
seriously) that you can put some or all of your slaves in your slave file
master list and they'll co-ordinate properly, pulling down the data from
the "master" with the highest serial number. Thus, if you completely
lose your master (e.g., it falls off the Internet) and you need to
update a zone, you can use a copy of the master files on the slave (I
keep all mine in version control on a separate machine, and have extra
checkouts handy on slaves just in case), change the slave to use the
master config file, make your changes, reload, and you're set.


cjs
-- 
Curt Sampson            <cjs at cynic.net>             +81 90 7737 2974
   The power of accurate observation is commonly called cynicism
   by those who have not got it.    --George Bernard Shaw
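Added example, not part of the original message or of BIND: the TSIG mechanism behind the key statement above, as a Python script that builds an hmac-md5-signed AXFR request for foo.com. and then checks it the way a master with allow-transfer { key transfer.key.; } would (RFC 2845). The key name transfer.key. comes from the config; the secret and timestamps are constructed, and the verify function handles only the uncompressed-name request shape built here.

```python
import base64, hashlib, hmac, struct

ALG = "hmac-md5.sig-alg.reg.int."   # algorithm name for hmac-md5 (RFC 2845); key name/secret are constructed

def wire_name(name):
    """Uncompressed, lowercased wire form of a domain name (TSIG canonical form)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def axfr_query(zone, msg_id):
    """Unsigned AXFR request: header with QDCOUNT=1, one question of type AXFR (252), class IN (1)."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(msg, key_name, secret_b64, now, fudge):
    """HMAC over msg + TSIG variables: key name, class ANY, TTL 0, algorithm, 48-bit time, fudge, error, other-len."""
    tsig_vars = (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALG)
                 + struct.pack("!HIHHH", now >> 32, now & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(base64.b64decode(secret_b64), msg + tsig_vars, hashlib.md5).digest()

def tsig_sign(msg, key_name, secret_b64, now, fudge=300):
    """Append the TSIG RR (type 250, class ANY) and bump ARCOUNT; the MAC does not cover the RR itself."""
    mac = tsig_mac(msg, key_name, secret_b64, now, fudge)
    rdata = (wire_name(ALG) + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error 0, other-len 0
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + rr

def skip_name(buf, pos):
    while buf[pos]:
        pos += 1 + buf[pos]
    return pos + 1

def tsig_verify(signed, key_name, secret_b64, now):
    """Server side of allow-transfer { key ...; }: find the trailing TSIG RR, recompute the MAC over
    the message with ARCOUNT decremented, compare in constant time, and enforce the fudge window."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4                          # question: name + QTYPE + QCLASS
    if an or ns or ar != 1:                                       # only the request shape built above
        return False
    rr_start, pos = pos, skip_name(signed, pos)
    if signed[rr_start:pos] != wire_name(key_name) or signed[pos:pos + 2] != b"\x00\xfa":
        return False                                              # unknown key or not a TSIG RR
    pos = skip_name(signed, pos + 10)                             # skip type/class/TTL/RDLENGTH + algorithm
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[pos:pos + 10])
    t_signed, mac = (t_hi << 32) | t_lo, signed[pos + 10:pos + 10 + mac_len]
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    expected = tsig_mac(unsigned, key_name, secret_b64, t_signed, fudge)
    return hmac.compare_digest(mac, expected) and abs(now - t_signed) <= fudge
```

A request signed with the wrong secret, under a different key name, altered in transit, or replayed outside the fudge window is rejected, which is exactly what makes the allow-transfer key clause stronger than an address-based ACL.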
