tsig and servers help
Jeremy C. Reed
Jeremy_Reed at isc.org
Fri Apr 24 19:26:09 UTC 2009
On Fri, 24 Apr 2009, Terry wrote:
> Thanks for your reply. On my slave, I have this:
>
> server 10.25.1.10 {
>     keys {
>         omajelns01.omajelns02;
>     };
> };
>
> It will sign all requests between these hosts. If requests come
> across that appear to be from these hosts and they are not signed, the
> server at either end will reject the requests (I am pretty sure that's
> the whole idea but just clarifying)? If that's the case, I like this
> architecture, it's simple and provides a level of security without a
> great deal of configuration overhead.
No. The ARM says "A request originating from the remote server is not
required to be signed by this key." You could use allow-transfer
(site-wide or per zone) using a key there for transfers only.
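
Added example, not part of the original message: a named.conf sketch of the distinction made in the reply. The `server` statement only signs outgoing requests, while `allow-transfer` with a key is what refuses unsigned transfer requests. It assumes 10.25.1.10 is the master; the slave address 10.25.1.11, the zone name, file names, algorithm and secret are placeholders.

```conf
// --- Both servers: the shared TSIG key (secret is a placeholder) ---
key "omajelns01.omajelns02" {
    algorithm hmac-sha256;                 // assumed; must match on both ends
    secret "REPLACE_WITH_BASE64_SECRET";
};

// --- Slave (assumed 10.25.1.11) ---
// Signs requests this server SENDS to 10.25.1.10.
// It does not require that requests arriving from 10.25.1.10 be signed.
server 10.25.1.10 {
    keys { omajelns01.omajelns02; };
};

zone "example.com" {                       // placeholder zone
    type slave;
    masters { 10.25.1.10; };
    file "slaves/example.com.db";
};

// --- Master (assumed 10.25.1.10) ---
zone "example.com" {
    type master;
    file "example.com.db";

    // Address-only ACL: any host that can send from this source
    // address passes, signed or not.
    //   allow-transfer { 10.25.1.11; };

    // Key-based ACL: the transfer request must carry a valid TSIG
    // made with this key, otherwise it is refused.
    allow-transfer { key omajelns01.omajelns02; };
};

// Check from the slave after reloading both servers:
//   dig @10.25.1.10 example.com axfr              -> should be refused
//   dig -k <keyfile> @10.25.1.10 example.com axfr -> should transfer
```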