TKEY and zone transfer
Mark Andrews
marka at isc.org
Tue Jan 29 10:39:44 UTC 2013
In message <CAKs98dGEcc27tdg0+DtvOJbvVEof1X+MMuki_tZ5TaZ2ooDfqQ at mail.gmail.com>, Kent Tong writes:
>
> Hi,
>
> I read that Bind9 supports using TKEY for zone transfers. However, I don't
> understand how the TKEY negotiation is triggered. In comparison, for
> dynamic updates, the update-policy will require Bind to determine the
> identity of the requester, but for zone transfer there is only an
> allow-transfer which takes an address_match_list only.
I think you mean TSIG rather than TKEY. Address match lists support
the use of keys.

    address_match_list = address_match_list_element ;
        [ address_match_list_element; ... ]
    address_match_list_element = [ ! ] (ip_address [/length] | key key_id |
        acl_name | { address_match_list } )

master:

    key "mykey" { algorithm hmac-md5; secret "afasfasfasfasdfsad"; };
    zone "example.net" {
        type master;
        allow-transfer { key mykey; };
        file "example.net";
    };

slave:

    key "mykey" { algorithm hmac-md5; secret "afasfasfasfasdfsad"; };
    zone "example.net" {
        type slave;
        file "example.net";
        masters { 1.2.3.4 key mykey; };
    };

Mark
> Any info? Thanks in advance!
>
> --
> Kent Tong
> IT author and consultant, child education coach
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
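
Added example, not part of the original message and not BIND's own code: a simplified Python model of how an address_match_list with key elements is evaluated, showing that listing an address and a key together means "either", and one way to require both. It assumes first-match-wins and that a negative match inside a nested list counts as no match; the secondary's address 192.0.2.53 is constructed.

```python
import ipaddress

# An element is (negated, kind, value); kind is "ip", "key", "any" or "acl".
def element_matches(kind, value, src, key):
    if kind == "any":
        return True
    if kind == "ip":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value)
    if kind == "key":
        # A key element matches only a request signed with that TSIG key.
        return key == value
    if kind == "acl":
        # Nested list: only a positive match counts; a negative match
        # inside it is treated as "no match" (assumption of this model).
        return match_list(value, src, key) is True
    raise ValueError(kind)

def match_list(acl, src, key=None):
    """Return True (allow), False (deny) or None (no element matched)."""
    for negated, kind, value in acl:
        if element_matches(kind, value, src, key):
            return not negated  # first matching element decides
    return None

def allowed(acl, src, key=None):
    # Falling off the end of the list without a match means denied.
    return match_list(acl, src, key) is True

# allow-transfer { key mykey; };  (as in the master config above)
KEY_ONLY = [(False, "key", "mykey")]
# allow-transfer { 192.0.2.53; key mykey; };  address OR key
EITHER = [(False, "ip", "192.0.2.53"), (False, "key", "mykey")]
# allow-transfer { !{ !192.0.2.53; any; }; key mykey; };  address AND key
BOTH = [(True, "acl", [(True, "ip", "192.0.2.53"), (False, "any", None)]),
        (False, "key", "mykey")]

if __name__ == "__main__":
    # Constructed requests: (source address, TSIG key name or None).
    requests = [("192.0.2.53", None), ("192.0.2.53", "mykey"),
                ("198.51.100.7", "mykey")]
    for name, acl in (("key only", KEY_ONLY), ("either", EITHER), ("both", BOTH)):
        for src, key in requests:
            print(f"{name:8} src={src:13} key={key}: {allowed(acl, src, key)}")
```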