[ Answered ] Question about TSIG

Dig · 05-04-2010, 04:01 PM

Hello,

i've 2 namesevrers running bind 9 and i restricted the transfer between the master and salve through the TSIG , The transfer goes well with no problem for all zones but when i make dig axfr domain.tld @master
i got transfer failed and on the other hand master logs said that transfered denied ... anybody knows why ?

bathory · 05-04-2010, 04:31 PM

Hi,

You need

Code:

allow-transfer {x.x.x.x;};

in the zone domain.tld definition (or in the global options if you want axfr for all the zones your dns is authoritative for), where x.x.x.x is the ip of the box you want to do the zone transfer.

Dig · 05-04-2010, 04:34 PM

Thank you bathory but is that mean it dig axfr will work only with ip restriction and will not work with TSIG only without IPs ?

bathory · 05-04-2010, 04:48 PM

If you want to use TSIG keys for zone transfers, you can use:

Code:

allow-transfer {key TSIG.key;};

and of course you have to include TSIG.key in named.conf

Dig · 05-05-2010, 02:41 PM

Thank you bathory for help , you explained how to use key or IP with allowing transfer , but my question was how to dig axfr after implement all of that as it can't be through

#dig axfr domain.tld @master

and after many research it should be like that

#dig -y key-name:key @master domain.tld axfr

and it works now

thanks again