AXFR/TSIG in 2.2.0

Erik Rozendaal erik at NLnetLabs.nl
Fri Jan 28 10:12:46 UTC 2005


Howard M. Kash III wrote:
> In 2.2.0, when using the new <zonename>.tsiginfo format, is the IP
> address in the tsiginfo file ignored when multiple masters are present
> in the nsd.zones file?  Or should the IP addresses of all masters be
> listed in the first line of the tsiginfo file?

Before 2.2.0, the filename had to match <master-ip-addresses>.tsiginfo, 
so if you had a zone with multiple masters like 10.0.0.1 and 192.168.1.1 
the file needed to be called "10.0.0.1 192.168.1.1.tsiginfo".  At least, 
that should have worked but I don't think anyone ever really tried to 
get that working.

So now the alternative is to name the file based on the zone origin. 
The old way is still supported.

The IP address is always ignored in the .tsiginfo file.  The only reason 
we even have the tsiginfo file now is because of (backwards) 
compatibility with BIND 8's named-xfer.  This is likely to change when 
2.3.0 is released with server side TSIG support and a "real" 
configuration file that can be used to store TSIG keys.

> In section 3.3.1 of the README file, shouldn't the example tsiginfo
> filename be nlnetlabs.nl.tsiginfo, not nlnetlabs.tsiginfo?

Yes.  Updated in CVS.

> For the root zone, the tsiginfo filename ends up being "..tsiginfo" -
> just a bit confusing since it ends up being a "hidden" file.

Uhmm... yes, that is ugly.  You could work around it by putting in your 
.zones file:

zone root root.zone

And start your root.zone file with:

$ORIGIN .         (or always use absolute domain names in the zone).

Now the tsiginfo file would be named "root.tsiginfo".  Ugly, but zonec 
only used the origin field in the .zones file to set the initial origin.
The owner name of the SOA record is used as the real zone apex.

> Section 2.4 of the README needs to be updated to include nsd-xfer.

Done in CVS.  Thanks!

Erik


