From: Doug Barton
Newsgroups: comp.protocols.dns.bind
Subject: Re: Securing zone transfer and DDNS
Date: Sun, 06 Nov 2011 18:47:51 -0800
Organization: http://SupersetSolutions.com/
References: <21ed7915.4729b742.4eb72f52.7f82@o2.pl>
In-Reply-To: <21ed7915.4729b742.4eb72f52.7f82@o2.pl>
To: Aleksander Kurczyk
Cc: bind-users@lists.isc.org

On 11/06/2011 17:07, Aleksander Kurczyk wrote:
> Hello, I'm just reading a book called "Pro DNS and BIND 10" written by
> Ron Aitchison. I'm stuck in chapter 10, called "DNS Secure
> Configurations". It describes how to secure zone transfers and
> dynamic updates. The author has used one key to secure both the zone
> transfer and the dynamic updates, but I want to use two separate keys.

First question, why use 2 keys? The combination of a key and an address
match list should be enough.

Second question, what version of BIND are you using? It probably doesn't
matter, but it's good form to include that information.

> Unfortunately, when I add more than one key to the keys option in the
> server section, named doesn't start anymore. The format of the key
> option in the book is different from the one in the manual. When I
> remove the whole server section everything works OK. Is the keys
> section important? What is this section for? How can I use one key to
> secure zone transfer to one host and another to secure zone transfer
> to another host? Is it possible?

Doesn't look that way. The ARM is your best source for config info.

> Part of the named.conf:
> include "key";

The include directive is related to adding an external file to your
named.conf. Unless that's what you're intending to do, you probably
don't want it here.

> server 127.0.0.1 { keys { "key"; }; };

The term "keys" here would seem to indicate that you can add multiple
keys per server, but ...

> zone "my.zone" in {
>     type master;
>     file "my.zone";
>     allow-transfer { key "key"; };
>     allow-update { key "key"; };
> };

I don't see anything in the ARM about including key directives in the
allow-update or allow-transfer grammar.

You can probably also get some useful information by using
named-checkconf.

hth,

Doug

-- 
"We could put the whole Internet into a book."
"Too practical."

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
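[Added example, not part of the thread above and not taken from the book it discusses. It is a named.conf pair for BIND 9 that does what the question asks: one TSIG key per secondary for zone transfers, and a third key that is good only for dynamic updates. The zone name (my.zone) comes from Aleksander's mail; the key names (xfer-ns2, xfer-ns3, ddns-key), the 192.0.2.0/24 addresses and the base64 secrets are made up for the example. It goes one step beyond the question by also tying each transfer key to its secondary's address, which is the key-plus-address-match-list combination Doug mentions.]

```conf
// ---- On the primary, 192.0.2.1 ----
// Keys are shown inline to keep the example self-contained. In practice
// generate them with tsig-keygen (ddns-confgen on older BIND 9), keep them
// in a file readable only by named, and pull it in with an include such as
//   include "/etc/named/tsig-keys.conf";
// The secrets below are constructed placeholders, not real key material.

key "xfer-ns2" {                // transfers to secondary ns2 only
    algorithm hmac-sha256;
    secret "MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI=";
};
key "xfer-ns3" {                // transfers to secondary ns3 only
    algorithm hmac-sha256;
    secret "MzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM=";
};
key "ddns-key" {                // dynamic updates only, never transfers
    algorithm hmac-sha256;
    secret "NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ=";
};

// Key AND address, not key OR address. Inside each acl the element
// !{ !addr; any; } is a negative match for every source except addr, and
// a negative match coming out of a nested list counts as "no match" for
// the element that contains it. So a request from the wrong address is
// denied before its key is looked at, and a request from the right
// address still has to reach the "key" element with the right signer.
acl "ns2-signed" { !{ !192.0.2.2; any; }; key "xfer-ns2"; };
acl "ns3-signed" { !{ !192.0.2.3; any; }; key "xfer-ns3"; };

options {
    directory "/var/named";
    allow-transfer { none; };   // global default: deny; zones opt in
    allow-update   { none; };
};

zone "my.zone" in {
    type master;
    file "my.zone";
    allow-transfer { ns2-signed; ns3-signed; };
    allow-update   { key "ddns-key"; };
    // No server statement on the primary: it only verifies signed
    // requests from others, it does not originate any.
};

// ---- On secondary ns2, 192.0.2.2 ----
// Only ns2's own key is installed here, plus a server statement so the
// AXFR/IXFR requests ns2 sends to the primary are signed with it. A
// server statement uses a single key per remote address, which is why
// "one key for host A, another for host B" is written as one server
// statement per peer rather than several keys in one keys { } clause.
key "xfer-ns2" {
    algorithm hmac-sha256;
    secret "MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI=";
};
server 192.0.2.1 { keys { "xfer-ns2"; }; };
zone "my.zone" in {
    type slave;
    file "my.zone.bak";
    masters { 192.0.2.1; };
    allow-transfer { none; };   // secondaries don't hand the zone on
};
```

Run named-checkconf on both files before restarting. A transfer can then be checked from ns2 with dig @192.0.2.1 my.zone AXFR -y hmac-sha256:xfer-ns2:<secret>; the same request from ns3, or from ns2 signed with the ns3 key, should come back REFUSED. Updates are tested with nsupdate -k <keyfile> against the primary. Note that allow-update is zone-wide: whoever holds ddns-key can change any record in my.zone, so if that is too broad, update-policy is the finer-grained alternative.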