From: Jan-Piet Mens
Newsgroups: comp.protocols.dns.bind
Subject: Re: Securing zone transfer and DDNS
Date: Mon, 7 Nov 2011 15:59:34 +0100

> Bind version is: 9.7.4

Upgrade; 9.8.1 is current.
(In addition, you're reading a book called BIND 10 -- even though the
book doesn't once mention that software!)

> Maybe this is a stupid question but what is ARM?

BIND 9 Administrator Reference Manual. It is provided in multiple
formats within the BIND source distribution. (doc/arm/*)

[...]

I assume what you probably want to do is something like this:

    key "my.key" {
        algorithm HMAC-MD5;
        secret "xxxx";
    };

    key "my.key2" { ... };

    acl xferkey { key my.key2; };

    zone "example.net" IN {
        type master;
        file "example.net";
        allow-update { key "my.key"; };
        allow-transfer { xferkey; };
    };

Create your keys with the dnssec-keygen utility (check its manual page).

Instead of allow-update, I'd like to suggest you read up on the `grant'
statement which allows a much finer granularity on DDNS.

        -JP
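A fuller sketch of the configuration suggested above, using update-policy `grant` rules in place of allow-update, added here as an example and not part of the original post. It keeps the post's key, ACL and zone names; the host names, the 192.0.2.1 address, the secret placeholders and the use of hmac-sha256 instead of HMAC-MD5 are assumptions.

```conf
// ---- master: named.conf (constructed example) ----

// TSIG key that signs dynamic updates. The secret is a placeholder:
// paste the base64 value produced by dnssec-keygen.
key "my.key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Separate TSIG key for zone transfers, so a leaked update key
// cannot be used to pull the whole zone (and vice versa).
key "my.key2" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

acl xferkey { key my.key2; };

zone "example.net" IN {
    type master;
    file "example.net";

    // update-policy is used instead of allow-update; a zone may not
    // specify both. Rules are matched in order, anything not granted
    // is refused.
    update-policy {
        // my.key may change only A/AAAA records at this single name.
        grant my.key name host1.example.net. A AAAA;
        // my.key may change A/AAAA/TXT anywhere under dyn.example.net.
        grant my.key subdomain dyn.example.net. A AAAA TXT;
    };

    // Only AXFR/IXFR requests signed with my.key2 are answered.
    allow-transfer { xferkey; };
};

// ---- slave: named.conf (constructed example) ----
// Define the same "my.key2" key here, then sign every request sent
// to the master (placeholder address) with it:
server 192.0.2.1 {
    keys { my.key2; };
};
```

After substituting real secrets, run named-checkconf on each file before reloading named.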