“main” (Installation and Administration) 2004/6/25 13:29 page 468 #494
The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files. To use it for transactions, the second file (Khost1-host2.+157+34265.key) must be transferred to the remote host, preferably in a secure way (using scp, for instance). On the remote server, the key must be included in the file /etc/named.conf to enable secure communication between host1 and host2:
    key host1-host2. {
        algorithm hmac-md5;
        secret "ejIkuCyyGJwwuN3xAteKgg==";
    };
Caution: File Permissions of /etc/named.conf

Make sure the permissions of /etc/named.conf are properly restricted. The default for this file is 0640, with the owner being root and the group named. As an alternative, move the keys to an extra file with specially limited permissions, which is then included from /etc/named.conf.
To enable the server host1 to use the key for host2 (which has the address 192.168.2.3 in this example), the server's /etc/named.conf must include the following rule:

    server 192.168.2.3 {
        keys { host1-host2.; };
    };
Analogous entries must be included in the configuration files of host2.

In addition to any ACLs (Access Control Lists, not to be confused with filesystem ACLs) that are defined for IP addresses and address ranges, add TSIG keys for these to enable transaction security. The corresponding entry could look like this:

    allow-update { key host1-host2.; };

This topic is discussed in more detail in the BIND Administrator Reference Manual under update-policy.
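The steps above (read the generated key file, write the key, server and allow-update stanzas for both hosts, and keep the secret in a file that is not world-readable) as a small script. This is an added example, not code from the manual or from BIND; the "name IN KEY flags proto alg secret" layout of the .key file, the algorithm number 157 and the sample secret are assumptions.

```python
"""Added example, not from the manual: derive the named.conf stanzas described
above from a dnssec-keygen HMAC-MD5 key file, and check the file permissions."""
import base64
import os
import stat
import tempfile

# Constructed sample of Khost1-host2.+157+34265.key. The record layout
# "<name> IN KEY <flags> <proto> <alg> <secret>" is an assumption about dnssec-keygen.
SAMPLE_KEY_FILE = "host1-host2. IN KEY 512 3 157 ejIkuCyyGJwwuN3xAteKgg==\n"
HMAC_MD5_ALG = 157  # dnssec-keygen algorithm number used for HMAC-MD5 (assumed)

def parse_key_file(text):
    """Return (key_name, secret) from the KEY record, rejecting malformed input."""
    f = text.split()
    if len(f) != 7 or f[1:3] != ["IN", "KEY"] or int(f[5]) != HMAC_MD5_ALG:
        raise ValueError("not an HMAC-MD5 KEY record")
    # validate=True rejects stray characters; the round trip rejects bad padding.
    raw = base64.b64decode(f[6], validate=True)
    if base64.b64encode(raw).decode() != f[6]:
        raise ValueError("secret is not canonical base64")
    return f[0], f[6]

def key_stanza(name, secret):
    """key {} block, identical on host1 and host2; the secret must be quoted."""
    return 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' % (name, secret)

def server_stanza(peer_ip, name):
    """server {} block: sign every transaction with peer_ip using this key."""
    return "server %s {\n    keys { %s; };\n};\n" % (peer_ip, name)

def allow_update_stanza(name):
    """Restrict dynamic updates to requests signed with the key."""
    return "allow-update { key %s; };\n" % name

def write_key_include(name, secret):
    """Write the key stanza to its own file with mode 0640, to be included
    from /etc/named.conf as the manual suggests. Returns the path."""
    fd, path = tempfile.mkstemp(suffix=".key.conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(key_stanza(name, secret))
    os.chmod(path, 0o640)
    return path

def secret_file_is_restricted(path):
    """True when 'other' has neither read nor write access to the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IROTH | stat.S_IWOTH) == 0
```

Run key_stanza, server_stanza("192.168.2.3", name) and allow_update_stanza on the parsed result to obtain the three fragments shown in the text; on host2 the server stanza names host1's address instead.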
468 21.7. DNS — Domain Name System