Sunday, 9 September 2012

TSIG

Configure TSIG for zone transfers

On the master

Create the key
#dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave

Get the key value from the generated .key file (the secret is the last field)
#cat Kmaster-slave*key
master-slave. IN KEY 512 3 157 ts7byllvrX5r4Il3t177Ug==

Create a key file to include in named.conf
#vim master-slave.key


key master-slave {
        algorithm hmac-md5;
        secret ts7byllvrX5r4Il3t177Ug==;
};


Change the permissions on the file
#chmod 640 master-slave.key
#chown :named master-slave.key

Link the file into /etc if named runs in a chroot
#ln -s /var/named/chroot/etc/master-slave.key /etc/master-slave.key

Make sure the key file has the correct SELinux context
#chcon master-slave.key --reference rndc.key

Update named.conf to include the key file by adding the following
include "/etc/master-slave.key";

Configure the server to allow transfers only to clients that sign with the key

allow-transfer { key master-slave; };

Restart the named service on the master
#service named restart

On the slave

Create a key file to include in named.conf
#vim master-slave.key


key master-slave {
        algorithm hmac-md5;
        secret ts7byllvrX5r4Il3t177Ug==;
};

Change the permissions on the file
#chmod 640 master-slave.key
#chown :named master-slave.key

Link the file into /etc if named runs in a chroot
#ln -s /var/named/chroot/etc/master-slave.key /etc/master-slave.key

Make sure the key file has the correct SELinux context
#chcon master-slave.key --reference rndc.key

Update named.conf to include the key file by adding the following
include "/etc/master-slave.key";

Add a server statement for the master and configure it to sign requests with the key
server SERVERIP {
        keys { master-slave; };
};

Restart the named service on the slave
#service named restart

Testing

You can use the dig command to test zone transfers: an unsigned request should now be refused, and a request signed with the key should succeed

Without TSIG
#dig @MASTERIP example.com axfr

With TSIG
#dig -y master-slave:ts7byllvrX5r4Il3t177Ug== @MASTERIP example.com axfr
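What `dig -y` sends and what the master checks before honouring the AXFR, as an added example that is not part of the original post: a minimal TSIG signer and verifier (RFC 2845, HMAC-MD5) built on the key name and secret above, assuming a request with one question and the TSIG RR as its only additional record.

```python
import base64, hashlib, hmac, struct
ALGORITHM = "hmac-md5.sig-alg.reg.int"  # wire-format name of hmac-md5 (RFC 2845)

def wire_name(name):
    # Canonical wire form: lowercase, length-prefixed labels, terminated by a zero byte
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(buf, pos):  # inverse of wire_name (TSIG names are never compressed)
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode()); pos += buf[pos] + 1
    return ".".join(labels), pos + 1

def pack48(t):  # 48-bit "time signed" field: 16-bit high part + 32-bit low part
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)

def axfr_query(zone, msg_id=0x1234):  # unsigned request: one question, QTYPE 252 (AXFR), IN
    return struct.pack("!6H", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_variables(key_name, time_signed, fudge):
    # Hashed after the message (RFC 2845 3.4.2): NAME, CLASS ANY, TTL 0, algorithm, time, fudge,
    # error 0 and other len 0 (both are always 0 in a request)
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + pack48(time_signed) + struct.pack("!HHH", fudge, 0, 0))

def sign(message, key_name, secret_b64, time_signed, fudge=300):
    # Client side (what `dig -y` does): HMAC over message + variables, carried in a TSIG RR
    data = message + tsig_variables(key_name, time_signed, fudge)
    mac = hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()
    rdata = (wire_name(ALGORITHM) + pack48(time_signed) + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other len 0
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # TYPE TSIG, CLASS ANY
    hdr = list(struct.unpack("!6H", message[:12])); hdr[5] += 1  # ARCOUNT now counts the TSIG RR
    return struct.pack("!6H", *hdr) + message[12:] + rr

def verify(signed, known_keys, now):
    # Server side: strip the TSIG RR, restore ARCOUNT, recompute the MAC with the named key
    hdr = list(struct.unpack("!6H", signed[:12]))
    if hdr[2:] != [1, 0, 0, 1]:  # exactly one question and the TSIG RR, nothing else
        return False
    pos = read_name(signed, 12)[1] + 4  # end of the question (QNAME, QTYPE, QCLASS)
    message = struct.pack("!6H", *hdr[:5], hdr[5] - 1) + signed[12:pos]
    key_name, pos = read_name(signed, pos)
    alg, pos = read_name(signed, pos + 10)  # skip TYPE, CLASS, TTL, RDLENGTH
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", signed[pos:pos + 10])
    mac, time_signed = signed[pos + 10:pos + 10 + mac_len], (ts_hi << 32) | ts_lo
    if alg != ALGORITHM or key_name not in known_keys or abs(now - time_signed) > fudge:
        return False  # unknown key, wrong algorithm or outside the fudge window
    data = message + tsig_variables(key_name, time_signed, fudge)
    expected = hmac.new(base64.b64decode(known_keys[key_name]), data, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)  # constant-time compare; any tampering fails here
```

Note that a request signed with a key the master does not know, or replayed after the fudge window, is rejected before the MAC is even compared, which is why the secret must be identical on both servers and their clocks must agree.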

