DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)
DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual—529432-003
Use TSIG
Steps to Configure TSIG for Securing Zone Updates:
1. Create the shared key using the dnssec-keygen tool. (See Generating a Key
Pair on page 3-21.)
2. Share the generated key between the name servers among which secure
communication is desired.
3. Include the key in the key statement of the named.conf file of the primary name server:
key key-name {
    algorithm hmac-md5;
    secret "generated-secret-key";
};
This example specifies a TSIG key for the name server. The key directive
specifies the algorithm to be used for verification and the generated key.
To restrict zone transfers from a primary server to slave servers, use the allow-transfer directive in a zone definition:
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key <key-name>; };
};
This example specifies that zone transfers for example.com would be sent only to
those name servers that have the specified key.
4. On the slave's end, configure the slave to sign zone transfer requests with the
same key:
key key-name {
    algorithm hmac-md5;
    secret "generated-secret-key";
};
server <IP-address-of-primary> {
    keys { key-name; };
};
The server statement directs the slave name server to sign all requests to the
primary name server using the specified key.
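
An added example, not part of the HP manual or the NonStop DNS product: a Python check that the primary's and slave's statements from steps 3 and 4 agree, because a mismatch in key name, algorithm or secret, or a missing server statement on the slave, causes the primary to refuse the transfer. The key name xfer-key, the secret and the address 192.0.2.1 are constructed sample values, and the regular expressions assume the statement layout shown above.

```python
import base64, binascii, re

# Constructed sample statements mirroring the manual's layout; the key name,
# secret and address are made-up values, not real credentials.
KEY = 'key xfer-key { algorithm hmac-md5; secret "c2FtcGxlLXNlY3JldA=="; };\n'
PRIMARY = KEY + '''zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key xfer-key; };
};'''
SLAVE = KEY + 'server 192.0.2.1 { keys { xfer-key; }; };'

# Assumption: statements follow the layout used in steps 3 and 4 above.
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;', re.I)
XFER_RE = re.compile(r'allow-transfer\s*\{\s*key\s+"?([\w.-]+)"?\s*;\s*\}', re.I)
SRV_RE = re.compile(r'\bserver\s+\S+\s*\{\s*keys\s*\{\s*"?([\w.-]+)"?\s*;', re.I)

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key statement."""
    return {m[1]: (m[2].lower(), m[3]) for m in KEY_RE.finditer(conf)}

def check_tsig_pair(primary, slave):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    pkeys, skeys = parse_keys(primary), parse_keys(slave)
    signing = set(SRV_RE.findall(slave))  # keys the slave signs requests with
    for name in XFER_RE.findall(primary):
        if name not in pkeys:
            problems.append(f"primary: allow-transfer names undefined key {name}")
        elif pkeys[name] != skeys.get(name):
            problems.append(f"key {name}: missing or different on the slave")
        elif name not in signing:
            problems.append(f"slave: no server statement signs with {name}")
    for name, (_, secret) in pkeys.items():
        try:
            base64.b64decode(secret, validate=True)  # secrets are base64 text
        except binascii.Error:
            problems.append(f"key {name}: secret is not valid base64")
    return problems

if __name__ == "__main__":
    print(check_tsig_pair(PRIMARY, SLAVE) or "TSIG configuration is consistent")
```

The base64 check also catches a configuration in which the placeholder text was left in the secret field instead of the generated key.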










