On Fri, 24 Apr 2009, Terry wrote:
> Thanks for your reply. On my slave, I have this:
>
> server 10.25.1.10 {
> keys {
> omajelns01.omajelns02;
> };
> };
>
> It will sign all requests between these hosts. If requests come
> across that appear to be from these hosts and they are not signed, the
> server at either end will reject the requests (I am pretty sure that's
> the whole idea but just clarifying)? If that's the case, I like this
> architecture, it's simple and provides a level of security without a
> great deal of configuration overhead.
No. The ARM says "A request originating from the remote server is not
required to be signed by this key." You could use allow-transfer
(site-wide or per zone) using a key there for transfers only.
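
The split described above, as an added example that is not part of the original message: the `server` statement only makes the slave sign what it sends, while a key in `allow-transfer` on the master is what refuses unsigned transfer requests. The zone name `example.com`, the file paths, the `hmac-sha256` algorithm choice and the secret are assumptions or placeholders; the key name and the address 10.25.1.10 (assumed here to be the master) come from the quoted configuration.

```conf
// ===== named.conf on the slave =====

// Shared TSIG key; the same statement must exist on the master.
// The secret below is a placeholder, not a real key.
key "omajelns01.omajelns02" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Sign requests that THIS server sends to 10.25.1.10.
// This does not cause unsigned requests arriving from
// 10.25.1.10 to be rejected.
server 10.25.1.10 {
    keys { omajelns01.omajelns02; };
};

zone "example.com" {
    type slave;
    masters { 10.25.1.10; };
    file "slaves/example.com.db";
};

// ===== named.conf on the master (10.25.1.10) =====

// Same key statement as on the slave.
key "omajelns01.omajelns02" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    // Enforcement happens here: only transfer requests signed
    // with this key are allowed. An address-only ACL in this
    // position would accept unsigned requests from that address.
    allow-transfer { key omajelns01.omajelns02; };
};
```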