AXFR/TSIG in 2.2.0

Erik Rozendaal erik at
Fri Jan 28 10:12:46 UTC 2005

Howard M. Kash III wrote:
> In 2.2.0, when using the new <zonename>.tsiginfo format, is the IP
> address in the tsiginfo file ignored when multiple masters are present
> in the nsd.zones file?  Or should the IP addresses of all masters be
> listed in the first line of the tsiginfo file?

Before 2.2.0, the filename had to match <master-ip-addresses>.tsiginfo, 
so if you had a zone with multiple masters like and 
the file needed to be called "".  At least, 
that should have worked but I don't think anyone ever really tried to 
get that working.

So now the alternative is to name the file based on the zone origin. 
The old way is still supported.

The IP address is always ignored in the .tsiginfo file.  The only reason 
we even have the tsiginfo file now is because of (backwards) 
compatibility with bind 8's named-xfer.  This is likely to change when 
2.3.0 is released with server side TSIG support and a "real" 
configuration file that can be used to store TSIG keys.

> In section 3.3.1 of the README file, shouldn't the example tsiginfo
> filename be, not nlnetlabs.tsiginfo?

Yes.  Updated in CVS.

> For the root zone, the tsiginfo filename ends up being "..tsiginfo" -
> just a bit confusing since it ends up being a "hidden" file.

Uhmm... yes, that is ugly.  You could work around it by putting in your 
.zones file:

zone root

And start your file with:

$ORIGIN .         (or always use absolute domain names in the zone).

Now the tsiginfo file would be named "root.tsiginfo".  Ugly, but zonec 
only used the origin field in the .zones file to set the initial origin. 
The owner name of the SOA record is used as the real zone apex.

> Section 2.4 of the README needs to be updated to include nsd-xfer.

Done in CVS.  Thanks!

