BIND 9 and later: TSIG example

This example tells the name server to sign every message it sends to the name server at 192.0.2.1 (zone transfers included) with the key called example-company-sharedsecret., and to verify messages from 192.0.2.1 that are signed with the same key. Note that the keys clause of the server statement does not by itself reject unsigned requests from that address; who may transfer the zone, and whether a signature is required, is controlled by the zone's allow-transfer statement. Once the configuration is loaded, confirm it with dig from a host holding the key: its -y option supplies the key name and secret, and a signed AXFR should succeed while an unsigned or wrongly keyed one is refused. Two very important points to remember when using TSIGs are:

  • Time: TSIGs require time synchronization between the name servers involved. Each signature carries the time it was generated, and the receiver rejects it (BADTIME) once the difference from its own clock exceeds the fudge value, which defaults to 300 seconds in BIND. The timestamp is in seconds since the Unix epoch, so the time zone of the system clock does not matter, only its accuracy; Zone Transfer Agents (ZTAs) are set to GMT. In particular, the clock skew between the customer primary and the ZTAs must be less than 5 minutes, so keep the primary synchronized with NTP.
  • Key: The name of the TSIG key, not just the secret, must match on the servers. The key name is part of the data the signature covers (the comparison is case-insensitive), and a signed request whose key name the receiver does not know is rejected as BADKEY before the secret is ever consulted.

    // Shared TSIG key. The name (example-company-sharedsecret.) must be
    // identical on both servers. The secret is base64; this value is only
    // an example, generate a real one (for instance with tsig-keygen).
    // hmac-md5 is shown as on the original page; BIND also supports
    // hmac-sha256, which is preferable when the peer accepts it.
    key example-company-sharedsecret. {
        algorithm hmac-md5;
        secret "mZiMNOUYQPMNwsDzrX2ENw==";
    };

    // Sign every message sent to 192.0.2.1 with this key.
    server 192.0.2.1 {
        transfer-format many-answers;
        keys { example-company-sharedsecret.; };
    };

    zone "example.com" {
        …
        // Address-only ACL: 192.0.2.1 may also transfer without a
        // signature. Listing the key in this ACL, instead of or as well
        // as the address, requires the TSIG on the transfer request.
        allow-transfer { 192.0.2.1; };
        …
    };
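To make the two points above concrete, here is a small Python signer and verifier for TSIG (RFC 8945) run over a constructed AXFR query. It is an added example, not BIND's or the ZTA's code: the query bytes, the timestamp, the keyring and the second key name other-name. are constructed for the demonstration, and the page's example secret is reused. It returns the same status names BIND logs (BADKEY, BADSIG, BADTIME), and shows that a 10-minute skew fails the time check, that a tampered query fails the MAC check, and that the same secret under a different name produces a different MAC, which is why the name must match. Parsing the TSIG RR off the wire is left out; the signer hands the TSIG fields over directly.

```python
"""Minimal TSIG (RFC 8945) signer and verifier over a constructed AXFR query.

Added example, not BIND's or the zone transfer agent's code. It exists to
show why the two points above matter: the key NAME is part of the data the
HMAC covers, and the verifier rejects a signing time that is further from
its own clock than the fudge window (BIND's default is 300 seconds).
"""
import base64
import hashlib
import hmac
import struct

# Algorithm names as carried on the wire (RFC 8945 section 6).
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha256.": hashlib.sha256,
}
TSIG_FUDGE = 300  # seconds of clock skew tolerated; BIND's default


def encode_name(name):
    """Canonical uncompressed wire form of a domain name (lowercase labels)."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables digested after the message: key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other data."""
    return (
        encode_name(key_name)
        + struct.pack("!HI", 255, 0)
        + encode_name(algorithm)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def tsig_mac(message, key_name, secret, algorithm, time_signed, fudge, request_mac=b""):
    """HMAC over [length-prefixed request MAC, for a response] + message + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data = prefix + message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def build_axfr_query(zone, msg_id=0x1234):
    """Constructed AXFR query (QTYPE 252, QCLASS IN) before the TSIG RR is appended."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)


def sign_query(message, key_name, secret, algorithm, now):
    """Fields the sender puts in the TSIG RR; 'now' is seconds since the Unix epoch."""
    time_signed = int(now)
    mac = tsig_mac(message, key_name, secret, algorithm, time_signed, TSIG_FUDGE)
    return {"key_name": key_name, "algorithm": algorithm,
            "time_signed": time_signed, "fudge": TSIG_FUDGE, "mac": mac}


def verify_query(message, tsig, keyring, now):
    """Receiver-side checks in RFC 8945 order: key lookup, MAC, then time."""
    entry = keyring.get(tsig["key_name"].lower().rstrip("."))
    if entry is None or entry[0] != tsig["algorithm"]:
        return "BADKEY"  # unknown key name: the secret is never consulted
    algorithm, secret = entry
    expected = tsig_mac(message, tsig["key_name"], secret, algorithm,
                        tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(int(now) - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"
    return "NOERROR"


def demo(now=1_700_000_000):
    """Good case plus the failure modes the text warns about (constructed inputs)."""
    secret = base64.b64decode("mZiMNOUYQPMNwsDzrX2ENw==")  # the page's example secret
    key_name = "example-company-sharedsecret."
    alg = "hmac-md5.sig-alg.reg.int."  # wire name of BIND's "hmac-md5"
    keyring = {key_name.rstrip("."): (alg, secret)}
    msg = build_axfr_query("example.com.")
    tsig = sign_query(msg, key_name, secret, alg, now)
    return {
        "good": verify_query(msg, tsig, keyring, now),
        "skew_10min": verify_query(msg, tsig, keyring, now + 600),
        "tampered": verify_query(msg[:-1] + b"\x03", tsig, keyring, now),  # QCLASS altered
        "wrong_key_name": verify_query(msg, dict(tsig, key_name="other-name."), keyring, now),
        # Same secret under a different (hypothetical) name: the MAC changes.
        "name_is_signed": tsig["mac"] != tsig_mac(msg, "other-name.", secret, alg, now, TSIG_FUDGE),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:15} {status}")
```

The wire-format algorithm name for BIND's hmac-md5 is hmac-md5.sig-alg.reg.int.; the newer algorithms simply use their own names (hmac-sha256.). Because the signing time travels inside the TSIG RR, a skewed receiver still computes a matching MAC and only then fails the time check, which is why a clock problem shows up as BADTIME rather than BADSIG in the logs.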