TSIG for Secure Zone Transfer

Be able to secure zone transfer between master & slave name server using TSIG keys.

  1. All the master server will derive a key using dnssec-keygen statement
    dnssec-keygen -a <algorithm> -b <bits> -n HOST <tsig-key-name>


    dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST

    Check that this generates two files

    # ls -al

  2. Update the primary server’s named.conf.local with this key. It is recommended to put it in a separate file and use the include statement in named.conf.local to specify this key.
    1. Copy the key part into a file and name it The format is as follows:
      key {
      algorithm HMAC-MD5;
      secret “<copy-the-secret-here>”;
    2. Edit named.conf.local and add the #include statement.
      include “”;
      server <ip-of-slave> {
      keys {; };
    3. Now edit named.conf.local to allow zone transfer from slave servers with the generated key instead of IP addresses.
      allow-transfer {
      //192.168.30.X (comment this out)
      key; //use keys for secure zone transfer
  3. Send the key off-band to your slave name server administrator so they could configure their slave name server to use the key. To do this,
    1. Copy the key to the slave server securely.
      scp <> apnic@<ip-address-of-slaveserver>:/home/apnic/

      Ex: for server1

      scp apnic@
    2. Request the owner of Secondary Server to Update the secondary server’s named.conf.local to reflect the same changes as the primary.
      include “”;
      server <ip-of-master> {
      keys { ns1-ns2.mydomain; };
      allow-transfer {
      // (comment this out)
      key ns1-ns2.groupX.nett; //use keys for secure zone transfer
  4. Run both master & slave nameserver and see if zone transfers happen. Zone transfer can also be tested using dig command, try using it with a key.
    Example: Without the key, transfer is expected to fail.
    dig @server domain axfr


    Transfer failed.

    Example: with a key

    dig -y "" @<slave-server> <slave domain> axfr

  • netsec20181209-np/dns_tsig.txt
  • Last modified: 2021/04/19 06:39
  • by