TSIG authenticated zone transfers in Bind

Notes on setting up secret key authenticated TSIG zone transfers in Bind 9.8.

Create an 128b HMAC-SHA256 of type HOST key to use as the shared secret.
# dnssec-keygen -a hmac-sha256 -b 128 -n HOST gemlocgem
Kgemlocgem.+163+12752


The previous command creates two files.
# ls Kgemlo*
Kgemlocgem.+163+12752.key  Kgemlocgem.+163+12752.private


The 128b base-64 string we need for the shared secret is in both files.
# cat Kgemlocgem.+163+12752.key
gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg==


Create a named.conf.keys file.
# cat named.conf.keys

key gemlocgem. {
  algorithm hmac-sha256;
  secret  "Wh47ever64iPdUhb9nd8hg==";
};



Make secret and named.conf.keys files non-readable by all in this system.
# chmod 640 Kgemlocgem.+163+12752.*
# chmod 640 named.conf.keys


Send named.conf.keys to the slave.
# toprod named.conf.keys


Include named.conf.keys and add server-key stanza in the named.conf of the server at 192.0.2.111
# cat named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.222 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};



One of the name servers ( e.g. the slave) is at 192.0.2.222 and the other name server at 192.0.2.111

The named.conf file in the other server.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.111 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};


Adjust allow-updates and allow-transfer directives to use TSIG in the options of both servers e.g.
  allow-transfer { key gemlocgem. ; };
  allow-update { key gemlocgem. ; };
You may use and other allow-transfer directives that specify IP addresses.

The systems used.
# named -v
BIND 9.8.4-rpz2+rl005.12-P1
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.7


TSIG authenticated zone transfers between Bind Servers