What are the steps which must be followed to enable serverwide zone transfers between two BIND 9 servers securely using TSIG?
A. Generate a key, specify the public key in the named configuration on both servers, create a server statement in the named configuration on both servers.
B. Generate a key, specify the private key in the named configuration on both servers, create a server statement in the named configuration on both servers.
C. Generate a key, specify the private key in the named configuration on one server and the public key in the named configuration on the other, create a remote statement in the named configuration on both servers.
D. Generate a key, specify the private key in the named configuration on one server and the public key in the named configuration on the other, create a server statement in the named configuration on both servers.
I think A. is the correct answer here... you specify the public key in named.conf, as far as I know.
The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.
Both .key and .private files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.
I read the docs more closely... it seems B. might be correct when using TSIG.
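For reference, here is what the procedure from the question looks like in practice. This is an added example, not part of the thread and not taken from BIND's documentation. TSIG is a symmetric scheme (HMAC over the DNS message), so there is one shared secret, and the identical key statement goes into the named configuration of both servers; the .key and .private files produced by the older dnssec-keygen HMAC workflow quoted above simply carry that same secret twice. The key name "xfer-key", the addresses 192.0.2.1 (primary) and 192.0.2.2 (secondary), the zone name, the file paths and the base64 secret are constructed placeholders; the secret shown is 32 zero bytes and must be replaced with the output of tsig-keygen (or the Key: line of the .private file from dnssec-keygen).

```conf
// Added example (not from the original post or from the BIND documentation).
// named.conf fragments for a TSIG-signed zone transfer. All names, addresses,
// paths and the secret are constructed placeholders.
//
// Step 1 (on either machine): generate the shared secret, e.g.
//     tsig-keygen -a hmac-sha256 xfer-key
// The command prints a key statement like the one below.
//
// Step 2: put the SAME key statement (same name, same secret) on BOTH servers.
// Because the secret grants transfer rights, keep it in a file that only the
// named user can read and pull it in with:  include "/etc/named/xfer-key.conf";
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder: 32 zero bytes, replace
};

// Step 3: a server statement on each side naming the key, so every message
// sent to that peer (NOTIFY from the primary, AXFR/IXFR requests from the
// secondary) is signed with it.

// --- primary, 192.0.2.1 ---
server 192.0.2.2 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type primary;                       // "master" in older BIND 9 releases
    file "/var/named/example.com.zone";
    // Restrict transfers to requests signed with the key. An unsigned request,
    // even from 192.0.2.2, is now refused: the source address alone no longer
    // qualifies.
    allow-transfer { key "xfer-key"; };
};

// --- secondary, 192.0.2.2 ---
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;                     // "slave" in older BIND 9 releases
    file "/var/named/example.com.zone";
    primaries { 192.0.2.1; };           // "masters" in older BIND 9 releases
};
```

To check the result, run named-checkconf on both hosts after editing, then request a transfer from the primary with dig, once signed and once unsigned: `dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<secret>` should return the zone, while the same query without -y should come back REFUSED. The signed transfer also shows up in the primary's log as a transfer authorised by key "xfer-key", which is a useful thing to alert on if a transfer is ever granted by address alone.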