generate-tsig-key *NAME* *ALGORITHM*
: Generate new TSIG key with name *NAME* and the specified algorithm.
+import-tsig-key *NAME* *ALGORITHM* *KEY*
+: Import *KEY* of the specified algorithm as *NAME*.
+
## ZONE MANIPULATION COMMANDS
create-zone *ZONE*
: Create an empty zone named *ZONE*.
**Note**: Most backends require DNSSEC support enabled to support TSIG. For the
Generic SQL Backend make sure to use the DNSSEC enabled schema and to turn on
-the relevant '-dnssec' flag (for example, gmysql-dnssec)!
+the relevant '-dnssec' flag (for example, `gmysql-dnssec`)!
## Provisioning outbound AXFR access
To actually provision a named secret permission to AXFR a zone, set a metadata
$ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
```
+Another of importing and activating TSIG keys into the database is using [`pdnsutil`](../manpages/pdnsutil.1.md):
+
+```
+pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+pdnsutil activate-tsig-key powerdnssec.org test master
+```
+
To ease interoperability, the equivalent configuration above in BIND would look like this:
```
insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test');
```
+This can also be done using [`pdnsutil`](../manpages/pdnsutil.1.md):
+
+```
+pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+pdnsutil activate-tsig-key powerdnssec.org test slave
+```
+
This setup corresponds to the `TSIG-ALLOW-AXFR` access rule defined in the previous section.
In the interest of interoperability, the configuration above is (not quite)
projects / thirdparty / pdns.git / commitdiff
