
Howto/DNS updates and zone transfers with TSIG

FreeIPA has no TSIG support in its user interface, but the BIND instance it manages can be configured by hand to use TSIG for dynamic updates and zone transfers. Throughout this page keyname and keyvalue are placeholders for the key name and its base64 secret; substitute your own.

TSIG key configuration

Generate a new TSIG key:

$ dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname

This writes a Kkeyname.+165+NNNNN.key/.private file pair into the current directory. On BIND 9.13 and newer dnssec-keygen no longer generates HMAC keys; use tsig-keygen from the same package instead, which prints a ready-to-paste key statement. Treat the secret like a password: anyone holding it can update or transfer the zone.

Copy the secret from the .private file into a key statement in named.conf:

$ cat Kkeyname.+165+0316.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: keyvalue
Bits: AAA=

$ vim /etc/named.conf
key "keyname" {
       algorithm hmac-sha512;
       secret "keyvalue";
};

The value after Key: is the base64 secret, and the algorithm name in named.conf must match the one the key was generated with (hmac-sha512 here).

This key statement has to be present, with the identical secret, in named.conf on every FreeIPA server, since any of them may receive updates or serve transfers. Run named-checkconf before reloading named so a paste error does not take the server down.
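Re-typing the secret on every server is where mismatches creep in. The following added example (not part of the wiki page) parses the .private file that dnssec-keygen wrote and renders the named.conf key statement from it, so the same bytes reach every server; the ssh-based deploy loop, the host list and the use of rndc reconfig on the servers are assumptions to adapt to your environment.

```shell
#!/bin/sh
# Added example (not from the FreeIPA wiki): render a named.conf "key" stanza
# from the Kkeyname.+NNN+NNNNN.private file written by dnssec-keygen, so the
# same secret reaches every FreeIPA server byte-for-byte instead of being
# re-typed. The ssh loop and host names are assumptions.

# Map the numeric algorithm in the .private file to its named.conf name.
# Only BIND's private-use numbers for the TSIG HMAC algorithms are listed.
tsig_alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        162) echo hmac-sha224 ;;
        163) echo hmac-sha256 ;;
        164) echo hmac-sha384 ;;
        165) echo hmac-sha512 ;;
        *)   echo "unknown TSIG algorithm number: $1" >&2; return 1 ;;
    esac
}

# Print a named.conf key stanza for the .private file given as $1.
# The key name comes from the file name: Kkeyname.+165+0316.private -> keyname
tsig_key_stanza() {
    file=$1
    base=$(basename "$file")
    name=${base#K}            # drop the leading K
    name=${name%%.+*}         # drop .+alg+id.private
    algnum=$(sed -n 's/^Algorithm: *\([0-9]*\).*/\1/p' "$file")
    secret=$(sed -n 's/^Key: *//p' "$file")
    [ -n "$algnum" ] && [ -n "$secret" ] || {
        echo "$file: not a dnssec-keygen .private file" >&2
        return 1
    }
    alg=$(tsig_alg_name "$algnum") || return 1
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Append the stanza to named.conf on every FreeIPA server named after the key
# file (assumes root ssh access and a working rndc on the servers; run it once,
# it does not check for an already present key of the same name).
# named-checkconf runs before the reconfig so a broken config is never loaded.
deploy_tsig_key() {
    stanza=$(tsig_key_stanza "$1") || return 1
    shift
    for host in "$@"; do
        printf '%s\n' "$stanza" | ssh "root@$host" \
            'cat >> /etc/named.conf && named-checkconf && rndc reconfig'
    done
}

# Usage: deploy_tsig_key Kkeyname.+165+0316.private ipa1.example.com ipa2.example.com
```

The stanza goes in with tabs, as the page's hand-written one does; what matters is that the secret and algorithm are identical on every server, which is exactly what hand copying tends to get wrong.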

Dynamic updates


Normal rules for BIND dynamic update policies apply; reference the key by the name you gave it in named.conf:

$ ipa dnszone-mod example.com. --update-policy="grant keyname name example.com A;"

Note that --update-policy replaces the zone's whole policy. FreeIPA installs a default policy that lets enrolled hosts update their own A, AAAA and SSHFP records via GSS-TSIG (ipa dnszone-show example.com. --all shows the current value), so append the new grant to the existing statements rather than dropping them if those host updates should keep working.

A FreeIPA-specific detail: a zone has a separate on/off switch for dynamic updates, and a non-empty update policy has no effect while it is off. Make sure dynamic updates are enabled for your zone:

$ ipa dnszone-mod example.com. --dynamic-update=1


nsupdate from the bind-utils package takes the key either as -y [algorithm:]keyname:keyvalue on the command line or as -k keyfilename, where keyfilename is the .private file from dnssec-keygen (its .key counterpart must sit in the same directory) or a file containing a named.conf-style key statement. Prefer -k: with -y the secret is visible in the process list and ends up in shell history. E.g.

$ nsupdate -y hmac-sha512:keyname:keyvalue

$ nsupdate -k Kkeyname.+165+0316.private

nsupdate then reads its commands (server, zone, update add, send, ...) from standard input or from a file given as the last argument.

Zone transfers


The FreeIPA UI and CLI (ipa dnszone-mod --allow-transfer) accept only IP addresses in the allow-transfer ACL, so a key-based ACL has to be written to LDAP directly.

Run this on one of FreeIPA servers:

$ kinit admin
$ ldapmodify -Y GSSAPI << EOF
dn: idnsname=example.com.,cn=dns,dc=ipa,dc=example
changetype: modify
replace: idnsAllowTransfer
idnsAllowTransfer: key keyname;
EOF

Replace the zone name in the idnsname component of the DN and the realm-derived suffix in the dc=ipa,dc=example components (for realm EXAMPLE.COM it is dc=example,dc=com; ipa env basedn prints it). The ACL lists only the key, so a transfer request that is not signed with it is refused. named picks the change up through bind-dyndb-ldap without a restart; ipa dnszone-show example.com. --all shows the stored value.


For dig from the bind-utils package the key options are the same as for nsupdate: -y [algorithm:]keyname:keyvalue or -k keyfilename. Request the transfer with the AXFR query type against one of the FreeIPA servers (ipa.example.com below stands for your server), e.g.

$ dig -y hmac-sha512:keyname:keyvalue @ipa.example.com example.com. AXFR

$ dig -k Kkeyname.+165+0316.private @ipa.example.com example.com. AXFR

A successful transfer prints the zone's records between two SOA lines and ends with the TSIG pseudo-record. The same query without the key should now fail with "Transfer failed.", which is the quickest check that the ACL took effect.
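Putting the nsupdate and dig parts together, the following added example (not from the wiki page) performs one TSIG-signed update with a prerequisite and then checks the new record in a TSIG-authenticated AXFR. The server name, the host being added and its address are assumptions; the key file name is the one used above. The network calls are only made when RUN_TSIG_DEMO=1, and a constructed sample of dig's AXFR output is embedded so the counting logic can be tried offline.

```shell
#!/bin/sh
# Added example, not from the FreeIPA wiki: one TSIG-signed dynamic update
# followed by a TSIG-authenticated AXFR that checks the record really landed.
# Server name, host and address are assumptions; the key file name is the one
# from the page. Keep the matching Kkeyname.+165+0316.key next to the .private
# file, nsupdate and dig read the pair.

KEYFILE=${KEYFILE:-Kkeyname.+165+0316.private}
SERVER=${SERVER:-ipa.example.com}
ZONE=${ZONE:-example.com.}

# Render the nsupdate batch for adding one A record. The prereq line makes the
# server reject the update if the name already has A records, so a mistyped
# or stale name is not silently overwritten; everything up to "send" is
# applied atomically.
nsupdate_batch() {
    # $1 = fully qualified name with trailing dot, $2 = IPv4 address, $3 = TTL
    printf 'server %s\nzone %s\nprereq nxrrset %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$1" "$1" "$3" "$2"
}

# Count records of one type for one name in "dig ... AXFR" output. Record lines
# are "name ttl class type rdata"; comment lines start with ";" and the TSIG
# pseudo-record dig prints last has type TSIG, so neither is counted.
axfr_count() {
    # $1 = fully qualified name with trailing dot, $2 = record type; AXFR on stdin
    awk -v n="$1" -v t="$2" '$1 == n && $4 == t { c++ } END { print c + 0 }'
}

# Constructed sample of what dig prints for a signed transfer (not captured
# from a real server), so axfr_count can be exercised without one.
sample_axfr() {
    printf '%s\n' \
        '; <<>> DiG 9.16.23 <<>> -k Kkeyname.+165+0316.private @ipa.example.com example.com. AXFR' \
        ';; global options: +cmd' \
        'example.com.        3600  IN  SOA   ipa.example.com. hostmaster.example.com. 1 3600 900 1209600 3600' \
        'host1.example.com.  300   IN  A     192.0.2.10' \
        'host1.example.com.  300   IN  AAAA  2001:db8::10' \
        'example.com.        3600  IN  SOA   ipa.example.com. hostmaster.example.com. 1 3600 900 1209600 3600' \
        'keyname.            0     ANY TSIG  hmac-sha512. 1700000000 300 64 AAAA 12345 NOERROR 0'
}

# Talk to the real server only when asked; the functions above are side-effect free.
if [ "${RUN_TSIG_DEMO:-0}" = 1 ]; then
    nsupdate_batch host1.example.com. 192.0.2.10 300 | nsupdate -k "$KEYFILE"
    n=$(dig -k "$KEYFILE" @"$SERVER" "$ZONE" AXFR | axfr_count host1.example.com. A)
    [ "$n" -eq 1 ] && echo "host1 A record present in signed AXFR" \
                   || echo "host1 A record missing from signed AXFR" >&2
else
    sample_axfr | axfr_count host1.example.com. A    # prints 1
fi
```

The prerequisite is the part worth copying: without it a second run of the same batch, or a typo that hits an existing name, quietly replaces whatever was there. Checking the result over AXFR with the same key also confirms the allow-transfer ACL from the previous section is in place.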