I'm in the process of setting up DNS replication where Windows Server acts as the master and BIND9 is the slave. I want to ensure this setup is secure using TSIG. For anyone who has experience with configuring this type of scenario, I have a few questions:
- What's the best way to generate the TSIG key?
- How should I configure it on both Windows DNS and BIND9?
- Are there any specific considerations I should keep in mind for this mixed environment?
Thanks for your help!
1 Answer
When generating the TSIG key, do it on the BIND side, then copy the Base64 secret into Windows using PowerShell. Make sure you reference the same key and algorithm in BIND’s master list. A key point is to ensure both servers are synced with NTP; many TSIG issues arise from clock drift or algorithm mismatches.
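The BIND side of the procedure the answer describes, as an added example (not code from the answer, the question, or from the BIND or Windows DNS projects). It assumes placeholder values, none of which come from the question: key name `xfer-key`, zone `example.test`, and a primary (the Windows DNS server) at 192.0.2.10. It uses `openssl rand` in place of BIND's `tsig-keygen` so it runs on a host without BIND, writes the two `named.conf` fragments to a temporary directory, runs `named-checkconf` on them when that tool is present, and prints the `dig -y` command that reproduces the signed transfer request.

```shell
#!/bin/sh
# Added example, not from the answer above: BIND-side TSIG setup for a
# secondary ("slave") zone. Assumed placeholders: key name xfer-key, zone
# example.test, primary (Windows DNS) at 192.0.2.10. BIND's tsig-keygen
# produces the same kind of key; openssl is used so this also runs where
# BIND is not installed.
set -eu

KEY_NAME="xfer-key"
ZONE="example.test"
PRIMARY_IP="192.0.2.10"

# 32 random bytes, base64-encoded: a full-strength secret for hmac-sha256.
gen_tsig_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Decoded length of a base64 secret. A secret that was pasted short, or
# that is not valid base64, is a common reason TSIG verifies on one side only.
secret_byte_length() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# named.conf key statement. Name, algorithm and secret must be identical
# on both ends: the key name itself is covered by the signature.
render_key_block() {
    name="$1"; secret="$2"
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' \
        "$name" "$secret"
}

# Secondary zone whose SOA/AXFR/IXFR requests to the primary are signed
# with the key. "type slave" / "masters" is accepted by every BIND 9;
# BIND 9.16 and later also accept "type secondary" / "primaries".
render_secondary_zone() {
    zone="$1"; primary="$2"; keyname="$3"
    printf 'zone "%s" {\n    type slave;\n    file "%s.db";\n    masters { %s key "%s"; };\n};\n' \
        "$zone" "$zone" "$primary" "$keyname"
}

# dig invocation that sends the same signed AXFR request named would send,
# so the transfer can be tested from the shell before named.conf is touched.
# A TSIG record carries the signing time plus a fudge window (300 s by
# default in BIND); if the two clocks differ by more than that the primary
# answers BADTIME, which is why the answer insists on NTP.
render_axfr_check() {
    zone="$1"; primary="$2"; keyname="$3"; secret="$4"
    printf 'dig -y hmac-sha256:%s:%s @%s %s AXFR\n' \
        "$keyname" "$secret" "$primary" "$zone"
}

main() {
    secret=$(gen_tsig_secret)
    out=$(mktemp -d)
    {
        render_key_block "$KEY_NAME" "$secret"
        render_secondary_zone "$ZONE" "$PRIMARY_IP" "$KEY_NAME"
    } > "$out/named.conf.tsig"
    # Syntax-check the fragment when BIND's checker is available.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out/named.conf.tsig"
    fi
    echo "secret decodes to $(secret_byte_length "$secret") bytes"
    echo "fragment written to $out/named.conf.tsig"
    echo "test the transfer with:"
    render_axfr_check "$ZONE" "$PRIMARY_IP" "$KEY_NAME" "$secret"
}

main
```

Whatever the Windows side does with the key, restrict the transfer to the BIND host's address as well: `Set-DnsServerPrimaryZone -Name example.test -SecureSecondaries TransferToSecureServers -SecondaryServers <BIND address>` is the allow-list control Windows DNS provides for zone transfers, and it should be in place regardless of how the TSIG step turns out on your Windows Server version. The `dig -y` line printed at the end fails with `BADKEY` when name, algorithm or secret differ between the two hosts and with `BADTIME` when the clocks are outside the fudge window, which separates the two failure causes the answer lists.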

I'm going to try that! THANKS. Have you ever set this up yourself?