Objective: be able to secure zone transfer between a master and a slave name server using TSIG keys.
Generate a TSIG key with `tsig-keygen` (older guides use `dnssec-keygen` for this) and append the resulting `key` statement to a file in the /etc/bind directory:

```shell
tsig-keygen groupXX.net >> /etc/bind/groupXX.net.key
```

Check that this generated the file:

```shell
ls -la /etc/bind/groupXX.net.key
```
Note: Make sure that the key name is as descriptive as possible. In our example the name chosen is `groupXX.net`, to show that it is for the domain `groupXX.net` and that the TSIG key is exchanged between `ns1` (the primary server) and `ns2` (the secondary server).
Configure `ns1` with this key. Open `named.conf.local`, add the include statement for the key file and a `server` statement so that named signs its traffic to the slave with that key. The name inside `keys { }` must be the name given in the generated `key` statement, here `groupXX.net`:

```
include "/etc/bind/groupXX.net.key";
server <ip-of-slave> { keys { groupXX.net; }; };
```

Then edit the zone statement in `named.conf.local` to allow zone transfer to the slave with the generated key instead of by IP address. For the domain `groupXX.net` the zone statement looks like this:

```
zone "groupXX.net" {
    type master;
    file "db.groupXX.net";
    allow-transfer {
        // 192.168.30.XX
        key groupXX.net;   // use keys for secure zone transfer
    };
};
```
Copy the key file to the slave (`ns2`) and move it into /etc/bind there (`<ip-of-slave>` stands for the slave's address, as in the `server` statement above):

```shell
# on the master
scp groupXX.net.key apnic@<ip-of-slave>:/home/apnic/
# on the slave
mv /home/apnic/groupXX.net.key /etc/bind/
```

On the slave, include the same key file in `named.conf.local` and add a `server` statement for the master (the file name must match the file copied above):

```
include "/etc/bind/groupXX.net.key";
server <ip-of-master> { keys { groupXX.net; }; };
```
On the slave, the log of a successful TSIG-signed transfer looks like this:

```
12-May-2016 17:30:34.147 zone groupXX.net/IN: Transfer started.
12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: connected using 192.168.102.1#45052
12-May-2016 17:30:34.147 zone groupXX.net/IN: transferred serial 201600201: TSIG 'ns1-ns2.groupXX'
12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: Transfer status: success
12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: Transfer completed: 1 messages, 10 records, 345 bytes, 0.001 secs (345000 bytes/sec)
12-May-2016 17:30:34.147 zone groupXX.net/IN: sending notifies (serial 201600201)
```
Test from the slave. A zone transfer requested without the key is refused:

```shell
dig @192.168.30.XX groupXX.net axfr

; <<>> DiG 9.9.8-P4 <<>> @192.168.30.XX groupXX.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
Example: with a key

```shell
dig @server domain axfr -k <key_file>
```

So for `groupXX.net`, from the slave server try the following:

```shell
dig @192.168.30.XX groupXX.net axfr -k groupXX.net.key
```
Note: If the time difference between master and slave is more than 3 minutes, the zone transfer will fail even if you have the correct key.
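To show why both the shared secret and synchronised clocks matter, here is an added Python example (not part of this lab) that reads a key file in the format `tsig-keygen` writes, signs a request the way TSIG does (RFC 8945 digest layout) and verifies it as the peer would: a wrong secret gives BADSIG, a clock outside the fudge window gives BADTIME. The key file contents, the secret, the request bytes, the 180 second fudge and the timestamp are constructed values.

```python
"""TSIG sign/verify sketch: shared secret plus clock window (RFC 8945)."""
import base64, hashlib, hmac, re, struct

# Constructed stand-in for /etc/bind/groupXX.net.key; the secret is made up.
KEY_FILE = '''key "groupXX.net" {
        algorithm hmac-sha256;
        secret "bGFiLW9ubHktc2VjcmV0IQ==";
};'''
FUDGE = 180  # seconds; constructed to mirror the note's 3 minute figure
ALGS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}

def parse_key_file(text):
    """Return (key name, algorithm, raw secret bytes) from a BIND key statement."""
    m = re.search(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;', text)
    if not m:
        raise ValueError("no key statement found")
    return m.group(1), m.group(2).lower(), base64.b64decode(m.group(3))

def wire_name(name):
    """Domain name in canonical (lower-case, uncompressed) wire format."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_mac(secret, alg, key_name, message, time_signed):
    """HMAC over the unsigned message followed by the TSIG variables."""
    variables = (wire_name(key_name) + struct.pack(">HI", 255, 0)   # class ANY, TTL 0
                 + wire_name(alg) + time_signed.to_bytes(6, "big")  # 48-bit time signed
                 + struct.pack(">HHH", FUDGE, 0, 0))                # fudge, error, other len
    return hmac.new(secret, message + variables, ALGS[alg]).digest()

def verify(secret, alg, key_name, message, time_signed, mac, now):
    """Peer-side check: signature first, then the time window."""
    if not hmac.compare_digest(tsig_mac(secret, alg, key_name, message, time_signed), mac):
        return "BADSIG"
    if abs(now - time_signed) > FUDGE:
        return "BADTIME"
    return "NOERROR"

def demo():
    """Sign one constructed request and verify it under three conditions."""
    name, alg, secret = parse_key_file(KEY_FILE)
    request = b"<constructed AXFR request bytes for groupXX.net>"
    signed_at = 1463074234   # 12-May-2016 17:30:34 UTC, the timestamp in the log above
    mac = tsig_mac(secret, alg, name, request, signed_at)
    return {
        "in_sync": verify(secret, alg, name, request, signed_at, mac, signed_at + 30),
        "skewed": verify(secret, alg, name, request, signed_at, mac, signed_at + 400),
        "wrong_key": verify(b"other-secret", alg, name, request, signed_at, mac, signed_at),
    }

if __name__ == "__main__":
    print(demo())
```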