SIDN Labs DNS Workbench - Transfers and TSIG
All zones are transferable from all servers. This gives users the option to set up their own systems as 'hidden' slaves; they will not get NOTIFY messages, and they are not announced in the zones, but you can use it to test transfers.
This also gives you the option to inspect the full zones in case there is some interesting behaviour.
Aside from plain transfers, there are also TSIG keys configured:
(NOTE: Yadifa and PowerDNS don't have TSIG keys configured just yet)
| Name | Algorithm | secret |
|---|---|---|
| wb_md5 | hmac-md5.sig-alg.reg.int | Wu/utSasZUkoeCNku152Zw== |
| wb_sha1 | hmac-sha1 | Vn37JPSCmaCHKJhghcpRg8m6PlQ= |
| wb_sha1_longkey | hmac-sha1 | uhMpEhPq/RAD9Bt4mqhfmi+7ZdKmjLQb/lcrqYPXR4s/nnbsqw== |
| wb_sha256 | hmac-sha256 | npfrIJjt/MJOjGJoBNZtsjftKMhkSpIYMv2RzRZt1f8= |
Examples:
$ drill -y "wb_md5:Wu/utSasZUkoeCNku152Zw==" axfr ok.bad-dnssec.wb.sidnlabs.nl @bind9.sidnlabs.nl | wc -l
73
$ drill axfr ok.bad-dnssec.wb.sidnlabs.nl @knot.sidnlabs.nl | wc -l
73
73
$ drill axfr ok.bad-dnssec.wb.sidnlabs.nl @knot.sidnlabs.nl | wc -l
73
Knot config snippet:
- domain: ok.bad-dnssec.wb.sidnlabs.nl.
acl: any
acl: awb_md5
acl: awb_sha1
acl: awb_sha1_longkey
acl: awb_sha256
file: "/var/dns-workbench/zones/ok.bad-dnssec.wb.sidnlabs.nl"