LFCS Question #385: Real Exam Question with Answer & Explanation
The correct answer is B: Generate a key, specify the private key in the named configuration on both servers, create a server. To secure BIND 9 zone transfers with TSIG, a shared secret key must be generated once and then securely configured as the private key on both the primary and secondary DNS servers.
Question
What are the steps which must be followed to enable server-wide zone transfers between two BIND 9 servers securely using TSIG?
Options
- A. Generate a key, specify the public key in the named configuration on both servers, create a server
- B. Generate a key, specify the private key in the named configuration on both servers, create a server
- C. Generate a key, specify the private key in the named configuration on one server and the public key
- D. Generate a key, specify the private key in the named configuration on one server and the public key
Explanation
To secure BIND 9 zone transfers with TSIG, a shared secret key must be generated once and then securely configured as the private key on both the primary and secondary DNS servers.
Common mistakes.
- A. TSIG authenticates zone transfers with a shared secret key, not with an asymmetric public/private key pair; there is no "public key" to specify, so this option is incorrect.
- C. TSIG uses a symmetric shared secret key; it's not a public/private key cryptography scheme where one server has a private and the other a public key. Both servers need the identical shared secret key.
- D. This option incorrectly describes TSIG as using an asymmetric key pair rather than a shared symmetric secret key.
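The procedure the explanation describes, as an added example that is not part of the original page: a POSIX shell script that generates the shared secret and emits the matching named.conf fragments for the primary and the secondary. The key name, zone and 192.0.2.x addresses are constructed placeholders, and the random base64 value stands in for what BIND's tsig-keygen would produce.

```shell
#!/bin/sh
# Added example (not from the page): TSIG key generation plus the two
# named.conf fragments. Both servers store the SAME secret; TSIG is symmetric.
set -e

KEY_NAME="xfer-key"        # assumed key name; must be identical on both servers
ZONE="example.com"         # constructed placeholder zone
PRIMARY_IP="192.0.2.1"     # documentation-range placeholder addresses
SECONDARY_IP="192.0.2.2"

gen_secret() {
    # 32 random bytes, base64 encoded: the same shape tsig-keygen emits for hmac-sha256
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The 'key' statement is copied verbatim to both servers (it holds the secret,
# so the file it lives in should be readable by the named user only).
key_stanza() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Primary: allow AXFR/IXFR only to a peer that signs its request with the key.
# Listing a bare IP here instead would let an unsigned peer pull the zone.
primary_conf() {
    key_stanza "$KEY_NAME" "$1"
    printf 'zone "%s" {\n    type primary;\n    file "%s.db";\n' "$ZONE" "$ZONE"
    printf '    allow-transfer { key "%s"; };\n};\n' "$KEY_NAME"
}

# Secondary: the 'server' statement makes named sign every message sent to
# the primary with the named key, so the transfer request is accepted.
secondary_conf() {
    key_stanza "$KEY_NAME" "$1"
    printf 'server %s {\n    keys { "%s"; };\n};\n' "$PRIMARY_IP" "$KEY_NAME"
    printf 'zone "%s" {\n    type secondary;\n    primaries { %s; };\n    file "%s.db";\n};\n' \
        "$ZONE" "$PRIMARY_IP" "$ZONE"
}

# Check that both fragments carry one and the same secret line; a mismatch
# shows up in the primary log as a BADKEY/BADSIG refusal at transfer time.
same_secret() {
    p=$(printf '%s' "$1" | grep 'secret')
    s=$(printf '%s' "$2" | grep 'secret')
    [ -n "$p" ] && [ "$p" = "$s" ]
}
```

Run `named-checkconf` on each resulting file before reloading, and verify the setup with `dig @192.0.2.1 example.com AXFR -k keyfile` from the secondary.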
Concept tested. BIND 9 TSIG zone transfer configuration
Reference. https://bind9.readthedocs.io/en/latest/configuration.html#tsig-keys