nerdexam
CompTIA

LX0-104 · Question #385

What are the steps which must be followed to enable serverwide zone transfers between two BIND 9 servers securely using TSIG?

The correct answer is B. Generate a key, specify the private key in the named configuration on both servers, create a server. To enable secure BIND 9 zone transfers using TSIG, a shared secret key must be generated and then specified in the named configuration on both the primary and secondary DNS servers.

Networking Fundamentals

Question

What are the steps which must be followed to enable serverwide zone transfers between two BIND 9 servers securely using TSIG?

Options

  • AGenerate a key, specify the public key in the named configuration on both servers, create a server
  • BGenerate a key, specify the private key in the named configuration on both servers, create a server
  • CGenerate a key, specify the private key in the named configuration on one server and the public key
  • DGenerate a key, specify the private key in the named configuration on one server and the public key

How the community answered

(32 responses)
  • A
    9% (3)
  • B
    75% (24)
  • C
    3% (1)
  • D
    13% (4)

Why each option

To enable secure BIND 9 zone transfers using TSIG, a shared secret key must be generated and then specified in the named configuration on both the primary and secondary DNS servers.

AGenerate a key, specify the public key in the named configuration on both servers, create a server

TSIG relies on a shared secret (private) key, not a public key; public keys are used in asymmetric cryptography like DNSSEC, but not for TSIG's symmetric shared secret model.

BGenerate a key, specify the private key in the named configuration on both servers, create a serverCorrect

Secure zone transfers using TSIG (Transaction Signature) in BIND require both the primary and secondary DNS servers to share the *same* secret key. This key, often generated using `dnssec-keygen`, acts as a shared private key that allows both servers to cryptographically sign and verify messages, ensuring authenticity and integrity of zone transfer requests and responses.

CGenerate a key, specify the private key in the named configuration on one server and the public key

TSIG uses a single shared secret key, not a combination of private and public keys distributed differently across servers.

DGenerate a key, specify the private key in the named configuration on one server and the public key

TSIG uses a single shared secret key, not a combination of private and public keys distributed differently across servers.

Concept tested: BIND 9 TSIG secure zone transfers

Source: https://www.isc.org/docs/bind9-admin-reference-guide.pdf

Topics

#BIND 9#DNS zone transfers#TSIG#DNS security

Community Discussion

No community discussion yet for this question.

Full LX0-104 Practice