1. Run:

   # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.key

   You will see something like:

   Kmydomain.key.+157+32373

   (Note: this is the legacy way of producing a TSIG key. Newer BIND releases
   no longer generate HMAC keys with dnssec-keygen; use tsig-keygen, which
   prints a ready-made key statement, and prefer hmac-sha256 over hmac-md5.
   The lab below uses hmac-md5 throughout so that both sides match.)

2. Then do:

   # cat Kmydomain.key.+157+32373.private

   You will see something similar to:

   Private-key-format: v1.2
   Algorithm: 157 (HMAC_MD5)
   Key: tHTRSKKrmyGmPnzNCf2IRA==
   Bits: AAA=

   ... the "Key:" line is the important part here, so copy
   "tHTRSKKrmyGmPnzNCf2IRA==". This is the shared secret: it must be
   identical (and have the same key name) on every server that signs or
   verifies transfers, and named.conf (or whatever file you "include" it
   from) should not be world-readable.

3. Add the following to your named.conf:

   options {
       ...
       allow-transfer { none; };
       ...
   };

   logging {
       ...
   };

   key mydomain-key {
       algorithm hmac-md5;
       secret "tHTRSKKrmyGmPnzNCf2IRA==";
   };

   zone "mydomain.menog" {
       // ... here is your zone definition from before
       allow-transfer { key mydomain-key; };
   };
   ...

   The global "allow-transfer { none; }" refuses AXFR for every zone by
   default; the per-zone "allow-transfer { key mydomain-key; }" then allows
   it only for requests carrying a valid TSIG signature made with that key.

4. Restart named.

5. Try to make a zone transfer from ANOTHER machine -- ask your neighbors:

   # dig @10.10.1.XXX axfr mydomain.menog

   Look at /etc/namedb/logs/general and /etc/namedb/logs/transfers.
   What do you notice?

6. Try again with the key:

   # dig @10.10.1.XXX axfr mydomain.menog -y mydomain-key:tHTRSKKrmyGmPnzNCf2IRA==

   ... what happens now? Check the logs again.

   (The -y argument is [hmac:]name:secret; with no algorithm given, dig
   assumes hmac-md5, which is why this matches the key statement above.
   A secret on the command line is visible to other users in the process
   list, so outside a lab use "dig -k" with a key file instead.)

7. ON THE SLAVE:

   - Remove the zone file /etc/namedb/slave/mydomain.menog
   - Restart named (/etc/rc.d/named restart)

   Check that the zone is gone AND that the slave wasn't able to reload it.

   - What do you see in the MASTER logs (transfers and general)?
   - What do you see in the SLAVE logs (transfers and general)?

8. Still on the SLAVE: find the statement for the zone:

   zone "mydomain.menog" {
       type slave;
       masters { 10.10.1.XXX; };
       file "slave/mydomain.menog";
   };

   ... and add the key, and a server statement to tell named which key to
   use when talking to "10.10.1.XXX" (the master):

   key mydomain-key {
       algorithm hmac-md5;
       secret "tHTRSKKrmyGmPnzNCf2IRA==";
   };

   server 10.10.1.XXX {
       keys { mydomain-key; };
   };

   The key name and secret must be exactly the same as on the master;
   the server statement makes the slave sign every request (SOA query,
   AXFR/IXFR) it sends to that address.

9. Restart named.

   - Is the zone "mydomain.menog" back in the slave/ directory?
   - What do you see in the MASTER logs (transfers and general)?
   - What do you see in the SLAVE logs (transfers and general)?
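What "dig -y" and the slave's server statement actually put on the wire, and what the master checks before honouring allow-transfer { key ...; }, is a TSIG record (RFC 8945). The following is an added illustration, not part of the lab and not BIND's code: it builds the AXFR query for mydomain.menog, signs it with the lab's key name and secret, and then verifies it the way named would, distinguishing an unsigned request, an unknown key, a bad signature and a stale timestamp. The message ID, the timestamps and the tampered message are constructed for the example; DNS name compression is not handled, which is fine for queries but not for parsing a real AXFR answer.

```python
# Added example, not from the MENOG lab or BIND: minimal TSIG (RFC 8945) signing
# and verification for an AXFR query. Key name/secret are the lab's; 0x1234 and
# the timestamps are assumptions. No name compression (queries never use it).
import base64
import hashlib
import hmac
import struct
import time

TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255
# dig -y defaults to hmac-md5; hmac-sha256 is what tsig-keygen produces today.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}


def canon(name):
    """Canonical form used inside the MAC: lowercase, fully qualified."""
    return name.rstrip(".").lower() + "."


def encode_name(name):
    labels = [l for l in canon(name).rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_axfr_query(zone, msg_id):
    """Header (1 question, nothing else) + question section, like dig axfr."""
    return struct.pack(">HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC, in RFC 8945 order."""
    return (encode_name(keyname) + struct.pack(">HI", CLASS_ANY, 0) + encode_name(alg)
            + time_signed.to_bytes(6, "big") + struct.pack(">HHH", fudge, error, len(other)) + other)


def sign(msg, keyname, secret_b64, alg="hmac-sha256.", time_signed=None, fudge=300):
    """Append a TSIG RR to msg, as dig -y (or a slave's server statement) does."""
    ts = int(time.time()) if time_signed is None else time_signed
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, msg + tsig_variables(keyname, alg, ts, fudge), ALGORITHMS[canon(alg)]).digest()
    orig_id = struct.unpack(">H", msg[:2])[0]
    rdata = (encode_name(alg) + ts.to_bytes(6, "big") + struct.pack(">HH", fudge, len(mac)) + mac
             + struct.pack(">HHH", orig_id, 0, 0))
    rr = encode_name(keyname) + struct.pack(">HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1          # TSIG counts in ARCOUNT
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + rr


def split_tsig(signed):
    """Return (message as it was before signing, parsed TSIG fields), or None."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(signed, off)
        off += 4
    last = None
    for _ in range(an + ns + ar):
        start = off
        name, off = decode_name(signed, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", signed[off:off + 10])
        off += 10
        last = (start, name, rtype, off)
        off += rdlen
    if last is None or last[2] != TYPE_TSIG or off != len(signed):
        return None                                           # TSIG must be the final RR
    start, name, _, p = last
    alg, p = decode_name(signed, p)
    ts = int.from_bytes(signed[p:p + 6], "big")
    fudge, macsize = struct.unpack(">HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + macsize]
    unsigned = signed[:10] + struct.pack(">H", ar - 1) + signed[12:start]
    return unsigned, {"keyname": name, "alg": alg, "time_signed": ts, "fudge": fudge, "mac": mac}


def verify(signed, keys, now=None):
    """Check a request like named does for allow-transfer { key ...; }; return the outcome."""
    parts = split_tsig(signed)
    if parts is None:
        return "REFUSED"                                      # unsigned: no key, no transfer
    unsigned, t = parts
    secret = keys.get(canon(t["keyname"]))
    if secret is None or canon(t["alg"]) not in ALGORITHMS:
        return "BADKEY"
    expected = hmac.new(base64.b64decode(secret),
                        unsigned + tsig_variables(t["keyname"], t["alg"], t["time_signed"], t["fudge"]),
                        ALGORITHMS[canon(t["alg"])]).digest()
    if not hmac.compare_digest(expected, t["mac"]):
        return "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - t["time_signed"]) > t["fudge"]:              # replay window = fudge seconds
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    KEYS = {canon("mydomain-key"): "tHTRSKKrmyGmPnzNCf2IRA=="}   # the lab's key statement
    query = build_axfr_query("mydomain.menog", 0x1234)
    print("step 5, no key:   ", verify(query, KEYS))
    print("step 6, with key: ", verify(sign(query, "mydomain-key", KEYS[canon("mydomain-key")]), KEYS))
    print("wrong secret:     ", verify(sign(query, "mydomain-key", "AAAAAAAAAAAAAAAAAAAAAA=="), KEYS))
```

The verifier strips the TSIG RR and decrements ARCOUNT before recomputing the MAC, because the signer computed it over the message as it was before the record was appended; the order of the checks (unknown key, then MAC, then time) is the order the RFC prescribes, so a server never reveals whether a timestamp was acceptable for a key it could not validate.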