Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 650

The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==) is found in both files.
To use it for transactions, the second file (Khost1-host2.+157+34265.key)
must be transferred to the remote host, preferably in a secure way (using scp, for exam-
ple). On the remote server, the key must be included in the file /etc/named.conf
to enable a secure communication between host1 and host2:
key host1-host2. {
algorithm hmac-md5;
secret ";ejIkuCyyGJwwuN3xAteKgg==;
};
WARNING: File Permissions of /etc/named.conf
Make sure that the permissions of /etc/named.conf are properly restricted.
The default for this file is 0640, with the owner being root and the group
named. As an alternative, move the keys to an extra file with specially limited
permissions, which is then included from /etc/named.conf. To include an
external file, use:
include
Replace filename with an absolute path to your file with keys.
To enable the server host1 to use the key for host2 (which has the address
192.168.2.3 in this example), the server's /etc/named.conf must include the
following rule:
server 192.168.2.3 {
keys { host1-host2. ;};
};
Analogous entries must be included in the configuration files of host2.
Add TSIG keys for any ACLs (access control lists, not to be confused with file system
ACLs) that are defined for IP addresses and address ranges to enable transaction secu-
rity. The corresponding entry could look like this:
allow-update { key host1-host2. ;};
This topic is discussed in more detail in the BIND Administrator Reference Manual
under update-policy.
632 Installation and Administration
"filename"