Enhance your CompTIA CASP+ exam readiness with our comprehensive quizzes. Sharpen your skills with detailed flashcards and multiple choice questions, each with hints and in-depth explanations. Prepare effectively for this challenging exam!


To secure zone transfers to a secondary DNS server, what must be included in the primary DNS configuration file?

  1. key company-key; allow transfer { 192.168.20.53; }

  2. allow transfer { any; }; key company-key;

  3. key company-key; allow transfer { any; }

  4. deny transfer { all; }; allow transfer { 192.168.20.53; }

The correct answer is: key company-key; allow transfer { 192.168.20.53; }

To secure zone transfers to a secondary DNS server, it is essential to specify which servers are allowed to perform zone transfers from the primary DNS server. The correct answer includes both the configuration of a key (an authentication mechanism used in transaction signatures) and an explicit allowance for a specific IP address.

In the first option, defining "key company-key;" and specifying "allow transfer { 192.168.20.53; }" establishes an authentication key named "company-key" that is used to secure the transfer, and restricts the transfer to a specific secondary DNS server at the IP address 192.168.20.53. This ensures that only the predefined trusted server can receive zone transfers, thereby protecting against unauthorized access or data leaks.

The effective use of keys and IP restrictions in this configuration is critical for maintaining the security and integrity of DNS data during zone transfers. This approach helps to ensure that only authorized servers can obtain sensitive information about the DNS zones, which is vital in preventing potential attacks such as DNS spoofing or cache poisoning.

Other options lack the same level of security specificity. For example, allowing transfers to "any" server, as seen in other options, exposes the primary DNS server to