Nsd-xfer using TSIG - read_tsig_key_data()

Hi,

I was trying to use nsd-xfer with TSIG, and it took quite some time to figure
out, as the man page only mentions it is in the form of "tsiginfo".

I tested and it did not seem to be the same format as a key: section in the
nsd.conf file (Feature request: use the same format as the key: clause)

Looking through the source, I was confused about the simplicity of the ahum "parser" :)

read_tsig_key_data() is called with a file pointer and is supposed to return the tsig_key_type

It uses tsig_read_line(), a small routine to read and strip a line.

The first line read is ignored, apparently it thinks this might contain the IP address
that is not used, as that is specified on the command line to nsd-xfer. It would be a
good candidate to go.

The second line reads the key name, and runs it through dname_parse(). I guess to verify
the keyname is a valid RRlabel, then stores it.

The third line reads the key algorithm. Then it runs atoi() on it, so I guess me specifying
"hmac-md5" was wrong. Looking at RFC2845 didn't give me the answer, but apparently I was
looking for "157" if I can trust tsig.h (and testing shows I can)

I would have sent a patch if the man pages were kept in xml format, but
since writing in roff is only barely more fun than stabbing yourself in
the eye you will have to accept this "diff" in text form:

old text:

        -T tsiginfo
               Use TSIG to verify the zone transfer. The tsiginfo file must
               contain the TSIG key information. The file is removed upon
               successful reading of the key.

new text:

        -T tsiginfo
               Use TSIG to verify the zone transfer. The tsiginfo file must
               contain the TSIG key information and is removed upon
               successful reading of the key. The file must contain exactly four
               lines containing the following items in this specific order:
               <comment>
               <keyname>
               <tsig algorithm number>
               <tsig secret in base64>

               The keyname must be a valid RRlabel (alphanumeric, dots and "-" only)
               Currently supported tsig algorithms are 157 (hmac-md5), 158 (hmac-sha1)
               and 159 (hmac-sha256)
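As an added example (not NSD's own code), here is a small Python writer and checker for the four-line tsiginfo format described above; it maps a name like "hmac-md5" to the number nsd-xfer actually expects, and rejects a file that would otherwise be read as algorithm 0. The key-name regex, the "generated" comment and the sample file are assumptions made for the example.

```python
import base64
import binascii
import re

# Algorithm numbers nsd-xfer expects on the third line (values from the thread).
TSIG_ALGORITHMS = {157: "hmac-md5", 158: "hmac-sha1", 159: "hmac-sha256"}
ALGORITHM_NUMBERS = {name: num for num, name in TSIG_ALGORITHMS.items()}

# Key-name check following the man-page wording: alphanumeric, dots and "-" only.
_KEYNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def make_tsiginfo(keyname, algorithm, secret, comment="generated"):
    """Build the four-line tsiginfo text. `algorithm` may be a number or a
    name such as "hmac-md5"; the name is converted here because nsd-xfer
    itself only runs atoi() on that line."""
    if isinstance(algorithm, str) and not algorithm.isdigit():
        algorithm = ALGORITHM_NUMBERS[algorithm.lower()]
    algorithm = int(algorithm)
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm number %d" % algorithm)
    if not _KEYNAME_RE.match(keyname):
        raise ValueError("invalid key name %r" % keyname)
    secret_b64 = base64.b64encode(secret).decode("ascii")
    return "\n".join([comment, keyname, str(algorithm), secret_b64]) + "\n"


def parse_tsiginfo(text):
    """Validate a tsiginfo file as the thread describes it and return its fields,
    raising ValueError with a concrete reason instead of silently using algorithm 0."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) != 4:
        raise ValueError("expected exactly four lines, got %d" % len(lines))
    comment, keyname, algo_text, secret_b64 = lines
    if not _KEYNAME_RE.match(keyname):
        raise ValueError("invalid key name %r" % keyname)
    if not algo_text.isdigit():
        raise ValueError("line 3 must be the algorithm number, not %r" % algo_text)
    algorithm = int(algo_text)
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm number %d" % algorithm)
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except binascii.Error:
        raise ValueError("line 4 is not valid base64")
    return {"comment": comment, "keyname": keyname, "algorithm": algorithm,
            "algorithm_name": TSIG_ALGORITHMS[algorithm], "secret": secret}


# Constructed sample file, not a real key: the secret is the bytes "secret".
SAMPLE_TSIGINFO = "example key for zone transfer\ntransfer.example\n157\nc2VjcmV0\n"
```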

Hi Paul,

This info is explained in the README file ;).

But fair enough, I agree that a useful pointer could also be in the manpage.

Best regards,

Matthijs

Paul Wouters wrote: