Perhaps it seems easy for you, but it was not for me at begining even if I am running bind9 master/bind9 slave already.

We will begin with TSIG key, on your master DNS server :

root@Sagitarius:~# tsig-keygen mykey > /etc/bind/keys/mykey.key
root@Sagitarius:~# cat /etc/bind/keys/mykey.key
key "mykey" {
        algorithm hmac-sha256;
        secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};
root@Sagitarius:~# 

Now we will configure this on my “named.conf.local” file as :

root@Sagitarius:/etc/bind# cat named.conf.local 
[...]
//On indique la clé à utiliser et son algorithme de chiffrement
include "/etc/bind/keys/mykey.key";

//On indique l'adresse IP du serveur "Esclave"
server 192.168.1.81
{
        keys { mykey; };
};
[...]
zone "my-blah-zone.fr" {
       type master;
       file "/etc/bind/my-blah-zone.fr.zone";
       allow-transfer { 192.168.1.81; key mykey; };
       notify yes;
};
[...]

Ok. last command :

root@Sagitarius:~# rndc reload
root@Sagitarius:~#

Ok good, now let’s see how it is configured on NSD host.
It’s really easy :

clucas@slave:/etc/nsd$ cat /etc/nsd/nsd.conf.d/secondaries/my-blah-zone.fr.conf 
key:
  name: "mykey"
  algorithm: hmac-sha256
  secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="


zone:
        # this server is secondary,  is master.
        name: my-blah-zone.fr
        allow-notify: 192.168.1.43 mykey
        request-xfr:  192.168.1.43 mykey

Now :

nsd-checkconf /etc/nsd/nsd.conf
nsd-control reload
nsd-control status

It seems easy, but I have take long time to see that all these items bellow must be identical :

• name of the key
• algorithm
• secret

Easy as hell !

PS : All this can be controlled by Ansible, but it is another story.