Diffstat (limited to 'doc/source/admin/backends/pdns4.rst')
-rw-r--r-- doc/source/admin/backends/pdns4.rst | 27
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/source/admin/backends/pdns4.rst b/doc/source/admin/backends/pdns4.rst
index a668d65a..8120ab49 100644
--- a/doc/source/admin/backends/pdns4.rst
+++ b/doc/source/admin/backends/pdns4.rst
@@ -55,4 +55,31 @@ See :ref:`designate_manage_pool` for further details on
the ``designate-manage pool`` command, and :ref:`pools`
for information about the yaml file syntax
+
+TSIG Key Configuration
+----------------------
+
+.. note:: This is only available in PowerDNS 4.2 or newer
+
+In some cases a deployer may need to use tsig keys to sign AXFR (zone transfer)
+requests. As pdns does not support a per host key setup, this needs to be set
+on a per zone basis, on creation.
+
+To do this, generate a tsigkey on the PowerDNS Server:
+
+.. code-block:: bash
+
+ $ pdnsutil generate-tsig-key <keyname> hmac-sha512
+ Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
+
+Then insert it into Designate. Make sure the pool id is correct
+(the ``--resource-id`` below.)
+
+.. code-block:: bash
+
+ openstack tsigkey create --name <keyname> --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
+
+Then add it to the ``pools.yaml`` file as shown in the example. The ID used is
+the name of the key in the PowerDNS server.
+
.. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
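Review bot: Both code blocks print a literal base64 TSIG secret (the `pdnsutil generate-tsig-key` output line and the `--secret` argument of `openstack tsigkey create`), and the second also hard-codes a `--resource-id` UUID even though the text says to make sure the pool id is correct. Please replace these with `<secret>` and `<pool_id>` placeholders, matching the `<keyname>` placeholder already used, so a deployer cannot paste the documented sample key or the wrong pool into a live setup. The sample output line also reads `Create new TSIG key keyname ...` while the command uses `<keyname>`; keep the two consistent. The closing paragraph says to add the key to `pools.yaml` "as shown in the example", but nothing in this hunk shows which option carries the key name; name the option or add a `:ref:` to the example it means. Smaller style points: the first block uses a `$ ` prompt and the second does not, "tsig keys" and "tsigkey" should be "TSIG keys" and "TSIG key" to match the heading, the `.. note::` sentence lacks a final period, and the period in "(the ``--resource-id`` below.)" belongs outside the parenthesis.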