Transaction Signature (TSIG) keys add a measure of security for DNS servers that receive zone transfers from a primary DNS server or dynamic zone updates from a DHCP server. It is possible, and in fact fairly typical, for DNS servers to use the source IP address as the only control on who is allowed to transfer or update zones. The problem with this approach is that source IP addresses can be spoofed, which could allow an unauthorized party to pull a copy of a zone or alter DNS records.

A TSIG key is a secret shared between a pair of servers. Each request and response between them carries an HMAC computed over the DNS message with that secret, so a message from a forged address that lacks the secret fails verification regardless of where it claims to come from. To generate the key, use the dnssec-keygen program provided with the BIND distributions of the time. (Current BIND 9 releases ship a dedicated tsig-keygen utility for this, and hmac-md5 is deprecated: use hmac-sha256 for new deployments.)

Example:

# dnssec-keygen -a hmac-md5 -b 128 -n HOST dns1-dns2
Kdns1-dns2.+157+46748

# cat  Kdns1-dns2.+157+46748.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: MXO0pi5xjF102xeXhPj+qw==

The key MXO0pi5xjF102xeXhPj+qw== must be configured on both servers to control transfers. To make the primary DNS server require the TSIG key on zone transfers to the secondary, and the secondary sign its transfer requests with it, add the appropriate lines to the named.conf file on each server.

Example:

#
# Primary server - 192.168.36.1 
# Secondary server - 192.168.36.2
#
# (named.conf on the primary.) 
options {
        directory "/";
        allow-transfer {  key dns1-dns2;  };
};

key dns1-dns2{
        algorithm "hmac-md5";
        secret
        "MXO0pi5xjF102xeXhPj+qw==";
};

server  192.168.36.2 {
        keys { dns1-dns2; };
};
#
#
#
# (named.conf on the secondary)
key dns1-dns2{
        algorithm "hmac-md5";
        secret
        "MXO0pi5xjF102xeXhPj+qw==";
};

server  192.168.36.1 {
        keys { dns1-dns2; };
};

After both servers reload their configuration, zone transfers from 192.168.36.1 to 192.168.36.2 are accepted only when the request is signed with the key; an unsigned request, whether from 192.168.36.2 itself or from a host spoofing its address, is refused. Note that the secret appears in clear text in both named.conf files, so distribute it over a secure channel and restrict the files' permissions.
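What the key clauses above actually make the two servers do, shown as an added example that is not part of the original page and is not BIND's code: a Python script using only the standard library that signs an AXFR request with the page's key the way the secondary would, and verifies it the way the primary would (RFC 8945 TSIG). The zone name example.test, the message ID and the fixed timestamps are assumptions for illustration; the key name, algorithm and secret are the ones the dnssec-keygen run above produced, which are published here and must never be reused.

```python
# Added example for this page (not BIND or ISC code): sign and verify a TSIG-protected AXFR
# request per RFC 8945 with only the standard library. Key name, algorithm and secret are
# from the page's dnssec-keygen run (a published secret: never reuse it); the zone name
# "example.test" and the fixed timestamps are assumptions for illustration.
import base64
import hashlib
import hmac
import struct
import time

KEY_NAME = "dns1-dns2"
KEY_SECRET = base64.b64decode("MXO0pi5xjF102xeXhPj+qw==")   # the page's 128-bit key
ALGORITHM = "hmac-md5.sig-alg.reg.int"   # IANA name for the page's hmac-md5
DIGEST = hashlib.md5                     # for hmac-sha256: ALGORITHM = "hmac-sha256", DIGEST = hashlib.sha256
TSIG_TYPE, CLASS_ANY, TYPE_AXFR, CLASS_IN = 250, 255, 252, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels, lowercased (TSIG canonical form)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(wire, pos):
    """Return the offset just past the name starting at pos (a compression pointer ends it)."""
    while True:
        length = wire[pos]
        if length == 0:
            return pos + 1
        if length >= 0xC0:
            return pos + 2
        pos += 1 + length


def build_axfr_query(zone, msg_id):
    """Unsigned AXFR query: 12-byte header with QDCOUNT=1, one question, nothing else."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 4.3.3): name, class, ttl, alg, time, fudge, error, other."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_query(message, secret=KEY_SECRET, time_signed=None, fudge=300):
    """Client side: MAC the unsigned message plus the TSIG variables, append the TSIG RR, bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, message + tsig_variables(time_signed, fudge), DIGEST).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))           # original id, error, other len
    tsig_rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify_query(signed, secret=KEY_SECRET, now=None):
    """Server side: find the trailing TSIG RR, strip it, recompute the MAC over what is left
    and compare in constant time. A changed byte, a wrong key or a stale timestamp all
    yield False, which is exactly what a spoofed source address cannot get around."""
    if now is None:
        now = int(time.time())
    counts = struct.unpack("!HHHH", signed[4:12])
    pos, rr_start = 12, None
    for _ in range(counts[0]):                      # questions: name, type, class
        pos = skip_name(signed, pos) + 4
    for _ in range(sum(counts[1:])):                # answer, authority, additional RRs
        rr_start = pos
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    if rr_start is None or pos != len(signed) or counts[3] == 0:
        return False                                # no RRs, trailing junk, or TSIG not in additional
    p = skip_name(signed, rr_start)
    if struct.unpack("!H", signed[p:p + 2])[0] != TSIG_TYPE:
        return False                                # last RR is not TSIG: unsigned request
    key_name, p = signed[rr_start:p], p + 10         # skip type, class, ttl, rdlength
    alg_end = skip_name(signed, p)
    alg_name = signed[p:alg_end]
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    q = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    if key_name.lower() != encode_name(KEY_NAME) or alg_name.lower() != encode_name(ALGORITHM):
        return False                                # unknown key or algorithm
    if abs(now - time_signed) > fudge:
        return False                                # replay or clock skew beyond the fudge window
    # The message as the client signed it: Original ID, ARCOUNT decremented, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", counts[3] - 1) + signed[12:rr_start])
    expected = hmac.new(secret, unsigned + tsig_variables(time_signed, fudge, error, other), DIGEST).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    query = build_axfr_query("example.test", 0x1234)
    signed = sign_query(query)
    forged = signed[:13] + bytes([signed[13] ^ 1]) + signed[14:]   # one byte of the zone name changed
    print("signed request verifies:  ", verify_query(signed))
    print("unsigned request verifies:", verify_query(query))
    print("tampered request verifies:", verify_query(forged))
    print("wrong key verifies:       ", verify_query(signed, secret=b"\x00" * 16))
```

Running the script shows that only the signed, unmodified request verifies: a host that spoofs 192.168.36.2's address but lacks the secret cannot produce a valid MAC, and the 300-second fudge window (BIND's default) bounds how long a captured request can be replayed. Setting ALGORITHM and DIGEST to the sha256 values gives the hmac-sha256 form that current deployments should use instead of hmac-md5.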

For additional information and for the latest distribution of BIND, visit www.isc.org
