Adsense Leaderboard Ad

6.17.2012

Configuring Transaction Signatures (TSIG) on BIND 9

This document was written using a RHEL 6 system running BIND 9.7.3 in a chrooted environment.

Transaction signatures (TSIG) is a protocol that uses shared secret keys and one-way hashing to provide a secure means to identify each node of a connection as being authorized to make or respond to a DNS update or transfer.

TSIG keys can be used to authenticate notifies, dynamic updates, recursive queries and zone transfers.


Configuring the Master server

Let's move to the directory where the configuration files for our BIND install are kept.

cd /var/named/chroot/etc

Now we will run the dnssec-keygen command to create the shared keys. We will be using HMAC-SHA1 as our encryption algorithm and a key size of 160 bits.

dnssec-keygen -a HMAC-SHA1 -b 160 -n HOST rndc-key

Sample output:
Krndc-key.+121+47878

This should generate two files:
Krndc-key.+121_47878.private
Krndc-key.+121_47878.key

Now we will view the private key file and record the shared key. We will need to use this key on both the master server and slave server.

cat Krndc-key.+121_47878.private

Sample output:

Private-key-format: v1.3
Algorithm: 161 (HMAC_SHA1)
Key: ODvOnAg9F2j2Y09jTQRC276h1vY=
Bits: AAA=
Created: 20120517154534
Publish: 20120517154534
Activate: 20120517154534

The two lines in the above file that are important are lines 2 & 3. Copy them somewhere safe to be used in the rest of the configuration.

Now we need to create a tsig.key file.

vi tsig.key

The file should read like below, make sure to use the information copied in the last step in the lines highlighted below. Also you should use the IP address of your slave server in line six of this file. If you have multiple slaves you can duplicate slave entries by copying the slave section and changing the IP address (See example below of file with multiple slave servers).

key "TRANSFER" {
algorithm hmac-sha1;
secret "ODvOnAg9F2j2Y09jTQRC276h1vY=";
};

# Slave server 1 IP
server 192.168.1.6 {
keys { TRANSFER; };
};  
# Slave server 2 IP
server 192.168.1.56 {
keys { TRANSFER; };
};

Now let's tell named to include this file in it's configuration and to only allow transfers from slaves that share our key.

vi /var/named/chroot/etc/named.conf

Add the following line:

include “/etc/tsig.key”;

Edit the allow-transfer statement to specific the key name ONLY:

allow-transfer { key TRANSFER; };

Save and close the file.

NOTE: If you leave any IP addresses in the allow-transfer statement it will still allow transfers without using the TSIG key. Having an allow-transfer statement without any hosts listed allows us to be sure no transfers will be permitted without the key.

Now we must reload the service in order for the new configuration to be read.

service named restart
or
rndc reload


Slave Server Configuration

Let's create a tsig.key file in our BIND configuration file directory.

cd /var/named/chroot/etc
vi tsig.key

Add the following to the file (using the information copied from the private key file earlier):

key "TRANSFER" {
algorithm hmac-sha1;
secret "ODvOnAg9F2j2Y09jTQRC276h1vY=";
};

# Master server IP
server 192.168.1.2 {
keys { TRANSFER; };
};

NOTE: Make sure to change the server IP address to the MASTER server.

Now let's tell named to include this file in it's configuration.

vi /var/named/chroot/etc/named.conf

Add the following line then save and close the file:

include “/etc/tsig.key”;

Restart named to read new configuration.

service named restart
or
rndc reload

Verify TSIG keys

In the console window of your master server start tailing the transfer log. We log transfers and queries in the same log, so we will use grep to filter out queries and make the transfer easily identified.

tail -f /var/named/chroot/var/named/data/ns1-bind.log | grep -v query

NOTE: In this case out query log and transfer log were the same file.  Depending on your BIND configuration, your logs may be in a separate file or even a different location.
 
In a console window of your slave server initiate a transfer:

[savona@devel2 ~]$ rndc retransfer domain.com

Back at the console window for your master server you should be able to verify that the TSIG key was used in the transfer by examining the log entries.

17-May-2012 12:21:29.521 xfer-out: info: client 192.168.1.6#48945: transfer of 'domain.com/IN': AXFR started: TSIG transfer
17-May-2012 12:21:29.521 xfer-out: info: client 192.168.1.6#48945: transfer of 'domain.com/IN': AXFR ended

You should also see similar messages in the slave transfer log:

17-May-2012 12:21:42.825 general: info: zone domain.com/IN: transferred serial 201008302: TSIG 'transfer'
17-May-2012 12:21:42.825 xfer-in: info: transfer of 'domain.com/IN' from 192.168.1.2#53: Transfer completed: 1 messages, 62 records, 1693 bytes, 0.001 secs (1693000 bytes/sec)


No comments:

Post a Comment