Managing TSIG between a Primary and Secondary Nameserver

This system provides TSIG (Transaction Signatures) management support. TSIG is a mechanism to help guarantee that what you publish from a primary nameserver is what the secondary publishes. TSIG uses a symmetric algorithm (the same key on both sides) and therefore only works when there is a trust relationship between the communicating parties.
It is mandatory in the TSIG protocol to support HMAC-MD5. However, there is a feeling that it should be replaced with a stronger algorithm such as HMAC-SHA224 or better. The algorithms that can currently be used are 160-bit HMAC-SHA1, 224-bit HMAC-SHA224, HMAC-SHA256 (preferred), HMAC-SHA384 or HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5 but may not be present in all versions of DNS software.

How to create
How to use

In your nameserver configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so that transfers are only possible using a key (explicitly deny unsigned transfers from the IP addresses of the primary) and add the keys and servers after the options section. This will force transfers to use signed transfers only. Your "allow-transfer" should obviously still include any previously existing "allows"; their order is important, as in firewall rules.
options {
    directory "/etc/bind";                  // Where I keep my DNS stuff.
    allow-transfer {
        key registry-ns1.mydom.com;         // Explicitly allow TSIG XFers
        !192.96.24.81;                      // ..and deny non TSIG from my primary
        !2001:42a0::81;                     // ..from ALL the addresses they have
    };
};

key registry-ns1.mydom.com {                // Key for this relationship
    algorithm hmac-sha256;
    secret "YourSecretGeneratedKey=";       // tsig-keygen generated key
};

server 192.96.24.81 {                       // My primary has multiple IP addresses
    keys { registry-ns1.mydom.com; };
};

server 2001:42a0::81 {                      // ..so specify all of them
    keys { registry-ns1.mydom.com; };
};
Of course, use your own secret and key names. The nameserver in the above example has both IPv4 and IPv6 addresses and either may request a transfer, so there needs to be a trusted relationship from all of its addresses; hence all of its IPs need to be listed. If you don't use IPv6, you may leave that address out.
Before installing TSIG, please make sure your computer's time is synced with a timeserver using SNTP, NTP (or similar); computers whose clocks are adrift by more than 5 minutes will not work. TSIG always uses GMT (or Zulu) time, and takes different timezones into consideration.
The admin system will show you the server time (which is GMT+2) as well as your time. If your time differs by more than 5 seconds, you will be informed. If this is the case, it really is a good idea to check that your time is synchronised and that the synchronisation is working correctly. Take into account that you may be in a different time zone. After 12 months the key will show with a red background and this system will send out weekly e-mail warnings. It's probably a good idea to update your keys on a regular basis (yearly).
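As an added illustration (not the page's or BIND's own code), the Python below generates a "key" statement like the one above from a fresh random secret and mimics the TSIG time check that makes a clock adrift by more than the 300-second fudge fail. DEMO_SECRET and the message bytes are constructed stand-ins, and the DNS wire format is reduced to just the time-signed and fudge fields rather than the full TSIG record.

```python
import base64
import hashlib
import hmac
import secrets

FUDGE = 300  # BIND's default TSIG fudge in seconds: the 5-minute window the text refers to

# Constructed demo secret, not a real key; tsig-keygen output would look similar
DEMO_SECRET = base64.b64encode(b"constructed-demo-secret-not-for-use!").decode()

def generate_key_statement(name, algorithm="hmac-sha256"):
    """Return a BIND 'key' statement with a fresh random 256-bit base64 secret."""
    secret = base64.b64encode(secrets.token_bytes(32)).decode()
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def _tsig_variables(signed_time, fudge):
    """48-bit 'time signed' (UTC seconds) and 16-bit fudge, as RFC 8945 lays them out."""
    return signed_time.to_bytes(6, "big") + fudge.to_bytes(2, "big")

def sign(message, secret_b64, now, fudge=FUDGE):
    """Compute the hmac-sha256 MAC over the message plus the time variables."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, message + _tsig_variables(now, fudge), hashlib.sha256).digest()
    return now, fudge, mac

def verify(message, secret_b64, signed_time, fudge, mac, now):
    """Return (ok, rcode). The MAC is checked first (BADSIG), then the time window (BADTIME)."""
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, message + _tsig_variables(signed_time, fudge), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - signed_time) > fudge:  # |now - time signed| must not exceed the fudge
        return False, "BADTIME"
    return True, "NOERROR"

def demo():
    """Sign an AXFR-like request, then verify it with a synced, a skewed, and a tampered view."""
    msg = b"AXFR mydom.com"      # constructed stand-in for the DNS message bytes
    t0 = 1_700_000_000           # requester's clock (UTC seconds)
    signed_time, fudge, mac = sign(msg, DEMO_SECRET, t0)
    in_window = verify(msg, DEMO_SECRET, signed_time, fudge, mac, now=t0 + 120)   # 2 min skew: accepted
    skewed = verify(msg, DEMO_SECRET, signed_time, fudge, mac, now=t0 + 6 * 60)   # 6 min skew: BADTIME
    tampered = verify(msg + b"x", DEMO_SECRET, signed_time, fudge, mac, now=t0)   # altered message: BADSIG
    return in_window, skewed, tampered

if __name__ == "__main__":
    print(generate_key_statement("registry-ns1.mydom.com"))
    print(demo())
```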