TSIG Management Services - Help System

Managing TSIG between a Primary and Secondary Nameserver

This System provides TSIG (Transaction Signatures) Management support. TSIG is a mechanism that helps guarantee that what you publish from a primary nameserver is what the secondary publishes. TSIG uses a symmetric algorithm (the same key on both sides) and therefore only works where there is a trust relationship between the communicating parties.

It is mandatory in the TSIG protocol to support HMAC-MD5. However, there is a general feeling that it should be replaced with a stronger algorithm such as HMAC-SHA224 or better. The algorithms that can currently be used are 160-bit HMAC-SHA1, 224-bit HMAC-SHA224, HMAC-SHA256 (preferred), HMAC-SHA384 and HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5 but may not be present in all versions of DNS software.
The following examples assume the use of the HMAC-SHA256 algorithm.

How to create

  • Select the Primary and your Secondary Nameserver and set the Algorithm to HMAC-SHA256 (or another of the algorithms above).
  • In the Keypair field, add a key. The name is arbitrary but should be a legal domain name. It is suggested that the name identifies the trust pair of nameservers, i.e. if the Primary Nameserver is ns0.registry.com and your secondary nameserver is called ns1.mydom.com, call it something like registry-ns1.mydom.com. Adding some "valid until" information is not a bad idea either, e.g. registry-ns1.mydom.com.feb.2013
  • You can leave the Secret field blank; on clicking the [submit] or [add now] box the System will generate a secret key. Alternatively, generate your own key and paste it in yourself.
  • To create your own key, run tsig-keygen with the complete command:
    tsig-keygen -a HMAC-SHA256 registry-ns1.mydom.com
    This generates the key statement to go into your named.conf file. The older command
    dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST registry-ns1.mydom.com
    is DEPRECATED.

How to use

In your Nameserver Configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so that transfers are only possible using a key (explicitly don't allow Transfers from the IP addresses of the Primary) and add the keys and servers after the options section. This forces transfers to use Signed Transfers only. Your "allow-transfer" should obviously still include any previously existing "allows"; their order is important, as in firewall rules.
options {
    directory "/etc/bind";             // Where I keep my DNS stuff.

    allow-transfer {
        key registry-ns1.mydom.com;    // Explicitly allow TSIG XFers
        !192.96.24.81;                 // ..and deny non-TSIG from my primary
        !2001:42a0::81;                // ..from ALL the addresses they have
    };
};

key registry-ns1.mydom.com {           // Key for this relationship
    algorithm hmac-sha256;
    secret "YourSecretGeneratedKey=";  // tsig-keygen generated key
};

server 192.96.24.81 {                  // My primary has multiple IP addresses
    keys { registry-ns1.mydom.com; };
};

server 2001:42a0::81 {                 // ..so specify all of them
    keys { registry-ns1.mydom.com; };
};
Of course, use your own secret and key names.
The Nameserver in the above example has both IPv4 and IPv6 addresses and either may request a transfer, so there needs to be a trusted relationship from all of the addresses; hence all IPs need to be mentioned. If you don't use IPv6, you may leave that address out.

Before installing TSIG, please make sure your computer's time is synced with a timeserver using SNTP, NTP (or similar). Computers whose clocks are adrift by more than 5 minutes will not work with TSIG. TSIG timestamps are always in GMT (or ZULU) time, so differing time zones are taken into account.

The admin system will show you the Server time (which is GMT+2) as well as your time. If your time differs by more than 5 seconds, you will be informed. If this is the case, it really is a good idea to check that your time is synchronised and that the synchronisation is working correctly. Take into account that you may be in a different Time Zone.
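To illustrate what is actually signed in a TSIG transfer request and why the clock matters, here is an added Python example (not part of this help system or of BIND) that computes the HMAC-SHA256 TSIG MAC over a constructed AXFR request as laid out in RFC 8945 and performs the receiving server's BADSIG and BADTIME checks. The key name reuses the one from the configuration above; the secret, message id and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed values for the example: not a real secret or real key material.
KEY_NAME = "registry-ns1.mydom.com"
ALGORITHM = "hmac-sha256."
SECRET_B64 = base64.b64encode(b"constructed demo secret, not a real key").decode()
FUDGE = 300  # seconds of clock skew tolerated on either side (the "5 minutes")

def wire_name(name):
    """Domain name in canonical DNS wire form: lower-case labels, no compression."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are appended to the message before hashing."""
    ts_hi, ts_lo = divmod(time_signed, 1 << 32)      # 48-bit seconds since epoch
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
            + wire_name(alg)
            + struct.pack("!HIHHH", ts_hi, ts_lo, fudge, error, len(other)) + other)

def tsig_mac(message, time_signed, secret_b64=SECRET_B64, fudge=FUDGE):
    """HMAC-SHA256 over (DNS message without the TSIG RR) + TSIG variables."""
    data = message + tsig_variables(KEY_NAME, ALGORITHM, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.sha256).digest()

def verify(message, time_signed, fudge, mac, now, secret_b64=SECRET_B64):
    """Receiver-side checks, in the order a server applies them: MAC, then time."""
    expected = tsig_mac(message, time_signed, secret_b64, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"      # clock drift beyond the fudge window
    return "NOERROR"

def axfr_request(zone, msg_id=0x1234):
    """Constructed AXFR query (header + question), as the message to be signed."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)  # AXFR, IN

if __name__ == "__main__":
    msg = axfr_request("mydom.com")
    t = 1357000000                                    # constructed signing time
    mac = tsig_mac(msg, t)
    print(verify(msg, t, FUDGE, mac, now=t + 30))      # NOERROR
    print(verify(msg, t, FUDGE, mac, now=t + 600))     # BADTIME: 10 minutes adrift
```

A secondary whose clock is ten minutes out produces a valid MAC that the primary still rejects with BADTIME, which is why the time check above is the first thing to verify when signed transfers fail.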

After 12 months, the key will be shown with a red background and this system will send out weekly e-mail warnings. It's probably a good idea to update your keys on a regular basis (yearly).