TSIG (Transaction Signatures) provides authentication and data integrity for the communication between DNS servers: zone transfers, notifications, recursive queries and dynamic updates. A shared secret is generated on one of the two servers, and the same secret, under the same key name, is configured on both. Bear in mind that TSIG only provides authentication and data integrity; it does not encrypt the communication.
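To make that last point concrete, here is a small added example (not part of the original article, and not BIND's own code) that signs a hand-built DNS query with an HMAC-SHA512 TSIG record as RFC 2845 describes and then verifies it. The key name "transfer-key" is the one used in this article; the 64-byte secret is a constructed placeholder standing in for the dnssec-keygen output. A tampered message or a wrong secret fails verification, a stale timestamp outside the fudge window fails too, and yet the question name is still readable in the signed bytes, which is exactly what "authentication and integrity, but no encryption" means.

```python
"""TSIG (RFC 2845) signing and verification over a hand-built DNS query.
Added example: shows what the shared secret protects (integrity and origin of
the message) and what it does not (confidentiality of the message contents)."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE = 250             # RR type number of TSIG
CLASS_IN = 1
CLASS_ANY = 255             # TSIG RRs always carry class ANY and TTL 0
KEY_NAME = "transfer-key"   # same key name as the article's configuration
ALG_NAME = "hmac-sha512"
# Constructed demo secret; a real deployment uses the dnssec-keygen output.
SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
SECRET = base64.b64decode(SECRET_B64)

def encode_name(name):
    """Wire-format name in canonical (lowercase) form, as the MAC requires."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"

def _read_name(buf, pos):
    """Read an uncompressed name (TSIG key and algorithm names are never compressed)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1

def _skip_name(buf, pos):
    """Skip a possibly compressed name in the body of the message."""
    while buf[pos] and (buf[pos] & 0xC0) != 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if (buf[pos] & 0xC0) == 0xC0 else 1)

def build_query(qname, qtype, msg_id=0x1234):
    """12-byte header (RD set, QDCOUNT=1) followed by a single question."""
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))

def _pack48(t):
    """48-bit 'time signed' field."""
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)

def tsig_mac(secret, msg, key_name, alg_name, time_signed, fudge,
             error=0, other=b"", request_mac=b""):
    """HMAC over [length-prefixed request MAC] + message without TSIG + TSIG variables."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += msg
    data += (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
             + encode_name(alg_name) + _pack48(time_signed)
             + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, data, hashlib.sha512).digest()

def sign_message(msg, secret, key_name, alg_name, time_signed, fudge=300):
    """Append a TSIG RR as the last additional record and bump ARCOUNT."""
    mac = tsig_mac(secret, msg, key_name, alg_name, time_signed, fudge)
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(alg_name) + _pack48(time_signed)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))       # original ID, error, other len
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify_message(signed, secret, key_name, now):
    """Return (ok, rcode name), checking BADKEY, then BADSIG, then BADTIME."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):                      # skip the question section
        pos = _skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):        # skip every RR except the trailing TSIG
        pos = _skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    rr_key, p = _read_name(signed, pos)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", signed[p:p + 10])
    rdata = signed[p + 10:p + 10 + rdlen]
    if rtype != TSIG_TYPE or rr_key.lower() != key_name.lower():
        return False, "BADKEY"
    alg, q = _read_name(rdata, 0)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", rdata[q:q + 10])
    mac = rdata[q + 10:q + 10 + mac_len]
    _orig_id, error, other_len = struct.unpack("!HHH", rdata[q + 10 + mac_len:q + 16 + mac_len])
    other = rdata[q + 16 + mac_len:q + 16 + mac_len + other_len]
    if alg.lower() != ALG_NAME:
        return False, "BADKEY"
    # Rebuild the message exactly as it was signed: TSIG RR removed, ARCOUNT - 1.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:pos]
    time_signed = (hi << 32) | lo
    expected = tsig_mac(secret, unsigned, rr_key, alg, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

if __name__ == "__main__":
    query = build_query("domain.local", 6)   # SOA query, as a slave sends before a transfer
    signed = sign_message(query, SECRET, KEY_NAME, ALG_NAME, 1_700_000_000)
    print(verify_message(signed, SECRET, KEY_NAME, 1_700_000_100))   # (True, 'NOERROR')
    tampered = bytearray(signed)
    tampered[13] ^= 0xFF                                              # alter the question name
    print(verify_message(bytes(tampered), SECRET, KEY_NAME, 1_700_000_100))  # (False, 'BADSIG')
    print(encode_name("domain.local") in signed)                     # True: name is cleartext
```

The verifier recomputes the MAC from the received bytes with the TSIG record stripped, so any change to the message, the key name or the timestamp invalidates it; the 300-second fudge is the default window BIND allows for clock skew. Against a real pair of servers the equivalent check is a signed transfer request with dig's -y option (hmac-sha512:transfer-key:<secret>) to the master; the transferred records travel in cleartext either way.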
DNS Master
– Generate a new key:
# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom transfer
– Include the newly generated key in the BIND config files:
# cat Ktransfer.+165+09240.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==
# vi /etc/bind/transfer.key
key "transfer-key" {
    algorithm HMAC-SHA512;
    secret "umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==";
};
# vi /etc/bind/named.conf
include "/etc/bind/transfer.key";
– Assign the new key to the zone to be transferred, so that only requests signed with it are allowed to transfer the zone:
# vi /etc/bind/named.conf.default-zones
zone "domain.local" {
    type master;
    file "/etc/bind/db.domain.local";
    allow-transfer { key "transfer-key"; };
};
– Restart the daemon:
# service bind9 restart
DNS Slave
– Copy the same key as on the master and include it in the configuration, together with a server statement so that requests to the master are signed with this key:
# vi /etc/bind/transfer.key
key "transfer-key" {
    algorithm HMAC-SHA512;
    secret "umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==";
};
server 192.168.1.129 {
    keys { "transfer-key"; };
};
# vi /etc/bind/named.conf
include "/etc/bind/transfer.key";
– Configure the zone on the slave to transfer its data from the master:
# vi /etc/bind/named.conf.default-zones
zone "domain.local" {
    type slave;
    file "/etc/bind/db.domain.local";
    masters { 192.168.1.129; };
};
– Set the correct permissions:
# chown -R bind:bind /etc/bind
– Restart the daemon:
# service bind9 restart
– Check that the zone transfer completed successfully:
Sources
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#tsig
Thank you!
How can I check that the transfer in between is encrypted?
localhost# wireshark -k -i <(ssh -l root dumpcap -i eth0 -w - )
but you will see the “Standard query response” SLAVE->MASTER (ixfr) zone transfer is not encrypted. It’s not fully clear how TSIG works.