Registering Masters and TSIG supportNameservers that you use as Masters need to be registered before they can be used. This allows for a Drop-Down list to be used from the main page as well as providing other sanity controls.This System also allows for the provision of TSIG (Transaction Signatures) support. TSIG is a mechanism to help guarantee that what you publish from your primary/master nameserver is the same as what the secondary/slave publishes. TSIG uses a symmetric algorithm (the same key on both sides) therefore only works when there is a trust relationship between the communicating parties.
It is mandatory for the TSIG protocol to support HMAC-MD5.
This is no longer considered safe enough.
The algorithms that can be used are the 160 bit HMAC-SHA1,
224 bit HMAC-SHA224, HMAC-SHA256 (preferred), HMAC-SHA384 or
HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5
but may not be present in all versions of DNS software. How to create
How to useIn your Nameserver Configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so you can only transfer using a key (explicitly don't allow Xfers from 192.96.24.81 and 2001:42a0::81) and add the keys and servers after the options section. This will force transfers to use Signed Transfers only. Your "allow-transfer" should obviously still include any previously existing "allows", their order is importaint - as in firewall rules. |
options {
directory "/etc/bind"; // Where I keep my DNS stuff.
allow-transfer {
key ns1-secdns1.mydom.co.za; // Explicitly allow TSIG XFers
!192.96.24.81; // ..and deny "non TSIG" from my slave
!2001:42a0::81; // ..might not need this line - IPv6 Address
192.96.24.0/24; // Others that I allow Xfer from.
2001:42a0::0/64;
};
};
key ns1-secdns1.mydom.co.za { // My Trusted Slave's key
algorithm hmac-sha256;
secret "YourSecretProgramGeneratedKey="; // tsig-keygen generated key
};
server 192.96.24.81 { // My TSIG slave
keys { ns1-secdns1.mydom.co.za; };
};
server 2001:42a0::81 { // runs IPv6 as well
keys { ns1-secdns1.mydom.co.za; };
};
|
|
Of course - use your own secret and key names. The Nameserver secdns1.posix.co.za has both IPv4 and IPv6 addresses from which it may request a transfer - so there needs to be a trused relationship from both of the addresses - hence all IP's need to be mentioned. If you don't use IPv6 - you may leave that address out. If the secondary is one other than secdns1.posix.co.za (ie secdns2.posix.co.za) then use that nameservers IP addresses. That would look like.... |
options {
directory "/etc/bind"; // Where I keep my DNS stuff.
allow-transfer {
key ns1-secdns2.mydom.co.za; // Explicitly allow TSIG XFers
!94.30.102.18; // ..and deny non TSIG from trusted Slave
};
};
key ns1-secdns2.mydom.co.za { // My Trusted Slave's key
algorithm hmac-sha256;
secret "YourSecretProgramGeneratedKey="; // tsig-keygen generated key
};
server 94.30.102.18 {
keys { ns1-secdns2.mydom.co.za; };
};
|
| You can - of course - combine both of the above entries together - if you use both secondaries. |
|
Before installing TSIG - please make sure you have your computer time Synced with a timeserver using SNTP/NTP (or similar), computers that are adrift by more than 5 minutes will not work. TSIG always uses GMT (or ZULU) time - and takes different zimezones into consideration. |
|
The admin system will show you the Server time (which is GMT+2) as well as your time. If your time is more than 5 seconds different - you will be informed. If this is the case - it really is a good idea to check that your time is syncoronised and that the syncronisation is working correctly. Take into account that you may be on a different Time Zone. After 12 months (or what you decide), the key will show with a red background. Its probably a good idea to update your keys on a regular basis. |