The Posix Systems Secondary DNS Help System

Registering Masters and TSIG support

Nameservers that you use as Masters need to be registered before they can be used. This allows for a Drop-Down list to be used from the main page as well as providing other sanity controls.
This System also allows for the provision of TSIG (Transaction Signatures) support. TSIG is a mechanism to help guarantee that what you publish from your primary/master nameserver is the same as what the secondary/slave publishes. TSIG uses a symmetric algorithm (the same key on both sides) and therefore only works when there is a trust relationship between the communicating parties.

The TSIG protocol makes HMAC-MD5 mandatory to implement, but HMAC-MD5 is no longer considered safe enough. The algorithms that can be used are the 160-bit HMAC-SHA1, the 224-bit HMAC-SHA224, HMAC-SHA256 (preferred), HMAC-SHA384 or HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5 but may not be present in all versions of DNS software.
The following examples assume the use of the HMAC-SHA256 algorithm.

How to create

  • Register your Primary Nameserver and set the Algorithm to HMAC-SHA256 (or other).
  • In the Keypair field, add a key. The name is arbitrary but should be a legal domain name. It is suggested that the name identifies the trust pair of nameservers, i.e. if your nameserver is called ns1.mydom.co.za and the trust is with secdns1.posix.co.za, call it something like ns1-secdns1.mydom.co.za. Adding some "valid until" info is not a bad idea either, e.g. ns1-secdns1.mydom.co.za.feb.2011
  • If you leave the Secret field blank, then on clicking the ['submit'] or [add now] box the System will generate a secret key; alternatively, generate your own key and paste it in yourself.
  • To create your own key, run the tool dnssec-keygen with the complete command:
    dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-secdns1.mydom.co.za
    This will create two files. From the file ending in .key, copy just the secret part - that's the last word on the line. (The algorithm given here must match the one you registered above; the examples on this page use HMAC-SHA256.)

How to use

In your Nameserver Configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so that you can only transfer using a key (explicitly don't allow Xfers from 160.124.208.81, 160.124.112.10 and 2001:42a0:1:ff02::81) and add the keys and servers after the options section. This will force transfers to use Signed Transfers only. Your "allow-transfer" should obviously still include any previously existing "allows"; their order is important - as in firewall rules, the first matching entry wins.
options {
    directory "/etc/bind";   // Where I keep my DNS stuff.

    allow-transfer {
        key ns1-secdns1.mydom.co.za;  // Explicitly allow TSIG XFers
        !160.124.112.10;              // ..and deny non-TSIG from
        !160.124.208.81;              // ..my trusted slave.
        !2001:42a0:1:112::10;         // ..might not need this line - IPv6 address
        !2001:42a0:1:208::81;         // ..or this
        160.124.112.0/24;             // Others that I allow Xfer from.
    };
};

key ns1-secdns1.mydom.co.za {        // My trusted slave's key
    algorithm hmac-sha256;           // Must match the algorithm registered for the key
    secret "YourSecretProgramGeneratedKey=";  // dnssec-keygen generated key
};

server 160.124.112.10 {              // My TSIG slave has multiple IPs so..
    keys { ns1-secdns1.mydom.co.za; };
};

server 160.124.208.81 {              // ..all are given here.
    keys { ns1-secdns1.mydom.co.za; };
};

server 2001:42a0:1:112::10 {         // ..but this is for IPv6
    keys { ns1-secdns1.mydom.co.za; };
};

server 2001:42a0:1:208::81 {         // ..as is this
    keys { ns1-secdns1.mydom.co.za; };
};
Of course, use your own secret and key names.
The Nameserver secdns1.posix.co.za has two possible IPv4 addresses and two possible IPv6 addresses from which it may request a transfer, so there needs to be a trusted relationship from all of the addresses; hence all IPs need to be mentioned. If you don't use IPv6, you may leave those addresses out.

If the secondary is one other than secdns1.posix.co.za (i.e. secdns2.posix.co.za) then use that nameserver's IP addresses. That would look like this:

options {
    directory "/etc/bind";   // Where I keep my DNS stuff.

    allow-transfer {
        key ns1-secdns2.mydom.co.za;  // Explicitly allow TSIG XFers
        !192.96.28.2;                 // ..and deny non-TSIG from trusted slave
        !2001:42a0:7000:28::2;        // ..might not need this line - IPv6 address
    };
};

key ns1-secdns2.mydom.co.za {        // My trusted slave's key
    algorithm hmac-sha256;           // Must match the algorithm registered for the key
    secret "YourSecretProgramGeneratedKey=";  // dnssec-keygen generated key
};

server 192.96.28.2 {                 // My TSIG slave has multiple IPs so..
    keys { ns1-secdns2.mydom.co.za; };
};

server 2001:42a0:7000:28::2 {        // This is for IPv6
    keys { ns1-secdns2.mydom.co.za; };
};
You can, of course, combine both of the above entries together if you use both secondaries.

Before installing TSIG, please make sure you have your computer's time synced with a timeserver using SNTP/NTP (or similar); computers that are adrift by more than 5 minutes will not work. TSIG always uses GMT (or ZULU) time and takes different time zones into consideration.

The admin system will show you the Server time (which is GMT+2) as well as your time. If your time is more than 5 seconds different, you will be informed. If this is the case, it really is a good idea to check that your time is synchronised and that the synchronisation is working correctly. Take into account that you may be in a different Time Zone.
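As an added illustration (not code from the Posix Systems help pages or from BIND), the following Python sketch shows what the key-generation step and the clock requirement above protect: it computes and verifies an HMAC-SHA256 TSIG MAC over a constructed message using the RFC 8945 digest layout, then checks the signed time against the receiver's clock with the 300-second fudge window, which is why a master and slave whose clocks drift by more than 5 minutes cannot transfer. The key name, secret and message bytes are constructed sample values, and the message stands in for a real wire-format AXFR request.

```python
import base64
import hashlib
import hmac
import os
import struct

# Algorithm name as it appears on the wire; the page's examples use HMAC-SHA256.
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds: the conventional TSIG clock tolerance (the page's "5 minutes")

# Constructed sample values (not real keys). In practice the message is the
# wire-format AXFR request with its TSIG RR removed and ARCOUNT decremented.
KEY_NAME = "ns1-secdns1.mydom.co.za"
SAMPLE_SECRET = "0jDT2B8kq6SLQ6nWKsUGSTydQhfCnG2mvqZuAPmR1pM="
SAMPLE_MESSAGE = b"constructed-axfr-request-bytes"

def generate_secret(bits: int = 256) -> str:
    """Random base64 secret, as 'dnssec-keygen -b 256' would produce."""
    return base64.b64encode(os.urandom(bits // 8)).decode()

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format domain name."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_variables(key_name: str, time_signed: int, fudge: int, error: int = 0) -> bytes:
    """TSIG variables in digest order (RFC 8945 section 4.3.3): NAME, CLASS ANY,
    TTL 0, algorithm name, 48-bit time signed (seconds UTC), fudge, error, other len."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, 0))

def sign(message: bytes, key_name: str, secret_b64: str, time_signed: int) -> bytes:
    """MAC over the unsigned DNS message followed by the TSIG variables."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + tsig_variables(key_name, time_signed, FUDGE),
                    hashlib.sha256).digest()

def verify(message: bytes, key_name: str, secret_b64: str, time_signed: int,
           mac: bytes, now: int) -> str:
    """Return 'NOERROR', 'BADSIG' or 'BADTIME', checked in the order RFC 8945 uses."""
    expected = sign(message, key_name, secret_b64, time_signed)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # wrong secret, or the message changed in transit
    if abs(now - time_signed) > FUDGE:
        return "BADTIME"  # clocks adrift by more than the fudge window
    return "NOERROR"
```

A signed request that arrives with the receiver's clock 301 seconds away from the sender's is rejected as BADTIME even though the MAC is correct, which is the failure you see when NTP is not working.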

After 12 months (or whatever period you decide), the key will show with a red background. It's probably a good idea to update your keys on a regular basis.