Lab Exercise 4 – TSIG for Secure Zone Transfer

Objectives

Be able to secure zone transfers between master and slave name servers using TSIG keys.

Steps

  1. On the master server, generate a TSIG key with tsig-keygen and append it to a key file in the /etc/bind directory:
    tsig-keygen groupXX.net >> /etc/bind/groupXX.net.key


    Check that this created the key file:

    ls -la /etc/bind/groupXX.net.key


    Note: Make sure that the key name is as descriptive as possible. In our example, the name chosen is groupXX.net to show that it is for the domain `groupXX.net` and the TSIG key is to be exchanged between `ns1` (the primary server) and `ns2` (the secondary server).

  2. Update the primary server's `named.conf.local` with this key.
    1. Edit named.conf.local, add the include statement, and add a server statement so that named uses the key when talking to the slave:
      include "/etc/bind/groupXX.net.key";
      server <ip-of-slave> {
          keys { groupXX.net; };
      };
    2. Continue editing named.conf.local so that zone transfers to slave servers are allowed by the generated key instead of by IP address. For the domain `groupXX.net` the zone statement looks like this:
      zone "groupXX.net" {
          type master;
          file "db.groupXX.net";
          allow-transfer {
              // 192.168.30.XX;
              key groupXX.net;   // use the key for secure zone transfer
          };
      };
  3. Send the key out-of-band to your slave name server administrator so they can configure the slave name server to use the key. To do this:
    1. Copy the key to the slave server securely. For example, from server1 to server2:
      scp groupXX.net.key [email protected]:/home/apnic/
      mv /home/apnic/groupXX.net.key /etc/bind/
    2. Update the secondary server's `named.conf` to reflect the same changes as the primary:
      include "/etc/bind/groupXX.net.key";
      server <ip-of-master> {
          keys { groupXX.net; };
      };
  4. Run both the master and slave name servers and check whether zone transfers happen. For a successful transfer the slave's log looks like this:
    12-May-2016 17:30:34.147 zone groupXX.net/IN: Transfer started.
    12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: connected using 192.168.102.1#45052
    12-May-2016 17:30:34.147 zone groupXX.net/IN: transferred serial 201600201: TSIG 'ns1-ns2.groupXX'
    12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: Transfer status: success
    12-May-2016 17:30:34.147 transfer of 'groupXX.net/IN' from 192.168.1XX.1#53: Transfer completed: 1 messages, 10 records, 345 bytes, 0.001 secs (345000 bytes/sec)
    12-May-2016 17:30:34.147 zone groupXX.net/IN: sending notifies (serial 201600201)
  5. Zone transfers can also be tested with the dig command; try it both without and with the key.
    Example: Without the key, transfer is expected to fail.
    dig @192.168.30.XX groupXX.net axfr
    
    ; <<>> DiG 9.9.8-P4 <<>> @192.168.30.XX groupXX.net axfr
    ; (1 server found)
    ;; global options: +cmd
    ; Transfer failed.


    Example: with a key

    dig @server domain axfr -k <key_file>


    So for groupXX.net from slave server try the following:

    dig @192.168.30.XX groupXX.net axfr -k groupXX.net.key


    Note: If the time difference between master & slave is more than 3 minutes, the zone transfer will fail even if you have the correct key.
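As an added illustration (not part of the lab and not BIND's code), the following Python models what the shared key above protects: the TSIG MAC a requester computes over an AXFR query per RFC 8945, and the server-side checks that produce BADSIG (wrong or missing key) or BADTIME (clocks further apart than the fudge window, assumed to be 300 seconds here). The key name, secret and query are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values, not taken from the lab page.
KEY_NAME = "groupXX.net."
ALGORITHM = "hmac-sha256."   # tsig-keygen's default algorithm
SECRET = b"constructed-sample-secret"  # tsig-keygen prints the real one base64-encoded
FUDGE = 300                   # assumed server fudge window in seconds


def name_to_wire(name):
    """Encode a DNS name as uncompressed RFC 1035 labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def axfr_query(zone, msg_id=0x1234):
    """Minimal AXFR query: header (QDCOUNT=1, ARCOUNT=0) plus question type 252 class IN.
    ARCOUNT 0 is the value digested, since the TSIG RR itself is not counted."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + name_to_wire(zone) + struct.pack("!HH", 252, 1)


def tsig_variables(time_signed, fudge, error=0):
    """Digested TSIG RR fields (RFC 8945 section 4.3.3): key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other-len (0)."""
    return (name_to_wire(KEY_NAME) + struct.pack("!HI", 255, 0) + name_to_wire(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))


def tsig_mac(message, time_signed, fudge=FUDGE):
    """MAC placed in the request's TSIG RR: HMAC-SHA256 over message || TSIG variables."""
    return hmac.new(SECRET, message + tsig_variables(time_signed, fudge), hashlib.sha256).digest()


def verify_tsig(message, time_signed, fudge, mac, now=None):
    """Server-side checks in the order RFC 8945 lists them: signature, then clock skew."""
    if not hmac.compare_digest(tsig_mac(message, time_signed, fudge), mac):
        return "BADSIG"    # wrong or missing key: the client sees 'Transfer failed'
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return "BADTIME"   # right key, but clocks too far apart (the note above)
    return "ok"


if __name__ == "__main__":
    msg, signed_at = axfr_query("groupXX.net."), int(time.time())
    print(verify_tsig(msg, signed_at, FUDGE, tsig_mac(msg, signed_at)))
```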

bdnog11/netsec/bind-tsig.txt · Last modified: 2020/01/13 11:08 by Muhammad Moinur Rahman