Lab Exercise 4 – TSIG for Secure Zone Transfer


Be able to secure zone transfers between master and slave name servers using TSIG keys.


  1. On the master server, generate a TSIG key with the tsig-keygen command in the /etc/bind directory:
    tsig-keygen >> /etc/bind/

    Check that this created the key file:

    ls -la /etc/bind/

    Note: Make sure that the key name is as descriptive as possible. In our example, the chosen name shows that it is for the domain `` and that the TSIG key is exchanged between `ns1` (the primary server) and `ns2` (the secondary server).

  2. Update the primary server’s `named.conf.local` with this key.
    1. Edit named.conf.local and add the include statement, followed by a server statement that tells named to sign traffic to the slave with the key:
      include "/etc/bind/";
      server <ip-of-slave> {
      	keys { ns.groupXX; };
      };
    2. Continue editing named.conf.local to allow zone transfer from the slave servers with the generated key instead of IP addresses. So for the domain `` the zone statement looks like this:
      zone "" {
      	type master;
      	file "";
      	allow-transfer {
      		key;   //use keys for secure zone transfer
      	};
      };
  3. Send the key out of band to your slave name server administrator so that they can configure their slave name server to use the key. To do this:
    1. Copy the key to the slave server securely. For example, from server1 to server2:
      scp <user>@<ip-of-master>:/home/apnic/
      mv /home/apnic/ /etc/bind/
    2. Update the secondary server’s `named.conf` to reflect the same changes as on the primary:
      include "/etc/bind/";
      server <ip-of-master> {
      	keys {; };
      };
  4. Run both the master and slave name servers and check that zone transfers happen. For a successful transfer, the slave's log will look like this:
    12-May-2016 17:30:34.147 zone Transfer started.
    12-May-2016 17:30:34.147 transfer of '' from 192.168.1XX.1#53: connected using
    12-May-2016 17:30:34.147 zone transferred serial 201600201: TSIG 'ns1-ns2.groupXX'
    12-May-2016 17:30:34.147 transfer of '' from 192.168.1XX.1#53: Transfer status: success
    12-May-2016 17:30:34.147 transfer of '' from 192.168.1XX.1#53: Transfer completed: 1 messages, 10 records, 345 bytes, 0.001 secs (345000 bytes/sec)
    12-May-2016 17:30:34.147 zone sending notifies (serial 201600201)
  5. Zone transfer can also be tested with the dig command; try it both without and with the key.
    Example: without the key, the transfer is expected to fail.
    dig @192.168.30.XX axfr
    ; <<>> DiG 9.9.8-P4 <<>> @192.168.30.XX axfr
    ; (1 server found)
    ;; global options: +cmd
    ; Transfer failed.

    Example: with a key

    dig @server domain axfr -k <key_file>

    So for from the slave server, try the following:

    dig @192.168.30.XX axfr -k

    Note: If the clocks of the master and slave differ by more than 3 minutes, the zone transfer will fail even if you have the correct key, because the TSIG signature carries the signing time and the receiver rejects it if it falls outside the allowed window.
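The following Python model, added here as an illustration and not part of the lab or of BIND's own code, shows what the two name servers do with the shared key in steps 1 to 5: the sender computes an HMAC over the DNS message plus the TSIG variables (key name, algorithm, signing time, fudge) as laid out in RFC 8945, and the receiver checks the key name, the MAC and the time window in that order, which is why an unknown key, a wrong secret and a clock skew each fail differently. The key name `ns1-ns2.groupXX` is taken from the log above; the message bytes, the timestamp and the 300-second fudge are constructed assumptions for the demo, and `demo()` is a hypothetical driver, not something the lab runs.

```python
import base64
import hashlib
import hmac
import os
import struct

# TSIG algorithm name, carried inside the signature as a DNS name (RFC 8945).
ALGORITHM = "hmac-sha256."


def wire_name(name):
    """Encode a DNS name in uncompressed wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def keygen(name, nbytes=32):
    """Produce a key record the way tsig-keygen does: a name plus a base64 secret."""
    return {"name": name, "secret": base64.b64encode(os.urandom(nbytes)).decode()}


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)        # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")    # 48-bit seconds since the epoch
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(message, key, now, fudge=300):
    """Sign an outgoing DNS message: MAC = HMAC(secret, message || TSIG variables)."""
    secret = base64.b64decode(key["secret"])
    covered = message + tsig_variables(key["name"], now, fudge)
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    return {"key_name": key["name"], "time_signed": now, "fudge": fudge, "mac": mac}


def verify(message, tsig, keys, now):
    """Verify a received TSIG in the order RFC 8945 section 5.2 prescribes.

    keys maps a canonical key name to its key record, like named's key {} statements.
    Returns the TSIG error name that named would report."""
    key = keys.get(tsig["key_name"].lower().rstrip("."))
    if key is None:
        return "BADKEY"      # the receiver has no key of that name configured
    secret = base64.b64decode(key["secret"])
    covered = message + tsig_variables(tsig["key_name"], tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(secret, covered, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"      # the name matched but the secret did not
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"     # clocks differ by more than the fudge window
    return "NOERROR"


def demo():
    """Run the cases a lab participant is likely to hit; returns case -> result."""
    # Constructed stand-in for the bytes of an AXFR request; not a real DNS packet.
    message = b"constructed AXFR request for the lab zone"
    shared = keygen("ns1-ns2.groupXX")          # generated on ns1, copied to ns2
    slave_keys = {"ns1-ns2.groupxx": shared}     # what ns2's named.conf declares
    now = 1463074234                             # constructed Unix time in May 2016
    results = {}
    results["correct key"] = verify(message, sign(message, shared, now), slave_keys, now)
    results["unknown key name"] = verify(
        message, sign(message, keygen("other.groupXX"), now), slave_keys, now)
    wrong = {"name": shared["name"], "secret": keygen("x")["secret"]}
    results["same name, wrong secret"] = verify(message, sign(message, wrong, now), slave_keys, now)
    # Slave clock 400 s ahead of the master: outside the 300 s fudge window.
    results["clock skew of 400 s"] = verify(message, sign(message, shared, now), slave_keys, now + 400)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```

The check order matters for diagnosis: a BADKEY means the slave's named.conf does not declare a key with the name the master used, BADSIG means the names agree but the copied secret differs (typically a copy or paste error in step 3), and BADTIME only appears once both of those pass, which is the situation the note above describes.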

