Secure Master Slave DNS transactions using TSIG

Having completed the master/slave configuration, we will now secure the transactions between the master and slave DNS servers. To achieve this we will use TSIG (Transaction SIGnature), which authenticates each DNS message with an HMAC computed over a secret shared by both servers.

Master DNS, 192.168.0.10, mns1.ns.mka.in
Slave DNS, 192.168.0.11, sns1.ns.mka.in

On the master DNS server

Generate a TSIG host key in the /etc/bind/corp/tsig directory:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key

This generates two files:

-rw------- 1 root bind 52 Aug 30 13:05 Krndc-key.+157+00458.key
-rw------- 1 root bind 165 Aug 30 13:05 Krndc-key.+157+00458.private

The .private file contains the key material together with some additional metadata:

Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: bAbXeukqCrgDDsoYEjtylw==
Bits: AAA=
Created: 20180830073520
Publish: 20180830073520
Activate: 20180830073520

We will use the Key value, bAbXeukqCrgDDsoYEjtylw==, as the shared secret for our secure master/slave setup. HMAC-MD5 is a legacy algorithm; BIND also supports hmac-sha256, which is the better choice for a new deployment.

Create the file /etc/bind/corp/tsig.key with the key name CORPTRANSFER. The server block tells named to sign messages it sends to the slave (such as NOTIFYs) with this key:

key "CORPTRANSFER" {
    algorithm hmac-md5;
    secret "bAbXeukqCrgDDsoYEjtylw==";
};
# Slave server IP
server 192.168.0.11 {
    keys {
        CORPTRANSFER;
    };
};

Include the key file in /etc/bind/named.conf:

include "/etc/bind/corp/tsig.key";

and add the following line to the options block in /etc/bind/named.conf.options, so that zone transfers are only served to clients whose requests are signed with this key:

allow-transfer { key CORPTRANSFER; };

Restart BIND:

root@mns1:/etc/bind/corp# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@mns1:/etc/bind/corp#

In /var/log/daemon.log you will see transfer and notify messages authenticated with the TSIG key CORPTRANSFER (named logs key names in lower case):

Aug 31 08:50:25 mns1 named[7420]: client 10.91.118.29#52521/key corptransfer (test.mka.in): transfer of 'test.mka.in/IN': AXFR-style IXFR started: TSIG corptransfer (serial 7)
Aug 31 08:50:25 mns1 named[7420]: client 10.91.118.29#52521/key corptransfer (test.mka.in): transfer of 'test.mka.in/IN': AXFR-style IXFR ended
Aug 31 08:50:26 mns1 named[7420]: client 10.91.118.29#35898/key corptransfer: received notify for zone 'test.mka.in': TSIG 'corptransfer'
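With allow-transfer restricted to the key, an unsigned request should be refused, so any transfer that started without "TSIG corptransfer" points at a misconfiguration. The following script, added here as an example and not part of the original page, parses the master-side transfer lines shown above and flags transfers that were unsigned or signed with an unexpected key; the sample log lines other than the two taken from the page are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the master-side "transfer ... started" lines named writes to
# daemon.log. The "/key NAME" and ": TSIG NAME" parts are absent when the
# client requested the zone without signing the request.
TRANSFER_START = re.compile(
    r"named\[\d+\]: client (?P<client>[\d.]+)#(?P<port>\d+)"
    r"(?:/key (?P<keyname>\S+))? \((?P<qname>[^)]+)\): "
    r"transfer of '(?P<zone>[^']+)/IN': "
    r"(?P<kind>AXFR-style IXFR|AXFR|IXFR) started"
    r"(?:: TSIG (?P<tsig>\S+))?"
)

@dataclass
class TransferStart:
    client: str
    zone: str
    tsig_key: Optional[str]   # None when the request was unsigned

def parse_transfer_starts(lines: List[str]) -> List[TransferStart]:
    """Extract every outbound zone transfer start event from named log lines."""
    events = []
    for line in lines:
        m = TRANSFER_START.search(line)
        if m:
            events.append(TransferStart(m["client"], m["zone"], m["tsig"]))
    return events

def unauthorised_transfers(lines: List[str], expected_key: str) -> List[TransferStart]:
    """Transfers that were unsigned or signed with a key other than expected_key."""
    # named logs key names in lower case (CORPTRANSFER appears as 'corptransfer'),
    # so the comparison is case-insensitive.
    return [
        t for t in parse_transfer_starts(lines)
        if t.tsig_key is None or t.tsig_key.lower() != expected_key.lower()
    ]

# Constructed sample: two lines from the page, then an invented unsigned transfer
# and an invented transfer signed with a key that is not CORPTRANSFER.
SAMPLE_LOG = [
    "Aug 31 08:50:25 mns1 named[7420]: client 10.91.118.29#52521/key corptransfer (test.mka.in): transfer of 'test.mka.in/IN': AXFR-style IXFR started: TSIG corptransfer (serial 7)",
    "Aug 31 08:50:25 mns1 named[7420]: client 10.91.118.29#52521/key corptransfer (test.mka.in): transfer of 'test.mka.in/IN': AXFR-style IXFR ended",
    "Aug 31 09:12:01 mns1 named[7420]: client 192.0.2.55#40111 (test.mka.in): transfer of 'test.mka.in/IN': AXFR started (serial 7)",
    "Aug 31 09:14:37 mns1 named[7420]: client 192.0.2.77#51000/key oldkey (test.mka.in): transfer of 'test.mka.in/IN': AXFR started: TSIG oldkey (serial 7)",
]

if __name__ == "__main__":
    for t in unauthorised_transfers(SAMPLE_LOG, "CORPTRANSFER"):
        print(f"ALERT: {t.client} pulled {t.zone} with key {t.tsig_key or 'none'}")
```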

On the slave server

Create the file /etc/bind/corp/tsig.key with the same key name CORPTRANSFER and the same secret; the server block makes the slave sign its requests to the master with this key:

key "CORPTRANSFER" {
    algorithm hmac-md5;
    secret "bAbXeukqCrgDDsoYEjtylw==";
};
# Master server IP
server 192.168.0.10 {
    keys { CORPTRANSFER; };
};

Include the key file in /etc/bind/named.conf by adding the following line:

include "/etc/bind/corp/tsig.key";

Restart BIND:

root@sns1:/etc/bind/corp# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@sns1:/etc/bind/corp#

In the logs (tail -f /var/log/daemon.log) you will see the zone transfer messages authenticated with the TSIG key CORPTRANSFER:

Aug 31 08:50:26 sns1 named[5111]: zone test.mka.in/IN: Transfer started.
Aug 31 08:50:26 sns1 named[5111]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: connected using 10.91.118.29#52521
Aug 31 08:50:26 sns1 named[5111]: zone test.mka.in/IN: transferred serial 7: TSIG 'corptransfer'
Aug 31 08:50:26 sns1 named[5111]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer status: success
Aug 31 08:50:26 sns1 named[5111]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer completed: 1 messages, 16 records, 505 bytes, 0.002 secs (252500 bytes/sec)
Aug 31 08:50:26 sns1 named[5111]: zone test.mka.in/IN: sending notifies (serial 7)