How to use TSIG for DNS zone transfers

TSIG stands for Transaction SIGnature. It authenticates DNS messages with a shared HMAC secret and is usually used between a master and a slave server to protect zone transfers, but it can also be used for dynamic updates.

Step-1 First, generate the TSIG key (a shared secret) on the master DNS server.

[ root @ server1~ ]#   dnssec-keygen  -a  HMAC-MD5  -b  128  -n  HOST  secret.key

( this command generates two files, one ending in .private and one in .key; the names include the algorithm number and key id, as in Ksecret.key+157+50029 below )

[ root @ server1~ ]#  cat    Ksecret.key+157+50029.private

Private-key-format: v1.2

Algorithm:    157 (HMAC_MD5)

key:    cfepTknNESC4cSoup0e6pQ==

# Move the private key file to its final location

[ root @ server1~ ]#   mv    Ksecret.key+157+50029.private     /etc/transfer.key

# Now edit the file and replace its content with the following

[ root @ server1~ ]#    vim    /etc/transfer.key

// TSIG key shared by master and slave; named reads it through the include in named.conf.
// The name "secret.key" must match the key referenced by allow-transfer (master)
// and by the server/keys statement (slave).
key   "secret.key"   {

// hmac-md5 matches "-a HMAC-MD5" used by dnssec-keygen above. HMAC-MD5 is
// deprecated for TSIG; prefer hmac-sha256 when generating a new key.
algorithm    hmac-md5;

// The base64 "key:" value from the .private file. This is a shared HMAC secret,
// not a public key: keep this file readable only by root and the user named runs as,
// on both hosts.
secret "cfepTknNESC4cSoup0e6pQ==";

};

ESC :wq!

# Copy the key file from the master DNS server to the slave DNS server (scp carries it over SSH; the file holds the shared secret, so keep its permissions restrictive on both hosts)

[ root @ server1~ ]#   scp   /etc/transfer.key    192.168.0.2:/etc/transfer.key

 

Step-2  Now include the transfer.key file in the master DNS configuration file and restrict zone transfers to that key.

[ root @ server1~ ]#  vim   /etc/named.conf

 

// Pull in the TSIG key definition so it can be referenced below.
include   "/etc/transfer.key";

options {

        listen-on port 53 { 127.0.0.1; 192.168.0.1; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // NOTE(review): pinning the outgoing query port to 53 disables source-port
        // randomization, which weakens resistance to cache poisoning; dropping the
        // "port 53" clause lets named choose a random port.
        query-source    port 53;

        query-source-v6 port 53;

        allow-query    { localhost;  192.168.0.0/24; };

        // Only zone-transfer (AXFR/IXFR) requests signed with "secret.key" are served;
        // unsigned requests, including ones from 192.168.0.2, are refused.
       allow-transfer {  key   "secret.key";  };

};

.........

 

[root@server1~ ]#  chkconfig   named   on

[root@server1~ ]#  service    named    restart

 

 

Step-3 Now include the transfer.key file in the slave DNS server configuration and make it sign requests to the master with that key.

[ root @ server2~ ]#   vim   /etc/named.conf

 

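// Pull in the TSIG key definition so it can be referenced below.
include   "/etc/transfer.key";

// Sign every request sent to the master (notably AXFR/IXFR zone transfers) with
// "secret.key". named's config parser expects the statement "server" (singular)
// with a lower-case "keys" clause; "servers" / "Keys" are not recognised.
server 192.168.0.1  {

keys  {  "secret.key";  };

};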

 options {

        listen-on port 53 { 127.0.0.1; 192.168.0.2; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // NOTE(review): same caveat as on the master — a fixed source port disables
        // port randomization; prefer omitting the "port 53" clause here.
        query-source    port 53;

        query-source-v6 port 53;

        allow-query    { localhost; 192.168.0.0/24; };

        // NOTE(review): no allow-transfer is set on the slave, so transfers fall back
        // to named's default (historically "any"); add allow-transfer { none; } or
        // restrict it to the same key unless other secondaries must pull from this host.
};

............

 

[root@server2~ ]#  chkconfig   named   on

[root@server2~ ]#  service    named    restart

 

 

Cheers!