BIND TRANSFER SECURITY
----------------------

We're going to limit zone transfer of your zones so that only your
secondary/slave nameservers are allowed to request copies of the zones.

ACL based security
------------------

To start with, we'll enable IP based ACLs -- on the MASTER host:

1. Start by editing /etc/namedb/named.conf, and in the "options" section,
   let's define who is allowed to transfer your zone:

       allow-transfer { 127.0.0.1; ::1; myslaves; };

   Now we need to define the ACL "myslaves". To do so, AFTER the options
   section (find the '};' symbol at the end of the section), add something
   similar to this (if the slave for your "MYTLD" domain is master.grp25,
   for example):

       acl myslaves { 10.10.25.1; 10.10.X.3; };   // ACL with IP of Group25 master

   This means "myslaves is an ACL consisting of the IP 10.10.25.1, and your
   NSD secondary 10.10.25.3".

2. Restart named:

       # /etc/rc.d/named restart

3. Make sure that you didn't break the zone transfer by asking your slave
   partner to run a zone transfer against YOUR machine. From their server:

       # dig @master.grpX.ws.nsrc.org MYTLD axfr

4. Now ask someone else who is NOT in the ACL to try the same axfr command
   as above.

   Q: Do they succeed?
   Q: What do you see in the logs in /etc/namedb/log/transfers?

KEY based security
------------------

Instead of using IP addresses, we'll now be using cryptographic keys to
authenticate zone transfers -- this uses TSIG, a mechanism by which the
communication between the master and slave server is authenticated using
this key.

1. Run:

       # cd /tmp/
       # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.key

   You will see something like:

       Kmydomain.key.+157+32373

   (the last number will change)

   Two files have been created:

       # ls -l K*
       Kmydomain.key.+157+32373.key
       Kmydomain.key.+157+32373.private

2. View the contents of the private key:

       # cat Kmydomain.key.+157+32373.private

   You will see something similar to:

       Private-key-format: v1.2
       Algorithm: 157 (HMAC_MD5)
       Key: tHTRSKKrmyGmPnzNCf2IRA==
       Bits: AAA=

   ... the "Key:" line is the important part here, so copy
   "tHTRSKKrmyGmPnzNCf2IRA==" (not THIS one, the one in YOUR file :)

3. Modify your named.conf:

       # cd /etc/namedb/

   Edit the file, and change the allow-transfer statement so that it looks
   like this:

       options {
           ...
           allow-transfer { 127.0.0.1; ::1; };   // myslaves is removed!
           ...
       };

   Note: We have removed "myslaves".

   Now, after the options (or at the bottom of the file), add a new
   declaration for the key:

       key "mydomain-key" {
           algorithm hmac-md5;
           secret "tHTRSKKrmyGmPnzNCf2IRA==";
       };

   Change the definition for your zone:

       zone "MYTLD" {
           type master;
           ...
           allow-transfer { key mydomain-key; };   // <-- Add this!
       };

   As you can see above, we've added an "allow-transfer" statement allowing
   transfer of the zone for holders of the "mydomain-key". Note that the
   allow-transfer is now placed INSIDE the zone definition, and not globally
   inside the options section -- BIND can control zone transfer either
   globally, or by zone.

4. Restart named:

       # /etc/rc.d/named restart

5. Try and make a zone transfer from ANOTHER machine -- ask your neighbours:

       # dig @10.10.XX.1 MYTLD axfr

   Look at /etc/namedb/logs/general and /etc/namedb/logs/transfers.

   Q: What do you notice?

6. Try again with the key:

       # dig @10.10.XX.1 MYTLD axfr -y mydomain-key:tHTRSKKrmyGmPnzNCf2IRA==

   Q: What happens now?

   Check the logs again, especially /etc/namedb/log/transfers.

7. On your slave: start by deleting the copy of the slave zone.

   - Remove the zone from /etc/namedb/slave/MYTLD -- remember, this is on
     the machine of your SLAVE partner:

         # rm /etc/namedb/slave/MYTLD

   - Restart named:

         # /etc/rc.d/named restart

   Check that the zone is gone AND that the slave wasn't able to reload it.

   Q: What do you see in the MASTER logs (transfers and general)?
   Q: What do you see in the SLAVE logs (transfers and general)?

8. Still on the SLAVE: find the statement for the zone:

       zone "MYTLD" {
           type slave;
           masters { 10.10.XX.1; };
           file "slave/mydomain.dns";
       };

   ... and add the key, and a statement to tell which key to use when
   talking to "10.10.XX.1" (the master):

       key mydomain-key {
           algorithm hmac-md5;
           secret "tHTRSKKrmyGmPnzNCf2IRA==";
       };

       server 10.10.XX.1 {
           keys { mydomain-key; };
       };

9. Restart named:

       # /etc/rc.d/named restart

   On the SLAVE server:

   Q: Is the zone "MYTLD" back in the slave/ directory?
   Q: What do you see in the MASTER logs (transfers and general)?
   Q: What do you see in the SLAVE logs (transfers and general)?

Can you see a general benefit from using keys instead of IP ACLs?
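A small audit script for the global-versus-per-zone allow-transfer point made in step 3 of the KEY section, added here as an example and not part of the original exercise: it reads named.conf text, applies BIND's rule that a zone-level allow-transfer overrides the one in options, and reports which zones are open to any AXFR client, restricted by IP or key, or left without any statement at all. The named.conf fragment and the key secret inside it are constructed placeholders.

```python
import re

# Constructed named.conf fragment for this demo; the secret is a placeholder, not a real key.
SAMPLE_CONF = """\
options { allow-transfer { 127.0.0.1; ::1; }; };
key "mydomain-key" { algorithm hmac-md5; secret "CONSTRUCTED-PLACEHOLDER=="; };
zone "mytld" {
    type master;
    allow-transfer { key mydomain-key; };   // per-zone statement overrides options
};
zone "open.test" { type master; allow-transfer { any; }; };
zone "inherit.test" { type master; };
"""

def top_level_blocks(conf):
    """Split named.conf text into (header, body) per top-level statement, counting braces per line."""
    blocks, depth, header, body = [], 0, "", []
    for line in conf.splitlines():
        s = line.strip()
        if depth == 0:
            if "{" not in s:
                continue  # blank line or a brace-less statement such as include
            header, rest = (p.strip() for p in s.split("{", 1))
            body = [rest.rsplit("}", 1)[0] if s.count("{") == s.count("}") else rest]  # one-line block
        else:
            body.append(s)
        depth += s.count("{") - s.count("}")
        if depth == 0:
            blocks.append((header, "\n".join(body)))
    return blocks

def allow_transfer(body):
    """Return the allow-transfer address-match list of one block, or None if it has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if not m else [i.strip() for i in m.group(1).split(";") if i.strip()]

def audit(conf):
    """Zone name -> (acl, source, verdict): zone-level allow-transfer beats options-level; neither = 'unset'."""
    blocks = top_level_blocks(conf)
    global_acl = next((allow_transfer(b) for h, b in blocks if h == "options"), None)
    report = {}
    for header, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', header)
        if m:
            acl, source = allow_transfer(body), "zone"
            if acl is None:
                acl, source = global_acl, ("options" if global_acl is not None else "default")
            verdict = "unset" if acl is None else ("open" if "any" in acl else "restricted")
            report[m.group(1)] = (acl, source, verdict)
    return report
```

Run it against your own file with audit(open("/etc/namedb/named.conf").read()); the parser is deliberately minimal and does not follow include statements, so a zone reported as "unset" should be given an explicit allow-transfer rather than left to whatever default your BIND version applies.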