BIND TRANSFER SECURITY
----------------------

We're going to limit zone transfer of your zones so that only your
secondary/slave nameservers are allowed to request copies of the zones.

ACL based security
------------------

To start with, we'll enable IP based ACLs -- on the AUTH1 host:

1. Start by editing /etc/namedb/named.conf, and in the "options" section,
   define who is allowed to transfer your zone:

      allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };

   ... replacing "YOUR_OWN_IP" with the IP of your machine :)

   Now we need to define the ACL "myslaves". To do so, AFTER the options
   section (find the '};' symbol at the end of the section), add something
   similar to this (if the slaves for your "MYTLD" domain are auth2.grp25
   and auth2.grp26, for example):

      acl myslaves { 10.10.25.2; 10.10.26.2; }; // ACL with IPs of the group 25/26 slave servers

   This means "myslaves is an ACL consisting of the IPs 10.10.25.2 and
   10.10.26.2".

   NOTE: remember to enter the correct values! You must write the IPs of the
   machines in the class that are your secondaries - remember!

2. Restart named

      $ sudo service named restart

3. Make sure that you didn't break the zone transfer, by getting your slave
   partners to run a zone transfer against YOUR machine. From those servers:

      $ dig @auth1.grpX.dns.nsrc.org MYTLD axfr

   Make sure that it still works.

4. Now ask someone else in the class whose server is NOT in the ACL to try
   the same axfr command as above.

   Q: Do they succeed?
   Q: What do you see in the logs in /etc/namedb/log/general?
      What do you see in the logs in /etc/namedb/log/transfers?

TSIG KEY based security
-----------------------

Instead of using IP addresses, we'll now be using cryptographic keys to
authenticate zone transfers -- this uses TSIG, a mechanism by which the
communication between the master and slave server is authenticated using
this shared key.

1. Run:

      $ cd /tmp/
      $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.key

   You will see something similar to this:

      Kmydomain.key.+157+32373

   (the last number will change)

   Two files have been created:

      $ ls -l K*
      Kmydomain.key.+157+32373.key
      Kmydomain.key.+157+32373.private

2. View the contents of the private key

      $ cat Kmydomain.key.+157+32373.private

   You will see something similar to:

      Private-key-format: v1.2
      Algorithm: 157 (HMAC_MD5)
      Key: tHTRSKKrmyGmPnzNCf2IRA==
      Bits: AAA=

   ... the "Key:" line is the important bit here, so copy
   "tHTRSKKrmyGmPnzNCf2IRA==" -- but of course not the one above, the one
   in YOUR file :) We will use this in the next steps.

3. Modify your named.conf

      $ cd /etc/namedb/

   Edit the file, and change the allow-transfer statement so that it looks
   like this:

      options {
          ...
          allow-transfer { 127.0.0.1; ::1; }; // myslaves is removed!
          ...
      };

   Note: we have removed "myslaves".

   Now, after the options (or at the bottom of the file), add a new
   declaration for the key:

      key "mydomain-key" {
          algorithm hmac-md5;
          secret "tHTRSKKrmyGmPnzNCf2IRA=="; // Your REAL key goes here!
      };

   Don't forget to replace "mydomain" by the name of your domain!

   Change the definition for your zone:

      zone "MYTLD" {
          type master;
          file "/etc/namedb/master/mytld";
          allow-transfer { key mydomain-key; }; // <-- Add this!
      };

   As you can see above, we've added an "allow-transfer" statement allowing
   transfer of the zone for holders of the "mydomain-key".

   Note: the allow-transfer is now placed INSIDE the zone definition, and
   not globally inside the options section -- BIND can control zone
   transfer either globally, or per zone. We could have chosen to allow
   transfers GLOBALLY (for all zones), by leaving the allow-transfer
   statement in the main "options" section.

4. Restart named

      $ sudo service named restart

5. Try and make a zone transfer from ANOTHER machine -- ask your neighbors
   to do:

      $ dig @10.10.XX.1 MYTLD axfr

   Look at /etc/namedb/log/general and /etc/namedb/log/transfers

   Q: What do you notice?

6. Then, ask them to try again with the key:

      $ dig @10.10.XX.1 axfr mydomain -y mydomain-key:tHTRSKKrmyGmPnzNCf2IRA==

   Q: What happens now?

   Check the logs again, especially /etc/namedb/log/transfers

7. Now, do the setup for your NSD "auth2" server ... since you have disabled
   IP ACLs, your AUTH2 NSD server is no longer able to get the zone!

   Read the NSD manual page (man nsd.conf) if you are in doubt about how to
   specify the key format in NSD for zone transfers.

   Update the "zone:" definition for MYTLD, so that it now uses a KEY
   instead of NOKEY to transfer the zone from your MASTER (auth1). After
   that, you will need to run "nsdc restart".

   Does the zone get transferred? Remember to check the logs on the MASTER
   (auth1) as well!
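To see what the "-y mydomain-key:..." option actually puts on the wire, and what the master checks before allowing the AXFR, here is an added example (not part of the exercise, and not BIND's or dig's code) that builds an AXFR query, signs it with the exercise's HMAC-MD5 key exactly as TSIG (RFC 2845) specifies, and verifies the signature on the receiving side, including the time window given by the fudge value. The key name and secret are the constructed values from the text above; substitute your own.

```python
import base64, hmac, hashlib, struct

KEY_NAME = "mydomain-key"                         # constructed: matches the exercise text
SECRET = base64.b64decode("tHTRSKKrmyGmPnzNCf2IRA==")  # constructed: use YOUR .private key
ALG = "hmac-md5.sig-alg.reg.int"                  # TSIG algorithm name for hmac-md5

def wire_name(name):
    """Domain name in canonical (lowercase, uncompressed) wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def skip_name(buf, pos):
    """Return the offset just past an uncompressed wire-format name starting at pos."""
    while buf[pos]:
        pos += buf[pos] + 1
    return pos + 1

def build_axfr_query(zone, qid=0x1234):
    """Header + one question (QTYPE 252 = AXFR, QCLASS IN), no other sections."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(msg, time_signed, fudge):
    """HMAC-MD5 over the unsigned message plus the TSIG variables (RFC 2845 3.4)."""
    variables = (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)          # class ANY, TTL 0
                 + wire_name(ALG) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", 0, 0))                                # error 0, other len 0
    return hmac.new(SECRET, msg + variables, hashlib.md5).digest()

def sign(msg, time_signed, fudge=300):
    """Append the TSIG RR (type 250) and bump ARCOUNT, as dig -y does for the query."""
    mac = tsig_mac(msg, time_signed, fudge)
    rdata = (wire_name(ALG) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + msg[0:2] + struct.pack("!HH", 0, 0))
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, now):
    """Master-side check of a signed one-question query: True only if MAC and time window are good."""
    end_q = skip_name(signed, 12) + 4                    # end of the question section
    p = skip_name(signed, end_q)                         # past the TSIG owner name (key name)
    rtype = struct.unpack("!H", signed[p:p + 2])[0]
    p += 10                                              # TYPE, CLASS, TTL, RDLENGTH
    alg_end = skip_name(signed, p)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    time_signed = (hi << 32) | lo
    if rtype != 250 or abs(now - time_signed) > fudge:   # BADTIME: replayed or stale request
        return False
    arcount = struct.unpack("!H", signed[10:12])[0] - 1  # MAC covered the message before the TSIG RR
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:end_q]
    return hmac.compare_digest(mac, tsig_mac(unsigned, time_signed, fudge))
```

A request with a wrong or missing key fails the MAC comparison and is what the master logs as a refused transfer; a correctly signed request older than the fudge window is refused as well.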