<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta name="generator" content="pandoc" />
<title>Enabling transfer security using TSIG - part II</title>
<style type="text/css">code{white-space: pre;}</style>
<link href="data:text/css;charset=utf-8,%0A%0A%0A%0Adiv%23header%2C%20header%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%2Etitle%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%2Eauthor%2C%20%2Edate%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%40media%20print%0A%7B%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0A%0Ah1%2C%20h2%2C%20h3%2C%20h4%2C%20h5%2C%20h6%0A%7B%0Afont%2Dfamily%3A%20%22Helvetica%20Neue%22%2C%20Helvetica%2C%20%22Liberation%20Sans%22%2C%20Calibri%2C%20Arial%2C%20sans%2Dserif%3B%20%0A%0Apage%2Dbreak%2Dafter%3A%20avoid%3B%20%0A%7D%0A%0Adiv%20div%2C%20section%20section%20%0A%7B%0Amargin%2Dleft%3A%202em%3B%20%0A%7D%0Ap%20%7B%7D%0Ablockquote%0A%7B%20font%2Dstyle%3A%20italic%3B%0A%7D%0Ali%20%0A%7B%0A%7D%0Ali%20%3E%20p%20%0A%7B%0Amargin%2Dtop%3A%201em%3B%20%0A%7D%0Aul%20%0A%7B%0A%7D%0Aul%20li%20%0A%7B%0A%7D%0Aol%20%0A%7B%0A%7D%0Aol%20li%20%0A%7B%0A%7D%0Ahr%20%7B%7D%0A%0Asub%20%0A%7B%0A%7D%0Asup%20%0A%7B%0A%7D%0Aem%20%0A%7B%0A%7D%0Aem%20%3E%20em%20%0A%7B%0Afont%2Dstyle%3A%20normal%3B%0A%7D%0Astrong%20%0A%7B%0A%7D%0A%0Aa%20%0A%7B%0A%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0A%40media%20screen%0A%7B%0Aa%3Ahover%0A%7B%0A%0Atext%2Ddecoration%3A%20underline%3B%0A%7D%0A%7D%0A%40media%20print%0A%7B%0Aa%20%7B%0A%0Acolor%3A%20black%3B%0Abackground%3A%20transparent%3B%0A%7D%0Aa%5Bhref%5E%3D%22http%3A%2F%2F%22%5D%3Aafter%2C%20a%5Bhref%5E%3D%22https%3A%2F%2F%22%5D%3Aafter%0A%7B%0A%0Acontent%3A%20%22%20%28%22%20attr%28href%29%20%22%29%20%22%3B%0Afont%2Dsize%3A%2090%25%3B%0A%7D%0A%7D%0A%0Aimg%0A%7B%0A%0Avertical%2Dalign%3A%20middle%3B%0A%7D%0Adiv%2Efigure%20%0A%7B%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0Atext%2Dalign%3A%20center%3B%0Afont%2Dstyle%3A%20italic%3B%0A%7D%0Ap%2Ecaption%20%0A%7B%0A%0A%7D%0A%0Apre%2C%20code%20%7B%0Abackground%2Dcolor%3A%20%23fdf7ee%3B%0A%0A%0A%0Awhite%2Dspace%3A%20pre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Dmoz%2Dpre%2Dwrap%20%21important%3B%20%0Awhite%2Dspace%3A%20%2Dpre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Do%2Dpre%2Dwrap%3B%20%0Aword%2Dwrap%3A%20break%2Dword%3B%20%0A%0A%7D%0Apre%20%0A%7B%0A%0Apadding%3A%200%2E5em%3B%20%0Aborder%2Dradius%3A%205px%3B%20%0A%0Aborder%3A%201px%20solid%20%23aaa%3B%0A%0Amargin%2Dleft%3A%200%2E5em%3B%0Amargin%2Dright%3A%200%2E5em%3B%0A%7D%0A%40media%20screen%0A%7B%0Apre%0A%7B%0A%0Awhite%2Dspace%3A%20pre%3B%0Aoverflow%3A%20auto%3B%0A%0Aborder%3A%201px%20dotted%20%23777%3B%0A%7D%0A%7D%0Acode%20%0A%7B%0A%7D%0Ap%20%3E%20code%2C%20li%20%3E%20code%20%0A%7B%0A%0Apadding%2Dleft%3A%202px%3B%0Apadding%2Dright%3A%202px%3B%0A%7D%0Ali%20%3E%20p%20code%20%0A%7B%0A%0Apadding%3A%202px%3B%0A%7D%0A%0Aspan%2Emath%20%0A%7B%0A%0A%7D%0Adiv%2Emath%20%0A%7B%0A%7D%0Aspan%2ELaTeX%20%0A%7B%0A%7D%20eq%20%0A%7B%0A%7D%20%0A%0Atable%0A%7B%0Aborder%2Dcollapse%3A%20collapse%3B%0Aborder%2Dspacing%3A%200%3B%20%0Aborder%2Dbottom%3A%202pt%20solid%20%23000%3B%0Aborder%2Dtop%3A%202pt%20solid%20%23000%3B%20%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0A%7D%0Athead%20%0A%7B%0Aborder%2Dbottom%3A%201pt%20solid%20%23000%3B%0Abackground%2Dcolor%3A%20%23eee%3B%20%0A%7D%0Atr%2Eheader%20%0A%7B%0A%7D%20tbody%20%0A%7B%0A%7D%0A%0Atr%20%7B%0A%7D%0Atr%2Eodd%3Ahover%2C%20tr%2Eeven%3Ahover%20%0A%7B%0Abackground%2Dcolor%3A%20%23eee%3B%0A%7D%0A%0Atr%2Eodd%20%7B%7D%0Atr%2Eeven%20%7B%7D%0Atd%2C%20th%20%0A%7B%20vertical%2Dalign%3A%20top%3B%20%0Avertical%2Dalign%3A%20baseline%3B%20%0Apadding%2Dleft%3A%200%2E5em%3B%0Apadding%2Dright%3A%200%2E5em%3B%0Apadding%2Dtop%3A%200%2E2em%3B%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0A%0Ath%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%20%7D%0Atfoot%20%0A%7B%0A%7D%0Acaption%20%0A%7B%0Acaption%2Dside%3A%20top%3B%0Aborder%3A%20none%3B%0Afont%2Dsize%3A%200%2E9em%3B%0Afont%2Dstyle%3A%20italic%3B%0Atext%2Dalign%3A%20center%3B%0Amargin%2Dbottom%3A%200%2E3em%3B%20%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0Adl%20%0A%7B%0Aborder%2Dtop%3A%202pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0Aborder%2Dbottom%3A%202pt%20solid%20black%3B%0A%7D%0Adt%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%0A%7D%0Add%2Bdt%20%0A%7B%0Aborder%2Dtop%3A%201pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0A%7D%0Add%20%0A%7B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0Add%2Bdd%20%0A%7B%0Aborder%2Dtop%3A%201px%20solid%20black%3B%20%0A%7D%0A%0Aa%2Efootnote%2C%20a%2EfootnoteRef%20%7B%20%0Afont%2Dsize%3A%20small%3B%20vertical%2Dalign%3A%20text%2Dtop%3B%0A%7D%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%7D%0A%40media%20print%0A%7B%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0Adiv%2Efootnotes%20%0A%7B%0A%7D%0Adiv%2Efootnotes%20li%5Bid%5E%3D%22fn%22%5D%20%0A%7B%0A%7D%0A%0A%40media%20print%0A%7B%0A%2Enoprint%0A%7B%0Adisplay%3Anone%3B%0A%7D%0A%7D%0A" rel="stylesheet" type="text/css" />
</head>
<body>
<h1 id="enabling-transfer-security-using-tsig---part-ii">Enabling transfer security using TSIG - part II</h1>
<p>Now we have the key installed, and the master only allows transfers of the zone to requests signed with it.</p>
<p>A couple of observations:</p>
<ul>
<li>you can't do a zone transfer using <code>dig</code> anymore: a plain, unsigned AXFR request no longer matches <code>allow-transfer</code>, so the master refuses it;</li>
<li>can your partner still do a zone transfer? Their slave does not have the key yet, so it cannot sign its requests either.</li>
</ul>
<p>Ask your partner to attempt a zone transfer of your zone from THEIR machine. Does it work? What do you see in <code>/var/log/bind/general</code>? Expect an entry saying the transfer was denied, together with your partner's IP address.</p>
---|
<h2 id="using-dig-with-a-tsig-key">Using dig with a TSIG key</h2>
<p>We can get zone transfers working with <code>dig</code> again if we tell <code>dig</code> which key to sign the request with. The <code>-y</code> option takes <code>[algorithm:]name:secret</code>; if the algorithm is left out, <code>dig</code> assumes <code>hmac-md5</code>, which is what our key was generated with.</p>
<p>Try this, but:</p>
<ul>
<li>replace <code>myzone</code> with YOUR zone,</li>
<li><code>hostX-key</code> -&gt; YOUR key name, exactly as it appears in the <code>key</code> statement: the name is sent along with the request and the server looks the key up by it,</li>
<li><code>Wup...LejA=</code> -&gt; YOUR base64 secret.</li>
</ul>
<p>For example:</p>
<pre><code>dig @localhost axfr myzone -y hostX-key:Wup...LejA=</code></pre>
<p>If everything goes well, you should be able to transfer the zone...</p>
<p>Check <code>/var/log/bind/transfers</code> - what does it say (use <code>tail</code>)? One caveat: the secret you just typed is now in your shell history, and was visible to every other user on the box in <code>ps</code> while <code>dig</code> ran. Outside this lab, put the <code>key</code> statement in a file and hand it to <code>dig</code> with <code>-k</code> instead.</p>
<p>Now you can tell your partner to try it from THEIR machine - but you will need to communicate the KEY to your partner - it's too long to type!</p>
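<p>What <code>dig -y</code> does under the hood, and why the two observations above come out the way they do, as an added example that is not part of the original lab and is neither BIND's nor <code>dig</code>'s code: a stdlib-only Python script that builds an AXFR request for <code>myzone</code>, signs it the way RFC 8945 describes with an HMAC-MD5 TSIG key, and then verifies it the way the master does. The key name <code>host25-key</code>, the secret and the query ID are constructed for the example. Running it shows the outcomes you will meet in the logs: an unsigned request, a request signed under a key name the master does not know (BADKEY), a request signed with the wrong secret (BADSIG), and a request whose timestamp is outside the fudge window (BADTIME).</p>

```python
# Added example: TSIG (RFC 8945) request signing and verification in plain Python, stdlib only.
# Key name, secret and query ID are constructed; this is neither BIND's nor dig's code.
import base64, hashlib, hmac, struct, time

TSIG_TYPE, CLASS_ANY, AXFR = 250, 255, 252
ALGORITHMS = {                      # algorithm name as sent on the wire, and the hash behind it
    "hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
    "hmac-sha256": ("hmac-sha256.", hashlib.sha256),
}

def encode_name(name):
    """Wire-format name in TSIG canonical form: lower-case, never compressed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(wire, off):
    """Return (name, offset past it). Compression pointers are rejected: a TSIG RR
    may not use them, and an AXFR request carries nothing else that could."""
    labels = []
    while wire[off]:
        if wire[off] & 0xC0:
            raise ValueError("compressed name")
        labels.append(wire[off + 1:off + 1 + wire[off]].decode("ascii"))
        off += 1 + wire[off]
    return ".".join(labels) + ".", off + 1

def build_query(qid, qname, qtype):
    """Header with one question and no TSIG: what dig builds before signing."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(keyname, algname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before it is HMACed."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algname)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, algorithm, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request: the client side of dig -y."""
    algname, digest = ALGORITHMS[algorithm]
    mac = hmac.new(secret, msg + tsig_variables(keyname, algname, time_signed, fudge), digest).digest()
    rdata = (encode_name(algname) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1   # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(wire, keys, now):
    """Master side. keys maps lower-case key name -> (algorithm, secret).
    Returns what the server would log; the checks run in RFC 8945 section 5.2 order."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    if ar == 0:
        return "UNSIGNED"
    off = 12
    for _ in range(qd):
        off = read_name(wire, off)[1] + 4
    for _ in range(an + ns + ar - 1):                  # skip every RR before the last one
        off = read_name(wire, off)[1]
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = read_name(wire, off)
    if struct.unpack("!H", wire[off:off + 2])[0] != TSIG_TYPE:
        return "UNSIGNED"
    algname, off = read_name(wire, off + 10)           # past type, class, ttl, rdlength
    time_signed = int.from_bytes(wire[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", wire[off + 6:off + 10])
    mac, off = wire[off + 10:off + 10 + macsize], off + 10 + macsize
    original_id, error, otherlen = struct.unpack("!HHH", wire[off:off + 6])
    other = wire[off + 6:off + 6 + otherlen]
    key = keys.get(keyname.lower())
    if key is None or ALGORITHMS[key[0]][0] != algname.lower():
        return "BADKEY"                                # unknown key name, or algorithm mismatch
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, and no TSIG RR.
    unsigned = struct.pack("!H", original_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:tsig_start]
    expected = hmac.new(key[1], unsigned + tsig_variables(keyname, algname, time_signed, fudge, error, other),
                        ALGORITHMS[key[0]][1]).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                                # right name, wrong secret, or message tampered with
    if abs(now - time_signed) > fudge:
        return "BADTIME"                               # clocks more than `fudge` seconds apart
    return "NOERROR"

def demo(now=None):
    """Sign one AXFR request for myzone several ways and verify each as the master would."""
    now = int(time.time()) if now is None else now
    secret = base64.b64decode("AAECAwQFBgcICQoLDA0ODw==")   # constructed 128-bit secret, as in a key statement
    master_keys = {"host25-key.": ("hmac-md5", secret)}
    query = build_query(0x1234, "myzone.", AXFR)
    signed = tsig_sign(query, "host25-key.", "hmac-md5", secret, now)
    return {
        "unsigned (plain dig axfr)": tsig_verify(query, master_keys, now),
        "signed with host25-key": tsig_verify(signed, master_keys, now),
        "signed as hostX-key": tsig_verify(tsig_sign(query, "hostX-key.", "hmac-md5", secret, now), master_keys, now),
        "signed with wrong secret": tsig_verify(tsig_sign(query, "host25-key.", "hmac-md5", bytes(16), now), master_keys, now),
        "clock off by an hour": tsig_verify(signed, master_keys, now + 3600),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

<p>Two things the script makes visible that the command line hides. The key name travels in the request, so the master never guesses which key to try: a name it does not have is BADKEY before any cryptography happens, which is why the name must be identical on both hosts. And the MAC is computed over the message plus the key name, algorithm and timestamp, so a replayed or edited request fails the constant-time comparison as BADSIG, and one older than the fudge window (300 seconds by default) fails as BADTIME; keep both machines on NTP.</p>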
---|
<h2 id="getting-your-partner-to-use-the-same-tsig-key-to-transfer">Getting your partner to use the same TSIG key to transfer</h2>
<p>To do this, we're going to need to get the TSIG key from your machine to theirs. TSIG uses a shared secret, not a public/private key pair: the slave needs exactly the same key name, algorithm and secret that the master has.</p>
<p>We could use Secure Copy (<code>scp</code>) for this, but the key is a single line, so it's easiest to COPY the key statement with your mouse, SSH into the PARTNER machine, and paste it there. Do not send the secret over chat or e-mail: anyone who has it can pull your zone.</p>
<p>So, at the bottom of <code>/etc/bind/named.conf.options</code>, find your TSIG key:</p>
<pre><code>key "host25-key" {
    algorithm hmac-md5;
    secret "Wup...LejA=";   // Copy YOUR key: the name, the algorithm and the secret
};</code></pre>
<p>Once you have done this, you can paste the key into Notepad or any text editor, and keep it ready for the next part. Two caveats for anything beyond this lab: on Debian/Ubuntu, <code>named.conf.options</code> is normally readable by every local user, so the key statement belongs in its own file readable only by root and the <code>bind</code> group, pulled in with an <code>include</code>; and <code>hmac-md5</code> is only used here because that is what the key was generated with earlier - new keys should be generated with <code>hmac-sha256</code>.</p>
<p>Once you have done this, help your partner update their BIND config to use the key for TSIG. The easiest is to open a new SSH connection and log into your partner's host - talk to them about it!</p>
---|
<h2 id="on-your-partners-host">On your partner's host</h2>
<p>You should have the key ready to paste. Make sure you are logged in to your partner's host using SSH - run the <code>hostname</code> command to check, just in case.</p>
<h3 id="add-tsig-key-to-bind-configuration">Add TSIG key to BIND configuration</h3>
<p>Now, on your PARTNER's host, edit <code>/etc/bind/named.conf.options</code>, and we'll add the key and a <code>server</code> statement saying that it must be used when talking to the MASTER host:</p>
<pre><code>sudo vi /etc/bind/named.conf.options</code></pre>
<p>Go all the way to the bottom, and add this. The key name must be the same in the <code>key</code> statement, in the <code>keys</code> list, and on the master (here <code>host25-key</code>, for a master at 10.10.0.25): the slave sends the name with every request and the master looks the key up by it, so a different name is rejected as an unknown key even if the secret is right.</p>
<pre><code>key "host25-key" {
    algorithm hmac-md5;
    secret "Wu...A=";   // PASTE the key between " and "
};
server 10.10.0.25 {
    keys { host25-key; };
};</code></pre>
<p>One last thing - to make sure that the zone transfer really works, we need to remove the existing slave copy; otherwise we won't be able to tell whether BIND on the slave transferred the zone again or is just serving the old file!</p>
<p>Start by deleting the SLAVE copy. To do this, look at the zone definition (normally in <code>named.conf.local</code>, but they may have put it somewhere else), and find the <code>file</code> line, for example:</p>
<pre><code>    file "/var/cache/bind/db.zone_of_your_partner.slave";</code></pre>
<p>Find the file and REMOVE it:</p>
<pre><code>sudo rm /var/cache/bind/db.zone_of_your_partner.slave</code></pre>
<h3 id="restart-named">Restart named</h3>
<p>If all went well, it's time to restart named (still on your PARTNER's host). Run <code>sudo named-checkconf</code> first: a missing semicolon or a stray line in the pasted key statement would otherwise stop <code>named</code> from starting at all.</p>
<pre><code>sudo service bind9 restart</code></pre>
<p>Now, please check:</p>
<ul>
<li>on the MASTER host: <code>/var/log/bind/transfers</code> and <code>/var/log/bind/general</code> - the transfer log should show an AXFR from the slave's address starting and ending, and the general log should no longer report a denied transfer;</li>
<li>on the SLAVE host: see if the zone was successfully transferred - the slave file you removed should have been written again;</li>
<li>test with <code>dig</code> on both MASTER and SLAVE - you don't need TSIG for simple queries, so you can query the slave for "myzone SOA" and compare the serial with the master's.</li>
</ul>
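<p>A check you can run on the pasted stanzas themselves before restarting <code>named</code>. This is an added example, not part of the lab and not a BIND tool: a stdlib-only Python linter over constructed <code>named.conf</code> fragments that catches the three mistakes this step invites: a secret that is not valid base64 (an incomplete paste, or the placeholder left in), a <code>server</code> statement whose <code>keys</code> list names a key that was never defined (the name must be identical on master and slave), and <code>hmac-md5</code>, which this lab only uses because the key was generated with it. The secrets, the addresses and the hardened <code>hmac-sha256</code> stanza are constructed for the example; it also shows that a base64 secret containing <code>//</code> must not be mistaken for a comment.</p>

```python
# Added example: a small linter for the key/server stanzas pasted into named.conf.
# Not a BIND tool; the configs below are constructed for the example, secrets included.
import base64, binascii, re

WEAK = {"hmac-md5"}                   # BIND still accepts it for old keys; do not generate new ones with it
KNOWN = WEAK | {"hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
_COMMENT_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)
_FIELD_RE = re.compile(r'\b(algorithm|secret)\s+"?([^";\s]+)"?\s*;')
_SERVER_RE = re.compile(r'\bserver\s+([0-9a-fA-F.:]+)\s*\{.*?\bkeys\s*\{(.*?)\}', re.S)

def strip_comments(text):
    """Drop //, # and /* */ comments but leave quoted strings alone:
    a base64 secret may legitimately contain '//' and must not be cut there."""
    return _COMMENT_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_keys(conf):
    """key name (lower-cased: it is a DNS name) -> (algorithm, secret)"""
    keys = {}
    for name, body in _KEY_RE.findall(strip_comments(conf)):
        fields = dict(_FIELD_RE.findall(body))
        keys[name.lower()] = (fields.get("algorithm", "").lower(), fields.get("secret", ""))
    return keys

def lint(conf):
    """Return the problems to fix before restarting named (empty list: nothing found)."""
    text, keys, findings = strip_comments(conf), parse_keys(conf), []
    for name, (alg, secret) in keys.items():
        try:
            if not base64.b64decode(secret, validate=True):
                raise binascii.Error("empty secret")
        except binascii.Error:
            findings.append(f"key {name}: secret is not valid base64 (incomplete paste?)")
        if alg in WEAK:
            findings.append(f"key {name}: {alg} is weak; regenerate with tsig-keygen -a hmac-sha256")
        elif alg not in KNOWN:
            findings.append(f"key {name}: unknown algorithm {alg!r}")
    for addr, keylist in _SERVER_RE.findall(text):
        for ref in re.findall(r'"?([\w.-]+)"?\s*;', keylist):
            if ref.lower() not in keys:
                findings.append(f"server {addr}: keys {{ {ref}; }} names a key that is not defined here; "
                                "the name must be exactly the master's key name")
    return findings

def same_key(master_conf, slave_conf, name):
    """True only when both sides hold the same name, algorithm and secret."""
    master, slave = parse_keys(master_conf), parse_keys(slave_conf)
    return name.lower() in master and master[name.lower()] == slave.get(name.lower())

MASTER_CONF = '''
key "host25-key" {
    algorithm hmac-md5;
    secret "AAECAwQFBgcICQoLDA0ODw==";   // constructed secret
};
'''
SLAVE_CONF_AS_PASTED = '''              // placeholder still in place, and the key name does not match
key hostX-key {
    algorithm hmac-md5;
    secret "Wu...A=";
};
server 10.10.0.25 {
    keys { host25-key; };
};
'''
SLAVE_CONF_FIXED = '''                  // same name, algorithm and secret as the master
key "host25-key" {
    algorithm hmac-md5;
    secret "AAECAwQFBgcICQoLDA0ODw==";
};
server 10.10.0.25 {
    keys { host25-key; };
};
'''
HARDENED_CONF = '''                     // what a new deployment should look like, on both sides
key "host25-key" {
    algorithm hmac-sha256;
    secret "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";   // constructed 256-bit secret
};
server 10.10.0.25 { keys { host25-key; }; };
'''

if __name__ == "__main__":
    for label, conf in [("as pasted", SLAVE_CONF_AS_PASTED), ("fixed", SLAVE_CONF_FIXED), ("hardened", HARDENED_CONF)]:
        print(label, lint(conf) or "OK", "| matches master:", same_key(MASTER_CONF, conf, "host25-key"))
```

<p>The hardened stanza still has to be installed on the master as well: <code>same_key</code> comes back false for it against the lab's <code>hmac-md5</code> master, which is the point - the algorithm, like the name and the secret, is part of what both sides must agree on, so regenerate with <code>tsig-keygen -a hmac-sha256</code> and change master and slave together.</p>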
---|
</body>
</html>