Enabling transfer security using TSIG

We're going to limit zone transfer of your zones so that only your secondary/slave nameservers are allowed to request copies of the zones.

There are two ways to enable transfer security, so that you restrict who is allowed to transfer the zone from your primary.

  1. Use ACL based security

  2. Use TSIG

We are not going to use ACL-based security in this lab, but for reference, this is how it could look:

   acl myslaves { 10.10.0.X; 10.10.0.Y; };
   allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };

Note that the allow-transfer statement above can be GLOBAL (in the options section of named.conf), or it can be specified per zone.

The problem with ACLs is that they have to be maintained: you need to update them if, for example, the IP addresses of your secondaries change.

Instead, we encourage you to use TSIG-based security, using shared keys, which will be used to encrypt - and authenticate - the data transfer.

Using TSIG

To do this, we're going to need to generate a private key. For this, we need to make sure the bind9utils package is installed. This should already be the case, but just in case:

sudo apt-get install bind9utils

Generate TSIG key

Once that is done, do the following (copy and paste, but replace myzone with YOUR zone):

cd /tmp
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST myzone.key

You will see output similar to:

Kmyzone.key.+157+48549

Let's look at the files that were created:

ls -l Kmyzone.key.+157+48549.*

Output:

-rw------- 1 sysadm sysadm  70 Jun  1 20:58 Kmyzone.key.+157+48549.key
-rw------- 1 sysadm sysadm 185 Jun  1 20:58 Kmyzone.key.+157+48549.private

We are interested in the private key; let's look at its content:

cat Kmyzone.key.+157+48549.private

The contents will be similar to:

Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=
Bits: AAA=
Created: 20160601205816
Publish: 20160601205816
Activate: 20160601205816

The line we are interested in is Key: Wup...LejA=

COPY the string after Key: (in YOUR key).

Add key to BIND's config

Now, edit /etc/bind/named.conf.options, and at the BOTTOM of the file, add the following, but with YOUR key in the secret field:

key "hostX-key" {
  algorithm hmac-md5;
  secret "Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA="; // Your key goes here!
};

Save the file, and exit.

Modify zone definition to use key for transfers

Now, edit /etc/bind/named.conf.local and add an allow-transfer statement to your zone definition, so that it looks like the following (remember to replace hostX with the number of YOUR host):

zone "myzone" {
    type master;
    file "/home/sysadm/zones/db.

    allow-transfer { key hostX-key; };   // <-- Add this!
};

As you can see above, we've added an allow-transfer statement allowing transfer of the zone for holders of the hostX-key.

Note: the allow-transfer is now placed INSIDE the zone definition, not globally inside the options section. BIND can control zone transfer either globally or per zone; we prefer to control transfer for EACH zone individually.

Restart named

sudo service bind9 restart

Try a zone transfer

Try to make a zone transfer from your machine:

dig @localhost axfr myzone

You may see something similar to this in the named log:

02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied
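To show what the shared key is actually used for, here is an added example (not part of the lab, and not BIND's own code) that builds the same AXFR query as the dig command above, signs it with HMAC-MD5 the way TSIG does (RFC 2845), and then runs the check the primary performs before it decides to serve or deny the transfer. The secret, key name and timestamps are constructed values, not the lab's key.

```python
import base64
import hashlib
import hmac
import struct

TSIG_ALG = "hmac-md5.sig-alg.reg.int"  # wire name BIND uses for "algorithm hmac-md5"
TSIG_TYPE, CLASS_ANY, QTYPE_AXFR = 250, 255, 252

def encode_name(name):
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root label last."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_axfr_query(zone, msg_id=0x1234):
    """Minimal unsigned AXFR query: 12-byte header (QDCOUNT=1) and one question, class IN."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that RFC 2845 appends to the message before hashing."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)  # class ANY, TTL 0
            + encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret_b64, message, key_name, time_signed, fudge):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()

def sign_message(message, key_name, secret_b64, time_signed, fudge=300):
    """Append the TSIG RR to the additional section and bump ARCOUNT; returns (signed, mac)."""
    mac = tsig_mac(secret_b64, message, key_name, time_signed, fudge)
    rdata = (encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr, mac

def verify_mac(secret_b64, message, key_name, time_signed, fudge, mac, now):
    """What the primary checks before serving the zone: time window, then constant-time MAC compare."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret_b64, message, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed demo secret (32 bytes, the size dnssec-keygen -b 256 produces); not the lab's key.
DEMO_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")
```

Nothing in the message is encrypted: the query and the zone data travel in clear, and the MAC only proves that the holder of the shared secret produced this exact request within the fudge window.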

Ok, we're ready to move to part 2, where we set up the key on the slave host, and learn to make a zone transfer with dig + key.