<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta name="generator" content="pandoc" />
<title>Enabling transfer security using TSIG</title>
<style type="text/css">code{white-space: pre;}</style>
<link href="data:text/css;charset=utf-8,%0A%0A%0A%0Adiv%23header%2C%20header%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%2Etitle%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%2Eauthor%2C%20%2Edate%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%40media%20print%0A%7B%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0A%0Ah1%2C%20h2%2C%20h3%2C%20h4%2C%20h5%2C%20h6%0A%7B%0Afont%2Dfamily%3A%20%22Helvetica%20Neue%22%2C%20Helvetica%2C%20%22Liberation%20Sans%22%2C%20Calibri%2C%20Arial%2C%20sans%2Dserif%3B%20%0A%0Apage%2Dbreak%2Dafter%3A%20avoid%3B%20%0A%7D%0A%0Adiv%20div%2C%20section%20section%20%0A%7B%0Amargin%2Dleft%3A%202em%3B%20%0A%7D%0Ap%20%7B%7D%0Ablockquote%0A%7B%20font%2Dstyle%3A%20italic%3B%0A%7D%0Ali%20%0A%7B%0A%7D%0Ali%20%3E%20p%20%0A%7B%0Amargin%2Dtop%3A%201em%3B%20%0A%7D%0Aul%20%0A%7B%0A%7D%0Aul%20li%20%0A%7B%0A%7D%0Aol%20%0A%7B%0A%7D%0Aol%20li%20%0A%7B%0A%7D%0Ahr%20%7B%7D%0A%0Asub%20%0A%7B%0A%7D%0Asup%20%0A%7B%0A%7D%0Aem%20%0A%7B%0A%7D%0Aem%20%3E%20em%20%0A%7B%0Afont%2Dstyle%3A%20normal%3B%0A%7D%0Astrong%20%0A%7B%0A%7D%0A%0Aa%20%0A%7B%0A%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0A%40media%20screen%0A%7B%0Aa%3Ahover%0A%7B%0A%0Atext%2Ddecoration%3A%20underline%3B%0A%7D%0A%7D%0A%40media%20print%0A%7B%0Aa%20%7B%0A%0Acolor%3A%20black%3B%0Abackground%3A%20transparent%3B%0A%7D%0Aa%5Bhref%5E%3D%22http%3A%2F%2F%22%5D%3Aafter%2C%20a%5Bhref%5E%3D%22https%3A%2F%2F%22%5D%3Aafter%0A%7B%0A%0Acontent%3A%20%22%20%28%22%20attr%28href%29%20%22%29%20%22%3B%0Afont%2Dsize%3A%2090%25%3B%0A%7D%0A%7D%0A%0Aimg%0A%7B%0A%0Avertical%2Dalign%3A%20middle%3B%0A%7D%0Adiv%2Efigure%20%0A%7B%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0Atext%2Dalign%3A%20center%3B%0Afont%2Dstyle%3A%20italic%3B%0A%7D%0Ap%2Ecaption%20%0A%7B%0A%0A%7D%0A%0Apre%2C%20code%20%7B%0Abackground%2Dcolor%3A%20%23fdf7ee%3B%0A%0A%0A%0Awhite%2Dspace%3A%20pre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Dmoz%2Dpre%2Dwrap%20%21important%3B%20%0Awhite%2Dspace%3A%20%2Dpre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Do%2Dpre%2Dwrap%3B%20%0Aword%2Dwrap%3A%20break%2Dword%3B%20%0A%0A%7D%0Apre%20%0A%7B%0A%0Apadding%3A%200%2E5em%3B%20%0Aborder%2Dradius%3A%205px%3B%20%0A%0Aborder%3A%201px%20solid%20%23aaa%3B%0A%0Amargin%2Dleft%3A%200%2E5em%3B%0Amargin%2Dright%3A%200%2E5em%3B%0A%7D%0A%40media%20screen%0A%7B%0Apre%0A%7B%0A%0Awhite%2Dspace%3A%20pre%3B%0Aoverflow%3A%20auto%3B%0A%0Aborder%3A%201px%20dotted%20%23777%3B%0A%7D%0A%7D%0Acode%20%0A%7B%0A%7D%0Ap%20%3E%20code%2C%20li%20%3E%20code%20%0A%7B%0A%0Apadding%2Dleft%3A%202px%3B%0Apadding%2Dright%3A%202px%3B%0A%7D%0Ali%20%3E%20p%20code%20%0A%7B%0A%0Apadding%3A%202px%3B%0A%7D%0A%0Aspan%2Emath%20%0A%7B%0A%0A%7D%0Adiv%2Emath%20%0A%7B%0A%7D%0Aspan%2ELaTeX%20%0A%7B%0A%7D%20eq%20%0A%7B%0A%7D%20%0A%0Atable%0A%7B%0Aborder%2Dcollapse%3A%20collapse%3B%0Aborder%2Dspacing%3A%200%3B%20%0Aborder%2Dbottom%3A%202pt%20solid%20%23000%3B%0Aborder%2Dtop%3A%202pt%20solid%20%23000%3B%20%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0A%7D%0Athead%20%0A%7B%0Aborder%2Dbottom%3A%201pt%20solid%20%23000%3B%0Abackground%2Dcolor%3A%20%23eee%3B%20%0A%7D%0Atr%2Eheader%20%0A%7B%0A%7D%20tbody%20%0A%7B%0A%7D%0A%0Atr%20%7B%0A%7D%0Atr%2Eodd%3Ahover%2C%20tr%2Eeven%3Ahover%20%0A%7B%0Abackground%2Dcolor%3A%20%23eee%3B%0A%7D%0A%0Atr%2Eodd%20%7B%7D%0Atr%2Eeven%20%7B%7D%0Atd%2C%20th%20%0A%7B%20vertical%2Dalign%3A%20top%3B%20%0Avertical%2Dalign%3A%20baseline%3B%20%0Apadding%2Dleft%3A%200%2E5em%3B%0Apadding%2Dright%3A%200%2E5em%3B%0Apadding%2Dtop%3A%200%2E2em%3B%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0A%0Ath%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%20%7D%0Atfoot%20%0A%7B%0A%7D%0Acaption%20%0A%7B%0Acaption%2Dside%3A%20top%3B%0Aborder%3A%20none%3B%0Afont%2Dsize%3A%200%2E9em%3B%0Afont%2Dstyle%3A%20italic%3B%0Atext%2Dalign%3A%20center%3B%0Amargin%2Dbottom%3A%200%2E3em%3B%20%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0Adl%20%0A%7B%0Aborder%2Dtop%3A%202pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0Aborder%2Dbottom%3A%202pt%20solid%20black%3B%0A%7D%0Adt%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%0A%7D%0Add%2Bdt%20%0A%7B%0Aborder%2Dtop%3A%201pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0A%7D%0Add%20%0A%7B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0Add%2Bdd%20%0A%7B%0Aborder%2Dtop%3A%201px%20solid%20black%3B%20%0A%7D%0A%0Aa%2Efootnote%2C%20a%2EfootnoteRef%20%7B%20%0Afont%2Dsize%3A%20small%3B%20vertical%2Dalign%3A%20text%2Dtop%3B%0A%7D%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%7D%0A%40media%20print%0A%7B%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0Adiv%2Efootnotes%20%0A%7B%0A%7D%0Adiv%2Efootnotes%20li%5Bid%5E%3D%22fn%22%5D%20%0A%7B%0A%7D%0A%0A%40media%20print%0A%7B%0A%2Enoprint%0A%7B%0Adisplay%3Anone%3B%0A%7D%0A%7D%0A" rel="stylesheet" type="text/css" />
</head>
<body>
<h1 id="enabling-transfer-security-using-tsig">Enabling transfer security using TSIG</h1>
<p>We're going to limit zone transfer of your zones so that only your secondary/slave nameservers are allowed to request copies of the zones.</p>
<p>There are two ways to enable transfer security, so that you restrict who is allowed to transfer the zone from your primary.</p>
<ol style="list-style-type: decimal">
<li><p>Use ACL based security</p></li>
<li><p>Use TSIG</p></li>
</ol>
<p>We are <em>not</em> going to be doing ACL based security in this lab, but for reference, this is how it could look:</p>
<pre><code>acl myslaves { 10.10.0.X; 10.10.0.Y; };
allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };</code></pre>
<p>Note that the above statement could be GLOBAL (in the <code>options</code> section) of <code>named.conf</code>, or it can be specified <em>per zone</em>.</p>
<p>The problem with ACLs is that they have to be maintained: you need to update them if, for example, the IP address of one of your secondaries changes.</p>
<p>Instead, we will encourage you to use <code>TSIG</code> based security, using shared secret keys, which are used to authenticate the data transfer. (TSIG signs each DNS message with an HMAC computed from the shared key, so the primary can tell that a transfer request really came from a key holder and was not altered; it does <em>not</em> encrypt the zone data in transit.)</p>
<h2 id="using-tsig">Using TSIG</h2>
<p>To do this, we're going to need to generate a private key. For this, we need to make sure the <code>bind9utils</code> package is installed. This should already be the case, but just in case:</p>
<pre><code>sudo apt-get install bind9utils</code></pre>
<h3 id="generate-tsig-key">Generate TSIG key</h3>
<p>Once that is done, do the following (<em>please</em> copy and paste, but replace <code>myzone</code> with <em>YOUR</em> zone):</p>
<pre><code>cd /tmp
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST myzone.key</code></pre>
<p>(The lab keeps HMAC-MD5 so that the output below matches what you will see; current BIND releases treat it as deprecated and prefer <code>hmac-sha256</code>, and ship <code>tsig-keygen</code> for producing TSIG keys directly.)</p>
<p>You will see output similar to:</p>
<pre><code>Kmyzone.key.+157+48549</code></pre>
<p>Let's look at the files that were created:</p>
<pre><code>ls -l Kmyzone.key.+157+48549.*</code></pre>
<p>Output:</p>
<pre><code>-rw------- 1 sysadm sysadm 70 Jun 1 20:58 Kmyzone.key.+157+48549.key
-rw------- 1 sysadm sysadm 185 Jun 1 20:58 Kmyzone.key.+157+48549.private</code></pre>
<p>Note the <code>-rw-------</code> (0600) permissions: this is a shared secret, and it must stay readable only by its owner.</p>
<p>We are interested in the <code>private</code> key; let's look at the content:</p>
<pre><code>cat Kmyzone.key.+157+48549.private</code></pre>
<p>The contents will be similar to:</p>
<pre><code>Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=
Bits: AAA=
Created: 20160601205816
Publish: 20160601205816
Activate: 20160601205816</code></pre>
<p>The line we are interested in is <code>Key: Wup...LejA=</code></p>
<p><em>COPY</em> the string after <code>Key:</code> (in <em>YOUR</em> key).</p>
<h3 id="add-key-to-binds-config">Add key to BIND's config</h3>
<p>Now, edit <code>/etc/bind/named.conf.options</code>, and at the <em>BOTTOM</em> of the file, add the following, but:</p>
<ul>
<li>replace <code>hostX</code> with the number of YOUR host</li>
<li>replace <code>secret "..."</code> with YOUR key, copied above</li>
</ul>
<pre><code>key "hostX-key" {
    algorithm hmac-md5;
    secret "Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA="; // Your key goes here!
};</code></pre>
<p>Save the file, and exit. Remember that this file now holds the shared secret: keep it readable only by root and the <code>bind</code> user (or put the <code>key</code> statement in a separate restricted file and pull it in with an <code>include</code> statement).</p>
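<p>To make concrete what the key you just pasted actually protects, here is an added example (not part of the lab, and not BIND's own code) that reproduces the TSIG request-MAC computation from RFC 8945 in pure Python. It parses the <code>Key:</code> line of the <code>.private</code> file shown above, renders the matching <code>key</code> clause, then signs a constructed AXFR query and verifies it against a tampered copy, a wrong key and a stale timestamp. The <code>.private</code> file text, the DNS message bytes and the timestamp are constructed samples; the key name <code>hostX-key</code> is the one from the lab.</p>

```python
"""Added example, not from the lab: what a TSIG key does to a zone-transfer request.

TSIG does not encrypt the transfer.  It appends an HMAC over the DNS message
plus a few "TSIG variables" (key name, algorithm, time signed, fudge), so the
receiver can check that the request came from a holder of the shared secret,
was not altered in flight, and is not a stale replay.  No BIND needed to run.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample: the .private file exactly as printed in the lab.
SAMPLE_PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=
Bits: AAA=
Created: 20160601205816
Publish: 20160601205816
Activate: 20160601205816
"""

# dnssec-keygen algorithm number -> (named.conf name, wire algorithm name, hash).
ALGORITHMS = {
    157: ("hmac-md5", "hmac-md5.sig-alg.reg.int.", hashlib.md5),
    163: ("hmac-sha256", "hmac-sha256.", hashlib.sha256),
}


def parse_private_key(text):
    """Return (algorithm number, raw secret bytes) from a .private file."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    alg = int(fields["Algorithm"].split()[0])
    secret = base64.b64decode(fields["Key"].strip(), validate=True)
    return alg, secret


def key_clause(key_name, alg, secret):
    """Render the named.conf `key` block the lab asks you to add."""
    conf_name = ALGORITHMS[alg][0]
    b64 = base64.b64encode(secret).decode("ascii")
    return f'key "{key_name}" {{\n    algorithm {conf_name};\n    secret "{b64}";\n}};'


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a DNS name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_mac(secret, alg, key_name, message, time_signed, fudge=300, error=0, other=b""):
    """HMAC over message || TSIG variables (RFC 8945 section 4.3.3, request case)."""
    _, alg_wire, digestmod = ALGORITHMS[alg]
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                                      # CLASS ANY, TTL 0
        + wire_name(alg_wire)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )
    return hmac.new(secret, message + variables, digestmod).digest()


def verify_tsig(secret, alg, key_name, message, time_signed, mac, now, fudge=300):
    """Return (ok, rcode name): constant-time MAC check first, then the time window."""
    expected = tsig_mac(secret, alg, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


# Constructed sample DNS message: header (ID 0x1234, QDCOUNT 1) + question
# "myzone AXFR IN".  A real signer would also strip the TSIG RR itself first.
SAMPLE_AXFR_QUERY = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
                     + wire_name("myzone") + struct.pack("!HH", 252, 1))


def demo(now=1464814696):  # constructed: 2016-06-01 20:58:16 UTC, the Created: stamp
    """Sign the sample query, then verify four variants; returns {case: (ok, rcode)}."""
    alg, secret = parse_private_key(SAMPLE_PRIVATE_FILE)
    name = "hostX-key"
    mac = tsig_mac(secret, alg, name, SAMPLE_AXFR_QUERY, now)
    tampered = SAMPLE_AXFR_QUERY[:-2] + struct.pack("!H", 3)  # QCLASS IN -> CH
    return {
        "genuine": verify_tsig(secret, alg, name, SAMPLE_AXFR_QUERY, now, mac, now),
        "tampered": verify_tsig(secret, alg, name, tampered, now, mac, now),
        "wrong_key": verify_tsig(b"not-the-shared-secret", alg, name, SAMPLE_AXFR_QUERY, now, mac, now),
        "replayed": verify_tsig(secret, alg, name, SAMPLE_AXFR_QUERY, now, mac, now + 3600),
    }


if __name__ == "__main__":
    alg, secret = parse_private_key(SAMPLE_PRIVATE_FILE)
    print(key_clause("hostX-key", alg, secret))
    for case, (ok, rcode) in demo().items():
        print(f"{case:10s} -> {'accepted' if ok else 'rejected'} ({rcode})")
```

<p>The two lessons for the lab: the <code>secret</code> string in <code>named.conf</code> is the base64 of the raw HMAC key and must be identical on both ends, and because the MAC covers the message plus a signed timestamp, both ends also need reasonably synchronised clocks (the default fudge is 300 seconds), otherwise a correctly keyed secondary will still be refused with <code>BADTIME</code>.</p>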
<h3 id="modify-zone-definition-to-use-key-for-transfers">Modify zone definition to use key for transfers</h3>
<p>Now, edit <code>/etc/bind/named.conf.local</code>, modify your zone definition, and add an <code>allow-transfer</code> statement, so that your zone statement looks like the following (remember to replace <code>hostX</code> with the number of YOUR host):</p>
<pre><code>zone "myzone" {
    type master;
    file "/home/sysadm/zones/db.

    allow-transfer { key hostX-key; }; // &lt;-- Add this!
};</code></pre>
<p>As you can see above, we've added an <code>allow-transfer</code> statement allowing transfer of the zone only to requests signed with the <code>hostX-key</code>.</p>
<p>Note: the <code>allow-transfer</code> is now placed INSIDE the zone definition, and not globally inside the <code>options</code> section; BIND can control zone transfer either globally or per zone, and we prefer to control transfer for EACH zone individually. A per-zone statement overrides the global one, so also check that you have not left a more permissive global <code>allow-transfer</code> in place for your other zones.</p>
<h3 id="restart-named">Restart named</h3>
<p>It is worth running <code>sudo named-checkconf</code> first: a typo in the <code>key</code> or <code>zone</code> statement would otherwise stop <code>named</code> from starting at all.</p>
<pre><code>sudo service bind9 restart</code></pre>
<h3 id="try-a-zone-transfer">Try a zone transfer</h3>
<p>Try and make a zone transfer from your machine:</p>
<pre><code>dig @localhost axfr myzone</code></pre>
<ul>
<li>What do you notice?</li>
<li>Look at <code>/var/log/bind/general</code> (<code>tail /var/log/bind/general</code>): what do you see?</li>
</ul>
<p>You may see something similar to this:</p>
<pre><code>02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied</code></pre>
<p>The request is refused even though it comes from localhost: with a key-only <code>allow-transfer</code>, the source address no longer matters, only whether the request carries a valid signature.</p>
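<p>The log check above is the one you will repeat in production, so here is an added example (not part of the lab) that turns it into a small report: it parses constructed BIND log lines of the shape shown above, counts denied and started transfers per client and zone, flags clients that are repeatedly denied, and flags zones that were still transferred without a key. The first sample line is the one from the lab; the others are constructed to follow the same layout, in which BIND shows <code>/key &lt;name&gt;</code> after the client address when the request was TSIG-signed (exact wording varies by BIND version).</p>

```python
"""Added example, not from the lab: summarise zone-transfer events in a BIND log."""
import re
from collections import Counter

# Constructed sample log.  Line 1 is the lab's own; the rest are made up in the
# same shape, with 198.51.100.9 (a documentation address) as an unknown client.
SAMPLE_LOG = """\
02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied
02-Jun-2016 06:30:02.004 client 10.10.0.7#51234/key hostX-key (myzone): transfer of 'myzone/IN': AXFR started
02-Jun-2016 06:30:02.010 client 10.10.0.7#51234/key hostX-key (myzone): transfer of 'myzone/IN': AXFR ended
02-Jun-2016 06:31:40.118 client 198.51.100.9#40001 (myzone): zone transfer 'myzone/AXFR/IN' denied
02-Jun-2016 06:31:41.200 client 198.51.100.9#40002 (myzone): zone transfer 'myzone/AXFR/IN' denied
02-Jun-2016 06:32:00.000 client 10.10.0.3#33333 (otherzone): transfer of 'otherzone/IN': AXFR started
"""

# timestamp, client ip#port, optional "/key name", (zone), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))? \((?P<zone>[^)]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict with ts/ip/port/key/zone/msg/event, or None if not a client line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    if "denied" in msg:
        rec["event"] = "denied"
    elif "AXFR started" in msg or "IXFR started" in msg:
        rec["event"] = "signed_start" if rec["key"] else "unsigned_start"
    else:
        rec["event"] = "other"          # e.g. "AXFR ended": not counted
    return rec


def summarize(log_text):
    """Count (ip, zone, event) triples and list unsigned transfers that were allowed."""
    counts = Counter()
    unsigned_allowed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] == "other":
            continue
        counts[(rec["ip"], rec["zone"], rec["event"])] += 1
        if rec["event"] == "unsigned_start":
            unsigned_allowed.append((rec["ip"], rec["zone"]))
    return counts, unsigned_allowed


def repeated_denials(counts, threshold=2):
    """Clients denied at least `threshold` times for one zone, sorted by address."""
    return sorted(ip for (ip, zone, ev), n in counts.items()
                  if ev == "denied" and n >= threshold)


if __name__ == "__main__":
    counts, unsigned = summarize(SAMPLE_LOG)
    for (ip, zone, ev), n in sorted(counts.items()):
        print(f"{ip:15s} {zone:10s} {ev:15s} {n}")
    print("repeatedly denied:", repeated_denials(counts))
    print("transferred without a key:", unsigned)
```

<p>Two things to act on in the output: a client denied again and again for the same zone is either a misconfigured secondary (wrong or missing key) or somebody probing, and a zone that still transfers without a key is one whose <code>allow-transfer</code> you have not yet tightened.</p>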
<p>Ok, we're ready to move to part 2, where we set up the key on the slave host, and learn to make a zone transfer with dig + key.</p>
</body>
</html>