Agenda: lab5-tsig-part1.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title></title>
  <style type="text/css">code{white-space: pre;}</style>
  <link href="data:text/css;charset=utf-8,%0A%0A%0A%0Adiv%23header%2C%20header%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%2Etitle%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%2Eauthor%2C%20%2Edate%20%0A%7B%0Atext%2Dalign%3A%20center%3B%0A%7D%0A%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Aborder%2Dbottom%3A%201px%20solid%20%23aaa%3B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0A%40media%20print%0A%7B%0Adiv%23TOC%2C%20nav%23TOC%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0A%0Ah1%2C%20h2%2C%20h3%2C%20h4%2C%20h5%2C%20h6%0A%7B%0Afont%2Dfamily%3A%20%22Helvetica%20Neue%22%2C%20Helvetica%2C%20%22Liberation%20Sans%22%2C%20Calibri%2C%20Arial%2C%20sans%2Dserif%3B%20%0A%0Apage%2Dbreak%2Dafter%3A%20avoid%3B%20%0A%7D%0A%0Adiv%20div%2C%20section%20section%20%0A%7B%0Amargin%2Dleft%3A%202em%3B%20%0A%7D%0Ap%20%7B%7D%0Ablockquote%0A%7B%20font%2Dstyle%3A%20italic%3B%0A%7D%0Ali%20%0A%7B%0A%7D%0Ali%20%3E%20p%20%0A%7B%0Amargin%2Dtop%3A%201em%3B%20%0A%7D%0Aul%20%0A%7B%0A%7D%0Aul%20li%20%0A%7B%0A%7D%0Aol%20%0A%7B%0A%7D%0Aol%20li%20%0A%7B%0A%7D%0Ahr%20%7B%7D%0A%0Asub%20%0A%7B%0A%7D%0Asup%20%0A%7B%0A%7D%0Aem%20%0A%7B%0A%7D%0Aem%20%3E%20em%20%0A%7B%0Afont%2Dstyle%3A%20normal%3B%0A%7D%0Astrong%20%0A%7B%0A%7D%0A%0Aa%20%0A%7B%0A%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0A%40media%20screen%0A%7B%0Aa%3Ahover%0A%7B%0A%0Atext%2Ddecoration%3A%20underline%3B%0A%7D%0A%7D%0A%40media%20print%0A%7B%0Aa%20%7B%0A%0Acolor%3A%20black%3B%0Abackground%3A%20transparent%3B%0A%7D%0Aa%5Bhref%5E%3D%22http%3A%2F%2F%22%5D%3Aafter%2C%20a%5Bhref%5E%3D%22https%3A%2F%2F%22%5D%3Aafter%0A%7B%0A%0Acontent%3A%20%22%20%28%22%20attr%28href%29%20%22%29%20%22%3B%0Afont%2Dsize%3A%2090%25%3B%0A%7D%0A%7D%0A%0Aimg%0A%7B%0A%0Avertical%2Dalign%3A%20middle%3B%0A%7D%0Adiv%2Efigure%20%0A%7B%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0Atext%2Dalign%3A%20center%3B%0Afont%2Dstyle%3A%20italic%3B%0A%7D%0Ap%2Ecaption%20%0A%7B%0A%0A%7D%0A%0Apre%2C%20code%20%7B%0Abackground%2Dcolor%3A%20%23fdf7ee%3B%0A%0A%0A%0Awhite%2Dspace%3A%20pre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Dmoz%2Dpre%2Dwrap%20%21important%3B%20%0Awhite%2Dspace%3A%20%2Dpre%2Dwrap%3B%20%0Awhite%2Dspace%3A%20%2Do%2Dpre%2Dwrap%3B%20%0Aword%2Dwrap%3A%20break%2Dword%3B%20%0A%0A%7D%0Apre%20%0A%7B%0A%0Apadding%3A%200%2E5em%3B%20%0Aborder%2Dradius%3A%205px%3B%20%0A%0Aborder%3A%201px%20solid%20%23aaa%3B%0A%0Amargin%2Dleft%3A%200%2E5em%3B%0Amargin%2Dright%3A%200%2E5em%3B%0A%7D%0A%40media%20screen%0A%7B%0Apre%0A%7B%0A%0Awhite%2Dspace%3A%20pre%3B%0Aoverflow%3A%20auto%3B%0A%0Aborder%3A%201px%20dotted%20%23777%3B%0A%7D%0A%7D%0Acode%20%0A%7B%0A%7D%0Ap%20%3E%20code%2C%20li%20%3E%20code%20%0A%7B%0A%0Apadding%2Dleft%3A%202px%3B%0Apadding%2Dright%3A%202px%3B%0A%7D%0Ali%20%3E%20p%20code%20%0A%7B%0A%0Apadding%3A%202px%3B%0A%7D%0A%0Aspan%2Emath%20%0A%7B%0A%0A%7D%0Adiv%2Emath%20%0A%7B%0A%7D%0Aspan%2ELaTeX%20%0A%7B%0A%7D%20eq%20%0A%7B%0A%7D%20%0A%0Atable%0A%7B%0Aborder%2Dcollapse%3A%20collapse%3B%0Aborder%2Dspacing%3A%200%3B%20%0Aborder%2Dbottom%3A%202pt%20solid%20%23000%3B%0Aborder%2Dtop%3A%202pt%20solid%20%23000%3B%20%0A%0Amargin%2Dleft%3A%20auto%3B%0Amargin%2Dright%3A%20auto%3B%0A%7D%0Athead%20%0A%7B%0Aborder%2Dbottom%3A%201pt%20solid%20%23000%3B%0Abackground%2Dcolor%3A%20%23eee%3B%20%0A%7D%0Atr%2Eheader%20%0A%7B%0A%7D%20tbody%20%0A%7B%0A%7D%0A%0Atr%20%7B%0A%7D%0Atr%2Eodd%3Ahover%2C%20tr%2Eeven%3Ahover%20%0A%7B%0Abackground%2Dcolor%3A%20%23eee%3B%0A%7D%0A%0Atr%2Eodd%20%7B%7D%0Atr%2Eeven%20%7B%7D%0Atd%2C%20th%20%0A%7B%20vertical%2Dalign%3A%20top%3B%20%0Avertical%2Dalign%3A%20baseline%3B%20%0Apadding%2Dleft%3A%200%2E5em%3B%0Apadding%2Dright%3A%200%2E5em%3B%0Apadding%2Dtop%3A%200%2E2em%3B%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0A%0Ath%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%20%7D%0Atfoot%20%0A%7B%0A%7D%0Acaption%20%0A%7B%0Acaption%2Dside%3A%20top%3B%0Aborder%3A%20none%3B%0Afont%2Dsize%3A%200%2E9em%3B%0Afont%2Dstyle%3A%20italic%3B%0Atext%2Dalign%3A%20center%3B%0Amargin%2Dbottom%3A%200%2E3em%3B%20%0Apadding%2Dbottom%3A%200%2E2em%3B%0A%7D%0A%0Adl%20%0A%7B%0Aborder%2Dtop%3A%202pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0Aborder%2Dbottom%3A%202pt%20solid%20black%3B%0A%7D%0Adt%20%0A%7B%0Afont%2Dweight%3A%20bold%3B%0A%7D%0Add%2Bdt%20%0A%7B%0Aborder%2Dtop%3A%201pt%20solid%20black%3B%0Apadding%2Dtop%3A%200%2E5em%3B%0A%7D%0Add%20%0A%7B%0Amargin%2Dbottom%3A%200%2E5em%3B%0A%7D%0Add%2Bdd%20%0A%7B%0Aborder%2Dtop%3A%201px%20solid%20black%3B%20%0A%7D%0A%0Aa%2Efootnote%2C%20a%2EfootnoteRef%20%7B%20%0Afont%2Dsize%3A%20small%3B%20vertical%2Dalign%3A%20text%2Dtop%3B%0A%7D%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%7D%0A%40media%20print%0A%7B%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%0A%7B%0A%0Adisplay%3A%20none%3B%0A%7D%0A%7D%0Adiv%2Efootnotes%20%0A%7B%0A%7D%0Adiv%2Efootnotes%20li%5Bid%5E%3D%22fn%22%5D%20%0A%7B%0A%7D%0A%0A%40media%20print%0A%7B%0A%2Enoprint%0A%7B%0Adisplay%3Anone%3B%0A%7D%0A%7D%0A" rel="stylesheet" type="text/css" />
</head>
<body>
<h1 id="enabling-transfer-security-using-tsig">Enabling transfer security using TSIG</h1>
<p>We're going to limit zone transfer of your zones so that only your secondary/slave nameservers are allowed to request copies of the zones.</p>
<p>There are two ways to enable transfer security, so that you restrict who is allowed to transfer the zone from your primary.</p>
<ol style="list-style-type: decimal">
<li><p>Use ACL based security</p></li>
<li><p>Use TSIG</p></li>
</ol>
<p>We are <em>not</em> going to be doing ACL based security in this lab, but for reference, this is how it could look:</p>
<pre><code>   acl myslaves { 10.10.0.X; 10.10.0.Y; };
   allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };</code></pre>
<p>Note that the above statement could be GLOBAL (in the <code>options</code> section) of <code>named.conf</code>, or it can be specified <em>per zone</em>.</p>
<p>The problem with ACLs is that they have to be maintained, and you need to update them if the IP address of your secondaries change, for example.</p>
<p>Instead, we will encourage you to use <code>TSIG</code> based security, using shared keys, which will be used to encrypt - and authenticate - the data transfer.</p>
<h2 id="using-tsig">Using TSIG</h2>
<p>To do this, we're going to need to generate a private key. For this, we need to make sure the <code>bind9utils</code> package is installed. This should already be the case, but just in case:</p>
<pre><code>sudo apt-get install bind9utils</code></pre>
<h3 id="generate-tsig-key">Generate TSIG key</h3>
<p>Once that is done, do the following (<em>please</em> copy paste, but replace <code>myzone</code> with <em>YOUR</em> zone)</p>
<pre><code>cd /tmp
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST myzone.key</code></pre>
<p>You will see output similar to:</p>
<pre><code>Kmyzone.key.+157+48549</code></pre>
<p>Let's look at the files that were created:</p>
<pre><code>ls -l Kdk.key.+157+48549.*</code></pre>
<p>Output:</p>
<pre><code>-rw------- 1 sysadm sysadm  70 Jun  1 20:58 Kmyzone.key.+157+48549.key
-rw------- 1 sysadm sysadm 185 Jun  1 20:58 Kmyzone.key.+157+48549.private</code></pre>
<p>We are interested in the <code>private</code> key, let's look at the content:</p>
<pre><code>cat Kmyzone.key.+157+48549.private</code></pre>
<p>The contents will be similar to:</p>
<pre><code>Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=
Bits: AAA=
Created: 20160601205816
Publish: 20160601205816
Activate: 20160601205816</code></pre>
<p>The line we are interested in is <code>Key: Wup...LejA=</code></p>
<p><em>COPY</em> the string after Key: (in <em>YOUR</em> key).</p>
<h3 id="add-key-to-binds-config">Add key to BIND's config</h3>
<p>Now, edit <code>/etc/bind/named.conf.options</code>, and at the <em>BOTTOM</em> of the file, add the following, but:</p>
<ul>
<li>replace hostX with the number of YOUR host</li>
<li>replace secret &quot;...&quot; with YOUR key, copied above</li>
</ul>
<pre><code>key &quot;hostX-key&quot; {
  algorithm hmac-md5;
  secret &quot;Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=&quot;; // Your key goes here!
};</code></pre>
<p>Save the file, and exit.</p>
<h3 id="modify-zone-definition-to-use-key-for-transfers">Modify zone definition to use key for transfers</h3>
<p>Now, edit <code>/etc/bind/named.conf.local</code>, and modify your zone definition, and add an <code>allow-transfer</code> statement, so that your zone statement looks like the following - but remember to replace <code>hostX</code> with the number of YOUR host:</p>
<pre><code>zone &quot;myzone&quot; {
    type master;
    file &quot;/home/sysadm/zones/db.

    allow-transfer { key hostX-key; };   // &lt;-- Add this!
};</code></pre>
<p>As you can see above, we've added an <code>allow-transfer</code> statement allowing transfer of the zone for holders of the <code>hostX-key</code>.</p>
<p>Note: the allow-transfer is now placed INSIDE the zone definition, and not globally inside the options section -- BIND can control zone transfer either globally, or by zone. We prefer to control transfer for EACH zone individually.</p>
<h3 id="restart-named">Restart named</h3>
<pre><code>sudo service bind9 restart</code></pre>
<h3 id="try-a-zone-transfer">Try a zone transfer</h3>
<p>Try and make a zone transfer from your machine:</p>
<pre><code>dig @localhost axfr myzone</code></pre>
<ul>
<li>What do you notice ?</li>
<li>Look at <code>/var/log/bind/general</code> (tail /var/log/bind/general) - what do you see ?</li>
</ul>
<p>You may see something similar to this:</p>
<pre><code>02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied</code></pre>
<p>Ok, we're ready to move to part 2, where we set up the key on the slave host, and learn to make a zone transfer with dig + key.</p>
</body>
</html>