With version 9 of the popular Bind daemon came crypto support for zone transfers. Here we explain how to modify a master-slave relationship to permit only signed zone transfers, with authentication of the servers in question.
For the purposes of explanation, we start with two DNS servers, which we will refer to as ns1 (10.1.1.1) and ns2 (10.1.1.2). ns1 serves as the master for the 'foo.com' zone, and ns2 slaves this zone off the primary. Our initial configuration looks something like this:
Master:

acl "xfer" { 10.1.1.2; };

zone "foo.com" IN {
    type master;
    file "db.foo.com";
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };
};

Slave:

zone "foo.com" IN {
    type slave;
    masters { 10.1.1.1; };
    file "db.foo.com";
    notify no;
    allow-query { any; };
    allow-transfer { none; };
};
The first thing that must be established is a shared secret. This is in the form of an HMAC-MD5 key that is generated using the Bind9 tool 'dnssec-keygen' as follows:
bash-2.03# ./dnssec-keygen -a HMAC-MD5 -n HOST -b 128 signed_comms
Ksigned_comms.+157+56812
bash-2.03# ls -l Ksigned_comms.+157+56812.*
-rw-------   1 root     other         56 Jul 16 21:31 Ksigned_comms.+157+56812.key
-rw-------   1 root     other         81 Jul 16 21:31 Ksigned_comms.+157+56812.private
...this will create two files, a .key and a .private. The secret we are interested in appears in the .key file:
bash-2.03# cat Ksigned_comms.+157+56812.key
signed_comms. IN KEY 512 3 157 s1PBD3jCHmteOzN80LBqVg==
The key is added to named.conf with a statement such as this, at the top level, in the same way you would add any other global configuration statement:
key signed_comms {
    algorithm hmac-md5;
    secret "s1PBD3jCHmteOzN80LBqVg==";
};
This key must be added in the same manner to both master and slave.
Alternatively, the key statement can be placed in a separate file with restricted permissions and pulled in with the 'include' statement, so that the main config file can remain world-readable if this is desirable.
Finally, you must add an entry such as this to your master:
server 10.1.1.2 {
    transfer-format many-answers;
    keys { signed_comms.; };
};
and similarly on the slave:
server 10.1.1.1 {
    transfer-format many-answers;
    keys { signed_comms.; };
};
Transfers between the two servers will now use this authentication and signing technique, known as TSIG.
Obviously, the shared secret must be kept safe. The .key and .private files created in the above steps should be removed once the secret has been copied into the configuration, and the permissions on the named.conf files reviewed. In addition, the clocks on the two servers should be synchronised (e.g. via NTP), since TSIG-signed messages carry a timestamp and are rejected if it falls outside a small tolerance window.
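To make concrete what TSIG actually does on the wire, and why clock synchronisation matters, here is an added Python example (not code from this page or from Bind) that signs and verifies a DNS message the way RFC 2845 describes: an HMAC-MD5 over the message plus the TSIG variables (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data), carried in a TSIG RR appended to the additional section. It reuses the key name and secret shown above as its shared secret, assumes the RFC 2845 algorithm name hmac-md5.sig-alg.reg.int and Bind's default 300-second fudge, and constructs a minimal AXFR query for foo.com as sample input. The receiver side rejects a tampered message (wrong MAC) and a message whose timestamp is outside the fudge window (what an unsynchronised clock produces).

```python
import base64
import hashlib
import hmac
import struct
import time

# Key name and secret are the ones shown on this page; the algorithm name is the
# RFC 2845 identifier for HMAC-MD5 TSIG; 300 seconds mirrors Bind's default fudge.
KEY_NAME = "signed_comms."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
SECRET_B64 = "s1PBD3jCHmteOzN80LBqVg=="
FUDGE = 300
TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255


def wire_name(name):
    """Domain name in DNS wire format, lower-cased as TSIG's canonical form requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, msg_id=0x1234):
    """A minimal AXFR request for `zone` (constructed sample input, no TSIG yet)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # QDCOUNT=1, ARCOUNT=0
    return header + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def _time48(t):
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)  # 48-bit "time signed"


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """The TSIG fields RFC 2845 appends to the message before running the HMAC."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + _time48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(message, time_signed, fudge=FUDGE, error=0, other=b""):
    """HMAC-MD5 over (message without TSIG RR) || TSIG variables, keyed with the shared secret."""
    key = base64.b64decode(SECRET_B64)
    data = message + tsig_variables(time_signed, fudge, error, other)
    return hmac.new(key, data, hashlib.md5).digest()


def sign(message, time_signed=None):
    """Return `message` with a TSIG RR appended and ARCOUNT bumped, as the sender would."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = compute_mac(message, time_signed)
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM) + _time48(time_signed) + struct.pack("!HH", FUDGE, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))  # original ID, error=NOERROR, other len=0
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def split_tsig(signed):
    """Strip the trailing TSIG RR; returns (unsigned message, fields) or None.
    Simplification: the RR is located by our own key name rather than by a full RR walk."""
    marker = wire_name(KEY_NAME) + struct.pack("!HH", TYPE_TSIG, CLASS_ANY)
    idx = signed.rfind(marker)
    if idx < 0:
        return None
    p = idx + len(marker) + 4  # skip TTL
    rdlen = struct.unpack("!H", signed[p:p + 2])[0]
    rdata = signed[p + 2:p + 2 + rdlen]
    alg = wire_name(ALGORITHM)
    if p + 2 + rdlen != len(signed) or not rdata.startswith(alg):
        return None  # TSIG must be the last RR, and this example only speaks HMAC-MD5
    q = len(alg)
    t_hi, t_lo, fudge, maclen = struct.unpack("!HIHH", rdata[q:q + 10])
    q += 10
    mac, q = rdata[q:q + maclen], q + maclen
    orig_id, error, other_len = struct.unpack("!HHH", rdata[q:q + 6])
    other = rdata[q + 6:q + 6 + other_len]
    unsigned = signed[:idx]
    arcount = struct.unpack("!H", unsigned[10:12])[0] - 1  # undo the sender's bump
    unsigned = unsigned[:10] + struct.pack("!H", arcount) + unsigned[12:]
    fields = dict(time_signed=(t_hi << 32) | t_lo, fudge=fudge, mac=mac,
                  orig_id=orig_id, error=error, other=other)
    return unsigned, fields


def verify(signed, now=None):
    """Receiver-side check: True only if the MAC matches and the timestamp is within fudge."""
    if now is None:
        now = int(time.time())
    parsed = split_tsig(signed)
    if parsed is None:
        return False
    unsigned, f = parsed
    if f["orig_id"] != struct.unpack("!H", unsigned[:2])[0]:
        return False
    if abs(now - f["time_signed"]) > f["fudge"]:
        return False  # clock skew beyond the window: this is why the page asks for NTP
    expected = compute_mac(unsigned, f["time_signed"], f["fudge"], f["error"], f["other"])
    return hmac.compare_digest(expected, f["mac"])


def demo(ts=1026854400):
    """Sign a constructed AXFR query, then verify the genuine, a tampered, and a stale copy."""
    signed = sign(build_axfr_query("foo.com"), ts)
    genuine_ok = verify(signed, now=ts + 10)
    tampered = signed[:12] + signed[12:].replace(b"\x03foo", b"\x03bar", 1)  # alter the question
    tampered_ok = verify(tampered, now=ts + 10)
    stale_ok = verify(signed, now=ts + 3600)  # an hour of skew, far beyond the 300 s fudge
    return genuine_ok, tampered_ok, stale_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The three outcomes of demo() are the whole point of the configuration above: only a peer holding the same secret can produce a MAC the other side accepts, any change to the message invalidates it, and a message whose timestamp drifts outside the fudge window is refused even with the right key, so a slave with a badly skewed clock will simply stop transferring.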
It is also worth pointing out (thanks, Han!) that by default Bind will only send notification messages to nameservers listed in the zone's NS records, or to those explicitly configured via the 'also-notify' option.
Utilising the TSIG feature of Bind9, we can quickly and effectively secure zone transfers in a master-slave relationship.
John Cartwright <johnc@grok.org.uk>