
Securing Zone Transfers With Bind 9

John Cartwright | Published: 16th July 2002 | Originally published at netsys.com

This brief article explains how to enable cryptographically-signed zone transfers when using Bind 9.

Introduction

With version 9 of the popular Bind daemon came crypto support for zone transfers. Here we explain how to modify a master-slave relationship to permit only signed zone transfers, with authentication of the servers in question.

Initial Situation

For the purposes of explanation, we start with two DNS servers, which we will refer to as ns1 (10.1.1.1) and ns2 (10.1.1.2). ns1 serves as the master for the 'foo.com' zone, and ns2 slaves this zone off the primary. Our initial configuration looks something like this:

Master:

acl "xfer" {
    10.1.1.2;
};

zone "foo.com" IN {
    type master;
    file "db.foo.com";
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };
};

Slave:

zone "foo.com" IN {
    type slave;
    masters { 10.1.1.1; };
    file "db.foo.com";
    notify no;
    allow-query { any; };
    allow-transfer { none; };
};

Step 1 – Generate a key

The first thing that must be established is a shared secret. This is in the form of an HMAC-MD5 key that is generated using the Bind9 tool dnssec-keygen as follows:

bash-2.03# ./dnssec-keygen -a HMAC-MD5 -n HOST -b 128 signed_comms
Ksigned_comms.+157+56812
bash-2.03# ls -l Ksigned_comms.+157+56812.*
-rw-------   1 root     other         56 Jul 16 21:31 Ksigned_comms.+157+56812.key
-rw-------   1 root     other         81 Jul 16 21:31 Ksigned_comms.+157+56812.private

This will create two files, a .key and a .private. The secret we are interested in appears in the .key file:

bash-2.03# cat Ksigned_comms.+157+56812.key
signed_comms. IN KEY 512 3 157 s1PBD3jCHmteOzN80LBqVg==

Step 2 – Add keys to the named.conf file

The keys are simply added in a line such as this in the same way you would add any global configuration command:

key signed_comms { algorithm hmac-md5; secret "s1PBD3jCHmteOzN80LBqVg=="; };

This key must be added in the same manner to both master and slave.

Alternatively, the key can be referenced using the include statement so that the main config file remains world-readable if desirable.

Step 3 – Enable signed transfers

Finally, you must add an entry such as this to your master:

server 10.1.1.2 {
  transfer-format many-answers;
  keys { signed_comms.; };
};

and similarly on the slave:

server 10.1.1.1 {
  transfer-format many-answers;
  keys { signed_comms.; };
};

Transfers between the two servers will now use this authorization and signing technique, known as TSIG.
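To show what "signed" means on the wire, here is an added Python illustration (not from the original article or from Bind itself) of the TSIG request MAC: an HMAC-MD5 over the unsigned DNS message followed by the TSIG variables, keyed with the secret from Step 2. It assumes the RFC 2845 algorithm identifier for HMAC-MD5, a constructed AXFR query and a constructed "time signed" value; it covers requests only, since a response MAC additionally covers the request MAC.

```python
import base64
import hashlib
import hmac
import struct

# Key name and secret from the article's Step 2; algorithm identifier per RFC 2845.
KEY_NAME = "signed_comms."
SECRET_B64 = "s1PBD3jCHmteOzN80LBqVg=="
ALGORITHM = "hmac-md5.sig-alg.reg.int."

def wire_name(name):
    """Encode a DNS name in canonical (lower-case, uncompressed) wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC: key name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error and other data (RFC 2845 section 3.4.2)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message, time_signed, fudge, secret_b64=SECRET_B64):
    """HMAC-MD5 over the unsigned DNS message followed by the TSIG variables
    (a response MAC would also cover the request MAC; omitted in this example)."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + tsig_variables(time_signed, fudge), hashlib.md5).digest()

def verify_tsig(message, mac, time_signed, fudge, now, secret_b64=SECRET_B64):
    """Accept only if the timestamp lies within fudge seconds of the receiver's clock
    (otherwise BADTIME, which is why the article insists on NTP) and the MAC matches."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, time_signed, fudge, secret_b64)
    return hmac.compare_digest(mac, expected)

def axfr_query(zone, msg_id=0x1234):
    """Constructed sample: an unsigned AXFR (QTYPE 252, class IN) query for the zone."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)
```

A slave with a clock 400 seconds off the master's would have its otherwise valid request rejected by verify_tsig with the default 300-second fudge, which is the failure the NTP caveat below is guarding against.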

Caveats

The shared secret must be kept safe. The .key and .private files created above should be removed, and permissions on named.conf reviewed. The time on the two servers should also be synchronised using NTP.

By default, Bind will only send notification messages to nameservers with an appropriate NS record or those explicitly configured via the also-notify option. (Thanks, Han!)

Conclusion

Utilising the TSIG feature of Bind9, we can quickly and effectively secure zone transfers in a master-slave relationship.

John Cartwright <johnc@grok.org.uk>