Setting up DH key exchange
karthik kumar
karthik.kumar23 at gmail.com
Tue Nov 21 06:26:07 UTC 2006
Hi Bind Gurus,
I am trying to set up a DH key exchange between a client Linux terminal and a DNS
BIND 9.3.2 server running on Linux (Fedora).
This is how I have done so far:
*Server Side Configurations:*
1. Created a DH key using:
dnssec-keygen -a DH -b 128 -n host -g 2 testpc48key
I got the following files (keys) generated:
Ktestpc48key.+002+14250.key and Ktestpc48key.+002+14250.private
2. To authenticate TKEY queries with an established TSIG key authenticator,
as recommended by RFC 2930, I created a client HMAC-MD5 key on my client
system and did the necessary TSIG configuration in my server's
named.conf file as shown below:
key "clientkey." {
algorithm hmac-md5;
secret "ALp5Wa/rh43ckyPBJuNwFg==";
};
zone "bsr.com" {
type master;
notify no;
file "bsr.zone";
allow-query { any; };
update-policy { grant clientkey. subdomain bsr.com ANY; };
};
3. I kept my zone files and key files in /var/named/chroot/var/named.
My /var/named/chroot/var/named directory structure is as below:
[root at testpc48 named]# pwd
/var/named/chroot/var/named
[root at testpc48 named]# ls
bsr.zone      Ktestpc48key.+002+14250.key      named.ca         _pdu.txt
bsr.zone.jnl  Ktestpc48key.+002+14250.private  named.ip6.local  pdu.txt
data          localdomain.zone                 named.local      slaves
del.txt       localhost.zone                   named.run
Help.txt      named.broadcast
The key files have the default permissions from when they were created.
In my /etc directory I have the following soft link for named.conf:
lrwxrwxrwx 1 root root 32 Nov 16 12:34 /etc/named.conf -> /var/named/chroot/etc/named.conf
4. I configured my named.conf options section for tkey as below:
tkey-dhkey "testpc48key" 14250;
tkey-domain "bsr.com";
random-device "/dev/random";
My named.conf is below for your reference:
//
// named.conf for Red Hat caching-nameserver
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
// dnssec-enable yes;
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
tkey-dhkey "testpc48key" 14250;
tkey-domain "bsr.com";
random-device "/dev/random";
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { 127.0.0.1; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
logging {
channel "bsr_log" {
// send most BIND logs to a dedicated log file
file "/var/log/bsr_log.log" versions 10 size 500k;
severity dynamic;
print-category yes;
print-severity yes;
print-time yes;
};
};
key "clientkey." {
algorithm hmac-md5;
secret "ALp5Wa/rh43ckyPBJuNwFg==";
};
zone "bsr.com" {
type master;
notify no;
file "bsr.zone";
allow-query { any; };
update-policy { grant clientkey. subdomain bsr.com ANY; };
};
/*zone "115.31.172.in-addr.arpa"{
type master;
file "bsr.reverse.zone";
allow-query { any; };
allow-update { key shan;};
};*/
include "/etc/rndc.key";
I start my name server as below:
/root/bind-9.3.2/bin/named/named -u named -t /var/named/chroot/
[root at testpc48 named]# ps -ef |grep named
named 16417 1 0 Nov20 ? 00:00:00 /root/bind-9.3.2/bin/named/named -u named -t /var/named/chroot/
root 18205 15873 0 11:55 pts/1 00:00:00 grep named
Now, how do I proceed to do the DH key exchange?
Please advise.
Thanks & rgds
KK
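As an added example (not code from the post or from BIND), this Python builds the DH public-key field that dnssec-keygen -a DH stores in a file like Ktestpc48key.+002+14250.key in the RFC 2539 wire format, parses the peer's copy with the range and length checks a server should apply, and derives the DH value that an RFC 2930 TKEY exchange turns into the shared TSIG key. The group is a constructed toy (p = 2**127 - 1, generator 3 assumed rather than verified), since 128-bit DH, which is what -b 128 produces, is far below a usable size, and the RFC 2539 well-known-group shorthand is detected but not expanded.

```python
import secrets
# Constructed toy group: p = 2**127 - 1 (a prime), g = 3 assumed, not verified; 128-bit DH is not a safe size
P, G = 2**127 - 1, 3

def to_bytes(n):  # minimal big-endian octets of a non-negative integer
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def encode_dh_public(p, g, y):  # RFC 2539 section 2 field: each integer as 2-octet length + octets
    return b"".join(len(to_bytes(n)).to_bytes(2, "big") + to_bytes(n) for n in (p, g, y))

def decode_dh_public(data):  # parse the RFC 2539 field into (p, g, y); malformed input raises ValueError
    lens, vals, pos = [], [], 0
    for _ in range(3):
        ln = int.from_bytes(data[pos:pos + 2], "big")
        if len(data[pos:pos + 2]) != 2 or len(data) < pos + 2 + ln:
            raise ValueError("truncated field")
        lens.append(ln)
        vals.append(int.from_bytes(data[pos + 2:pos + 2 + ln], "big"))
        pos += 2 + ln
    if pos != len(data):
        raise ValueError("trailing octets after public value")
    p, g, y = vals
    if lens[0] <= 2:  # RFC 2539: a 1- or 2-octet prime field names a well-known RFC 2409 group
        raise ValueError("well-known-group shorthand not expanded here")
    if g < 2 or not 1 < y < p - 1:
        raise ValueError("generator or public value out of range")
    return p, g, y

def is_malformed(data):  # True when decode_dh_public rejects the field
    try:
        decode_dh_public(data)
    except ValueError:
        return True
    return False

def dh_keypair(p, g):  # private exponent x in [2, p-2] and public value y = g^x mod p
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def shared_value(p, private, peer_public):  # the RFC 2930 section 4.1 "DH value", as octets
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return to_bytes(pow(peer_public, private, p))

def tkey_demo():  # both sides publish an RFC 2539 field, parse the peer's, derive the DH value
    (cx, cy), (sx, sy) = dh_keypair(P, G), dh_keypair(P, G)
    client_field, server_field = encode_dh_public(P, G, cy), encode_dh_public(P, G, sy)
    (sp, _, server_y), (cp, _, client_y) = decode_dh_public(server_field), decode_dh_public(client_field)
    c, s = shared_value(sp, cx, server_y), shared_value(cp, sx, client_y)
    return {"prime_bits": sp.bit_length(), "agreed": c == s, "dh_value": c}
```

Checking prime_bits on a parsed peer key is the quick way to spot a key generated with too small a -b value before it is ever used for TKEY.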