Configuring TSIG keys and ACL's on slave server
Phusion
phusion2k at gmail.com
Tue Apr 17 20:20:53 UTC 2007
On 4/16/07, Curt Sampson <cjs at cynic.net> wrote:
> On Mon, 16 Apr 2007, Phusion wrote:
>
> > I need help configuring TSIG keys and ACL's on a slave server.
>
> Your key statements look fine, but your ACLs don't seem right.
> You probably want something that includes things similar to the following:
>
> transfer-keys.conf:
>
> key transfer.key. {
>     algorithm hmac-md5;
>     secret "...";
> };
>
> named-master.conf:
>
> include "transfer-keys.conf";
> options {
>     allow-transfer {
>         localhost;
>         key transfer.key.;
>     };
> };
>
> name-slave.conf:
>
> include "transfer-keys.conf";
> masters my_masters {
>     10.1.1.2 key transfer.key.;
> };
> zone foo.com. {
>     type slave;
>     file "slave/foo.com";
>     masters { my_masters; };
> };
>
>
> Also, you don't want recursion on (except for maybe local queries, if
> the machine and all its users are trusted--I still have doubts about
> even that) in your slave servers; they're still authoritative servers.
>
> As well, it appears to me (though I've not yet played with this
> seriously) that you can put some or all of your slaves in your slave file
> master list and they'll co-ordinate properly, pulling down the data from
> the "master" with the highest serial number. Thus, if you completely
> lose your master (e.g., it falls off the Internet) and you need to
> update a zone, you can use a copy of the master files on the slave (I
> keep all mine in version control on a separate machine, and have extra
> checkouts handy on slaves just in case), change the slave to use the
> master config file, make your changes, reload, and you're set.
>
>
> cjs
> --
> Curt Sampson <cjs at cynic.net> +81 90 7737 2974
> The power of accurate observation is commonly called cynicism
> by those who have not got it. --George Bernard Shaw
>
I made some changes and now my config files look like the following.
====================
named.conf.master
====================
/* TSIG keys ======================= */
key smdndnsp1-smdndnsp2.test.com. {
    algorithm hmac-md5;
    secret "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
};
/* ACLs ============================ */
acl lan {
    127/8; 10.1.1/24; 10.1.101/24;
};
acl transfer {
    key smdndnsp1-smdndnsp2.test.com.;
};
/* rndc configuration ============== */
key "rndc-key" {
    algorithm hmac-md5;
    secret "Bpd0MiJARZI7+Ze5ZvYqpMLWKd6u43DRsqRB6ouHEay8dQZRCdj5zsibvdR6gySRjen7AGAV/DYedEDFsjhEvg==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};
/* Options ========================= */
options {
    directory "/";
    version ""; // remove this to allow version queries
    allow-query { "lan"; };
    allow-transfer { "transfer"; };
};
...
...
...
/* Authoritative zones ============= */
zone "." {
    type hint;
    file "standard/root.hint";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "standard/loopback";
};
zone "1.1.10.in-addr.arpa" {
    type master;
    file "master/db.10.1.1";
    allow-update { key mdnlan; };
    notify yes;
};
zone "localhost" {
    type master;
    file "standard/localhost";
};
zone "mdnlan.test.com" {
    type master;
    file "master/db.mdnlan.test.com";
    allow-update { key mdnlan; };
    notify yes;
};
zone "test.com" {
    type master;
    file "master/db.test.com";
};
====================
named.conf.slave
====================
/* TSIG keys ======================= */
key smdndnsp1-smdndnsp2.test.com. {
    algorithm hmac-md5;
    secret "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
};
server 10.1.1.2 {
    keys { smdndnsp1-smdndnsp2.test.com.; };
};
/* ACLs ============================ */
acl lan {
    127/8; 10.1.1/24; 10.1.101/24;
};
acl transfer {
    key smdndnsp1-smdndnsp2.test.com.;
};
/* rndc configuration ============== */
key "rndc-key" {
    algorithm hmac-md5;
    secret "wejqinaDNIMyTQ/DEObjVfRLbO1mOxughAefMgzenKX2zF7JwcpBJbR3zaIl3EX7T3IG9wMHHfS4I+SBuubXvg==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};
/* Options ========================= */
options {
    directory "/";
    version ""; // remove this to allow version queries
    allow-query { "lan"; };
    allow-transfer { none; };
};
...
...
...
/* Authoritative zones ============= */
zone "." {
    type hint;
    file "standard/root.hint";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "standard/loopback";
};
zone "1.1.10.in-addr.arpa" {
    type slave;
    masters { 10.1.1.2; };
    file "slave/bak.10.1.1";
};
zone "localhost" {
    type master;
    file "standard/localhost";
};
zone "mdnlan.test.com" {
    type slave;
    masters { 10.1.1.2; };
    file "slave/bak.mdnlan.test.com";
};
zone "test.com" {
    type slave;
    masters { 10.1.1.2; };
    file "slave/bak.test.com";
};
I think there are still problems with the ACL's. Let me know.
Phusion
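What the shared `key` statement in both configs actually authenticates, as an added example that is not from the list post or from BIND itself: a Python reconstruction of the RFC 2845 TSIG MAC over an AXFR query, using the key name from the configs above with a constructed secret. Verification runs in the order a server uses (MAC first, then the time window), so a slave holding a different secret is rejected with BADSIG and one whose clock is outside the fudge window with BADTIME; the digest layout is the same for hmac-sha256, which current BIND prefers over the hmac-md5 shown here.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret; only the key name is taken from the configs above.
KEY_NAME = "smdndnsp1-smdndnsp2.test.com."
SECRET_B64 = base64.b64encode(b"constructed-shared-secret-for-demo").decode()
ALGORITHM = "hmac-md5.sig-alg.reg.int."   # wire name behind BIND's "hmac-md5"

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Minimal AXFR query: header with QDCOUNT=1, then QNAME / QTYPE=AXFR / QCLASS=IN."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_digest(message, key_name, time_signed, fudge, error=0, other=b""):
    """RFC 2845 digest input: the unsigned message, then the TSIG variables
    (key name, class ANY, TTL 0, algorithm name, 48-bit time, fudge, error, other)."""
    return (message
            + wire_name(key_name) + struct.pack("!HI", 255, 0)
            + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret_b64, time_signed, fudge=300):
    """Requester side: MAC = HMAC-MD5(shared secret, digest)."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, tsig_digest(message, key_name, time_signed, fudge), hashlib.md5).digest()

def tsig_verify(message, key_name, secret_b64, time_signed, fudge, mac, now):
    """Server side, in RFC order: recompute and compare the MAC, then check the
    time window. Returns the TSIG error name BIND would log, or NOERROR."""
    expected = tsig_sign(message, key_name, secret_b64, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

if __name__ == "__main__":
    msg = axfr_query("test.com.")
    t = 1176841253  # constructed "time signed" value
    mac = tsig_sign(msg, KEY_NAME, SECRET_B64, t)
    print(tsig_verify(msg, KEY_NAME, SECRET_B64, t, 300, mac, now=t + 10))    # NOERROR
    print(tsig_verify(msg, KEY_NAME, "AAAA", t, 300, mac, now=t + 10))        # BADSIG
    print(tsig_verify(msg, KEY_NAME, SECRET_B64, t, 300, mac, now=t + 3600))  # BADTIME
```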