How to create the TSIG?
Chris Buxton
cbuxton at menandmice.com
Fri Feb 6 00:58:27 UTC 2009
Create a key:
dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key
(Note: Use something better than hmac-md5 if your BIND version
supports it.) This creates two files, with similar names. Extract the
secret from either of them (it is the same in both) and create a key
statement:
key "slave1.key" {
    algorithm hmac-md5;
    secret "put here the secret from the file";
};
Put this statement into named.conf on both the master server and one
of your slaves. Then, put this into the master server's named.conf:
server 192.0.2.1 { // use the actual IP address of the slave here
    keys { slave1.key; };
};
On the slave:
server 192.0.2.2 { // this should be the IP address of the master
    keys { slave1.key; };
};
This will then secure all communication (except forwarded updates)
between master and slave1. That includes notifies, SOA queries and
responses, and zone transfers.
Repeat the above for each slave. Use a different key for each slave.
This means the master will have 5 keys defined (plus an RNDC key,
hopefully), and 5 server statements. You may also want to create
additional keys (and additional server statements) for use between
slaves, just in case you ever need to promote one.
Next, create yet another key for dynamic updates. Put that key's name
into your allow-update statement. Turn on update-forwarding on the
slaves, like this (in each slave zone):
allow-update-forwarding { any; };
Since the master will only permit signed updates, and since the slaves
will forward signed updates unmodified (signatures intact), you do not
need to secure this ACL.
Chris Buxton
Professional Services
Men & Mice
On Feb 4, 2009, at 2:23 PM, Michelle Konzack wrote:
> Hello,
>
> since the French authorities (current government has shut down my
> network in Paris) I am installing my system on some root servers at
> different ISPs all over the world...
>
> So while reading the bind9 manual, it is not clear to me HOW to
> create the TSIG and use it, because I will install bind9 as master
> on one of my root servers and then let the 5 slaves update from it.
>
> But I have the need for dynamically updating the zones.
>
> So, what must I do to use TSIG?
> (as from the manual, "allow-update" with IP addresses is suicide)
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> 24V Electronic Engineer
> Tamay Dogan Network
> Debian GNU/Linux Consultant
>
>
> --
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> ##################### Debian GNU/Linux Consultant #####################
> <http://www.tamay-dogan.net/> <http://www.can4linux.org/>
> Michelle Konzack     Apt. 917                 ICQ #328449886
> +49/177/9351947      50, rue de Soultz        MSN LinuxMichi
> +33/6/61925193       67100 Strasbourg/France  IRC #Debian (irc.icq.com)
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
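As an added example (not from the thread or from ISC), the script below generates the per-slave key and server statements Chris describes for a master and five slaves, and audits an existing named.conf fragment for the weak hmac-md5 algorithm, undecodable or short secrets, and a secret reused across keys. It assumes hmac-sha256 is available in the BIND version in use; the IP addresses are RFC 5737 documentation addresses, constructed for the example.

```python
import base64
import re
import secrets

# Constructed inventory: one master and the five slaves mentioned in the thread.
MASTER_IP = "192.0.2.2"
SLAVES = {f"slave{i}.key": f"192.0.2.{10 + i}" for i in range(1, 6)}

def new_tsig_secret(nbytes: int = 32) -> str:
    """Random secret of nbytes (256 bits for hmac-sha256), base64 as BIND expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def key_statement(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'

def server_statement(ip: str, key_name: str) -> str:
    return f"server {ip} {{\n    keys {{ {key_name}; }};\n}};\n"

def build_configs(master_ip: str, slaves: dict, algorithm: str = "hmac-sha256") -> dict:
    """Return named.conf fragments keyed "master" and by slave key name.
    Each slave gets its own key; the master carries every key plus one server
    statement per slave, each slave only its own key plus a server statement
    pointing at the master."""
    master_parts, slave_conf = [], {}
    for name, ip in slaves.items():
        secret = new_tsig_secret()
        master_parts.append(key_statement(name, secret, algorithm) + server_statement(ip, name))
        slave_conf[name] = key_statement(name, secret, algorithm) + server_statement(master_ip, name)
    return {"master": "".join(master_parts), **slave_conf}

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+);\s*secret\s+"([^"]+)";\s*\};')

def audit_key_statements(conf: str) -> list:
    """Return (key name, issue) pairs for weak, malformed, short or reused secrets."""
    findings, seen = [], {}
    for name, alg, secret in KEY_RE.findall(conf):
        if alg.lower() == "hmac-md5":
            findings.append((name, "weak algorithm hmac-md5"))
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((name, "secret is not valid base64"))
            continue
        if len(raw) < 16:
            findings.append((name, f"secret only {len(raw) * 8} bits"))
        if raw in seen:
            findings.append((name, f"secret reused from {seen[raw]}"))
        seen.setdefault(raw, name)
    return findings
```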