How to create the TSIG?

Michelle Konzack linux4michelle at tamay-dogan.net
Fri Feb 6 16:47:42 UTC 2009


Hello Chris,

thank you for the "HOWTO"... now it is clearer.

OK, some strange things have happened to my master DNS @home.  Since it
seems I had an "nsupdate" from my Laptop, an update from my workstations
was working perfectly and now it comes:

I have never used:

Am 2009-02-05 16:58:27, schrieb Chris Buxton:
> Create a key:
>
> dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key
>
> (Note: Use something better than hmac-md5 if your BIND version supports 
> it.) This creates two files, with similar names. Extract the secret from 
> either of them (it is the same in both) and create a key statement:
>
> key "slave1.key" {
> 	algorithm hmac-md5;
> 	secret "put here the secret from the file";
> };

and this was installed and I was not looking into my local DNS for several
weeks...  Today I have found

1) a modified file
   /etc/bind/net.tamay-dogan.private

2) two new files
   /etc/bind/net.tamay-dogan.private.njl
   /etc/bind/rndc.key

where the last one has the key entry above.

Q: Does the "nsupdate" create/change these files?

Note:  The rndc.key file is not included in any files, hence I
       assume it is not alive and I have to include it into my
       /etc/bind/named.conf.local (Debian System)

> Put this statement into named.conf on both the master server and one of 
> your slaves. Then, put this into the master server's named.conf:
>
> server 192.0.2.1 { // use the actual IP address of the slave here
> 	keys { slave1.key; };
> };
>
> On the slave:
>
> server 192.0.2.2 { // this should be the IP address of the master
> 	keys { slave1.key; };
> };

OK done.

> This will then secure all communication (except forwarded updates)  
> between master and slave1. That includes notifies, SOA queries and  
> responses, and zone transfers.
>
> Repeat the above for each slave. Use a different key for each slave.  
> This means the master will have 5 keys defined (plus an RNDC key,  
> hopefully), and 5 server statements. You may also want to create  
> additional keys (and additional server statements) for use between  
> slaves, just in case you ever need to promote one.

OK, now I have:

key "rndc-key" {
...
};
key "tdnet.key" {
...
};
key "hetzner.key" {
...
};
key "vallendor.key" {
...
};

and 5 entries like

server 192.168.0.194 {
	keys { tdnet.key; };
};

> Next, create yet another key for dynamic updates. Put that key's name  
> into your allow-update statement. Turn on update-forwarding on the  

Done but...

> slaves, like this (in each slave zone):
>
> allow-update-forwarding { any; };

OK done.

> Since the master will only permit signed updates, and since the slaves  
> will forward signed updates unmodified (signatures intact), you do not  
> need to secure this ACL.

I have for testing only my second local DNS included and I call the  key
"tdnet.key" since it is under my own control...

I have now (unnecessary lines stripped)

----[ '/etc/bind/named.conf' ]------------------------------------------
include "/etc/bind/named.conf.options";

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
------------------------------------------------------------------------

----[ '/etc/bind/named.conf.options' ]----------------------------------
options {
        directory "/var/cache/bind";
        check-names master fail;
        check-names slave warn;
        check-names response ignore;
        auth-nxdomain no;
        listen-on-v6 { any; };
        listen-on { 192.168.0.74; };
};
------------------------------------------------------------------------

----[ '/etc/bind/named.conf.local' ]------------------------------------
key "rndc-key" {
        algorithm hmac-md5;
        secret " ...very_short_key... ";
};

key "tdnet.key" {
        algorithm hmac-md5;
        secret " ...very_long_key... ";
};

server 192.168.0.194 {
        keys { tdnet.key; };
};

zone "private.tamay-dogan.net" {
        type            master;
        file            "/etc/bind/net.tamay-dogan.private";
        allow-transfer  { 192.168.0.194; };
        allow-update    { tdnet.key;  };
//      allow-update    { 192.168.0.91; 192.168.0.92; 192.168.0.93; 192.168.0.112;  };
};

zone "0.168.192.in-addr.arpa" {
        type            master;
        file            "/etc/bind/db.192.168.0";
        allow-transfer  { 192.168.0.194; };
};
------------------------------------------------------------------------

And my Intranet Zone looks like:

----[ '/etc/bind/net.tamay-dogan.private' ]-----------------------------
$ORIGIN .
$TTL 86400      ; 1 day
private.tamay-dogan.net IN SOA  dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. (
                                1230807508 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.private.tamay-dogan.net.
                        MX      10 mail.private.tamay-dogan.net.
                        MX      20 server4.pinguin-hosting.de.
$ORIGIN private.tamay-dogan.net.
$TTL 300        ; 5 minutes
128                     A       192.168.0.84
336                     A       192.168.0.81
576                     A       192.168.0.82
access                  A       192.168.0.80
aspire1350              A       192.168.0.115
clamav                  A       192.168.0.76
devel                   A       192.168.0.92
dns                     A       192.168.0.74
karima1                 A       192.168.0.94
keyserver               A       192.168.0.73
ledger                  A       192.168.0.75
lpd                     A       192.168.0.72
mail                    A       192.168.0.70
$TTL 86400      ; 1 day
                        TXT     "v=spf1 a mx ~all"
$TTL 300        ; 5 minutes
michelle1               A       192.168.0.91
mobilix                 A       192.168.0.111
multimedia              A       192.168.0.93
mysql                   A       192.168.0.66
pgsql                   A       192.168.0.66
r40                     A       192.168.0.113
router                  A       192.168.0.65
samba1                  A       192.168.0.67
                        TXT     "sources archive; 258 GByte left"
samba2                  A       192.168.0.68
                        TXT     "Multimedia stuff; 1783 GByte left"
samba3                  A       192.168.0.69
                        TXT     "Some comment for bind-users"
syslog                  A       192.168.0.71
t72                     A       192.168.0.114
tp570                   A       192.168.0.112
------------------------------------------------------------------------

but if I restart bind I get:

----[ '/var/log/syslog' ]-----------------------------------------------
Feb  6 17:40:10 dns named[24020]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:40:10 dns named[24020]: found 4 CPUs, using 4 worker threads
Feb  6 17:40:10 dns named[24020]: loading configuration from '/etc/bind/named.conf'
Feb  6 17:40:10 dns named[24020]: listening on IPv6 interfaces, port 53
Feb  6 17:40:10 dns named[24020]: listening on IPv4 interface eth0:4, 192.168.0.74#53
Feb  6 17:40:10 dns named[24020]: /etc/bind/named.conf.local:49: undefined ACL 'tdnet.key'
Feb  6 17:40:10 dns named[24020]: loading configuration: not found
Feb  6 17:40:10 dns named[24020]: exiting (due to fatal error)
------------------------------------------------------------------------

which does not look really funny since I can not send messages any more... :-/

if I restore the line

        allow-update    { tdnet.key;  };

back to the IPs it works fine:

----[ '/var/log/syslog' ]-----------------------------------------------
Feb  6 17:43:09 dns named[24170]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:43:09 dns named[24170]: found 4 CPUs, using 4 worker threads
Feb  6 17:43:09 dns named[24170]: loading configuration from '/etc/bind/named.conf'
Feb  6 17:43:09 dns named[24170]: listening on IPv6 interfaces, port 53
Feb  6 17:43:09 dns named[24170]: listening on IPv4 interface eth0:4, 192.168.0.74#53
Feb  6 17:43:09 dns named[24170]: zone 'private.tamay-dogan.net' allows updates by IP address, which is insecure
Feb  6 17:43:09 dns named[24170]: command channel listening on 127.0.0.1#953
Feb  6 17:43:09 dns named[24170]: command channel listening on ::1#953
Feb  6 17:43:09 dns named[24170]: zone 0.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: zone 127.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/db.192.168.0:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone 0.168.192.in-addr.arpa/IN: loaded serial 1230468458
Feb  6 17:43:09 dns named[24170]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: zone localhost/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.cybercenter:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.omega:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: zone private.tamay-dogan.net/IN: loaded serial 1230807508
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.redhat:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone redhat.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: running
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: sending notifies (serial 1220552501)
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: sending notifies (serial 1220552501)
------------------------------------------------------------------------

What have I done wrong?

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>               <http://www.can4linux.org/>
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)
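An added check for the allow-update problem shown in the post above (example code by the editor, not from the original post or from BIND). In a BIND address-match list a bare name such as `tdnet.key` is looked up as an ACL name, which is why named reports "undefined ACL"; a TSIG key is referenced as `key tdnet.key;`. The script lints a constructed named.conf sample (SAMPLE_CONF, an assumption of this example) and flags bare key names, undefined keys, and the address-based updates that named logs as insecure.

```python
"""Lint allow-update ACLs in a BIND named.conf fragment (constructed check,
not part of the original post or of BIND). It mirrors the two diagnostics
in the syslog above: a bare key name in an address-match list is looked up
as an ACL ("undefined ACL"), and bare addresses load but are logged as
insecure. The element form for a TSIG key is "key <name>;"."""
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
# One address-match-list element: IPv4 address/prefix, "key NAME", or a bare name.
ELEM_RE = re.compile(r"^(?:(?P<addr>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)"
                     r"|(?P<key>key\s+)?(?P<name>[\w.\-]+))$")

# Constructed sample: zone a is the post's failing form, b its IP fallback, c the fix.
SAMPLE_CONF = """
key "tdnet.key" { algorithm hmac-md5; secret "CONSTRUCTED_PLACEHOLDER=="; };
acl "trusted" { 192.168.0.91; 192.168.0.92; };
zone "a.example" { type master; file "db.a"; allow-update { tdnet.key; }; };
zone "b.example" { type master; file "db.b"; allow-update { 192.168.0.91; 192.168.0.92; }; };
zone "c.example" { type master; file "db.c"; allow-update { key tdnet.key; trusted; }; };
"""

def strip_comments(conf):
    """Drop // and # line comments (block /* */ comments are not handled)."""
    return "\n".join(re.sub(r"(//|#).*$", "", line) for line in conf.splitlines())

def defined_names(conf, kind):
    """Names introduced by 'key "name" {' or 'acl "name" {' statements."""
    return set(re.findall(r'\b%s\s+"?([\w.\-]+)"?\s*\{' % kind, conf))

def lint_allow_update(conf):
    """Return (element, verdict) pairs for every allow-update element in conf."""
    conf = strip_comments(conf)
    keys, acls = defined_names(conf, "key"), defined_names(conf, "acl")
    findings = []
    for body in re.findall(r"\ballow-update\s*\{([^}]*)\}", conf):
        for elem in (e.strip() for e in body.split(";") if e.strip()):
            m = ELEM_RE.match(elem)
            if m is None:
                findings.append((elem, "unparsed element"))
            elif m.group("addr"):
                findings.append((elem, "insecure: updates allowed by IP address"))
            elif m.group("key"):  # "key NAME": must name a defined key statement
                name = m.group("name")
                findings.append((elem, "ok" if name in keys else "undefined key '%s'" % name))
            elif m.group("name") in BUILTIN_ACLS or m.group("name") in acls:
                findings.append((elem, "ok"))
            else:  # bare name: named resolves it as an ACL name, not a key
                findings.append((elem, "undefined ACL '%s' (use 'key %s')" % (elem, elem)))
    return findings
```

Running `lint_allow_update(SAMPLE_CONF)` reports the bare `tdnet.key` as an undefined ACL, the two addresses as insecure, and the `key tdnet.key` / `trusted` elements as ok.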