How to create the TSIG?

Chris Buxton cbuxton at menandmice.com
Fri Feb 6 18:14:26 UTC 2009


Point 1: The rndc.key file is referenced automatically if its contents are not included, because you do not have a controls statement. This is confusing, so please read the section of the ARM on the controls statement.
__

Point 2: Your 'allow-update' statement is wrong. You have:

allow-update { tdnet.key; };

Problem one is, you forgot the word "key".

allow-update { key tdnet.key; };

Problem two is, you're re-using a server-to-server key for dynamic updates. This is bad practice. You should have one key for dynamic updates to the zone, and another key for all communication with the server at 192.168.0.194.
__

Point 3: Since you have an allow-transfer statement in the zone, you should change it to this:

allow-transfer { key tdnet.key; };

Add all 5 slave server keys to that list. Furthermore, you can move this list out of the zone statements and into the options statement, so that you don't have to duplicate it once per zone.
__

Point 4: The reason your zone has been rewritten, and the reason for the .jnl file, is that your zone has received a dynamic update. This is normal behavior. nsupdate doesn't directly create the journal file, nor does it directly modify the zone file; instead, named does this in response to the dynamic update. The .jnl file is created immediately upon receiving the first update, while the main zone file is rewritten 15 minutes later.

You should constrain the size of your journal files, in the options statement, with something like this:

max-journal-size 5M;

The rndc.key file was created by the package installer for BIND, as part of the post-processing. It was always there; you just didn't notice it.
__

Point 5: Whenever you modify named.conf, before you restart named, run named-checkconf over it, just to be sure.

Chris Buxton
Professional Services
Men & Mice
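As an added illustration of points 1 to 3 (this is not code from either message in the thread), the following Python check reads a named.conf fragment and flags the three mistakes discussed: a key name used in an ACL without the `key` keyword (the "undefined ACL" error in Michelle's log), updates allowed by IP address, and a server-to-server key reused as the dynamic-update key. The regexes assume the simple one-statement-per-line layout of the quoted configuration; `update.key` is an assumed name for the separate update key.

```python
import re

# Minimal matchers for the named.conf statements the check looks at.
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{')
SERVER_KEYS_RE = re.compile(r'server\s+[\d.]+\s*\{[^}]*?keys\s*\{([^}]*)\}', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'(allow-update|allow-transfer)\s*\{([^}]*)\}')

def _items(body):
    return [i.strip() for i in body.split(';') if i.strip()]

def lint_named_conf(conf):
    # Returns findings for: key name without 'key' keyword, updates by IP,
    # and a server-to-server key reused as the dynamic-update key.
    keys = set(KEY_RE.findall(conf))
    server_keys = set()
    for body in SERVER_KEYS_RE.findall(conf):
        server_keys.update(_items(body))
    findings = []
    for zone, body in ZONE_RE.findall(conf):
        # ignore statements commented out with //
        body = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("//"))
        for stmt, acl in ACL_RE.findall(body):
            for item in _items(acl):
                if item.startswith("key "):
                    name = item[4:].strip()
                    if name not in keys:
                        findings.append(f"{zone}: {stmt} uses undefined key {name}")
                    elif stmt == "allow-update" and name in server_keys:
                        findings.append(f"{zone}: update key {name} is also a server key")
                elif item in keys:
                    findings.append(f"{zone}: {stmt} {{ {item}; }} lacks the 'key' keyword")
                elif stmt == "allow-update" and re.fullmatch(r"[\d./]+", item):
                    findings.append(f"{zone}: updates by IP {item} are insecure")
    return findings

# Constructed fragment modelled on the configuration quoted in this thread.
BROKEN = '''key "tdnet.key" { algorithm hmac-md5; secret "..."; };
server 192.168.0.194 { keys { tdnet.key; }; };
zone "private.tamay-dogan.net" { type master;
    allow-transfer { 192.168.0.194; };
    allow-update   { tdnet.key; };
};'''

# The same zone after points 2 and 3: separate update key, 'key' keyword, keyed transfers.
FIXED = '''key "tdnet.key"  { algorithm hmac-md5; secret "..."; };
key "update.key" { algorithm hmac-md5; secret "..."; };
server 192.168.0.194 { keys { tdnet.key; }; };
zone "private.tamay-dogan.net" { type master;
    allow-transfer { key tdnet.key; };
    allow-update   { key update.key; };
};'''
```

`lint_named_conf(BROKEN)` reports the missing `key` keyword; `lint_named_conf(FIXED)` returns no findings. The check does not replace named-checkconf, which should still be run before restarting named.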

On Feb 6, 2009, at 8:47 AM, Michelle Konzack wrote:

> Hello Chris,
>
> thank you for the "HOWTO"... now it is more clear.
>
> OK, there are some strange things happening to my master DNS @home. Since, it seems, I had an "nsupdate" from my Laptop, an update from my workstations was working perfectly and now it comes:
>
> I have never used:
>
> On 2009-02-05 16:58:27, Chris Buxton wrote:
>> Create a key:
>>
>> dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key
>>
>> (Note: Use something better than hmac-md5 if your BIND version supports
>> it.) This creates two files, with similar names. Extract the secret from
>> either of them (it is the same in both) and create a key statement:
>>
>> key "slave1.key" {
>> 	algorithm hmac-md5;
>> 	secret "put here the secret from the file";
>> };
>
> and installed this, and was not looking into my local DNS for several
> weeks...  Today I have found
>
> 1) a modified file
>   /etc/bind/net.tamay-dogan.private
>
> 2) two new files
>   /etc/bind/net.tamay-dogan.private.njl
>   /etc/bind/rndc.key
>
> where the last one has the key entry above.
>
> Q: Does the "nsupdate" create/change these files?
>
> Note:  The rndc.key file is not included in any files, hence I
>       assume it is not alive and I have to include it into my
>       /etc/bind/named.conf.local (Debian System)
>
>> Put this statement into named.conf on both the master server and one of
>> your slaves. Then, put this into the master server's named.conf:
>>
>> server 192.0.2.1 { // use the actual IP address of the slave here
>> 	keys { slave1.key; };
>> };
>>
>> On the slave:
>>
>> server 192.0.2.2 { // this should be the IP address of the master
>> 	keys { slave1.key; };
>> };
>
> OK done.
>
>> This will then secure all communication (except forwarded updates)
>> between master and slave1. That includes notifies, SOA queries and
>> responses, and zone transfers.
>>
>> Repeat the above for each slave. Use a different key for each slave.
>> This means the master will have 5 keys defined (plus an RNDC key,
>> hopefully), and 5 server statements. You may also want to create
>> additional keys (and additional server statements) for use between
>> slaves, just in case you ever need to promote one.
>
> OK, now I have:
>
> key "rndc-key" {
> ...
> };
> key "tdnet.key" {
> ...
> };
> key "hetzner.key" {
> ...
> };
> key "vallendor.key" {
> ...
> };
>
> and 5 entries like
>
> server 192.168.0.194 {
> 	keys { tdnet.key; };
> };
>
>> Next, create yet another key for dynamic updates. Put that key's name
>> into your allow-update statement. Turn on update-forwarding on the
>
> Done but...
>
>> slaves, like this (in each slave zone):
>>
>> allow-update-forwarding { any; };
>
> OK done.
>
>> Since the master will only permit signed updates, and since the slaves
>> will forward signed updates unmodified (signatures intact), you do not
>> need to secure this ACL.
>
> I have for testing only my second local DNS included and I call the
> key "tdnet.key" since it is under my own control...
>
> I have now (unnecessary lines stripped)
>
> ----[ '/etc/bind/named.conf' ]------------------------------------------
> include "/etc/bind/named.conf.options";
>
> zone "." {
>        type hint;
>        file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>        type master;
>        file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>        type master;
>        file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>        type master;
>        file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>        type master;
>        file "/etc/bind/db.255";
> };
>
> include "/etc/bind/named.conf.local";
> ------------------------------------------------------------------------
>
> ----[ '/etc/bind/named.conf.options' ]----------------------------------
> options {
>        directory "/var/cache/bind";
>        check-names master fail;
>        check-names slave warn;
>        check-names response ignore;
>        auth-nxdomain no;
>        listen-on-v6 { any; };
>        listen-on { 192.168.0.74; };
> };
> ------------------------------------------------------------------------
>
> ----[ '/etc/bind/named.conf.local' ]------------------------------------
> key "rndc-key" {
>        algorithm hmac-md5;
>        secret " ...very_short_key... ";
> };
>
> key "tdnet.key" {
>        algorithm hmac-md5;
>        secret " ...very_long_key... ";
> };
>
> server 192.168.0.194 {
>        keys { tdnet.key; };
> };
>
> zone "private.tamay-dogan.net" {
>        type            master;
>        file            "/etc/bind/net.tamay-dogan.private";
>        allow-transfer  { 192.168.0.194; };
>        allow-update    { tdnet.key;  };
> //      allow-update    { 192.168.0.91; 192.168.0.92; 192.168.0.93; 192.168.0.112;  };
> };
>
> zone "0.168.192.in-addr.arpa" {
>        type            master;
>        file            "/etc/bind/db.192.168.0";
>        allow-transfer  { 192.168.0.194; };
> };
> ------------------------------------------------------------------------
>
> And my Intranet Zone looks like:
>
> ----[ '/etc/bind/net.tamay.dogan.private' ]-----------------------------
> $ORIGIN .
> $TTL 86400      ; 1 day
> private.tamay-dogan.net IN SOA  dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. (
>                                1230807508 ; serial
>                                10800      ; refresh (3 hours)
>                                3600       ; retry (1 hour)
>                                604800     ; expire (1 week)
>                                86400      ; minimum (1 day)
>                                )
>                        NS      dns.private.tamay-dogan.net.
>                        MX      10 mail.private.tamay-dogan.net.
>                        MX      20 server4.pinguin-hosting.de.
> $ORIGIN private.tamay-dogan.net.
> $TTL 300        ; 5 minutes
> 128                     A       192.168.0.84
> 336                     A       192.168.0.81
> 576                     A       192.168.0.82
> access                  A       192.168.0.80
> aspire1350              A       192.168.0.115
> clamav                  A       192.168.0.76
> devel                   A       192.168.0.92
> dns                     A       192.168.0.74
> karima1                 A       192.168.0.94
> keyserver               A       192.168.0.73
> ledger                  A       192.168.0.75
> lpd                     A       192.168.0.72
> mail                    A       192.168.0.70
> $TTL 86400      ; 1 day
>                        TXT     "v=spf1 a mx ~all"
> $TTL 300        ; 5 minutes
> michelle1               A       192.168.0.91
> mobilix                 A       192.168.0.111
> multimedia              A       192.168.0.93
> mysql                   A       192.168.0.66
> pgsql                   A       192.168.0.66
> r40                     A       192.168.0.113
> router                  A       192.168.0.65
> samba1                  A       192.168.0.67
>                        TXT     "sources archive; 258 GByte left"
> samba2                  A       192.168.0.68
>                        TXT     "Multimedia stuff; 1783 GByte left"
> samba3                  A       192.168.0.69
>                        TXT     "Some comment for bind-users"
> syslog                  A       192.168.0.71
> t72                     A       192.168.0.114
> tp570                   A       192.168.0.112
> ------------------------------------------------------------------------
>
> but if I restart bind I get:
>
> ----[ '/var/log/syslog' ]-----------------------------------------------
> Feb  6 17:40:10 dns named[24020]: starting BIND 9.3.4-P1.1 -u bind
> Feb  6 17:40:10 dns named[24020]: found 4 CPUs, using 4 worker threads
> Feb  6 17:40:10 dns named[24020]: loading configuration from '/etc/bind/named.conf'
> Feb  6 17:40:10 dns named[24020]: listening on IPv6 interfaces, port 53
> Feb  6 17:40:10 dns named[24020]: listening on IPv4 interface eth0:4, 192.168.0.74#53
> Feb  6 17:40:10 dns named[24020]: /etc/bind/named.conf.local:49: undefined ACL 'tdnet.key'
> Feb  6 17:40:10 dns named[24020]: loading configuration: not found
> Feb  6 17:40:10 dns named[24020]: exiting (due to fatal error)
> ------------------------------------------------------------------------
>
> which does not look really funny since I can no longer send messages... :-/
>
> if I restore the line
>
>        allow-update    { tdnet.key;  };
>
> back to the IPs it works fine:
>
> ----[ '/var/log/syslog' ]-----------------------------------------------
> Feb  6 17:43:09 dns named[24170]: starting BIND 9.3.4-P1.1 -u bind
> Feb  6 17:43:09 dns named[24170]: found 4 CPUs, using 4 worker threads
> Feb  6 17:43:09 dns named[24170]: loading configuration from '/etc/bind/named.conf'
> Feb  6 17:43:09 dns named[24170]: listening on IPv6 interfaces, port 53
> Feb  6 17:43:09 dns named[24170]: listening on IPv4 interface eth0:4, 192.168.0.74#53
> Feb  6 17:43:09 dns named[24170]: zone 'private.tamay-dogan.net' allows updates by IP address, which is insecure
> Feb  6 17:43:09 dns named[24170]: command channel listening on 127.0.0.1#953
> Feb  6 17:43:09 dns named[24170]: command channel listening on ::1#953
> Feb  6 17:43:09 dns named[24170]: zone 0.in-addr.arpa/IN: loaded serial 1
> Feb  6 17:43:09 dns named[24170]: zone 127.in-addr.arpa/IN: loaded serial 1
> Feb  6 17:43:09 dns named[24170]: /etc/bind/db.192.168.0:3: using RFC 1035 TTL semantics
> Feb  6 17:43:09 dns named[24170]: zone 0.168.192.in-addr.arpa/IN: loaded serial 1230468458
> Feb  6 17:43:09 dns named[24170]: zone 255.in-addr.arpa/IN: loaded serial 1
> Feb  6 17:43:09 dns named[24170]: zone localhost/IN: loaded serial 1
> Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.cybercenter:3: using RFC 1035 TTL semantics
> Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: loaded serial 1220552501
> Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.omega:3: using RFC 1035 TTL semantics
> Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: loaded serial 1220552501
> Feb  6 17:43:09 dns named[24170]: zone private.tamay-dogan.net/IN: loaded serial 1230807508
> Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.redhat:3: using RFC 1035 TTL semantics
> Feb  6 17:43:09 dns named[24170]: zone redhat.tamay-dogan.net/IN: loaded serial 1220552501
> Feb  6 17:43:09 dns named[24170]: running
> Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: sending notifies (serial 1220552501)
> Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: sending notifies (serial 1220552501)
> ------------------------------------------------------------------------
>
> What have I done wrong?
>
> Thanks, Greetings and nice Day/Evening
>    Michelle Konzack
>    Systemadministrator
>    24V Electronic Engineer
>    Tamay Dogan Network
>    Debian GNU/Linux Consultant
>
>
> -- 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> ##################### Debian GNU/Linux Consultant #####################
> <http://www.tamay-dogan.net/>               <http://www.can4linux.org/>
> Michelle Konzack   Apt. 917                  ICQ #328449886
> +49/177/9351947    50, rue de Soultz         MSN LinuxMichi
> +33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)