rndc key is not working with bind 9.2.3 on Solaris 9 Server - for Zone Transfer

Joseph S D Yao jsdy at center.osis.gov
Tue Nov 22 16:32:52 UTC 2005


On Tue, Nov 22, 2005 at 05:00:29PM +0100, Borhade Ganesh (vMoksha) wrote:
> Dear Joseph,
> 
>    Thanks for valuable update. 
> 
> My rndc key is link as follows
> 
> bash-2.05# ls -lrt /etc/rndc.key
> lrwxrwxrwx   1 root     other         26 Nov  8 07:32 /etc/rndc.key -> /chroot/named/etc/rndc.key
> 
> 
>    All zone files are also in /chroot/named/etc.
> 
> I am able to transfer the zone from Primary DNS Server to Secondary DNS
> Server but without rndc key.
> My aim is to transfer the ZONE with the rndc key ( security ). 

Only zone information is transferred by a zone transfer [hence the
name].  The rndc key must be transferred separately.

However, if you mean that you wish to transfer the zone encrypted, you
must use another key.  Look up TSIG in your Fourth Edition of DNS and
BIND (Albitz & Liu), or in RFC 2845, or in the RIPE NCC DISI's DNSSEC
HOWTO document <https://www.ripe.net/projects/disi//dnssec_howto/>,
or in Cricket Liu's
<http://www.linuxsecurity.com/resource_files/server_security/securing_an_internet_name_server.pdf>.

Why not the same key?  (a) for security, (b) so as not to confuse uses,
as they are quite different functions.  Otherwise, the keys are
represented the same way in the configuration file [and should be
include'd from external files that are readable only by the user ID
under which 'named' is running].

> How can I test it? Because I changed the content of /etc/rndc.key on the primary DNS
> to make sure the rndc key would be different from the Secondary DNS, but the zone
> still gets transferred.

The 'rndc' program uses the "controls" channel, quite different from the
zone transfer channel.

>     I am a little confused by your statement that 2 different keys are available
> for named & rndc. I am interested only in the rndc key to improve security during
> zone transfer.

I didn't say that.

The same identical single "rndc" key must be available to the 'rndc'
program and to the 'named' program, which are two entirely completely
independently separate programs.  [This ain't no cruddy everything-
intertwined-I-can't-take-out-anything-or-it-will-fall-to-pieces
MicroSoft-type system here.]  You have indicated that you are making
this one single key available to both programs via symlinks, which is
what I had suggested.

However, by the same token, controlling the 'named' program by using the
'rndc' program, and improving security during zone transfer, are two
entirely completely independently separate functions.  ;-)  Look up
TSIG.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
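A named.conf showing the two keys side by side, as an added example that is not part of the original message or of BIND's own documentation; the zone name, addresses, key names, file paths and the secret are assumed placeholders.

```conf
// Added example (not from the thread): a primary named.conf that keeps the
// rndc key and a separate TSIG zone-transfer key apart. Zone name, IPs,
// key names and the secret are placeholders. named is assumed to run
// chrooted in /chroot/named, so every path below is as named sees it
// inside the chroot (/etc/rndc.key here is /chroot/named/etc/rndc.key on
// the host, which is what the symlink in the quoted 'ls' points at).

// 1. The rndc key: only the 'controls' channel uses it. File owned by the
//    named user, mode 0400, and never handed to the secondary.
include "/etc/rndc.key";               // defines key "rndc-key"

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// 2. A different key, TSIG (RFC 2845), for zone transfers. Same 'key'
//    statement syntax, kept in its own restricted file. On BIND 9.2 the
//    algorithm is hmac-md5; the secret is generated with
//    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST and copied to the secondary
//    out of band. Contents of /etc/xfer.key:
//
//    key "xfer-key" {
//        algorithm hmac-md5;
//        secret "PLACEHOLDER-BASE64-SECRET==";
//    };
include "/etc/xfer.key";

// Only requests signed with xfer-key may AXFR this zone; an unsigned or
// wrongly signed request from the secondary is answered REFUSED.
zone "example.com" {
    type master;
    file "/etc/example.com.zone";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };        // placeholder secondary address
};

// On the secondary (192.0.2.2), the matching half: include the same
// /etc/xfer.key, then sign everything sent to the primary with it.
//
//    include "/etc/xfer.key";
//    server 192.0.2.1 { keys { "xfer-key"; }; };
//    zone "example.com" {
//        type slave;
//        masters { 192.0.2.1; };
//        file "/etc/example.com.bak";
//    };
```

To run the check the original poster attempted, request a signed AXFR from the secondary with dig (`-k` pointing at the key file, or `-y name:secret`): it should succeed, and changing the TSIG secret on only one side should turn the answer into REFUSED, whereas editing rndc.key changes nothing about the transfer.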