rndc key is not working with bind 9.2.3 on Solaris 9 Server -- for Zone Transfer

Borhade Ganesh (vMoksha) Ganesh.Borhade at UCB-Group.com
Thu Nov 24 02:05:11 UTC 2005


Dear Joseph,
   
  Once again, thanks for the update. The zone transfer with rndc problem is
now solved, because I generated a new rndc key and removed the rndc.conf file
from both the Primary and Secondary DNS Server.
  Till now I haven't tried TSIG for security during zone transfer, but I will
do it.
  
Best Regards
Ganesh Borhade
91-9880537357

-----Original Message-----
From: Joseph S D Yao [mailto:jsdy at center.osis.gov] 
Sent: Tuesday, November 22, 2005 5:33 PM
To: Borhade Ganesh (vMoksha)
Cc: bind-users at isc.org
Subject: Re: rndc key is not working with bind 9.2.3 on Solaris 9 Server -- for Zone Transfer


On Tue, Nov 22, 2005 at 05:00:29PM +0100, Borhade Ganesh (vMoksha) wrote:
> Dear Joseph,
> 
>    Thanks for the valuable update. 
> 
> My rndc key is linked as follows:
> 
> bash-2.05# ls -lrt /etc/rndc.key
> lrwxrwxrwx   1 root     other         26 Nov  8 07:32 /etc/rndc.key -> /chroot/named/etc/rndc.key
> 
> 
>    All zone files are also in /chroot/named/etc.
> 
> I am able to transfer the zone from the Primary DNS Server to the Secondary DNS
> Server, but without the rndc key.
> My aim is to transfer the ZONE with the rndc key (security). 

Only zone information is transferred by a zone transfer [hence the
name].  The rndc key must be transferred separately.

However, if you mean that you wish to transfer the zone encrypted, you
must use another key.  Look up TSIG in your Fourth Edition of DNS and
BIND (Albitz & Liu), or in RFC 2845, or in the RIPE NCC DISI's DNSSEC
HOWTO document <https://www.ripe.net/projects/disi//dnssec_howto/>,
or in Cricket Liu's
<http://www.linuxsecurity.com/resource_files/server_security/securing_an_internet_name_server.pdf>.

Why not the same key?  (a) for security, (b) so as not to confuse uses,
as they are quite different functions.  Otherwise, the keys are
represented the same way in the configuration file [and should be
include'd from external files that are readable only by the user ID
under which 'named' is running].

> How can I test it? Because I changed the content of /etc/rndc.key on the primary DNS
> to make sure the rndc key would be different from the Secondary DNS, but still the zone
> gets transferred.

The 'rndc' program uses the "controls" channel, quite different from the
zone transfer channel.

>     I am a little confused by your statement that 2 different keys are available
> for named & rndc. I am interested only in the rndc key to improve security during
> zone transfer.

I didn't say that.

The same identical single "rndc" key must be available to the 'rndc'
program and to the 'named' program, which are two entirely completely
independently separate programs.  [This ain't no cruddy everything-
intertwined-I-can't-take-out-anything-or-it-will-fall-to-pieces
MicroSoft-type system here.]  You have indicated that you are making
this one single key available to both programs via symlinks, which is
what I had suggested.

However, by the same token, controlling the 'named' program by using the
'rndc' program, and improving security during zone transfer, are two
entirely completely independently separate functions.  ;-)  Look up
TSIG.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
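As an added example (not part of the original thread, and not ISC's or either poster's configuration), here is how the two separate keys Joe describes are laid out in a BIND 9.2-era named.conf: an rndc key that only the "controls" channel consults, and a distinct TSIG key that the primary demands on AXFR/IXFR and that the secondary uses to sign what it sends to the primary. The key names, the addresses 192.0.2.1/192.0.2.2, the zone example.com, the file paths and the base64 secret are all constructed for illustration; generate a real secret with `dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-key` and keep both key files mode 0600, owned by the user named runs as.

```conf
// ======== Primary, 192.0.2.1: /chroot/named/etc/named.conf (added example) ========

// TSIG key used ONLY for zone transfers.  The secret below is a constructed
// sample (base64 of "transfer-key-sample-secret"), not a random key; in
// practice paste the "Key:" line from dnssec-keygen output, and prefer to keep
// it in its own include'd file rather than inline here.
key "transfer-key" {
    algorithm hmac-md5;
    secret "dHJhbnNmZXIta2V5LXNhbXBsZS1zZWNyZXQ=";
};

// The rndc key lives in its own file, shared with the rndc program through the
// symlink /etc/rndc.key -> /chroot/named/etc/rndc.key (the layout from the thread).
include "/chroot/named/etc/rndc.key";   // defines key "rndc-key"

// The controls channel is the only place "rndc-key" is ever looked at.
// Changing it affects rndc and nothing else; zone transfers never see it.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Refuse AXFR/IXFR unless the request carries a valid TSIG signature made
    // with transfer-key.  A bare "allow-transfer { 192.0.2.2; };" checks only
    // the source address, which an attacker on the path can spoof; the key is
    // what actually authenticates the secondary.
    allow-transfer { key "transfer-key"; };
};

// ======== Secondary, 192.0.2.2: /chroot/named/etc/named.conf (added example) ========

// The very same key statement must appear here; TSIG is a shared secret,
// so the name AND the secret have to match byte for byte on both servers.
key "transfer-key" {
    algorithm hmac-md5;
    secret "dHJhbnNmZXIta2V5LXNhbXBsZS1zZWNyZXQ=";
};

// Sign everything this server sends to the primary (SOA refresh queries,
// AXFR/IXFR requests) with transfer-key.
server 192.0.2.1 {
    keys { "transfer-key"; };
};

zone "example.com" {
    type slave;
    file "example.com.zone.bak";
    masters { 192.0.2.1; };
};
```

To check that the separation really holds, run an unsigned transfer from the secondary, `dig @192.0.2.1 example.com AXFR`, which should now come back REFUSED, then repeat it signed with `-y transfer-key:dHJhbnNmZXIta2V5LXNhbXBsZS1zZWNyZXQ=` and confirm the full zone arrives; `rndc reload` on either server exercises the controls channel and proves the rndc key is still independently valid. Two practitioner caveats: TSIG validation fails with BADTIME if the two servers' clocks differ by more than the signature's fudge window (300 seconds by default), so keep both hosts on NTP; and because the secret is symmetric, anyone who can read the key file on either server can request the zone, which is why Joe's point about making the include'd key files readable only by the named user matters as much as the configuration above.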

