Zone transfer over VPN
Michael De Roover
isc at nixmagic.com
Wed Sep 7 07:33:02 UTC 2022
On Wednesday, September 7, 2022 1:14:00 AM WEST John Thurston wrote:
> If you are dealing with two totally private networks, do you even need
> the ACL?
>
> But if you do need to limit access, then I suggest using TSIG to
> identify and authorize. This avoids the whole question of
> source/destination IP addresses. If the transfer request is made using
> the correct key, it will work.
>
> I do this by defining a specific key for each secondary server. Then, in
> the appropriate view on the hidden primary, I use:
>
> match-clients { none; };
> allow-transfer { key nameofkeyhere; };
>
> and on each secondary, I define a 'primaries' and use that in the zone
> definitions:
>
> primaries hiddenprimary { 10.20.30.40 key nameofkeyhere; };
> zone "foo.bar.com" { type secondary; primaries { hiddenprimary; }; };
>
> The address of the secondary does not matter. As long as it makes the
> connection to the primary using the key 'nameofkeyhere', it can do the
> zone transfers.
Hi John,
Thank you so much for getting back to me, I really appreciate it. I have used
your advice and looked further into how to configure TSIG, and came across this
article on nixCraft [1]. However, while the setup seems like it is fairly
straightforward, the usage of HMAC-MD5 they mention seems to be deprecated. I
have checked which ciphers dnssec-keygen supports in 9.18.5 (I have taken the
time to upgrade the Alpine boxes while I was at it) and it seems like ED25519
is supported, which I like and use extensively in SSH already. But when using
the command below, it doesn't seem to work properly, exiting with the error
message below that.
ns1:~# cd /etc/bind
ns1:/etc/bind# dnssec-keygen -a ED25519 -n HOST rndc-key
dnssec-keygen: fatal: invalid DNSKEY nametype HOST
Using this command without the -n parameter works fine, but (as per defaults)
generates a zone key instead. Is ED25519 supported for host keys? If not, what
would be the best current practice algorithm to generate a key of this type?
Apparently the options in my installation of BIND are among these:
-a <algorithm>:
RSASHA1 | NSEC3RSASHA1 |
RSASHA256 | RSASHA512 |
ECDSAP256SHA256 | ECDSAP384SHA384 |
ED25519 | ED448 | DH
-b <key size in bits>:
RSASHA1: [1024..4096]
NSEC3RSASHA1: [1024..4096]
RSASHA256: [1024..4096]
RSASHA512: [1024..4096]
DH: [128..4096]
ECDSAP256SHA256: ignored
ECDSAP384SHA384: ignored
ED25519: ignored
ED448: ignored
(key size defaults are set according to
algorithm and usage (ZSK or KSK)
[1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
Thanks again for your time to read this email, and for your insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
More information about the bind-users
mailing list