Q. How do I configure BIND9 name serves with TSIG (Transaction SIGnature) mechanism to secure server-to-server communication? How do I use secret key transaction authentication for DNS (bind nameservers)?
A. Transaction signatures (TSIG) is a mechanism used to secure DNS messages and to provide secure server-to-server communication (usually between master and slave server, but can be extended for dynamic updates as well). TSIG can protect the following type of transactions between two DNS servers:
A. Transaction signatures (TSIG) is a mechanism used to secure DNS messages and to provide secure server-to-server communication (usually between master and slave server, but can be extended for dynamic updates as well). TSIG can protect the following type of transactions between two DNS servers:
- Started Generate Rndc Key For Bind Dns Name
- Started Generate Rndc Key For Bind Dns Ip
- Started Generate Rndc Key For Bind Dns Account
- Started Generate Rndc Key For Bind Dns Service
Advertisements
![Started Generate Rndc Key For Bind Dns Started Generate Rndc Key For Bind Dns](/uploads/1/2/6/0/126084885/924411551.png)
- Zone transfer
- Notify
- Dynamic updates
- Recursive query messages etc
BIND DNS Server service does not start and fail. And reply with the below warning. Starting Generate rndc key for BIND (DNS). Nov 9 23:31:43 WebServer systemd. At the resulting command prompt (aka DOS Box) enter rndc-confgen -a to write the rndc.key file as shown below: Now the installation is ready to replace the normal Windows 10/7 DNS Client with the BIND 9 version. Click the Start icon, click Administrative Tools (or Start -Control Panel -Administrative Tools) and select Services.
TSIG is available for BIND v8.2 and above. TSIG uses shared secrets and a one-way hash function to authenticate DNS messages. TSIG is easy and lightweight for resolvers and named.
How it works?
- Each name server adds a TSIG record the data section of a dns server-to-server queries and message.
- The TSIG record signs the DNS message, proving that the message’s sender had a cryptographic key shared with the receiver and that the message wasn’t modified after it left the sender.
- TSIG uses a one-way hash function to provide authentication and data integrity.
Our sample setup:
- Master nameserver: ns1.theos.in – 202.54.1.2
- Slave nameserver: ns2.theos.in – 75.55.2.100
- BIND configuration is stored in /etc/bind/ directory.
- Zone data is stored in /etc/bind/named.conf file.
How do I configure TSIG?
Type the following command on master nameserver (ns1.theos.in) to create the shared keys, using the dnssec-keygen program, which creates two files, both containing the key generated.
Sample output:
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key
Sample output:
List all files, enter:
Output:
# ls -l
Output:
Where,
- -a Specify the encryption algorithm.
- -b Specify the key size.
- -n Specify the nametype. A nametype can be a ZONE, HOST, ENTITY, or USER. Usually, you need to use HOST or ZONE such as theos.in
![Started Generate Rndc Key For Bind Dns Started Generate Rndc Key For Bind Dns](/uploads/1/2/6/0/126084885/141021579.jpg)
The above dnssec-keygen program created two files as follows. Both .key and .private files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent:
- Krndc-key.+157+64252.key – Contains the public key. The .key file contains a DNS KEY record that can be inserted into a zone file.
- Krndc-key.+157+64252.private – Contains the private key. The .private file contains algorithm-specific fields.
Using TSIG – master server configuration
Run the following command and note down the Key:
Sample output:
# cat Krndc-key.+157+64252.private
Sample output:
Open /etc/bind/tsig.key file, enter:
Now you need to create tsig.key file on master server as follows:
# vi /etc/bind/tsig.key
Now you need to create tsig.key file on master server as follows:
First block is nothing but keys. TSIG keys are configured using the keys substatements. The keys substatements inform a name server to sign queries and zone transfer requests sent to a particular remote name server. In our case the above substatement informs the master server, to sign all requests to the host slave server 75.55.2.100 with the key called TRANSFER. The server statement’s keys clause to tell the slave name server to sign all zone transfer requests and queries sent to its master server and vice verse. Save and close the file. Open named.conf file, enter:
Append the following line:
# vi /etc/bind/named.conf
Append the following line:
Save and close the file. Restart named:
OR
# rndc reload
OR
# service named restart
Using TSIG – slave server configuration
Create /etc/bind/tsig.key on slave server, enter:
Append following config:
# vi /etc/bind/tsig.key
Append following config:
Save and close the file. Append following to named.conf:
Restrict zone transfers only to those signed with a specific key
Started Generate Rndc Key For Bind Dns Name
On the master name server, you can restrict zone transfers only to those signed with a specific key such as TRANSFER. open named.conf
You must restrict zone transfers to those signed with the TRANSFER key as follows:
# vi /etc/bind/named.conf
You must restrict zone transfers to those signed with the TRANSFER key as follows:
Save and close the file. Restart / reload the bind server:
OR
# rndc reload
OR
# service named restart
Verify TSGI
Watch your master BIND dns server log file or system log file, enter:
OR
OR
Sample output:
# tail -f /var/log/messages
OR
# tail -f /var/log/syslog
OR
# grep 'theos.in/IN' /var/log/syslog
Sample output:
You should able to see similar message on slave server:
Suggested readings:
- man dnssec-keygen
- BIND 9 Administrator Reference Manual
ADVERTISEMENTS
How do I start / stop / restart the Berkeley Internet Name Daemon (BIND) dns server under Linux operating systems?BIND is by far the most widely used DNS software on the Internet. Use the following commands as per your Linux distro:
Advertisements
[a] service service-name command.
Started Generate Rndc Key For Bind Dns Ip
[b] /etc/init.d/service-name script command.
[c] rndc command – Name server control utility.
CentOS / RHEL / Fedora Linux
Started Generate Rndc Key For Bind Dns Account
Type the following command to start BIND server:
Type the following command to stop BIND server:
Type the following command to restart BIND server:
Type the following command to reload BIND server to reload zone file or config file changes:
Type the following command to see the current status of BIND server:
You can also use the following syntax too:
# service named start
Type the following command to stop BIND server:
# service named stop
Type the following command to restart BIND server:
# service named restart
Type the following command to reload BIND server to reload zone file or config file changes:
# service named reload
Type the following command to see the current status of BIND server:
# service named status
You can also use the following syntax too:
Debian / Ubuntu Linux
Type the following command to start BIND server:
Type the following command to stop BIND server:
Type the following command to restart BIND server:
Type the following command to reload BIND server to reload zone file or config file changes:
Type the following command to see the current status of BIND server:
Sample outputs:
You can also use the following syntax too:
# service bind9 start
Type the following command to stop BIND server:
# service bind9 stop
Type the following command to restart BIND server:
# service bind9 restart
Type the following command to reload BIND server to reload zone file or config file changes:
# service bind9 reload
Type the following command to see the current status of BIND server:
# service bind9 status
Sample outputs:
You can also use the following syntax too:
A note about rncd command
This is an optional command and you are recommended to use the above commands only. From the rndc man page:
Started Generate Rndc Key For Bind Dns Service
rndc controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server’s response. All commands sent over the channel must be signed by a key_id known to the server. rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
Please note that rndc does not yet support all the commands of the BIND 8 ndc utility:
- status – Display status of the server.
- stop – Save pending updates to master files and stop the server.
- restart – Restart the server.
- reload – Reload configuration file and zones.
To see status, enter:
Sample outputs:
# rndc status
Sample outputs:
To reload the server, enter:
To see all options just type rncd:
Sample outputs:
# rndc reload
To see all options just type rncd:
# rndc
Sample outputs:
ADVERTISEMENTS