Saturday, April 2, 2011

Authenticate BIND zone transfer with TSIG key

TSIG (Transaction SIGnature) can provide authentication and data integrity for DNS zone transfer and Dynamic DNS (DDNS ) update, but  it CAN'T provide encryption, the data still sent in clear text , just integrity checks detects data modification by middle-man.
The common practice to restrict  BIND zone transfer is IP access-list, since IP can be easily forged, authenticating  zone transfer  by shared secret: TSIG key is more secure than IP method. Unfortunately, BIND, as of 9.3.6, can't support  combination of both methods, only TSIG key  is effective when both methods applied.
Generating TSIG key:
TSIG key is encoded in BASE64, any BASE64  tool can create TSIG key.
# [1] BIND dns-keygen utility
$ dns-keygen
5TyOwB1gbs4wpYKDeGKHvA5sfBPR6L4ItQpavUXGSaTnD9xMdlb5hciBlEvV
# [2] openssl base64 encoding tool
$echo $(date) | openssl base64
U2F0IEFwciAyIDE1OjU5OjQwIEVTVCAyMDExCg==
# [3]  BIND dnssec-keygen utility, it is mainly used for secure DNS, so generating TSIG key a bit complex, but you can define key s
$dnssec-keygen -a HMAC-MD5 -b 256 -n HOST transfer
Ktransfer.+157+39609
$ cat Ktransfer.+157+39609.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: BMSri735ohiGYK4qT1Ursh7se8vnx2ltjajRGsJ6x/w=
Configure named.conf
Generate TSIG key with the method of your choice, then paste the key string to a file, which is NOT world-wide readable, then embedding  the key file to named.conf

##Master DNS Server
##Key name is arbitrary, but must be same in both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
algorithm       hmac-md5;
secret          "1B+FL8t42RXx+mELfUYkEg==";
};
$cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
$cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
type master;
file "myexample.zone";
allow-transfer { keys “HOST1-HOST2” ;};   // Can't restrict IP and  use key at the same time
};
## Slave DNS Server
##Key name is arbitrary, but must be same in both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
algorithm       hmac-md5;
secret          "1B+FL8t42RXx+mELfUYkEg==";
};
$ cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
server 172.16.1.1  { keys "HOST1-HOST2" ;};  // Tell Master DNS server 172.16.1.1 to use the TSIG  key
$cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
type slave;
masters { 172.16.1.1 ;};
file "slaves/myexample.zone";
};

TSIG Limitations:- difficult to manage TSIG keys in large scale
- only provides security to next-hop peer
- don't provide data encryption
- BIND,as of 9.3.6, can't provide additional level security such as IP access-list on top of  TSIG key

No comments:

Post a Comment