The common practice for restricting BIND zone transfers is an IP access list. Since a source IP can easily be forged, authenticating zone transfers with a shared secret (a TSIG key) is more secure than the IP method. Unfortunately, BIND, as of 9.3.6, can't combine both methods: when both are applied, only the TSIG key is effective.
Generating TSIG key:
A TSIG key is BASE64-encoded, so any BASE64 tool can create one.

# [1] BIND dns-keygen utility
$ dns-keygen
5TyOwB1gbs4wpYKDeGKHvA5sfBPR6L4ItQpavUXGSaTnD9xMdlb5hciBlEvV

# [2] openssl base64 encoding tool
$ echo $(date) | openssl base64
U2F0IEFwciAyIDE1OjU5OjQwIEVTVCAyMDExCg==

# [3] BIND dnssec-keygen utility; it is mainly used for secure DNS, so generating a TSIG key is a bit more complex, but you can define key s
$ dnssec-keygen -a HMAC-MD5 -b 256 -n HOST transfer
Ktransfer.+157+39609
$ cat Ktransfer.+157+39609.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: BMSri735ohiGYK4qT1Ursh7se8vnx2ltjajRGsJ6x/w=

Configure named.conf
Generate the TSIG key with the method of your choice, then paste the key string into a file that is NOT world-readable, and include that key file from named.conf.
## Master DNS Server
## Key name is arbitrary, but must be the same on both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
    algorithm hmac-md5;
    secret "1B+FL8t42RXx+mELfUYkEg==";
};
$ cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
$ cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
    type master;
    file "myexample.zone";
    allow-transfer { key "HOST1-HOST2"; };  // Can't restrict IP and use key at the same time
};

## Slave DNS Server
## Key name is arbitrary, but must be the same on both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
    algorithm hmac-md5;
    secret "1B+FL8t42RXx+mELfUYkEg==";
};
$ cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
server 172.16.1.1 { keys { "HOST1-HOST2"; }; };  // Tell the slave to sign requests to master DNS server 172.16.1.1 with the TSIG key
$ cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
    type slave;
    masters { 172.16.1.1; };
    file "slaves/myexample.zone";
};
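To make concrete what the shared key in transfer.key buys over an IP access list, here is an added Python example (not from the original post and not BIND's own code) that builds a constructed AXFR request and computes and checks the TSIG MAC the way RFC 2845 lays it out: the HMAC-MD5 covers the whole unsigned request plus the TSIG record's fields, keyed by the shared secret. The key name and secret are the ones from the configuration above; the message ID, timestamps, keyring dictionary and the sign/verify helpers are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Key name and secret are the ones from the transfer.key file above; the AXFR
# request, message ID and timestamps below are constructed for this example.
KEY_NAME = "HOST1-HOST2"
SECRET = base64.b64decode("1B+FL8t42RXx+mELfUYkEg==")
KEYRING = {KEY_NAME.lower(): SECRET}      # what a peer's "key" statements amount to
ALGORITHM = "hmac-md5.sig-alg.reg.int"    # TSIG algorithm name behind BIND's "hmac-md5"
FUDGE = 300                               # clock-skew tolerance in seconds (BIND default)


def wire_name(name: str) -> bytes:
    """Uncompressed DNS wire form: length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"


def axfr_query(zone: str, msg_id: int) -> bytes:
    """Minimal AXFR request: 12-byte header with QDCOUNT=1, then QNAME, QTYPE=252, QCLASS=IN."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_variables(key_name: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields that the MAC covers (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name.lower())             # key name, canonical form
            + struct.pack("!HI", 255, 0)            # class ANY, TTL 0
            + wire_name(ALGORITHM)                  # algorithm name
            + struct.pack("!Q", time_signed)[2:]    # time signed, 48 bits
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(message: bytes, key_name: str, secret: bytes, time_signed: int,
         fudge: int = FUDGE) -> bytes:
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def verify(message: bytes, key_name: str, mac: bytes, time_signed: int, now: int,
           keyring=KEYRING, fudge: int = FUDGE) -> str:
    """Server-side check in RFC 2845 order; returns the TSIG error name BIND would report."""
    secret = keyring.get(key_name.lower())
    if secret is None:
        return "BADKEY"                  # key name not configured on this server
    expected = sign(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                  # wrong secret, or the message was altered
    if abs(now - time_signed) > fudge:
        return "BADTIME"                 # outside the fudge window (stale/replayed)
    return "NOERROR"


if __name__ == "__main__":
    request = axfr_query("myexample.com", 0x1234)
    t = 1301770780                       # constructed "time signed"
    good = sign(request, KEY_NAME, SECRET, t)
    print("legit slave:   ", verify(request, KEY_NAME, good, t, now=t + 10))
    forged = sign(request, KEY_NAME, b"guessed-secret", t)
    print("spoofed source:", verify(request, KEY_NAME, forged, t, now=t + 10))
    print("replayed later:", verify(request, KEY_NAME, good, t, now=t + 3600))
```

A request from a forged source address fails with BADSIG because the sender does not hold the secret, and the fudge window bounds how long a captured, correctly signed request stays valid; that is exactly the check the allow-transfer and server statements above delegate to. One caveat for the generation methods: base64 is only an encoding, so the secret must start from unpredictable random bytes (as dns-keygen and dnssec-keygen do); encoding a known value such as the current date produces a guessable key.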
TSIG Limitations:
- difficult to manage TSIG keys at large scale
- only provides security to the next-hop peer
- does not provide data encryption
- BIND, as of 9.3.6, can't provide an additional level of security such as an IP access list on top of the TSIG key