Feature #122
Optionally require TSIG signatures for zone transfers
| Status: | New | Start: | 2014-02-15 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Votes: | 2 | | |
Description
Now that PowerDNS appears to support TSIG, it would be nice to have it as an optional requirement for zone transfers.
History
Updated by halleck almost 9 years ago
Ok, time for a quick BIND tutorial, that now being what is running on a.authns.
TSIG signatures are based on a shared secret, and are used both to authenticate zone transfers as well as to protect the integrity of the zone transfer.
One way to generate a properly formatted secret is to use the BIND dnssec-keygen tool.
dnssec-keygen -r /dev/urandom -a hmac-sha256 -b 256 -n HOST bitfolk-example
This will generate two files, Kbitfolk-example.+163+*.key and Kbitfolk-example.+163+*.private; both containing the shared key.
The Secondary server will need two pieces of configuration: one which specifies the key, and one which specifies for which (master) ip address the key should be used.
key bitfolk-example {
    algorithm hmac-sha256;
    secret "lgCopLqhGqk12p2BdW3yKi+pJyExRznYJH6/nLfTVhA=";
};
server 2001:DB8::53:2 {
    keys { bitfolk-example; };
};
...where bitfolk-example is the name of the key and 2001:DB8::53:2 is the ip address of the DNS master. Note that the name of the key matters to the extent that both the Master server and the Secondary server need to use the same name.
Updated by halleck almost 9 years ago
The Master server is configured with the same key directive as well as the equivalent server directive. Then there are the zone directives, which specify keys rather than ip addresses for allow-transfer.
zone "example.net" {
    ...
    allow-transfer { key "bitfolk-example"; };
    ...
};
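A worked example added here (it is not part of the ticket, and not BIND or PowerDNS code): a small Python module that generates a 256-bit secret of the kind dnssec-keygen produces (newer BIND releases ship tsig-keygen for the same job), renders the secondary and master stanzas described in the two comments above, and models the HMAC check so that the two properties claimed for TSIG, authentication and integrity, can be seen failing on a tampered transfer and on a mismatched key. The secondary address 2001:DB8::53:3, the sample SOA line and the simplified MAC (real TSIG per RFC 8945 also digests the key name, algorithm, time-signed and fudge fields) are assumptions; the secret is the ticket's own example value.

```python
import base64
import hashlib
import hmac
import secrets

# The example secret from the ticket's own key stanza (a 256-bit key, base64).
PAGE_SECRET = "lgCopLqhGqk12p2BdW3yKi+pJyExRznYJH6/nLfTVhA="


def generate_tsig_secret(bits: int = 256) -> str:
    """Return a random base64 secret of the requested size.

    Equivalent in strength to `dnssec-keygen -a hmac-sha256 -b 256` (or
    `tsig-keygen`); this only replaces the key-generation step.
    """
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def key_stanza(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """The `key` block that master and secondary must share verbatim (same name, same secret)."""
    return (
        f"key {name} {{\n"
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def secondary_conf(name: str, secret: str, master_ip: str) -> str:
    """Secondary side: the key, plus a `server` block binding it to the master's address."""
    return key_stanza(name, secret) + (
        f"server {master_ip} {{\n"
        f"    keys {{ {name}; }};\n"
        "};\n"
    )


def master_conf(name: str, secret: str, secondary_ip: str, zone: str) -> str:
    """Master side: same key, matching `server` block, and a zone that grants
    AXFR to the key rather than to an address (file/type details omitted)."""
    return secondary_conf(name, secret, secondary_ip) + (
        f'zone "{zone}" {{\n'
        f'    allow-transfer {{ key "{name}"; }};\n'
        "};\n"
    )


def tsig_mac(secret: str, message: bytes) -> bytes:
    """HMAC-SHA256 over `message` with the decoded shared secret.

    Simplified model (assumption): real TSIG signs the DNS message plus the
    TSIG variables; the property shown here is the same.
    """
    return hmac.new(base64.b64decode(secret), message, hashlib.sha256).digest()


def tsig_verify(secret: str, message: bytes, mac: bytes) -> bool:
    """Constant-time check that `mac` came from the same secret over the same bytes."""
    return hmac.compare_digest(tsig_mac(secret, message), mac)


def demo() -> dict:
    """Exercise authentication and integrity on a constructed transfer record."""
    # Constructed sample SOA line; not real zone data.
    transfer = b"example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2014021501 ..."
    mac = tsig_mac(PAGE_SECRET, transfer)
    return {
        "genuine": tsig_verify(PAGE_SECRET, transfer, mac),
        # Serial altered in flight: integrity check fails.
        "tampered": tsig_verify(PAGE_SECRET, transfer.replace(b"2014021501", b"2014021599"), mac),
        # Peer holding a different secret: authentication fails.
        "wrong_key": tsig_verify(generate_tsig_secret(), transfer, mac),
    }


if __name__ == "__main__":
    print(secondary_conf("bitfolk-example", PAGE_SECRET, "2001:DB8::53:2"))
    # 2001:DB8::53:3 is an assumed secondary address, not one from the ticket.
    print(master_conf("bitfolk-example", PAGE_SECRET, "2001:DB8::53:3", "example.net"))
    print(demo())
```

Running the module prints the two named.conf fragments and `{'genuine': True, 'tampered': False, 'wrong_key': False}`; the last two entries are the reason the key name and secret have to match on both ends, as the comments above note.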