We're going to limit zone transfer of your zones so that only your secondary/slave nameservers are allowed to request copies of the zones. Without such a restriction anyone who can reach port 53 can pull the whole zone with an AXFR and enumerate every host in it.
There are two ways to enable transfer security, so that you restrict who is allowed to transfer the zone from your primary:
Use ACL based security
Use TSIG
We are not going to be doing ACL-based security in this lab, but for reference, this is how it could look:
acl myslaves { 10.10.0.X; 10.10.0.Y; };
allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };
Note that the above statement could be GLOBAL (in the options section of named.conf), or it can be specified per zone.
The problem with ACLs is that they have to be maintained, and you need to update them if the IP address of your secondaries changes, for example. An IP address is also a weak identity: any host that can send traffic from a listed address gets the zone.
Instead, we will encourage you to use TSIG-based security, using a shared secret key. TSIG does not encrypt the transfer; it adds an HMAC signature to every message, so the primary can check that the request really comes from a holder of the key (and the secondary can check that the answer was not tampered with).
To do this, we're going to need to generate a shared secret key. For this, we need to make sure the bind9utils
package is installed. This should already be the case, but just in case:
sudo apt-get install bind9utils
Once that is done, do the following (please copy and paste, but replace myzone with YOUR zone):
cd /tmp
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST myzone.key
You will see output similar to (157 is the algorithm number for HMAC-MD5, 48549 is the key id and will differ for you):
Kmyzone.key.+157+48549
Note: the lab uses HMAC-MD5 because that is what this BIND version's dnssec-keygen offers. Newer BIND releases no longer generate TSIG keys with dnssec-keygen; there you would use tsig-keygen (for example tsig-keygen -a hmac-sha256 hostX-key), which prints a ready-made key clause, and you should prefer hmac-sha256 over hmac-md5 wherever your secondaries support it.
Let's look at the files that were created:
ls -l Kmyzone.key.+157+48549.*
Output:
-rw------- 1 sysadm sysadm 70 Jun 1 20:58 Kmyzone.key.+157+48549.key
-rw------- 1 sysadm sysadm 185 Jun 1 20:58 Kmyzone.key.+157+48549.private
We are interested in the .private file; let's look at its content:
cat Kmyzone.key.+157+48549.private
The contents will be similar to:
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA=
Bits: AAA=
Created: 20160601205816
Publish: 20160601205816
Activate: 20160601205816
The line we are interested in is Key: Wup...LejA= (this is the shared secret; the .key file contains the same secret and neither file is a public key).
COPY the string after Key: (in YOUR key).
Now, edit /etc/bind/named.conf.options, and at the BOTTOM of the file, add the following, replacing the key name and the secret with your own. The secret is all an attacker needs to transfer your zone, so treat the file like a password file: make sure it is not world-readable (or put the key clause in a separate file with restricted permissions and include it from here), and make sure the algorithm matches the one you generated the key with.
key "hostX-key" {
algorithm hmac-md5;
secret "Wup2DxHLkjG82ZDTOM4nBLK19sD4SHDnQTXWufDLejA="; // Your key goes here!
};
Save the file, and exit.
Now, edit /etc/bind/named.conf.local and modify your zone definition, adding an allow-transfer statement, so that your zone statement looks like the following (remember to replace hostX with the number of YOUR host):
zone "myzone" {
type master;
file "/home/sysadm/zones/db.
allow-transfer { key hostX-key; }; // <-- Add this!
};
As you can see above, we've added an allow-transfer statement allowing transfer of the zone only to holders of the hostX-key.
Note: the allow-transfer is now placed INSIDE the zone definition, and not globally inside the options section. BIND can control zone transfer either globally or per zone, and a per-zone statement overrides the global one; we prefer to control transfer for EACH zone individually. Without any allow-transfer at all, BIND 9 has traditionally defaulted to allowing transfers to any host, so check your version's default rather than assuming it is restrictive.
Check the configuration before restarting, so that a typo does not leave named down:
sudo named-checkconf
sudo service bind9 restart
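The key generation and configuration steps above, gathered into one script as an added example (this is not part of the lab's own instructions). It uses hmac-sha256 instead of the lab's hmac-md5, and the key name hostX-key, the zone name myzone, the zone file path /var/cache/bind/db.myzone and the key file path /etc/bind/hostX-key.conf are assumed placeholders to change for your host:

```shell
#!/bin/sh
# Added example for this lab, not part of the original instructions.
# Generates a TSIG secret and renders the BIND configuration fragments
# that restrict zone transfers to holders of that key.
# Assumptions (hypothetical, change for your host): key name "hostX-key",
# zone "myzone", zone file /var/cache/bind/db.myzone, key file
# /etc/bind/hostX-key.conf. hmac-sha256 is used rather than the lab's
# hmac-md5, which modern BIND deprecates.

# 32 random bytes, base64-encoded: a 256-bit TSIG secret.
# On BIND 9.11+ `tsig-keygen -a hmac-sha256 hostX-key` produces the
# same thing already wrapped in a key clause.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the key clause that goes into named.conf (or an included file).
render_key_clause() {
    # $1 = key name, $2 = base64 secret
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Print a primary zone stanza whose transfers are allowed only for the key.
# The per-zone allow-transfer overrides any global one in options {}.
render_zone_stanza() {
    # $1 = zone name, $2 = zone file, $3 = key name
    printf 'zone "%s" {\n    type master;\n    file "%s";\n    allow-transfer { key %s; };\n};\n' "$1" "$2" "$3"
}

# Write the key clause to its own file, created non-world-readable.
# On the real server also `chown root:bind` it and add
#   include "/etc/bind/hostX-key.conf";
# to named.conf.options so the secret stays out of the main config.
install_key_file() {
    # $1 = path, $2 = key name, $3 = secret
    ( umask 077; render_key_clause "$2" "$3" > "$1" ) || return 1
    chmod 0640 "$1"
}

# Returns 0 if the file has no "other" permission bits set.
key_file_is_private() {
    # $1 = path
    mode=$(ls -l "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

if [ "${1:-}" = "demo" ]; then
    secret=$(gen_tsig_secret)
    install_key_file ./hostX-key.conf hostX-key "$secret"
    cat ./hostX-key.conf
    render_zone_stanza myzone /var/cache/bind/db.myzone hostX-key
fi
```

Run it with the argument demo to see the generated fragments; after copying them into place, sudo named-checkconf validates the result before you restart named.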
Try to make a zone transfer from your machine (without the key, so it should be refused):
dig @localhost axfr myzone
dig should end with "; Transfer failed." Now look at the log, /var/log/bind/general (tail /var/log/bind/general). What do you see? You should see something similar to this:
02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied
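Denied transfers like the one above are worth watching on a production primary, since a burst of them from one client usually means someone is trying to enumerate your zone. The following is an added example, not part of the lab, that summarises such log lines per client. The log lines in it are constructed for the demo and follow the format of the line shown above; the client addresses 10.10.0.9 and 10.10.0.5 are made up:

```shell
#!/bin/sh
# Added example, not part of the lab: a small detector for refused zone
# transfers in BIND's general log. The log lines below are constructed
# for the demo and follow the format of the line shown in the lab; the
# clients 10.10.0.9 and 10.10.0.5 are made-up addresses.

sample_log() {
cat <<'EOF'
02-Jun-2016 06:28:16.221 client 127.0.0.1#48060 (myzone): zone transfer 'myzone/AXFR/IN' denied
02-Jun-2016 06:28:40.004 client 10.10.0.9#51122 (myzone): zone transfer 'myzone/AXFR/IN' denied
02-Jun-2016 06:29:01.310 client 10.10.0.9#51130 (myzone): zone transfer 'myzone/IXFR/IN' denied
02-Jun-2016 06:29:15.777 client 10.10.0.5#40001 (myzone): transfer of 'myzone/IN': AXFR started
02-Jun-2016 06:29:15.901 client 10.10.0.5#40001 (myzone): transfer of 'myzone/IN': AXFR ended
EOF
}

# Read log lines on stdin; print "<count> <client-ip>" for every client
# whose AXFR/IXFR was denied, busiest client first. The source port is
# dropped and the optional "@0x..." client handle that newer BIND
# versions log before the address is skipped.
denied_transfers_by_client() {
    grep -E "zone transfer '[^']+/(AXFR|IXFR)/IN' denied" \
      | sed -E 's/.*client (@0x[0-9a-f]+ )?([^#]+)#[0-9]+ .*/\2/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print the total number of denied transfers seen on stdin.
denied_transfer_total() {
    denied_transfers_by_client | awk '{ s += $1 } END { print s + 0 }'
}

# Demo run over the constructed lines; on a server you would instead
# feed it the real file: denied_transfers_by_client < /var/log/bind/general
sample_log | denied_transfers_by_client
```

Successful transfers (the "AXFR started"/"AXFR ended" lines) are deliberately not counted; they are the ones your secondary should be producing once the key is in place.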
Ok, we're ready to move to part 2, where we set up the key on the secondary/slave host, and learn to make a zone transfer with dig + key.