Enabling transfer security using TSIG - part II

Now we have the key installed.

A couple of observations:

Ask your partner to attempt a zone transfer of your zone from THEIR machine. Does it work? What do you see in /var/log/bind/general?

Using dig with a TSIG key

We can get zone transfers working with dig, if we tell dig which key to use!

Try this, but:

For example:

dig @localhost axfr myzone -y hostX-key:Wup...LejA=

If everything goes well, you should be able to transfer the zone...

Check /var/log/bind/transfers - what does it say? (use tail)

Now, you can tell your partner to try it from THEIR machine - but you will need to communicate the KEY to your partner - it's too long to type!
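The secret is too long to type, but it can be read straight out of the BIND config instead of copied by hand. The script below is an added example, not part of the original lab notes: it extracts the algorithm, name and secret from a BIND "key" block and builds the value for dig's -y option in its full algorithm:name:secret form (the lab's shorter name:secret form is the same thing with the algorithm defaulting to hmac-md5). The config text and the secret are constructed sample input; the key name host25-key and the path /etc/bind/named.conf.options are taken from the lab.

```shell
#!/bin/sh
# Added example (not from the original lab): build the "dig -y" argument from a
# BIND key block. SAMPLE_CONF is CONSTRUCTED input and the secret is a dummy
# value, not a real key.
SAMPLE_CONF='
options {
    directory "/var/cache/bind";
};

key "host25-key" {
    algorithm hmac-md5;
    secret "dGhpcyBpcyBub3QgYSByZWFsIGtleQ==";
};
'

# tsig_dig_arg NAME CONF: print algorithm:NAME:secret for the key called NAME
# in the config text CONF (quoted or unquoted key names both work).
# Returns 1 if no such key block, or no algorithm/secret inside it, is found.
tsig_dig_arg() {
    name="$1"
    conf="$2"
    # Keep only the lines from 'key NAME {' down to the closing '}'.
    block=$(printf '%s\n' "$conf" \
        | sed -n "/^key[[:space:]]*\"\{0,1\}$name\"\{0,1\}[[:space:]]*{/,/^}/p")
    [ -n "$block" ] || return 1
    algo=$(printf '%s\n' "$block" \
        | sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;]*\);.*/\1/p')
    secret=$(printf '%s\n' "$block" \
        | sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$algo" ] && [ -n "$secret" ] || return 1
    printf '%s:%s:%s\n' "$algo" "$name" "$secret"
}

# Stand-alone usage against the sample config. On a real host you would read
# the file instead, for example:
#   dig @localhost myzone axfr -y "$(tsig_dig_arg host25-key "$(cat /etc/bind/named.conf.options)")"
tsig_dig_arg host25-key "$SAMPLE_CONF"
```

The secret still travels on the command line this way, so it is visible in the shell history and in the process list of the machine running dig; on a multi-user host the -k option, which reads the key from a file, is the safer choice. hmac-md5 is also the weakest algorithm BIND accepts for TSIG; the same key block works unchanged with hmac-sha256 once both ends agree on it.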

Getting your partner to use the same TSIG key to transfer

To do this, we're going to need to transfer the TSIG key from your machine to theirs.

We can use Secure Copy for this.

We can copy the PRIVATE key file we generated earlier, to their machine.

To do this, it's easiest to COPY the key with your mouse, then SSH into the PARTNER machine and paste the key there.

So, at the bottom of /etc/bind/named.conf.options, find your TSIG key:

key "host25-key" {
   algorithm hmac-md5;
   secret "Wup...LejA="; // Copy YOUR key goes here!
};

Once you have done this, you can paste the key into Notepad or any text editor, and keep it ready, for the next part.

Once you have done this, help your partner update their BIND config to use the key for TSIG. The easiest is to open a new SSH connection and log into your partner's host - talk to them about it!

On your partner's host

You should have the key ready to paste. Make sure you are logged in to your partner's host over SSH (check with the hostname command), just in case.

Add TSIG key to BIND configuration

Now, on your PARTNER's host, edit /etc/bind/named.conf.options, and we'll add the key and a statement that it should be used with the MASTER host:

sudo vi /etc/bind/named.conf.options

Go all the way to the bottom, and add this:

key "host25-key" {                // MUST be the same name as on the MASTER (hostX-key for host X)
        algorithm hmac-md5;
        secret "Wu...A=";       // PASTE the key between " and "
};
server 10.10.0.25 {               // the MASTER's address
        keys { host25-key; };     // same name as the key block above
};

One last thing - to make sure that zone transfer works, we need to remove the existing slave copy - otherwise we won't see if BIND on the slave was able to transfer the zone!

Start by deleting the SLAVE copy. To do this, look at the zone definition (normally in named.conf.local, but they may have put it somewhere else), and find the "file" line, for example:

   file "/var/cache/bind/db.zone_of_your_partner.slave";

Find the file and REMOVE it:

   sudo rm /var/cache/bind/db.zone_of_your_partner.slave

Restart named

If all went well, it's time to restart named (still on your PARTNER's host):

sudo service bind9 restart
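After the restart, the evidence that the keyed transfer worked is in the logs: the slave's transfers log records the inbound transfer, and the master's general log records any transfer it refused (which is what you saw when your partner tried without the key). The script below is an added example, not part of the lab notes: two small checks run over constructed log lines modelled on BIND's transfer messages. The zone name myzone, the master address 10.10.0.25 and the log paths /var/log/bind/transfers and /var/log/bind/general are taken from the lab; the timestamps, client port and byte counts are made up.

```shell
#!/bin/sh
# Added example (not from the original lab): read the result of a zone transfer
# out of BIND's logs. Both log files below are CONSTRUCTED sample data.

# What the SLAVE's transfers log looks like before the key is configured ...
SLAVE_LOG_BEFORE=$(mktemp)
cat > "$SLAVE_LOG_BEFORE" <<'EOF'
10-Jan-2024 10:00:05.000 transfer of 'myzone/IN' from 10.10.0.25#53: failed while receiving responses: REFUSED
EOF

# ... and after the key is in place and named has been restarted.
SLAVE_LOG_AFTER=$(mktemp)
cat > "$SLAVE_LOG_AFTER" <<'EOF'
10-Jan-2024 10:00:05.000 transfer of 'myzone/IN' from 10.10.0.25#53: failed while receiving responses: REFUSED
10-Jan-2024 10:02:30.000 transfer of 'myzone/IN' from 10.10.0.25#53: Transfer completed: 1 messages, 6 records, 188 bytes, 0.002 secs (94000 bytes/sec)
EOF

# What the MASTER's general log shows for the unkeyed attempt.
MASTER_LOG=$(mktemp)
cat > "$MASTER_LOG" <<'EOF'
10-Jan-2024 10:00:01.000 client 10.10.0.26#40123 (myzone): zone transfer 'myzone/IN' denied
EOF

# last_transfer_result ZONE LOGFILE: outcome of the most recent inbound
# transfer of ZONE in LOGFILE: "completed", "failed: <reason>", or "none"
# when the log has no transfer of that zone at all.
last_transfer_result() {
    zone="$1"
    log="$2"
    line=$(grep "transfer of '$zone/IN'" "$log" | tail -n 1)
    case "$line" in
        "") echo none ;;
        *"Transfer completed"*) echo completed ;;
        *"failed while receiving responses: "*)
            echo "failed: ${line##*failed while receiving responses: }" ;;
        *) echo "unknown: $line" ;;
    esac
}

# denied_transfers ZONE LOGFILE: number of transfer requests for ZONE that
# the master refused (no or wrong TSIG key, or a client not in allow-transfer).
denied_transfers() {
    grep -c "zone transfer '$1/IN' denied" "$2" || true
}

# Stand-alone usage on the sample logs. On the real hosts you would point the
# functions at /var/log/bind/transfers (slave) and /var/log/bind/general (master).
echo "slave, before key: $(last_transfer_result myzone "$SLAVE_LOG_BEFORE")"
echo "slave, after key:  $(last_transfer_result myzone "$SLAVE_LOG_AFTER")"
echo "master, denied:    $(denied_transfers myzone "$MASTER_LOG")"
```

A "failed: REFUSED" on the slave paired with a "denied" line on the master is the signature of a key mismatch: check that the key name and secret are identical on both hosts and that the server statement points at the master's address. Once the slave file you removed earlier reappears under /var/cache/bind, the transfer really did complete.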

Now, please check: