Now we have the key installed.
A couple of observations:
Zone transfers with plain dig don't work anymore! Ask your partner to attempt a zone transfer of your zone from THEIR machine. Does it work? What do you see in /var/log/bind/general?
We can get zone transfers working with dig, if we tell dig which key to use!
Try this, but replace myzone with YOUR zone and hostX-key with YOUR key name. For example:
dig @localhost axfr myzone -y hostX-key:Wup...LejA=
(dig's -y option takes keyname:secret, optionally prefixed with the algorithm, e.g. -y hmac-md5:hostX-key:... - dig assumes hmac-md5 when no prefix is given, which is what this lab's key uses. Be aware that a secret given on the command line ends up in your shell history and in the process list; dig can also read the key statement from a file with -k keyfile.)
If everything goes well, you should be able to transfer the zone...
Check /var/log/bind/transfers - what does it say? (use tail)
Now you can tell your partner to try it from THEIR machine - but you will need to give the KEY to your partner - it's too long to type!
To do this, we're going to need to transfer the TSIG key from your machine to theirs.
We could use Secure Copy (scp) to copy the PRIVATE key file we generated earlier to their machine.
In practice it's easiest to COPY the key secret with your mouse, then SSH into the PARTNER machine and paste it there.
So, at the bottom of /etc/bind/named.conf.options, find your TSIG key:
key "host25-key" {
    algorithm hmac-md5;
    secret "Wup...LejA="; // YOUR key goes here
};
Once you have done this, paste the key into Notepad or any text editor and keep it ready for the next part.
Then help your partner update their BIND config to use the key for TSIG. The easiest is to open a new SSH connection and log into your partner's host - talk to them about it!
You should have the key ready to paste. Make sure you really are logged in to your partner's host over SSH (run the hostname command to check), just in case.
Now, on your PARTNER's host, edit /etc/bind/named.conf.options, and we'll add the key and a statement that it should be used with the MASTER host:
sudo vi /etc/bind/named.conf.options
Go all the way to the bottom, and add this (replace X with YOUR host number, so that the key name and the address match YOUR master - e.g. host25-key and 10.10.0.25):
key "hostX-key" {
    algorithm hmac-md5;
    secret "Wu...A="; // PASTE the key between the quotes
};
server 10.10.0.X {
    keys { hostX-key; };
};
The key name and the secret must be exactly the same on both hosts: TSIG looks the key up by NAME on the receiving side, so a key with a different name is rejected even if the secret is right. The server statement makes the slave sign every request it sends to 10.10.0.X, including the zone transfer request, with that key.
One last thing - to make sure that the zone transfer works, we need to remove the existing slave copy - otherwise we won't be able to tell whether BIND on the slave was able to transfer the zone!
Start by deleting the SLAVE copy. To do this, look at the zone definition (normally in named.conf.local, but they may have put it somewhere else), and find the "file" line, for example:
file "/var/cache/bind/db.zone_of_your_partner.slave";
Find the file and REMOVE it:
sudo rm /var/cache/bind/db.zone_of_your_partner.slave
It is worth running named-checkconf before restarting: a stray character in the pasted key statement is enough to stop named from starting, and named-checkconf prints nothing when the config is good.
If all went well, it's time to restart named (still on your PARTNER's host):
sudo service bind9 restart
Now, please check /var/log/bind/transfers and /var/log/bind/general on your partner's host.
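The two procedures above (testing the transfer with dig, and carrying the key over into the partner's config) as an added shell example; this is not part of the original lab. It reads the key statement from a constructed stand-in for the bottom of the master's named.conf.options, checks that the secret is well-formed base64 (the usual symptom of a botched copy-and-paste), and prints the dig command line plus the key and server statements for the partner's file. host25-key, 10.10.0.25 and myzone follow the lab's placeholders; the secret is a made-up sample, not a real key.

```shell
#!/bin/sh
# Added example, not the lab's own material. Pull the TSIG key out of the
# master's config, sanity-check it, and emit the dig command and the
# partner-side statements. The secret below is a CONSTRUCTED sample.

# Constructed stand-in for the end of /etc/bind/named.conf.options on the master.
SAMPLE_CONF='
options {
    directory "/var/cache/bind";
};
key "host25-key" {
    algorithm hmac-md5;
    secret "MDEyMzQ1Njc4OWFiY2RlZg=="; // constructed sample secret
};
'

# tsig_field CONF KEYNAME FIELD: print FIELD (algorithm or secret) of the key
# statement named KEYNAME in CONF; prints nothing if that key is not defined.
tsig_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v field="$3" '
        $1 == "key" && ($2 == name || $2 == ("\"" name "\"")) { inblock = 1; next }
        inblock && $1 == "};" { inblock = 0 }
        inblock && $1 == field { v = $2; sub(/;.*$/, "", v); gsub(/"/, "", v); print v; exit }
    '
}

# secret_ok SECRET: succeed only if SECRET is well-formed base64. A secret
# pasted with a character missing fails here, before named refuses to start.
secret_ok() {
    n=${#1}
    [ $((n % 4)) -eq 0 ] || return 1
    printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# dig_axfr_cmd MASTER ZONE KEYNAME ALGO SECRET: the dig command line that
# presents the key; dig's -y takes [hmac:]keyname:secret.
dig_axfr_cmd() {
    printf 'dig @%s axfr %s -y %s:%s:%s\n' "$1" "$2" "$4" "$3" "$5"
}

# partner_conf MASTER_IP KEYNAME ALGO SECRET: statements to append to the
# partner's named.conf.options. The key NAME must match the master's exactly,
# because the master looks the key up by name when it verifies the TSIG.
partner_conf() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\nserver %s {\n    keys { %s; };\n};\n' \
        "$2" "$3" "$4" "$1" "$2"
}

KEYNAME=host25-key
MASTER=10.10.0.25
ALGO=$(tsig_field "$SAMPLE_CONF" "$KEYNAME" algorithm)
SECRET=$(tsig_field "$SAMPLE_CONF" "$KEYNAME" secret)

if [ -z "$SECRET" ] || ! secret_ok "$SECRET"; then
    echo "key $KEYNAME missing, or its secret is not valid base64 - copy it again" >&2
    exit 1
fi

echo "# test from the partner's host with:"
dig_axfr_cmd "$MASTER" myzone "$KEYNAME" "$ALGO" "$SECRET"
echo "# append to the partner's /etc/bind/named.conf.options:"
partner_conf "$MASTER" "$KEYNAME" "$ALGO" "$SECRET"
```

Paste the printed key and server statements at the bottom of the partner's config rather than retyping them; the base64 check catches the most common mistake (a character lost at either end of the secret), but it cannot tell you the secret is the wrong key, so the logs in /var/log/bind remain the final check.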