Authenticate DNS Zone Transfer with TSIG

TSIG (Transaction Signatures) provides authentication and data integrity for the communication between servers. This communication includes zone transfers, notifications, recursive queries or dynamic updates. A shared secret will be generated in one of both servers and the same secret with the same name will be configured in them. Bear in mind that TSIG only provides authentication and data integrity and doesn’t provide encryption for the communication.

DNS Master

- Generate a new key:



# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom transfer

- Include the new key generated to the bind config files:


# cat Ktransfer.+165+09240.private

Private-key-format: v1.3

Algorithm: 165 (HMAC_SHA512)

Key: umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==


# vi /etc/bind/transfer.key


key "transfer-key" {

algorithm HMAC-SHA512;

secret "umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==";

};




# vi /etc/bind/named.conf


include "/etc/bind/transfer.key";

- Assign the new key to the zone to be transfer:


# vi /etc/bind/named.conf.default-zones


zone "domain.local" {

type master;

file "/etc/bind/db.domain.local";

allow-transfer { key "transfer-key"; };

};


- Restart the daemon:



# service bind9 restart

DNS Slave

- Copy the same key on the master and include on the configuration zone:


# vi /etc/bind/transfer.key


key "transfer-key" {

algorithm HMAC-SHA512;

secret "umWniLJJuw0K8sxz8NJzl7Cm3GmrfFv6UBpzEYtO8f6uvwcrzDvI4VgP0LLHiFZBl9JhUoD7CrO1WNfg163DDA==";

}

server 192.168.1.129 { keys "transfer-key";};


# vi /etc/bind/named.conf

include "/etc/bind/transfer.key";

- Configure the zone on the slave to transfer the information from the master:



# vi /etc/bind/named.conf.default-zones


zone "domain.local" {

        type slave;

        file "/etc/bind/db.domain.local";

        masters { 192.168.1.129; };

};


- Setup the correct permissions:



# chown -R bind:bind /etc/bind

- Restart the daemon:


# service bind9 restart

- Checking the transfer zone is completed successfully:

slave-transfer

Sources

http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#tsig

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm

Connect to a different port with SQL Server Management Studio

Hình ảnh
Microsoft's SQL Server Management Studio will connect by default to port 1433 and there's nowhere in the connect dialog to specify a different port from the default. To connect using a different port specify the servername, a comma, and then the port number as shown in this post. Connect using a different port using a comma The connection dialog in the SQL Server Management Studio client is shown in the screenshot below. Normally you would just type the server name into field but to specify a different port use a comma then the port number. The example screenshot above shows " 192.168.50.166\SQLSERVER2012 " as the instance name and "port" where the port would be. 192.168.50.166\SQLSERVER2012,1343 Then specify the login credentials, click the connect button, and assuming everything is correct it should then connect to the SQL Server. Setup specific port for SQL Server: Link: http://msdn.microsoft.com/en-us/library/ms177440.aspx
Đọc thêm