
Bind

Using TSIG

Newer versions of BIND (version >= 8.2) introduced a mechanism to sign zone transfers. To set it up, the following steps have to be done:

1. Generate a keypair:
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST host1-host2.domain.net.
2. Change your named.conf file:
    key host1-host2.domain.net. {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxx";
    };
Here you need to replace the x-es with the secret value from the .key file which was just generated.
Just as a side remark: make sure your named.conf file is not world readable! If you prefer, use the include statement in named.conf to include a separate file which holds the key section.
3. To use TSIG (transaction signatures), as this method is called, add the following to the named.conf, which makes named sign all requests sent to 192.249.249.1:
    server 192.249.249.1 {
        keys { host1-host2.domain.net.; };
    };
On 192.249.249.1 you need to restrict zone transfers to signed ones:
    zone "domain.net" {
        type master;
        file "db.domain.net";
        allow-transfer { key host1-host2.domain.net.; };
    };
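To show what the configuration above actually makes named sign, here is an added example (not from the original page) that builds an AXFR request for domain.net and computes and verifies its TSIG HMAC-MD5 as described in RFC 2845. The key name is the one from the page; the secret is a constructed sample, not a real key, and the 300 second fudge window is an assumption.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample secret (the base64 string a .key file holds); not a real key.
SECRET = base64.b64decode("MTIzNDU2Nzg5MGFiY2RlZg==")
KEYNAME = "host1-host2.domain.net."
ALGORITHM = "hmac-md5.sig-alg.reg.int"  # TSIG algorithm name for hmac-md5

def wire_name(name):
    """Uncompressed, lowercased wire form of a DNS name (TSIG canonical form)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Minimal DNS message: header with QDCOUNT=1 and one AXFR/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG 'variables' appended to the message before hashing (RFC 2845 3.4.2):
    key name, class ANY, TTL 0, algorithm, 48-bit time signed, fudge, error, other."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(secret, keyname, message, time_signed, fudge=300):
    """HMAC-MD5 over message || TSIG variables, as the requesting server computes it."""
    data = message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify_tsig(secret, keyname, message, time_signed, fudge, mac, now=None):
    """Receiving side: reject timestamps outside the fudge window (replays) and bad MACs."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, keyname, message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    msg = axfr_query("domain.net")
    ts = int(time.time())
    mac = tsig_mac(SECRET, KEYNAME, msg, ts)
    print("MAC:", mac.hex(), "valid:", verify_tsig(SECRET, KEYNAME, msg, ts, 300, mac))
```

Because the key name and the whole message are part of the hashed data, both sides must use the identical key name, and any change to the request invalidates the MAC.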

Allowing Updates / Queries

To allow queries just from certain hosts:
    options {
        allow-query { address_list; };
    };
address_list can be, for example: 129.132.220/24
The same concept is true for zone transfers:
    zone "domain.net" {
        type master;
        file "xyz.db";
        allow-transfer { address_list; };
    };
address_list can also be "none". Again you could use the key statement to sign transfers.

Chrooting Named

If you want to know how to chroot() named, send me an email!



CopyLeft (l) 2003 by Raffael Marty