netsec20181209-np:dns_tsig

TSIG for Secure Zone Transfer

Be able to secure zone transfers between the master and slave name servers using a TSIG key shared by both.

  1. On the master server, generate a key with dnssec-keygen:
    dnssec-keygen -a <algorithm> -b <bits> -n HOST <tsig-key-name>

    ex:

    dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST ns1-ns2.groupX.net

    Check that this generates two files. The number after the first + is the algorithm id (165 for HMAC-SHA512, 157 for HMAC-MD5); the base64 secret you need is on the "Key:" line of the .private file.

    # ls -al
    K<ns1-ns2.groupX.net>.+165+<XXXXX>.key
    K<ns1-ns2.groupX.net>.+165+<XXXXX>.private

    Note: BIND 9.13 and later dropped HMAC support from dnssec-keygen; there, run tsig-keygen -a hmac-sha512 ns1-ns2.groupX.net instead, which prints a ready-to-include key statement.


  2. Update the primary server's named.conf.local with this key. It is recommended to put it in a separate file and use the include statement in named.conf.local to specify this key.
    1. Copy the secret into a file named ns1-ns2.groupX.net.key. The algorithm must be the one the key was generated with (hmac-sha512 here). The format is as follows:
      key ns1-ns2.groupX.net {
        algorithm hmac-sha512;
        secret "<copy-the-secret-here>";
      };
      Restrict the file so only named can read it (for example owner root, group of the named process, mode 640): anyone holding the secret can request transfers.
    2. Edit named.conf.local and add the include statement, plus a server statement so named signs traffic to the slave with this key.
      include "ns1-ns2.groupX.net.key";
      server <ip-of-slave> {
        keys { ns1-ns2.groupX.net; };
      };
    3. Now edit named.conf.local to allow zone transfer from slave servers with the generated key instead of IP addresses.
      allow-transfer {
        // 192.168.30.X;  (comment the IP out; the key replaces the address-based ACL)
        key ns1-ns2.groupX.net;  // use the key for secure zone transfer
      };
  3. Send the key out of band to your slave name server administrator so they can configure their slave name server to use the key. To do this,
    1. Copy the key file to the slave server securely.
      scp <ns1-ns2.groupX.net.key> apnic@<ip-address-of-slaveserver>:/home/apnic/

      Ex: for server1

      scp ns1-ns2.groupX.net.key apnic@192.168.30.1:/home/apnic/
    2. Request the owner of the secondary server to update the secondary server's named.conf.local to reflect the same changes as the primary. The key name, algorithm and secret must be identical on both sides.
      include "ns1-ns2.groupX.net.key";
      server <ip-of-master> {
        keys { ns1-ns2.groupX.net; };
      };
      allow-transfer {
        // 192.168.30.1;  (comment the IP out)
        key ns1-ns2.groupX.net;  // use the key for secure zone transfer
      };
  4. Run both master and slave name servers and check that zone transfers happen: the slave logs "Transfer completed" for the zone and the master logs "AXFR started" / "AXFR ended" for the client. Zone transfer can also be tested with the dig command, with and without the key.
    Example: Without the key, the transfer is expected to fail.
    dig @server domain axfr

    Result:

    Transfer failed.

    Example: with the key (the algorithm name must match the key statement)

    dig -y "hmac-sha512:ns1-ns2.groupX.net:lksdjfq38475-qejflavna==" @<slave-server> <slave domain> axfr

    -y puts the secret in the process list and shell history; dig -k ns1-ns2.groupX.net.key reads it from the key file instead. If the transfer still fails with the key, the key name, algorithm or secret differ between the two servers; the master logs this as a tsig verify failure (BADKEY or BADSIG).
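As an added example (not code from the lab page or from BIND), the Python below builds the TSIG-signed AXFR request that dig -y sends and checks it the way the master does, so you can see what the shared secret actually protects: the whole message plus the key name, algorithm and timestamp (RFC 8945). The key name is the page's; the secret is a constructed 64-byte sample, and the verifier assumes a single question with the TSIG RR as the only additional record.

```python
import base64, hashlib, hmac, struct

def wire_name(name):
    """DNS wire form: length-prefixed labels ending in a zero byte, lowercased as TSIG requires."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".")) + b"\x00"

def read_name(buf, off):
    """Parse an uncompressed wire name; return (text, offset just past it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode()); off += 1 + buf[off]
    return ".".join(labels), off + 1

def axfr_query(zone, msg_id):
    """Unsigned AXFR request: header with QDCOUNT=1, one question of type 252 (AXFR), class IN."""
    return struct.pack(">HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack(">HH", 252, 1)

def tsig_variables(key_name, alg, ts, fudge):
    # RFC 8945 4.3.3: key name, class ANY, TTL 0, algorithm, time signed (48 bit), fudge, error 0, other len 0
    return wire_name(key_name) + struct.pack(">HI", 255, 0) + wire_name(alg) + ts.to_bytes(6, "big") + struct.pack(">HHH", fudge, 0, 0)

def tsig_sign(msg, key_name, secret_b64, ts, fudge=300, alg="hmac-sha512"):
    """Append a TSIG RR (type 250, class ANY) and bump ARCOUNT; MAC = HMAC(secret, msg + variables)."""
    mac = hmac.new(base64.b64decode(secret_b64), msg + tsig_variables(key_name, alg, ts, fudge), hashlib.sha512).digest()
    rdata = (wire_name(alg) + ts.to_bytes(6, "big") + struct.pack(">HH", fudge, len(mac)) + mac
             + msg[0:2] + bytes(4))                            # original ID, then error 0 and other len 0
    rr = wire_name(key_name) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack(">H", struct.unpack(">H", msg[10:12])[0] + 1) + msg[12:] + rr

def tsig_verify(signed, keyring, now):
    """Receiver-side check. Assumes one question and the TSIG RR as the only additional record."""
    _, off = read_name(signed, 12); off += 4                   # end of the question section
    key_name, p = read_name(signed, off); p += 10              # skip type, class, TTL, RDLENGTH
    alg, p = read_name(signed, p)
    ts = int.from_bytes(signed[p:p + 6], "big"); fudge, maclen = struct.unpack(">HH", signed[p + 6:p + 10])
    if key_name not in keyring or alg != "hmac-sha512" or abs(now - ts) > fudge:
        return False                                           # what named logs as BADKEY or BADTIME
    unsigned = signed[:10] + struct.pack(">H", struct.unpack(">H", signed[10:12])[0] - 1) + signed[12:off]
    expected = hmac.new(base64.b64decode(keyring[key_name]), unsigned + tsig_variables(key_name, alg, ts, fudge), hashlib.sha512).digest()
    return hmac.compare_digest(signed[p + 10:p + 10 + maclen], expected)   # False here is BADSIG

# Constructed sample values: the page's key name with a 64-byte (512-bit) sample secret, not the lab's real key.
KEY_NAME = "ns1-ns2.groupX.net"
SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
KEYRING = {KEY_NAME.lower(): SECRET_B64}                       # what the master's key statement holds
def demo(now=1_700_000_000):
    """Sign an AXFR for groupX.net; verify it intact, with one question byte flipped, and an hour late."""
    signed = tsig_sign(axfr_query("groupX.net", 0x1234), KEY_NAME, SECRET_B64, now)
    tampered = bytearray(signed); tampered[13] ^= 1
    return tsig_verify(signed, KEYRING, now + 60), tsig_verify(bytes(tampered), KEYRING, now), tsig_verify(signed, KEYRING, now + 3600)
```

demo() returns (True, False, False): a valid request, a modified one (BADSIG) and a replay outside the 300-second fudge window (BADTIME).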


  • Last modified: 2021/04/19 06:39