Re: How to create the TSIG?

[Chris Buxton]

Point 1: The rndc.key file is referenced automatically if its contents  
are not included, because you do not have a controls statement. This  
is confusing, so please read the section of the ARM on the controls  
statement.
__

Point 2: Your 'allow-update' statement is wrong. You have:
allow-update { tdnet.key; };

Problem one is, you forgot the word "key".

allow-update { key tdnet.key; };

Problem two is, you're re-using a server-to-server key for dynamic  
updates. This is bad practice. You should have one key for dynamic  
updates to the zone, and another key for all communication with the  
server at 192.168.0.194.
__

Point 3: Since you have an allow-transfer statement in the zone, you  
should change it to this:

allow-transfer { key tdnet.key; };

Add all 5 slave server keys to that list. Furthermore, you can move  
this list out of the zone statements and into the options statement,  
so that you don't have to duplicate it once per zone.
__

Point 4: The reason your zone has been rewritten, and the reason for  
the .jnl file, is that your zone has received a dynamic update. This  
is normal behavior. nsupdate doesn't directly create the journal file,  
nor does it directly modify the zone file; instead, named does this in  
response to the dynamic update. The .jnl file is created immediately  
upon receiving the first update, while the main zone file is rewritten  
15 minutes later.

You should constrain the size of your journal files, in the options  
statement, with something like this:

max-journal-size 5M;

The rndc.key file was created by the package installer for BIND, as  
part of the post-processing. It was always there; you just didn't  
notice it.
__

Point 5: Whenever you modify named.conf, before you restart named, run  
named-checkconf over it, just to be sure.

Chris Buxton
Professional Services
Men & Mice

On Feb 6, 2009, at 8:47 AM, Michelle Konzack wrote:

Hello Chris,

thank you for the "HOWTO"... now it is more clear.

OK, there are some stange things happen to my master DNS @home.   
Since I
it seems I had a "nsupdate" from my Laptop,  an  update  from  my   
work-
stations was working perfectly and now it comes:

I have never used:

Am 2009-02-05 16:58:27, schrieb Chris Buxton:
Create a key:

dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key

(Note: Use something better than hmac-md5 if your BIND version  
supports
it.) This creates two files, with similar names. Extract the secret  
from
either of them (it is the same in both) and create a key statement:

key "slave1.key" {
        algorithm hmac-md5;
        secret "put here the secret from the file";
};

and this installed and was not looking into my local DNS  since   
several
weeks...  Today I have found

1) a modified file
  /etc/bind/net.tamay-dogan.private

2) two new files
  /etc/bind/net.tamay-dogan.private.njl
  /etc/bind/rndc.key

where the last one has the key enty above.

Q: Does the "nsupdate" create/change this files?

Note:  The rndc.key file is not included in any files, hence I
      asume it is not alive and I have to include it into my.
      /etc/bind/named.conf.local (Debian System)

Put this statement into named.conf on both the master server and  
one of
your slaves. Then, put this into the master server's named.conf:

server 192.0.2.1 { // use the actual IP address of the slave here
        keys { slave1.key; };
};

On the slave:

server 192.0.2.2 { // this should be the IP address of the master
        keys { slave1.key; };
};

OK done.

This will then secure all communication (except forwarded updates)
between master and slave1. That includes notifies, SOA queries and
responses, and zone transfers.

Repeat the above for each slave. Use a different key for each slave.
This means the master will have 5 keys defined (plus an RNDC key,
hopefully), and 5 server statements. You may also want to create
additional keys (and additional server statements) for use between
slaves, just in case you ever need to promote one.

OK, now I have:

key "rndc-key" {
...
};
key "tdnet.key" {
...
};
key "hetzner.key" {
...
};
key "vallendor.key" {
...
};

and 5 entries like

server 192.168.0.194 {
        keys { tdnet.key; };
};

Next, create yet another key for dynamic updates. Put that key's name
into your allow-update statement. Turn on update-forwarding on the

Done but...

slaves, like this (in each slave zone):

allow-update-forwarding { any; };

OK done.

Since the master will only permit signed updates, and since the  
slaves
will forward signed updates unmodified (signatures intact), you do  
not
need to secure this ACL.

I have for testing only me second local DNS included and I call the   
key
"tdnet.key" since it is under my own control...

I have now (unneccesary lines striped)

----[ '/etc/bind/ 
named.conf' ]------------------------------------------
include "/etc/bind/named.conf.options";

zone "." {
       type hint;
       file "/etc/bind/db.root";
};

zone "localhost" {
       type master;
       file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
       type master;
       file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
       type master;
       file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
       type master;
       file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
------------------------------------------------------------------------

----[ '/etc/bind/ 
named.conf.options' ]----------------------------------
options {
       directory "/var/cache/bind";
       check-names master fail;
       check-names slave warn;
       check-names response ignore;
       auth-nxdomain no;
       listen-on-v6 { any; };
       listen-on { 192.168.0.74; };
};
------------------------------------------------------------------------

----[ '/etc/bind/ 
named.conf.local' ]------------------------------------
key "rndc-key" {
       algorithm hmac-md5;
       secret " ...very_short_key... ";
};

key "tdnet.key" {
       algorithm hmac-md5;
       secret " ...very_long_key... ";
};

server 192.168.0.194 {
       keys { tdnet.key; };
};

zone "private.tamay-dogan.net" {
       type            master;
       file            "/etc/bind/net.tamay-dogan.private";
       allow-transfer  { 192.168.0.194; };
       allow-update    { tdnet.key;  };
//      allow-update    { 192.168.0.91; 192.168.0.92; 192.168.0.93;  
192.168.0.112;  };
};

zone "0.168.192.in-addr.arpa" {
       type            master;
       file            "/etc/bind/db.192.168.0";
       allow-transfer  { 192.168.0.194; };
};
------------------------------------------------------------------------

And my Intranet Zone looks like:

----[ '/etc/bind/ 
net.tamay.dogan.private' ]-----------------------------
$ORIGIN .
$TTL 86400      ; 1 day
private.tamay-dogan.net IN SOA  dns.private.tamay-dogan.net.  
hostmaster.tamay-dogan.net. (
                               1230807508 ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               86400      ; minimum (1 day)
                               )
                       NS      dns.private.tamay-dogan.net.
                       MX      10 mail.private.tamay-dogan.net.
                       MX      20 server4.pinguin-hosting.de.
$ORIGIN private.tamay-dogan.net.
$TTL 300        ; 5 minutes
128                     A       192.168.0.84
336                     A       192.168.0.81
576                     A       192.168.0.82
access                  A       192.168.0.80
aspire1350              A       192.168.0.115
clamav                  A       192.168.0.76
devel                   A       192.168.0.92
dns                     A       192.168.0.74
karima1                 A       192.168.0.94
keyserver               A       192.168.0.73
ledger                  A       192.168.0.75
lpd                     A       192.168.0.72
mail                    A       192.168.0.70
$TTL 86400      ; 1 day
                       TXT     "v=spf1 a mx ~all"
$TTL 300        ; 5 minutes
michelle1               A       192.168.0.91
mobilix                 A       192.168.0.111
multimedia              A       192.168.0.93
mysql                   A       192.168.0.66
pgsql                   A       192.168.0.66
r40                     A       192.168.0.113
router                  A       192.168.0.65
samba1                  A       192.168.0.67
                       TXT     "sources archive; 258 GByte left"
samba2                  A       192.168.0.68
                       TXT     "Multimedia stuff; 1783 GByte left"
samba3                  A       192.168.0.69
                       TXT     "Some comment for bind-users"
syslog                  A       192.168.0.71
t72                     A       192.168.0.114
tp570                   A       192.168.0.112
------------------------------------------------------------------------

but if I restart bin I get:

----[ '/var/log/ 
syslog' ]-----------------------------------------------
Feb  6 17:40:10 dns named[24020]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:40:10 dns named[24020]: found 4 CPUs, using 4 worker threads
Feb  6 17:40:10 dns named[24020]: loading configuration from '/etc/ 
bind/named.conf'
Feb  6 17:40:10 dns named[24020]: listening on IPv6 interfaces, port  
53
Feb  6 17:40:10 dns named[24020]: listening on IPv4 interface  
eth0:4, 192.168.0.74#53
Feb  6 17:40:10 dns named[24020]: /etc/bind/named.conf.local:49:  
undefined ACL 'tdnet.key'
Feb  6 17:40:10 dns named[24020]: loading configuration: not found
Feb  6 17:40:10 dns named[24020]: exiting (due to fatal error)
------------------------------------------------------------------------

which looks not realy funn since I can not more send messages... :-/

if I restore the line

       allow-update    { tdnet.key;  };

bach to the IPs it works fine:

----[ '/var/log/ 
syslog' ]-----------------------------------------------
Feb  6 17:43:09 dns named[24170]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:43:09 dns named[24170]: found 4 CPUs, using 4 worker threads
Feb  6 17:43:09 dns named[24170]: loading configuration from '/etc/ 
bind/named.conf'
Feb  6 17:43:09 dns named[24170]: listening on IPv6 interfaces, port  
53
Feb  6 17:43:09 dns named[24170]: listening on IPv4 interface  
eth0:4, 192.168.0.74#53
Feb  6 17:43:09 dns named[24170]: zone 'private.tamay-dogan.net'  
allows updates by IP address, which is insecure
Feb  6 17:43:09 dns named[24170]: command channel listening on  
127.0.0.1#953
Feb  6 17:43:09 dns named[24170]: command channel listening on ::1#953
Feb  6 17:43:09 dns named[24170]: zone 0.in-addr.arpa/IN: loaded  
serial 1
Feb  6 17:43:09 dns named[24170]: zone 127.in-addr.arpa/IN: loaded  
serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/db.192.168.0:3: using  
RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone 0.168.192.in-addr.arpa/IN:  
loaded serial 1230468458
Feb  6 17:43:09 dns named[24170]: zone 255.in-addr.arpa/IN: loaded  
serial 1
Feb  6 17:43:09 dns named[24170]: zone localhost/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay- 
dogan.cybercenter:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/ 
IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.omega:3:  
using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN:  
loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: zone private.tamay-dogan.net/IN:  
loaded serial 1230807508
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.redhat: 
3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone redhat.tamay-dogan.net/IN:  
loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: running
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/ 
IN: sending notifies (serial 1220552501)
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN:  
sending notifies (serial 1220552501)
------------------------------------------------------------------------

What I have doen wrong?

Thanks, Greetings and nice Day/Evening
   Michelle Konzack
   Systemadministrator
   24V Electronic Engineer
   Tamay Dogan Network
   Debian GNU/Linux Consultant


--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant  
#####################
<http://www.tamay-dogan.net/>               <http:// 
www.can4linux.org/>
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users