Setting up DH key exchange

karthik kumar karthik.kumar23 at gmail.com
Tue Nov 21 06:26:07 UTC 2006


Hi BIND gurus,
I am trying to set up a DH (Diffie-Hellman) TKEY exchange between a Linux client and a
BIND 9.3.2 server running on Linux (Fedora).

This is how I have done so far:

*Server Side Configurations:*
1. Created the server's DH key pair using:
            # NOTE(review): -b 128 produces a 128-bit DH modulus, which is far too
            # small to resist an offline attack on the negotiated secret. The
            # dnssec-keygen man page allows DH sizes well above this; regenerate
            # with at least 1024 bits (the key id "14250" in the file names and in
            # tkey-dhkey will change when you do).
            dnssec-keygen -a DH -b 128 -n host -g 2 testpc48key
  This generated the following key pair (the .private file holds the server's DH private value):
Ktestpc48key.+002+14250.key      and    Ktestpc48key.+002+14250.private

2. To authenticate the TKEY queries with an established TSIG key, as RFC 2930
recommends, I created an HMAC-MD5 client key on the client system and added the
corresponding TSIG configuration to the server's named.conf, as shown below:

// TSIG key shared with the client; used both to sign the TKEY request and
// to authorise dynamic updates via the update-policy below.
// NOTE(review): this secret has now been posted to a public mailing list and
// must be treated as compromised — generate a fresh one before going further.
key "clientkey." {
    algorithm hmac-md5;
    secret "ALp5Wa/rh43ckyPBJuNwFg==";
};

zone "bsr.com" {
    type master;
    notify no;
    file "bsr.zone";
    allow-query { any; };
    // Grants clientkey. the right to add/delete ANY record type at bsr.com
    // and every name beneath it. NOTE(review): keys negotiated through TKEY
    // are named <prefix>.<tkey-domain>, not "clientkey.", so they are not
    // covered by this grant — add a rule for them if they are meant to update.
    update-policy { grant clientkey. subdomain bsr.com ANY; };
};


**
3. I kept my zone files and key files in /var/named/chroot/var/named

         my /var/named/chroot/var/named directory structure is as below:

         [root at testpc48 named]# pwd
        /var/named/chroot/var/named

        [root at testpc48 named]# ls
         bsr.zone       Ktestpc48key.+002+14250.key          named.ca
 _pdu.txt
         bsr.zone.jnl   Ktestpc48key.+002+14250.private
named.ip6.local
pdu.txt
         data             localdomain.zone
named.local           slaves
         del.txt          localhost.zone
named.run
        Help.txt       named.broadcast

The key files still have the default permissions they were created with. (Since named runs as the unprivileged "named" user, the .private file has to be readable by that user — and should be readable by nobody else.)

In my /etc directory I have the following symbolic link for named.conf:
lrwxrwxrwx  1 root root 32 Nov 16 12:34          /etc/named.conf   ->
/var/named/chroot/etc/named.conf

4. I added the following TKEY settings to the options section of named.conf:

   // Server DH key used to answer TKEY DH requests: name and key id must match
   // the Ktestpc48key.+002+14250.{key,private} pair in the working directory.
   tkey-dhkey "testpc48key" 14250;
   // Domain appended to the names of all keys negotiated via TKEY.
   tkey-domain "bsr.com";
   // NOTE(review): /dev/random blocks when the kernel entropy pool is empty,
   // which can stall the TKEY negotiation; /dev/urandom is the usual choice.
   random-device "/dev/random";


My full named.conf is included below for reference:


//
// named.conf for Red Hat caching-nameserver
//

options {
        // Relative file names below are resolved under this directory; with
        // "named -t /var/named/chroot" that is /var/named/chroot/var/named.
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
       // dnssec-enable yes;
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // NOTE(review): leave this commented out — pinning the outgoing
         // source port to 53 makes forged responses much easier to inject.
         // query-source address * port 53;
   // Server DH key for TKEY: name and key id must match the
   // Ktestpc48key.+002+14250.{key,private} files in the working directory,
   // and the .private file must be readable by the "named" user.
   tkey-dhkey "testpc48key" 14250;
   // Domain appended to the names of all keys negotiated via TKEY.
   tkey-domain "bsr.com";
   // NOTE(review): /dev/random blocks when the entropy pool is empty and can
   // stall TKEY negotiation; /dev/urandom is the usual choice.
   random-device "/dev/random";

};

//
// a caching only nameserver config
//
// rndc control channel: loopback only, authenticated with rndckey, which is
// defined by the include at the end of this file.
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};


zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        // NOTE(review): address-based update ACL; a TSIG key (as used for
        // bsr.com below) is the stronger choice since source IPs can be spoofed.
        allow-update { 127.0.0.1; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };

};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

logging {
    channel "bsr_log" {
        // send most BIND logs to a dedicated log file
        // (under the chroot when named is started with -t)
        file "/var/log/bsr_log.log" versions 10 size 500k;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
        };
};


// TSIG key shared with the client; it signs the TKEY request and is the
// identity named in the bsr.com update-policy.
// NOTE(review): this secret has been posted to a public mailing list and must
// be treated as compromised — generate a fresh one (and prefer a SHA-based
// HMAC if this BIND version supports it) before using this configuration.
key "clientkey." {
    algorithm hmac-md5;
    secret "ALp5Wa/rh43ckyPBJuNwFg==";
};



zone "bsr.com" {
    type master;
    notify no;
    file "bsr.zone";
    allow-query { any; };
    // clientkey. may add/delete ANY record type at bsr.com and below.
    // NOTE(review): keys negotiated via TKEY are named <prefix>.<tkey-domain>,
    // not "clientkey.", so this grant does not cover them; add a rule for
    // those names if TKEY-negotiated keys are expected to send updates.
    update-policy { grant clientkey. subdomain bsr.com ANY; };
};

/*zone "115.31.172.in-addr.arpa"{
        type master;
        file "bsr.reverse.zone";
        allow-query { any; };
        allow-update { key shan;};

};*/

// Defines rndckey for the controls statement; resolved inside the chroot.
include "/etc/rndc.key";

I start the name server as follows:

# -u named drops root privileges to the "named" user; -t chroots into
# /var/named/chroot before the configuration is read, so every path in
# named.conf (directory, log file, the rndc.key include) is resolved under
# that tree, and the DH .private file must be readable by "named" there.
# NOTE(review): the daemon is run straight from the build tree under /root.
/root/bind-9.3.2/bin/named/named -u named -t /var/named/chroot/

[root at testpc48 named]# ps -ef |grep named


named    16417     1  0 Nov20 ?        00:00:00
/root/bind-9.3.2/bin/named/named
-u named -t /var/named/chroot/
root     18205 15873  0 11:55 pts/1    00:00:00 grep named

How do I now proceed to perform the actual DH key exchange from the client side?

Please advise.



Thanks & rgds

KK



