Configuring TSIG keys and ACL's on slave server
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 17 22:59:48 UTC 2007
OK, so you've made some changes to your config. Is it working or not?
Don't keep us in suspense.
- Kevin
Phusion wrote:
> On 4/16/07, Curt Sampson <cjs at cynic.net> wrote:
>
>> On Mon, 16 Apr 2007, Phusion wrote:
>>
>>
>>> I need help configuring TSIG keys and ACL's on a slave server.
>>>
>> Your key statements look fine, but your ACLs don't seem right.
>> You probably want something that includes things similar to the following:
>>
>> transfer-keys.conf:
>>
>> key transfer.key. {
>> algorithm hmac-md5;
>> secret "...";
>> };
>>
>> named-master.conf:
>>
>> include "transfer-keys.conf";
>> options {
>> allow-transfer {
>> localhost;
>> key transfer.key.;
>> };
>> };
>>
>> name-slave.conf:
>>
>> include "transfer-keys.conf";
>> masters my_masters {
>> 10.1.1.2 key transfer.key.;
>> };
>> zone foo.com. {
>> type slave;
>> file "slave/foo.com";
>> masters { my_masters; };
>> };
>>
>>
>> Also, you don't want recursion on (except for maybe local queries, if
>> the machine and all its users are trusted--I still have doubts about
>> even that) in your slave servers; they're still authoritative servers.
>>
>> As well, it appears to me (though I've not yet played with this
>> seriously) that you can put some or all of your slaves in your slave file
>> master list and they'll co-ordinate properly, pulling down the data from
>> the "master" with the highest serial number. Thus, if you completely
>> lose your master (e.g., it falls off the Internet) and you need to
>> update a zone, you can use a copy of the master files on the slave (I
>> keep all mine in version control on a separate machine, and have extra
>> checkouts handy on slaves just in case), change the slave to use the
>> master config file, make your changes, reload, and you're set.
>>
>>
>> cjs
>> --
>> Curt Sampson <cjs at cynic.net> +81 90 7737 2974
>> The power of accurate observation is commonly called cynicism
>> by those who have not got it. --George Bernard Shaw
>>
>>
>
> I made some changes and now my config files look like the following.
>
> ====================
> named.conf.master
> ====================
> /* TSIG keys ======================= */
> key smdndnsp1-smdndnsp2.test.com. {
> algorithm hmac-md5;
> secret
> "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
> };
>
>
> /* ACLs ============================ */
> acl lan {
> 127/8; 10.1.1/24; 10.1.101/24;
> };
>
> acl transfer {
> key smdndnsp1-smdndnsp2.test.com.;
> };
>
> /* rndc configuration ============== */
> key "rndc-key" {
> algorithm hmac-md5;
> secret
> "Bpd0MiJARZI7+Ze5ZvYqpMLWKd6u43DRsqRB6ouHEay8dQZRCdj5zsibvdR6gySRjen7AGAV/DYedEDFsjhEvg==";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; }
> keys { "rndc-key"; };
> };
>
> /* Options ========================= */
> options {
> directory "/";
> version ""; // remove this to allow version queries
> allow-query { "lan"; };
> allow-transfer { "transfer"; };
> };
> ...
> ...
> ...
> /* Authoritative zones ============= */
> zone "." {
> type hint;
> file "standard/root.hint";
> };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> };
>
> zone "1.1.10.in-addr.arpa" {
> type master;
> file "master/db.10.1.1";
> allow-update { key mdnlan; };
> notify yes;
> };
>
> zone "localhost" {
> type master;
> file "standard/localhost";
> };
>
> zone "mdnlan.test.com" {
> type master;
> file "master/db.mdnlan.test.com";
> allow-update { key mdnlan; };
> notify yes;
> };
>
> zone "test.com" {
> type master;
> file "master/db.test.com";
> };
>
>
> ====================
> named.conf.slave
> ====================
> /* TSIG keys ======================= */
> key smdndnsp1-smdndnsp2.test.com. {
> algorithm hmac-md5;
> secret
> "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
> };
>
> server 10.1.1.2 {
> keys { smdndnsp1-smdndnsp2.test.com.; };
> };
>
> /* ACLs ============================ */
> acl lan {
> 127/8; 10.1.1/24; 10.1.101/24;
> };
>
> acl transfer {
> key smdndnsp1-smdndnsp2.test.com.;
> };
>
> /* rndc configuration ============== */
> key "rndc-key" {
> algorithm hmac-md5;
> secret
> "wejqinaDNIMyTQ/DEObjVfRLbO1mOxughAefMgzenKX2zF7JwcpBJbR3zaIl3EX7T3IG9wMHHfS4I+SBuubXvg==";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; }
> keys { rndc-key; };
> };
>
> /* Options ========================= */
> options {
> directory "/";
> version ""; // remove this to allow version queries
> allow-query { "lan"; };
> allow-transfer { none; };
> };
> ...
> ...
> ...
> /* Authoritative zones ============= */
> zone "." {
> type hint;
> file "standard/root.hint";
> };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> };
>
> zone "1.1.10.in-addr.arpa" {
> type slave;
> masters { 10.1.1.2; };
> file "slave/bak.10.1.1";
> };
>
> zone "localhost" {
> type master;
> file "standard/localhost";
> };
>
> zone "mdnlan.test.com" {
> type slave;
> masters { 10.1.1.2; };
> file "slave/bak.mdnlan.test.com";
> };
>
> zone "test.com" {
> type slave;
> masters { 10.1.1.2; };
> file "slave/bak.test.com";
> };
>
> I think there are still problems with the ACL's. Let me know.
>
> Phusion
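As an added example (not code from any of the posters), here is a small Python lint for the kind of named.conf shown in the thread: it resolves every key and acl name used in allow-transfer, allow-update and allow-query lists against the key and acl statements actually defined in the file, and flags transfer or update lists that are open to any host. The sample input is constructed from the quoted named.conf.master with a placeholder secret; whether the real file defines the mdnlan key in one of the elided sections is not known from the thread, so that finding applies to the sample only.

```python
import re
# Constructed sample modelled on the quoted named.conf.master; the secret is a placeholder.
SAMPLE = '''
key smdndnsp1-smdndnsp2.test.com. { algorithm hmac-md5; secret "PLACEHOLDER=="; };
acl lan { 127/8; 10.1.1/24; };  acl transfer { key smdndnsp1-smdndnsp2.test.com.; };
options { allow-query { "lan"; }; allow-transfer { "transfer"; }; };
zone "1.1.10.in-addr.arpa" { type master; file "master/db.10.1.1"; allow-update { key mdnlan; }; };
zone "test.com" { type master; file "master/db.test.com"; allow-transfer { any; }; };
'''
BUILTIN = {"any", "none", "localhost", "localnets"}
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)
ADDR = re.compile(r"^!?[0-9A-Fa-f.:]*[\d:][0-9A-Fa-f.:]*(/\d{1,3})?$")  # address/prefix entry

def parse(text):
    # Walk the brace structure; collect defined keys/acls and the match lists worth checking.
    keys, acls, lists, stack, cur = set(), set(), [], [], []  # lists: (where, stmt, entries)
    for tok in TOKEN.findall(text):
        if tok[:2] in ("/*", "//"): continue          # comments
        tok = tok.strip('"')
        if tok not in ("{", ";", "}"):
            cur.append(tok); continue
        if tok == "{":
            stack.append([cur, []])                   # [head tokens, finished statements]
        elif tok == ";":
            if stack and cur: stack[-1][1].append(cur)
        else:
            head, stmts = stack.pop()
            if head and head[0] == "key" and len(head) > 1:
                keys.add(head[1])
            elif head and head[0] == "acl" and len(head) > 1:
                acls.add(head[1]); lists.append(("acl " + head[1], "acl", stmts))
            elif head and head[0] in ("allow-transfer", "allow-update", "allow-query"):
                where = " ".join(stack[-1][0]) if stack else "top-level"
                lists.append((where, head[0], stmts))
        cur = []                           # a brace or ';' ends the current statement
    return keys, acls, lists

def lint(text):
    # Report unresolved key/acl references and transfer/update lists open to any host.
    keys, acls, lists = parse(text)
    findings = []
    for where, stmt, entries in lists:
        for entry in entries:
            is_key, name = entry[0] == "key", entry[-1]   # 'key NAME' -> NAME
            if is_key and name not in keys:
                findings.append(f"{where}: {stmt} uses undefined key {name}")
            elif not is_key and name == "any" and stmt in ("allow-transfer", "allow-update"):
                findings.append(f"{where}: {stmt} is open to any host")
            elif not is_key and name not in BUILTIN | acls and not ADDR.match(name):
                findings.append(f"{where}: {stmt} uses undefined acl {name}")
    return findings
```

Run lint() over a real named.conf (after joining any include files into one string) to get the same kind of report; an empty list means every referenced key and acl resolves and no transfer or update list is wide open.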
More information about the bind-users
mailing list