Configuring TSIG keys and ACL's on slave server

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 17 22:59:48 UTC 2007


OK, so you've made some changes to your config. Is it working or not? 
Don't keep us in suspense.

            - Kevin

Phusion wrote:
> On 4/16/07, Curt Sampson <cjs at cynic.net> wrote:
>   
>> On Mon, 16 Apr 2007, Phusion wrote:
>>
>>     
>>> I need help configuring TSIG keys and ACL's on a slave server.
>>>       
>> Your key statements look fine, but your ACLs don't seem right.
>> You probably want something that includes things similar to the following:
>>
>> transfer-keys.conf:
>>
>>      key transfer.key. {
>>         algorithm hmac-md5;
>>         secret "...";
>>      };
>>
>> named-master.conf:
>>
>>      include "transfer-keys.conf";
>>      options {
>>         allow-transfer {
>>             localhost;
>>             key transfer.key.;
>>         };
>>      };
>>
>> name-slave.conf:
>>
>>      include "transfer-keys.conf";
>>      masters my_masters {
>>         10.1.1.2 key transfer.key.;
>>      };
>>      zone foo.com. {
>>         type slave;
>>         file "slave/foo.com";
>>         masters { my_masters; };
>>      };
>>
>>
>> Also, you don't want recursion on (except for maybe local queries, if
>> the machine and all its users are trusted--I still have doubts about
>> even that) in your slave servers; they're still authoritative servers.
>>
>> As well, it appears to me (though I've not yet played with this
>> seriously) that you can put some or all of your slaves in your slave file
>> master list and they'll co-ordinate properly, pulling down the data from
>> the "master" with the highest serial number. Thus, if you completely
>> lose your master (e.g., it falls off the Internet) and you need to
>> update a zone, you can use a copy of the master files on the slave (I
>> keep all mine in version control on a separate machine, and have extra
>> checkouts handy on slaves just in case), change the slave to use the
>> master config file, make your changes, reload, and you're set.
>>
>>
>> cjs
>> --
>> Curt Sampson            <cjs at cynic.net>             +81 90 7737 2974
>>    The power of accurate observation is commonly called cynicism
>>    by those who have not got it.    --George Bernard Shaw
>>
>>     
>
> I made some changes and now my config files look like the following.
>
> ====================
> named.conf.master
> ====================
> /* TSIG keys ======================= */
> key smdndnsp1-smdndnsp2.test.com. {
>         algorithm       hmac-md5;
>         secret
> "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
> };
>
>
> /* ACLs ============================ */
> acl lan {
>         127/8; 10.1.1/24; 10.1.101/24;
> };
>
> acl transfer {
>         key smdndnsp1-smdndnsp2.test.com.;
> };
>
> /* rndc configuration ============== */
> key "rndc-key" {
>         algorithm       hmac-md5;
>         secret
> "Bpd0MiJARZI7+Ze5ZvYqpMLWKd6u43DRsqRB6ouHEay8dQZRCdj5zsibvdR6gySRjen7AGAV/DYedEDFsjhEvg==";
> };
>
> controls {
>         inet            127.0.0.1 port 953
>                         allow { 127.0.0.1; }
>                         keys { "rndc-key"; };
> };
>
> /* Options ========================= */
> options {
>         directory       "/";
>         version         "";     // remove this to allow version queries
>         allow-query     { "lan"; };
>         allow-transfer  { "transfer"; };
> };
> ...
> ...
> ...
> /* Authoritative zones ============= */
> zone "." {
>         type            hint;
>         file            "standard/root.hint";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type            master;
>         file            "standard/loopback";
> };
>
> zone "1.1.10.in-addr.arpa" {
>         type            master;
>         file            "master/db.10.1.1";
>         allow-update    { key mdnlan; };
>         notify          yes;
> };
>
> zone "localhost" {
>         type            master;
>         file            "standard/localhost";
> };
>
> zone "mdnlan.test.com" {
>         type            master;
>         file            "master/db.mdnlan.test.com";
>         allow-update    { key mdnlan; };
>         notify          yes;
> };
>
> zone "test.com" {
>         type            master;
>         file            "master/db.test.com";
> };
>
> ====================
> named.conf.slave
> ====================
> /* TSIG keys ======================= */
> key smdndnsp1-smdndnsp2.test.com. {
>         algorithm       hmac-md5;
>         secret
> "iHWAgk6OZdOb/z8kjYVhQO/h+gAbAbQPFfgxOQWRTGPHAg23XAQQy6ysV1uxd5tlqeXY/EskKdUDKCHPkAXpHQ==";
> };
>
> server 10.1.1.2 {
>         keys            { smdndnsp1-smdndnsp2.test.com.; };
> };
>
> /* ACLs ============================ */
> acl lan {
>         127/8; 10.1.1/24; 10.1.101/24;
> };
>
> acl transfer {
>         key smdndnsp1-smdndnsp2.test.com.;
> };
>
> /* rndc configuration ============== */
> key "rndc-key" {
>         algorithm       hmac-md5;
>         secret
> "wejqinaDNIMyTQ/DEObjVfRLbO1mOxughAefMgzenKX2zF7JwcpBJbR3zaIl3EX7T3IG9wMHHfS4I+SBuubXvg==";
> };
>
> controls {
>         inet            127.0.0.1 port 953
>                         allow { 127.0.0.1; }
>                         keys { rndc-key; };
> };
>
> /* Options ========================= */
> options {
>         directory       "/";
>         version         "";     // remove this to allow version queries
>         allow-query     { "lan"; };
>         allow-transfer  { none; };
> };
> ...
> ...
> ...
> /* Authoritative zones ============= */
> zone "." {
>         type            hint;
>         file            "standard/root.hint";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type            master;
>         file            "standard/loopback";
> };
>
> zone "1.1.10.in-addr.arpa" {
>         type            slave;
>         masters         { 10.1.1.2; };
>         file            "slave/bak.10.1.1";
> };
>
> zone "localhost" {
>         type            master;
>         file            "standard/localhost";
> };
>
> zone "mdnlan.test.com" {
>         type            slave;
>         masters          { 10.1.1.2; };
>         file            "slave/bak.mdnlan.test.com";
> };
>
> zone "test.com" {
>         type            slave;
>         masters         { 10.1.1.2; };
>         file            "slave/bak.test.com";
> };
>
> I think there are still problems with the ACL's. Let me know.
>
> Phusion


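One thing worth doing before reloading either box is to cross-check the TSIG wiring between the two files: every key named in an ACL, allow-update, server or controls statement must actually be defined, the slave's server statement for the master must name a key that the master's allow-transfer (through its ACL) accepts, and that key must carry the same algorithm and secret on both hosts. The script below is an added example, not code from this thread or from BIND; it is a small regex-based reader that understands only the statement shapes used in the posted configs, not the full named.conf grammar, and it ignores zone-level allow-transfer overrides. The two sample configs are constructed, shaped like the posted ones with placeholder secrets and a made-up key name (xfer.example.com.); the master IP 10.1.1.2 is reused from the thread. The posted configs elide sections with "...", so the check only makes sense on the complete files.

```python
"""Cross-check TSIG key definitions and references between a BIND master
and slave named.conf (added example; regex based, not a full parser)."""
import re

# Constructed sample pair with placeholder secrets. The master carries one
# deliberate mismatch: allow-update names a key (mdnlan) defined nowhere.
MASTER_CONF = r'''
/* TSIG keys */
key xfer.example.com. { algorithm hmac-md5; secret "PLACEHOLDER-SHARED=="; };
acl lan { 127/8; 10.1.1/24; };
acl transfer { key xfer.example.com.; };
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-MASTER-RNDC=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
options {
        allow-query     { "lan"; };
        allow-transfer  { "transfer"; };   // ACL name, resolved to its key
};
zone "example.com" {
        type master; file "master/db.example.com";
        allow-update { key mdnlan; };
};
'''
SLAVE_CONF = r'''
key xfer.example.com. { algorithm hmac-md5; secret "PLACEHOLDER-SHARED=="; };
server 10.1.1.2 { keys { xfer.example.com.; }; };
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-SLAVE-RNDC=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; };
options { allow-transfer { none; }; };
zone "example.com" { type slave; masters { 10.1.1.2; }; file "slave/bak.example.com"; };
'''

# Quoted strings are matched first and kept, so a "//" inside a base64
# secret is not mistaken for the start of a comment.
_TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    return _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', conf)

def split_list(body):
    """Turn the contents of '{ a; "b"; }' into ['a', 'b']."""
    return [t.strip().strip('"') for t in body.split(';') if t.strip()]

def find_blocks(text, keyword):
    """Yield (header, body) for each `keyword header { body };`, counting
    braces so nested blocks such as server { keys {...}; } survive."""
    for m in re.finditer(r'\b' + keyword + r'\b([^{;]*)\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += (text[i] == '{') - (text[i] == '}')
            i += 1
        yield m.group(1).strip().strip('"'), text[m.end():i - 1]

def parse(conf):
    text = strip_comments(conf)
    keys = {}
    for name, body in find_blocks(text, 'key'):
        alg = re.search(r'\balgorithm\s+([\w\-]+)\s*;', body)
        sec = re.search(r'\bsecret\s+"([^"]*)"\s*;', body)
        keys[name] = (alg and alg.group(1), sec and sec.group(1))
    # "key NAME;" items in ACL-style lists plus every "keys { ... }" list
    refs = {m.group(1) for m in re.finditer(r'\bkey\s+"?([\w.\-]+)"?\s*;', text)}
    for m in re.finditer(r'\bkeys\s*\{([^}]*)\}', text):
        refs.update(split_list(m.group(1)))
    return {'keys': keys, 'refs': refs,
            'acls': {n: split_list(b) for n, b in find_blocks(text, 'acl')},
            'options': next((b for _, b in find_blocks(text, 'options')), ''),
            'servers': list(find_blocks(text, 'server'))}

def undefined_key_refs(parsed):
    return sorted(parsed['refs'] - set(parsed['keys']))

def transfer_keys(parsed):
    """Key names the options-level allow-transfer accepts, following ACL names."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', parsed['options'])
    out, todo, seen = set(), split_list(m.group(1)) if m else [], set()
    while todo:
        item = todo.pop()
        if item.startswith('key '):
            out.add(item.split(None, 1)[1].strip('"'))
        elif item in parsed['acls'] and item not in seen:
            seen.add(item)
            todo.extend(parsed['acls'][item])
    return out

def check_pair(master_conf, slave_conf, master_ip):
    m, s = parse(master_conf), parse(slave_conf)
    problems = [f'{host}: key "{k}" referenced but never defined'
                for host, p in (('master', m), ('slave', s)) for k in undefined_key_refs(p)]
    slave_keys = set()
    for ip, body in s['servers']:
        km = re.search(r'\bkeys\s*\{([^}]*)\}', body)
        if ip == master_ip and km:
            slave_keys.update(split_list(km.group(1)))
    if not slave_keys:
        problems.append(f'slave: no server {master_ip} {{ keys {{...}}; }} statement, transfers will be unsigned')
    allowed = transfer_keys(m)
    for k in slave_keys:
        if k not in allowed:
            problems.append(f'master: allow-transfer does not accept key "{k}" that the slave signs with')
        if k in m['keys'] and k in s['keys'] and m['keys'][k] != s['keys'][k]:
            problems.append(f'key "{k}": algorithm or secret differ between master and slave')
    return problems

if __name__ == '__main__':
    for line in check_pair(MASTER_CONF, SLAVE_CONF, '10.1.1.2') or ['no TSIG wiring problems found']:
        print(line)
```

Run it against the real pair by loading the two files into MASTER_CONF and SLAVE_CONF; the sample as shipped reports only the undefined mdnlan key. The comparison is also the quickest way to catch the classic copy-and-paste failure where the secret on one side has been re-generated, which shows up on the wire only as a BADKEY or BADSIG refusal in the logs. The thread uses hmac-md5 because that was the default of the day; current BIND releases also accept hmac-sha256, which is the better choice for any new key.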
More information about the bind-users mailing list