小蘇的世界

TSIG是做什麼的吶？

Transaction SIGnatures (TSIG) based transaction security in BIND. 啥米…有聽沒有懂～繼續往下看囉

BIND primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of BIND 8 have limited support for TSIG.
TSIG can also be useful for dynamic update. A primary server for a dynamic zone should control access to the dynamic update service, but IP-based access control is insufficient.
The cryptographic access control provided by TSIG is far superior.

以上的內容截自官網說明文件～大概指出TSIG的功能，其中一個功能可以用在zone transfer transaction security~翻不出中文～ >.<
也就是說Master DNS 跟Slave DNS交易zone file 時會比較安全吧~哈~

來做吧…~
相關內容可以查看這兒…
--> 點這兒 <--

#man dnssec-keygen

首先產生key…等會要用的…
#dnssec-keygen -a hmac-md5 -b 128 -n HOST master-slave
然後執行該指令的目錄下會產生Kmaster-slave.XXXX.key 、及Kmaster-slave.XXXX.private
這兒假設XXXX為+157+01389(不一定是這樣喔)，後面的master-slave的名稱可換掉

分別查看一下檔案內容…等一下會用到
#cat Kmaster-slave.+157+01389.key
master-server. IN KEY 512 3 157 KhDVspoqFonWKv58rFXOWw==

#cat Kmaster-slave.+157+01389.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: KhDVspoqFonWKv58rFXOWw==


注意喔
■ The *.key file contains a DNS KEY record that can be included in a zone file using the include statement.
■ The *.private file contains algorithm specific fields. For security reasons, this file does not have general read permission.

@Master DNS server (OpenSuSE 11.1 32Bits 192.168.148.129)
#vi /etc/named.conf
key master-slave{ //宣告key
   algorithm HMAC-MD5; //使用那種演算法
   secret "KhDVspoqFonWKv58rFXOWw=="; //該key的內容
};

zone "hellokitty.com.tw" in {
   type master;
   file "hellokitty.com.tw";
   allow-transfer {key master-slave;}; //用那把key做為transfer時的key
};

server 192.168.148.130 { //對那台server(129.168.148.130)進行溝通時?，用那把key?
//這兒對192.168.148.130這台…用master-slave這把key
   keys {master-slave;};
};

上面server的內容可以不用加(如果照目前設定Master與Slave架構中只有Slave主動要求zone-transfer而已)…但官方文件中提到~如果雙方有反過來溝通的機會…就加進去吧~
If host1 sends a message that is a request to that address, the message will be signed with the specified key.
Host1 will expect any responses to signed messages to be signed with the same key.
A similar statement must be present in host2's configuration file (with host1's address) for host2 to sign request messages to host1.

//如果有相關的反解的zone，也必須加入~

#/etc/init.d/named restart
#netstat -tlnup|grep 53

@Slave DNS server (OpenSuSE 11.1 32Bits 192.168.148.132)
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc.
想辦法告知Slave key的內容透過安全的交換機制~

#vi /etc/named.conf
key master-slave{ //宣告key
   algorithm HMAC-MD5; //使用那種演算法
   secret "KhDVspoqFonWKv58rFXOWw=="; //該key的內容
};

zone "hellokitty.com.tw" in {   //下面一樣維持slave的設定
   type slave;
   file "slave/hellokitty.com.tw";
   masters { 192.168.148.129; };

};

server 192.168.148.129 { //這兒很重要…對192.168.148.129進行溝通時，用master-slave這把key
//對同一台目標可以使用多個key，但只有第一個有效
   keys {master-slave;};
};

上面的server的內容為必要的…因為要對192.168.148.129要求zone-transfer的動作~

#/etc/init.d/named restart
#netstat -tlnup|grep 53


注意：下面的是安全性重點
If a computer now tries to carry out a zone transfer withoutpossessing the key, the zone transfer is refused.
意思是說…如果沒有用正確的key進行transfer就會被拒絕啦~可查看Log得之~

named.conf該檔的存取權限就相對重要…請好好檢查，不相干的人無法看到檔案內容
#ls -l /etc/named.conf

或者 the key directive be added to a non-world readable file that is included by named.conf .
用include方式，把key的內容加入不是全域可讀的檔案裡面去

如果要避免zone file被transfer(加到Slave的那台吧…不然Slave的zone也是有可能被transfer走的~)
#vi /etc/named.conf
options {
   allow-transfer {none;};
  };
在options區段中把allow-transfer的內容改成none吧


很有趣吧~各位…   >.<