lost and found ( for me ? )

BIND9 : enable TSIG for zone transfers

install bind9 on both machines
# apt-get install bind9 bind9utils dnsutils -y

# named -v
BIND 9.9.5-3ubuntu0.1-Ubuntu (Extended Support Version)

[ notify, zone transfer without TSIG ]

master : 10.0.3.20
secondary : 10.0.3.21

master
zone "foo.com" {
       type master;
       file "/etc/bind/foo.com.db";
};

secondary
zone "foo.com" {
       type slave;   // BIND 9.9 does not accept "type secondary"; the keyword is "slave"
       masters {
               10.0.3.20;
       };
       file "/etc/bind/foo.com.db";
};

Here is the capture output after modifying RRs on the master and issuing “rndc reload <zone>” on the master.

# tshark -n -r a.pcap
 1 0.000000000    10.0.3.20 -> 10.0.3.21    DNS 108 Zone change notification 0x2ea5  SOA foo.com
 2 0.000437000    10.0.3.21 -> 10.0.3.20    DNS 67 Zone change notification response 0x2ea5
 3 0.000782000    10.0.3.21 -> 10.0.3.20    DNS 78 Standard query 0xd20d  SOA foo.com
 4 0.001119000    10.0.3.20 -> 10.0.3.21    DNS 184 Standard query response 0xd20d  SOA ns01.foo.com
 5 0.001492000    10.0.3.21 -> 10.0.3.20    TCP 74 43380 > 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=149206955 TSecr=0 WS=512
 6 0.001567000    10.0.3.20 -> 10.0.3.21    TCP 74 53 > 43380 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=149206955 TSecr=149206955 WS=512

No.1
the master sends a NOTIFY to the secondary.

No.2
the secondary sends the NOTIFY reply.

No.3
the secondary asks the master for the SOA serial number.

No.4
the secondary gets the serial number from the master.

No.5
the secondary opens a TCP connection to the master and runs the zone transfer over it.

[ notify, zone transfer with TSIG ]

generate a TSIG key on the master.
# dnssec-keygen -r /dev/urandom -a hmac-sha1 -b 128 -n HOST ns1-ns2

# cat Kns1-ns2.+161+31946.private
Private-key-format: v1.3
Algorithm: 161 (HMAC_SHA1)
Key: xAQ6MiBa7ltvOyGKxgMTcw==

/etc/bind/named.conf.options ( master )
key "ns1-ns2" {
       algorithm HMAC-SHA1;
       secret "xAQ6MiBa7ltvOyGKxgMTcw==";
};

/etc/bind/named.conf.default-zones ( master )
zone "bar.com" {
       type master;
       file "/etc/bind/bar.com.db";
       allow-transfer {
               key "ns1-ns2";
       };
};

on the secondary

/etc/bind/named.conf.options
key "ns1-ns2" {
       algorithm HMAC-SHA1;
       secret "xAQ6MiBa7ltvOyGKxgMTcw==";
};

server 10.0.3.20 {
       keys { ns1-ns2; };
};

zone "bar.com" {
       type slave;
       masters {
               10.0.3.20;
       };
       file "/etc/bind/bar.com.db";
};

capture data after adding RRs on the master and issuing “rndc reload <zone>”
# tshark -nn -r aa.pcap
 1 0.000000000    10.0.3.20 -> 10.0.3.21    DNS 108 Zone change notification 0x32f0  SOA bar.com
 2 0.000480000    10.0.3.21 -> 10.0.3.20    DNS 67 Zone change notification response 0x32f0
 3 0.000963000    10.0.3.21 -> 10.0.3.20    DNS 144 Standard query 0x66af  SOA bar.com
 4 0.001314000    10.0.3.20 -> 10.0.3.21    DNS 250 Standard query response 0x66af  SOA ns01.bar.com
 5 0.001686000    10.0.3.21 -> 10.0.3.20    TCP 74 33515 > 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=149893688 TSecr=0 WS=512
 6 0.001748000    10.0.3.20 -> 10.0.3.21    TCP 74 53 > 33515 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=149893688 TSecr=149893688 WS=512
 7 0.001774000    10.0.3.21 -> 10.0.3.20    TCP 66 33515 > 53 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=149893688 TSecr=149893688
 8 0.002020000    10.0.3.21 -> 10.0.3.20    DNS 200 Standard query 0xe2df  IXFR bar.com
 9 0.002072000    10.0.3.20 -> 10.0.3.21    TCP 66 53 > 33515 [ACK] Seq=1 Ack=135 Win=30208 Len=0 TSval=149893689 TSecr=149893689
10 0.002517000    10.0.3.20 -> 10.0.3.21    DNS 342 Standard query response 0xe2df  SOA ns01.bar.com NS ns01.bar.com NS ns02.bar.com A 10.0.3.20 A 10.0.3.21 A 127.0.0.1 A 127.0.0.1 SOA ns01.bar.com
11 0.002543000    10.0.3.21 -> 10.0.3.20    TCP 66 33515 > 53 [ACK] Seq=135 Ack=277 Win=30720 Len=0 TSval=149893689 TSecr=149893689

TSIG records ( signatures made with the ns1-ns2 key ) are present in the following packets. ( SOA query/response, zone transfer )

No.3, No.4 ( SOA )
# tshark -n -r aa.pcap -Y '(frame.number==3 or frame.number==4)' -V | grep -i tsig
       ns1-ns2: type TSIG, class ANY
           Type: TSIG (Transaction Signature)
       ns1-ns2: type TSIG, class ANY
           Type: TSIG (Transaction Signature)

No.8, No.10 ( zone transfer )
# tshark -n -r aa.pcap -Y '(frame.number==8 or frame.number==10)' -V | grep -i tsig
       ns1-ns2: type TSIG, class ANY
           Type: TSIG (Transaction Signature)
       ns1-ns2: type TSIG, class ANY
           Type: TSIG (Transaction Signature)
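What the "ns1-ns2: type TSIG, class ANY" line in the tshark output actually carries, and how the master checks it before honouring allow-transfer { key "ns1-ns2"; }, is shown by the following added example. It is not code from the post or from BIND: it builds the SOA query the secondary sends, signs it with HMAC-SHA1 over the message plus the TSIG variables as RFC 2845 describes (what dig -y does), and verifies it the way a server does, returning the RFC 2845 error names BADKEY and BADSIG. The key name and secret are the ns1-ns2 key from the post; the time_signed value is constructed, the reason strings are my own wording, and the fudge/time window check that named also performs is left out.

```python
import base64
import hashlib
import hmac
import struct

TYPE_TSIG = 250        # RR type that tshark labels "TSIG (Transaction Signature)"
CLASS_ANY = 255        # a TSIG RR always carries class ANY, as seen in the tshark output
ALG_HMAC_SHA1 = "hmac-sha1"

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(buf, off):
    """Decode a wire-format name at off (compression pointers handled); returns (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if jumped else off)

def build_query(txid, qname, qtype):
    """Minimal DNS query: 12-byte header plus one question (the SOA query in frame 3 above)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_mac(msg, keyname, secret_b64, time_signed, fudge):
    """HMAC-SHA1 over the unsigned message followed by the TSIG variables (RFC 2845, 3.4.2)."""
    variables = (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)      # name, class, TTL
                 + encode_name(ALG_HMAC_SHA1) + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, 0, 0))                            # fudge, error, other len
    return hmac.new(base64.b64decode(secret_b64), msg + variables, hashlib.sha1).digest()

def sign_message(msg, keyname, secret_b64, time_signed, fudge=300):
    """Append the TSIG RR to the additional section and increment ARCOUNT (what dig -y does)."""
    txid = struct.unpack("!H", msg[:2])[0]
    mac = tsig_mac(msg, keyname, secret_b64, time_signed, fudge)
    rdata = (encode_name(ALG_HMAC_SHA1) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", txid, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def find_tsig(msg):
    """Walk every section; return (offset, keyname, rdata) of a trailing TSIG RR, else None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, last = 12, None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        start = off
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        last = (start, name, rtype, rclass, msg[off:off + rdlen])
        off += rdlen
    if last is None or last[2] != TYPE_TSIG or last[3] != CLASS_ANY:
        return None
    return last[0], last[1], last[4]

def verify_message(msg, keys):
    """Check a message's TSIG as named does before honouring allow-transfer { key ...; }.
    keys maps key name -> base64 secret. Returns (ok, reason); the time window is not checked here."""
    found = find_tsig(msg)
    if found is None:
        return False, "no TSIG record: the transfer would be REFUSED by allow-transfer"
    start, keyname, rdata = found
    if keyname not in keys:
        return False, "BADKEY: unknown key %s" % keyname
    alg, off = read_name(rdata, 0)
    if alg != ALG_HMAC_SHA1:
        return False, "BADKEY: unsupported algorithm %s" % alg
    time_signed = int.from_bytes(rdata[off:off + 6], "big")
    fudge, maclen = struct.unpack("!HH", rdata[off + 6:off + 10])
    mac = rdata[off + 10:off + 10 + maclen]
    # The digest covers the message with the TSIG RR removed and ARCOUNT decremented.
    arcount = struct.unpack("!H", msg[10:12])[0] - 1
    unsigned = msg[:10] + struct.pack("!H", arcount) + msg[12:start]
    expected = tsig_mac(unsigned, keyname, keys[keyname], time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC does not match"
    return True, "verified with key %s" % keyname

if __name__ == "__main__":
    SECRET = "xAQ6MiBa7ltvOyGKxgMTcw=="             # the ns1-ns2 secret from the post
    query = build_query(0x66AF, "bar.com", 6)        # SOA bar.com; time_signed below is constructed
    signed = sign_message(query, "ns1-ns2", SECRET, time_signed=1700000000)
    print(verify_message(signed, {"ns1-ns2": SECRET}))
    print(verify_message(query, {"ns1-ns2": SECRET}))
```

The point the tshark output hides is that the MAC binds the whole request, so the master can tell three failure cases apart: no TSIG at all (rejected by allow-transfer), a key name it does not know (BADKEY), and a known key with a wrong secret or a modified message (BADSIG). The same reason named refuses the unkeyed dig axfr in the next section is visible in the verify_message branches.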

[ simulate AXFR, IXFR with dig ]

- without TSIG

AXFR
# dig @10.0.3.20 foo.com axfr

IXFR ( ixfr=<serial number> )
# dig @10.0.3.20 foo.com ixfr=10

- with TSIG

AXFR
# dig @10.0.3.20 -y hmac-sha1:ns1-ns2:xAQ6MiBa7ltvOyGKxgMTcw== bar.com axfr

IXFR
# dig @10.0.3.20 -y hmac-sha1:ns1-ns2:xAQ6MiBa7ltvOyGKxgMTcw== bar.com ixfr=10
