Create a key:
dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key
(Note: Use something better than hmac-md5 if your BIND version
supports it.) This creates two files, with similar names. Extract the
secret from either of them (it is the same in both) and create a key
statement:
key "slave1.key" {
    algorithm hmac-md5;
    secret "put here the secret from the file";
};
Put this statement into named.conf on both the master server and one
of your slaves. Then, put this into the master server's named.conf:
server 192.0.2.1 { // use the actual IP address of the slave here
    keys { slave1.key; };
};
On the slave:
server 192.0.2.2 { // this should be the IP address of the master
    keys { slave1.key; };
};
This will then secure all communication (except forwarded updates)
between master and slave1. That includes notifies, SOA queries and
responses, and zone transfers.
Repeat the above for each slave. Use a different key for each slave.
This means the master will have 5 keys defined (plus an RNDC key,
hopefully), and 5 server statements. You may also want to create
additional keys (and additional server statements) for use between
slaves, just in case you ever need to promote one.
Next, create yet another key for dynamic updates. Put that key's name
into your allow-update statement. Turn on update-forwarding on the
slaves, like this (in each slave zone):
allow-update-forwarding { any; };
Since the master will only permit signed updates, and since the slaves
will forward signed updates unmodified (signatures intact), you do not
need to secure this ACL.
Chris Buxton
Professional Services
Men & Mice
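The procedure above carried through for the five-slave setup in the question, added here as an example and not part of the original post: it generates one random TSIG secret per slave plus one for dynamic updates (the same kind of base64 value dnssec-keygen writes, produced directly with Python's secrets module instead of calling the tool), emits the key and server statements for the master and for each slave, and checks that no slave's named.conf fragment carries any other host's secret. The key names, the update key and the 192.0.2.x addresses are assumptions.

```python
import base64
import re
import secrets

# Constructed topology: one master, five slaves (RFC 5737 documentation
# addresses). Key names and addresses are assumptions, not from the post.
MASTER_IP = "192.0.2.2"
SLAVES = {"slave1.key": "192.0.2.1", "slave2.key": "192.0.2.3",
          "slave3.key": "192.0.2.4", "slave4.key": "192.0.2.5",
          "slave5.key": "192.0.2.6"}
UPDATE_KEY = "update.key"
SECRET_RE = re.compile(r'secret "([^"]+)"')

def new_tsig_secret(nbytes=32):
    """Fresh random secret, base64 as BIND expects it; 32 bytes suits
    hmac-sha256 (what 'dnssec-keygen -b 256' would put in the .private file)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def key_statement(name, secret, algorithm="hmac-sha256"):
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def server_statement(ip, key_name):
    # Signs everything exchanged with this peer: NOTIFY, SOA queries, AXFR/IXFR.
    return f"server {ip} {{\n\tkeys {{ {key_name}; }};\n}};\n"

def build_configs(master_ip=MASTER_IP, slaves=SLAVES, update_key=UPDATE_KEY):
    """Return {'master': fragment, <slave key name>: fragment}. The master
    holds every key; each slave holds only its own."""
    slave_secrets = {name: new_tsig_secret() for name in slaves}
    master = [key_statement(update_key, new_tsig_secret()),
              f"// in each master zone: allow-update {{ key {update_key}; }};\n"]
    configs = {}
    for name, ip in slaves.items():
        master.append(key_statement(name, slave_secrets[name])
                      + server_statement(ip, name))
        configs[name] = (key_statement(name, slave_secrets[name])
                         + server_statement(master_ip, name)
                         + "// in each slave zone: allow-update-forwarding { any; };\n")
    configs["master"] = "".join(master)
    return configs

def secrets_in(fragment):
    return set(SECRET_RE.findall(fragment))

def no_secret_leak(configs):
    """True if every slave fragment carries exactly one secret, and it is one
    of the master's (its own), so one compromised slave exposes no other key."""
    master_secrets = secrets_in(configs["master"])
    return all(len(secrets_in(f)) == 1 and secrets_in(f) <= master_secrets
               for name, f in configs.items() if name != "master")
```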
On Feb 4, 2009, at 2:23 PM, Michelle Konzack wrote:
Hello,
since the French authorities (the current government has shut down my network in Paris) I am installing my system on some root servers at different ISPs all over the world...
So while reading the bind9 manual, it is not clear to me HOW to create the TSIG and use it, because I will install bind9 as master on one of my root servers and then let the 5 slaves update from it.
But I have the need for dynamically updating the zones.
So, what must I do to use TSIG?
(as from the manual, "allow-update" with IP addresses is suicide)
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Debian GNU/Linux Consultant
<http://www.tamay-dogan.net/> <http://www.can4linux.org/>
Michelle Konzack, Apt. 917, 50, rue de Soultz, 67100 Strasbourg/France
+49/177/9351947, +33/6/61925193
ICQ #328449886, MSN LinuxMichi, IRC #Debian (irc.icq.com)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users