Apricot 2003 Friday Notes
Notifies were explained on the blackboard.
There are situations where you want to add also-notify in your named.conf zone statements. This is for instance if you run a hidden master configuration. More information can be found in the bind documentation.
We added logging to the named.conf of the authoritative server by including:
logging {
// define the channel first, then point the transfer categories at it
channel xfer-log {
file "zone-transfer.log" size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
};
This was added to the named.conf files of both the master and the slave. The result is that a zone-transfer log is created containing lines like:
Feb 21 09:50:42.416 xfer-out: info: client 192.168.115.2#49154: transfer of 'overdue.bill/IN': AXFR started
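As an added example (not part of the workshop notes), a small Python checker that parses lines in the format produced by the logging channel above and flags outbound transfers from addresses that are not the expected slave, or that were not signed with a key. The optional `/key <name>` suffix it accepts is an assumption about how newer BIND releases log TSIG-signed transfers; the sample log is constructed from the page's line plus two invented ones.

```python
import re
from ipaddress import ip_address, ip_network

# Matches xfer-in/xfer-out lines as written by a channel with print-time,
# print-category and print-severity enabled (the logging block above).
XFER_RE = re.compile(
    r"^(?P<time>\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"(?P<category>xfer-(?:in|out)): (?P<severity>\w+): "
    r"client (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>[^:\s]+))?: "   # assumption: newer BIND logs the TSIG key name here
    r"transfer of '(?P<zone>[^/']+)/(?P<class>\w+)': (?P<msg>.*)$"
)

# Constructed sample: the page's real line, a signed transfer, and a stranger.
SAMPLE_LOG = """\
Feb 21 09:50:42.416 xfer-out: info: client 192.168.115.2#49154: transfer of 'overdue.bill/IN': AXFR started
Feb 21 09:51:03.002 xfer-out: info: client 192.168.115.2#49160/key ns1-ns2.overdue.bill: transfer of 'overdue.bill/IN': AXFR ended
Feb 21 10:02:17.871 xfer-out: info: client 192.168.77.9#33001: transfer of 'overdue.bill/IN': AXFR started
"""


def parse_xfer_line(line):
    """Return the fields of one xfer-log line as a dict, or None if it does not match."""
    m = XFER_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_transfers(log_text, allowed_slaves, require_key=False):
    """Return (time, addr, zone, key, msg) for every outbound transfer whose client
    is outside allowed_slaves or, with require_key, carried no TSIG key name."""
    nets = [ip_network(n) for n in allowed_slaves]
    hits = []
    for line in log_text.splitlines():
        rec = parse_xfer_line(line)
        if rec is None or rec["category"] != "xfer-out":
            continue
        allowed = any(ip_address(rec["addr"]) in n for n in nets)
        if not allowed or (require_key and rec["key"] is None):
            hits.append((rec["time"], rec["addr"], rec["zone"], rec["key"], rec["msg"]))
    return hits


if __name__ == "__main__":
    # The only legitimate slave in the lab is 192.168.115.2.
    for hit in find_unexpected_transfers(SAMPLE_LOG, ["192.168.115.2/32"]):
        print("unexpected transfer:", hit)
```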
To secure a zone transfer we can use shared secrets to authenticate the communication between master and slave. Details about this can be found in the BIND documentation. To create a key you type:
dnssec-keygen -a hmac-md5 -b 128 -n host olaf-joe.overdue.bill.
Kolaf-joe.overdue.bill.+157+00653.key
Kolaf-joe.overdue.bill.+157+00653.private
The content of the two files is essentially the same:
cat Kolaf-joe.overdue.bill.+157+00653.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: Bs/pmEO6mFoYIXn4pAb6Ug==
cat Kolaf-joe.overdue.bill.+157+00653.key
olaf-joe.overdue.bill. IN KEY 512 3 157 Bs/pmEO6mFoYIXn4pAb6Ug==
Note that both files contain the same key, and both should be kept secret.
To use this key for your zone transfers, add it to both the master and the slave configuration file:
key "ns1-ns2.overdue.bill." {
algorithm hmac-md5;
secret "Bs/pmEO6mFoYIXn4pAb6Ug==";
};
The master server needs to know that when it talks to a certain slave it must use a specific key. Therefore you will need to use the server directive:
// Note the IP address is the IP address of the slave server
server 192.168.115.2 {
keys { ns1-ns2.overdue.bill.; };
};
At the slave you will also need to do this:
server 192.168.115.1 {
keys { ns1-ns2.overdue.bill.; };
};
Use the allow-transfer statement to restrict zone transfers. If you want to prevent anyone from transferring the zone from the slave, you use
allow-transfer { none; };
If you want to allow zone transfers from your master to your slave, the best way is to restrict transfers to the holders of the key:
allow-transfer { ns1-ns2.overdue.bill.; };
If you want to test this you can use dig with the -y flag. The -y flag takes <key-name>:<key> as arguments.
dig @192.168.115.1 overdue.bill axfr -y ns1-ns2.overdue.bill.:Bs/pmEO6mFoYIXn4pAb6Ug==
should provide you a transfer while
dig @192.168.115.1 overdue.bill axfr
should not.
To build a tree in our lab environment we first have to create a caching resolver that looks at the root server in our lab. Every participant configures such a server on their 192.168.XX.3 address. The root hints file contains the NS RRs for the lab root, which has only one RR, a.root-servers.bill, and its associated glue:
;;; Workshop Root Server. ;;; Do never use on a production machine !!!!!
. 3600 IN NS a.root-servers.bill.
a.root-servers.bill. 3600 IN A 192.168.54.1
The configuration of the server is really trivial; you did this on day one.
options {
directory "/Users/edlewis/DNS/apricot2003/recursive2";
pid-file "/Users/edlewis/DNS/apricot2003/recursive2/ns.pid";
recursion yes;
};
zone "." {
type hint;
file "db.cache";
};
See the complete setup in the dump of the directory.
Rev