Secure DNS update for HP-UX, Linux, and Solaris

By default, when the TSIGKeyFile attribute is not set, the DNS agent expects the IP addresses of the hosts that may dynamically update the DNS records to be listed in the zone's allow-update substatement. Because IP addresses are easily spoofed, a more secure alternative is TSIG (Transaction Signature), as specified in RFC 2845. TSIG is a shared-key message authentication mechanism for DNS: a TSIG key lets a resolver and either one or two servers authenticate and verify the validity of the DNS data they exchange, using a shared secret key.
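The following added example (not part of the original document or of the DNS agent) shows concretely what a TSIG signature covers and why a spoofed source address is not enough to forge an update. It builds a minimal DNS UPDATE message in wire format, computes the RFC 2845 HMAC-MD5 MAC over the message plus the TSIG variables, and performs the server-side check with a constant-time comparison and the fudge time window. The key name and secret are the sample values from this page; the record contents and the helper names are constructed for the example.

```python
"""RFC 2845 TSIG signing and verification with HMAC-MD5 (added example).

Builds an unsigned DNS UPDATE message, signs it as a TSIG-capable client
would, and shows the check a server performs before accepting the update.
The key name/secret are the page's sample values; records are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

# Algorithm name registered for HMAC-MD5 TSIG (RFC 2845 section 6).
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."

# Sample key as used on this page (constructed example values, not a real key).
KEY_NAME = "veritas.com."
KEY_SECRET_B64 = "+Cdjlkef9ZTSeixERZ433Q=="


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update_message(zone: str, host: str, ipv4: str, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS UPDATE (opcode 5) that adds one A record for host in zone."""
    # Header: ID, flags (QR=0, OPCODE=5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = wire_name(host) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + zone_section + update_rr


def tsig_variables(key_name: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """TSIG variables digested after the message (RFC 2845 section 3.4.2)."""
    return (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)            # CLASS ANY, TTL 0
        + wire_name(HMAC_MD5_ALG)
        + time_signed.to_bytes(6, "big")        # 48-bit time signed
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def tsig_sign(message: bytes, key_name: str, secret_b64: str,
              time_signed: int, fudge: int = 300) -> bytes:
    """MAC over the unsigned message followed by the TSIG variables.

    The real packet then appends a TSIG RR carrying this MAC and increments
    ARCOUNT; that RR is not part of the digested data and is omitted here.
    """
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()


def tsig_verify(message: bytes, key_name: str, secret_b64: str, time_signed: int,
                mac: bytes, fudge: int = 300, now: int = None) -> bool:
    """Server-side check: time window first, then a constant-time MAC compare."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False  # stale or replayed request outside the fudge window
    expected = tsig_sign(message, key_name, secret_b64, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    msg = build_update_message("veritas.com.", "www.veritas.com.", "192.0.2.10")
    t = int(time.time())
    mac = tsig_sign(msg, KEY_NAME, KEY_SECRET_B64, t)
    print("MAC:", mac.hex(), "valid:", tsig_verify(msg, KEY_NAME, KEY_SECRET_B64, t, mac))
```

The server never consults the packet's source address: whoever does not hold the base64 secret cannot produce a MAC that verifies, and a captured signed update cannot be replayed once the signed time falls outside the fudge window. That is the property the allow-update { key ...; } configuration on this page relies on.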

Setting up secure updates using TSIG keys on HP-UX

In the following example, the domain is veritas.com.

To use secure updates using TSIG keys

  1. Run the dnskeygen command with the HMAC-MD5 (-H) option to generate a pair of files that contain the TSIG key:

    # dnskeygen -H 128 -h -n veritas.com.

    The command creates these two files:

    Kveritas.com.+157+00000.key
    Kveritas.com.+157+00000.private

  2. Open either file. The contents of the file should look similar to:

    veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q==

  3. Copy the shared secret (the TSIG key), which should look similar to:

    +Cdjlkef9ZTSeixERZ433Q==

  4. Configure the DNS server to allow only TSIG-signed updates that use the generated key.

    Open the named.conf file and add these lines:

    key veritas.com. {
        algorithm hmac-md5;
        secret "+Cdjlkef9ZTSeixERZ433Q==";
    };

    where +Cdjlkef9ZTSeixERZ433Q== is the shared secret copied in step 3.

  5. In the named.conf file, edit the appropriate zone section and add the allow-update substatement so that it references the key rather than a list of IP addresses:

    allow-update { key veritas.com.; };

  6. Save and restart the named process.
  7. Place the files containing the keys on each node listed in your group's SystemList. The DNS agent uses this key to update the name server.

    Copy both the private and public key files onto the node. A good location is the /var/tsig/ directory.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.

    DNS www (
        Domain = "veritas.com"
        Alias = www
        Hostname = north
        TSIGKeyFile = "/var/tsig/Kveritas.com.+157+00000.private"
    )

Setting up secure updates using TSIG keys on Linux

In the following example, the domain is veritas.com.

To use secure updates using TSIG keys

  1. Run the dnssec-keygen command with the HMAC-MD5 algorithm (-a HMAC-MD5) to generate a pair of files that contain the TSIG key. The command prints the base name of the generated files:

    # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST veritas.com.
    Kveritas.com.+157+00000

  2. Open the Kveritas.com.+157+00000.key file. When displayed with the cat command, the contents of the file resemble:

    # cat Kveritas.com.+157+00000.key
    veritas.com. IN KEY 512 3 157 +Cdjlkef9ZTSeixERZ433Q==

  3. Copy the shared secret (the TSIG key), which looks like:

    +Cdjlkef9ZTSeixERZ433Q==

  4. Configure the DNS server to allow only TSIG-signed updates that use the generated key. Open the named.conf file and add these lines:

    key veritas.com. {
        algorithm hmac-md5;
        secret "+Cdjlkef9ZTSeixERZ433Q==";
    };

    where +Cdjlkef9ZTSeixERZ433Q== is the shared secret copied in step 3.

  5. In the named.conf file, edit the appropriate zone section and add the allow-update substatement so that it references the key rather than a list of IP addresses:

    allow-update { key veritas.com.; };

  6. Save and restart the named process.
  7. Place the files containing the keys on each node listed in your group's SystemList. The DNS agent uses this key to update the name server.

    Copy both the private and public key files onto the node. A good location is the /var/tsig/ directory.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.

    DNS www (
        Domain = "veritas.com"
        Alias = www
        Hostname = north
        TSIGKeyFile = "/var/tsig/Kveritas.com.+157+00000.private"
    )

Setting up secure updates using TSIG keys on Solaris

In the following example, the domain is veritas.com.

To use secure updates using TSIG keys

  1. Run the dnskeygen command with the HMAC-MD5 (-H) option to generate a pair of files that contain the TSIG key:

    # dnskeygen -H 128 -h -n veritas.com.

    The command creates these two files:

    Kveritas.com.+157+00000.key
    Kveritas.com.+157+00000.private

  2. Open either file. The contents of the file should look similar to:

    veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q==

  3. Copy the shared secret (the TSIG key), which looks like:

    +Cdjlkef9ZTSeixERZ433Q==

  4. Configure the DNS server to allow only TSIG-signed updates that use the generated key. Open the named.conf file and add these lines:

    key veritas.com. {
        algorithm hmac-md5;
        secret "+Cdjlkef9ZTSeixERZ433Q==";
    };

    where +Cdjlkef9ZTSeixERZ433Q== is the shared secret copied in step 3.

  5. In the named.conf file, edit the appropriate zone section and add the allow-update substatement so that it references the key rather than a list of IP addresses:

    allow-update { key veritas.com.; };

  6. Save and restart the named process.
  7. Place the files containing the keys on each node listed in your group's SystemList. The DNS agent uses this key to update the name server.

    Copy both the private and public key files onto the node. A good location is the /var/tsig/ directory.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.

    DNS www (
        Domain = "veritas.com"
        Alias = www
        Hostname = north
        TSIGKeyFile = "/var/tsig/Kveritas.com.+157+00000.private"
    )
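The three procedures above (HP-UX, Linux and Solaris) all end with the same steps: the secret is copied out of the generated key pair into a named.conf key stanza, and the private key file is placed on every node in the SystemList. The following added example (this page's own code, not the DNS agent's) automates the checks an administrator would want before doing that: it parses both the .key and .private files, confirms that they carry the same 128-bit HMAC-MD5 secret, renders the key stanza and allow-update line exactly as the procedures show them, and verifies that the private file on a node is readable by its owner only. The file contents embedded below are constructed to match the page's sample values; the Private-key-format layout is the one dnssec-keygen writes for HMAC keys, and the helper names are this example's own.

```python
"""Check a generated TSIG key pair and render its named.conf fragment (added example).

The constructed .key/.private contents mirror the page's sample output.
Helper names are this example's own; they are not DNS agent APIs.
"""
import base64
import os
import stat
import tempfile

HMAC_MD5_ALGORITHM_NUMBER = 157   # algorithm field used in both key files

# Constructed file contents matching the page's sample key (not a real secret).
KEY_FILE = "veritas.com. IN KEY 512 3 157 +Cdjlkef9ZTSeixERZ433Q==\n"
PRIVATE_FILE = (
    "Private-key-format: v1.2\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    "Key: +Cdjlkef9ZTSeixERZ433Q==\n"
)


def parse_key_file(text: str):
    """'<name> IN KEY <flags> <proto> <alg> <base64>' -> (name, alg, secret)."""
    fields = text.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a KEY record")
    return fields[0], int(fields[5]), fields[6]


def parse_private_file(text: str):
    """Private-key-format file -> (alg, secret)."""
    values = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            values[key.strip()] = value.strip()
    algorithm = int(values["Algorithm"].split()[0])
    return algorithm, values["Key"]


def validate_secret(secret_b64: str, expected_bits: int = 128) -> bytes:
    """Reject secrets that are not valid base64 of the requested key size."""
    raw = base64.b64decode(secret_b64, validate=True)
    if len(raw) * 8 != expected_bits:
        raise ValueError(f"expected a {expected_bits}-bit key, got {len(raw) * 8} bits")
    return raw


def check_key_pair(key_text: str, private_text: str):
    """Cross-check both files; return (key name, shared secret) on success."""
    name, alg_pub, secret_pub = parse_key_file(key_text)
    alg_priv, secret_priv = parse_private_file(private_text)
    if alg_pub != alg_priv or alg_pub != HMAC_MD5_ALGORITHM_NUMBER:
        raise ValueError("algorithm mismatch or not HMAC-MD5")
    if secret_pub != secret_priv:
        raise ValueError(".key and .private files carry different secrets")
    validate_secret(secret_pub)
    return name, secret_pub


def render_named_conf(key_name: str, secret_b64: str) -> str:
    """The key stanza plus the zone substatement from steps 4 and 5."""
    return (
        f"key {key_name} {{\n"
        f"    algorithm hmac-md5;\n"
        f'    secret "{secret_b64}";\n'
        f"}};\n"
        f"allow-update {{ key {key_name}; }};\n"
    )


def private_file_is_owner_only(path: str) -> bool:
    """True when no group/other permission bit is set on the private key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    """Write the constructed pair to a temp dir and run every check once."""
    name, secret = check_key_pair(KEY_FILE, PRIVATE_FILE)
    with tempfile.TemporaryDirectory() as workdir:
        private_path = os.path.join(workdir, "Kveritas.com.+157+00000.private")
        with open(private_path, "w") as fh:
            fh.write(PRIVATE_FILE)
        os.chmod(private_path, 0o644)            # a careless copy: world-readable
        before = private_file_is_owner_only(private_path)
        os.chmod(private_path, 0o600)            # the mode the file should have
        after = private_file_is_owner_only(private_path)
    return {"name": name, "secret": secret, "world_readable_ok": before,
            "owner_only_ok": after, "named_conf": render_named_conf(name, secret)}


if __name__ == "__main__":
    result = demo()
    print(result["named_conf"])
    print("private file owner-only after chmod 600:", result["owner_only_ok"])
```

Run the script on each node after copying the files into /var/tsig/: a False from private_file_is_owner_only means any local user could read the secret and sign updates as the agent, which defeats the point of moving away from address-based allow-update. The secret check also catches the common copy-and-paste error of an incomplete base64 string in named.conf.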