
Secure DNS update

By default, when the TSIGKeyFile attribute is not set, the DNS agent relies on the name server's allow-update substatement for the zone to list the IP addresses of the hosts that may update records dynamically. Because the source IP address of a UDP update can easily be spoofed, a more secure alternative is TSIG (Transaction Signature), specified in RFC 2845. TSIG is a shared-key message authentication mechanism for DNS: the sender appends an HMAC computed over the message with a secret that it shares with the name server, and the server accepts the update only if it can recompute the same HMAC. This proves both that the request came from a holder of the key and that it was not altered in transit. Note that the secret sits in plaintext in a file on each client and in named.conf on the server, so those files must be readable only by the accounts that need them.

Setting up secure updates using TSIG keys

In the following example, the domain is veritas.com.

 To use secure updates using TSIG keys

  1. Run the dnssec-keygen command with the HMAC-MD5 algorithm (-a HMAC-MD5) and a 128-bit key size (-b 128) to generate a pair of files that contain the TSIG key. In the file names, 157 is the algorithm number of HMAC-MD5 and the last field is the key ID:

    # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST veritas.com.

    Kveritas.com.+157+00000.key

    Kveritas.com.+157+00000.private

  2. Open the .key file. It contains a single KEY record whose last field is the shared secret; the .private file holds the same secret on its Key: line. The .key file should look similar to:

      veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q==

  3. Copy the shared secret (the TSIG key), which should look similar to:

      +Cdjlkef9ZTSeixERZ433Q==

  4. Configure the DNS server to only allow TSIG updates using the generated key.

    Open the named.conf file and add these lines.

      key veritas.com. {

      algorithm hmac-md5;

      secret "+Cdjlkef9ZTSeixERZ433Q==";

      };

    Where +Cdjlkef9ZTSeixERZ433Q== is the key.

  5. In the named.conf file, edit the appropriate zone section and add the allow-update substatement so that it references the key instead of a list of IP addresses:

    allow-update { key veritas.com. ; } ;

  6. Save the file and restart the named process (or reload its configuration with rndc reconfig).
  7. Place the key files on each of the nodes listed in the service group's SystemList. The DNS agent reads the private key file to sign its updates to the name server.

    Copy both the private and public key files to the same path on every node; a good location is the /var/tsig/ directory. Anyone who can read the secret can forge updates, so make the directory and the files readable only by the user the agent runs as (normally root), and protect the copy of the secret in named.conf on the server the same way.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.

    DNS www (

    Domain = "veritas.com"

    Alias = www

    Hostname = north

    TSIGKeyFile = "/var/tsig/Kveritas.com.+157+00000.private"

    )
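The following script is an added example and is not part of the Veritas documentation or the DNS agent. Given the key files that dnssec-keygen produced in step 1, it extracts the shared secret from either file, renders the named.conf key statement and allow-update substatement of steps 4 and 5, stages the files for the agent with owner-only permissions as step 7 requires, and, when nsupdate and a reachable server are available, checks that the server now refuses an unsigned update and accepts the same update signed with the key. The sample key contents are constructed from the page; the server name, zone and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Veritas/Symantec page): prepare and verify a
# TSIG-protected dynamic-update setup from the dnssec-keygen output.

# Pull the shared secret out of either file dnssec-keygen produced.
# The .key file is a KEY RR whose last field is the secret; the .private file
# carries the same secret on its "Key:" line.
extract_secret() {
  awk '/^Key:/ { print $2; exit }  $3 == "KEY" { print $NF; exit }' "$1"
}

# Decoded length in bytes of a base64 secret (no base64 tool needed):
# 4 characters encode 3 bytes, and each trailing "=" removes one byte.
# A key generated with -b 128 must come out as 16 bytes.
secret_bytes() {
  s=$1
  pad=0
  case $s in *==) pad=2 ;; *=) pad=1 ;; esac
  echo $(( ${#s} * 3 / 4 - pad ))
}

# The "key" statement for named.conf (step 4).
render_key_stanza() {    # args: key name, algorithm, secret
  printf 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# The allow-update substatement for the zone (step 5).
render_allow_update() {  # arg: key name
  printf 'allow-update { key %s; };\n' "$1"
}

# Copy the key files to the directory the TSIGKeyFile attribute points at
# (step 7). Anyone who can read them can forge updates, so the directory and
# files are made accessible to the owner only.
stage_key_files() {      # args: destination dir, key files...
  dest=$1; shift
  mkdir -p "$dest" && chmod 0700 "$dest" || return 1
  for f in "$@"; do
    cp "$f" "$dest/" && chmod 0600 "$dest/$(basename "$f")" || return 1
  done
}

# Succeeds only if neither the group nor the other read bit is set on the file.
is_private() {
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Live check (needs nsupdate and a reachable server; skipped otherwise): an
# unsigned update must be refused, the same update signed with the key must succeed.
verify_tsig() {          # args: server, zone, private key file
  command -v nsupdate >/dev/null || { echo "nsupdate not installed, skipping"; return 0; }
  req="server $1
zone $2
update add tsigtest.$2 60 TXT \"tsig check\"
send
"
  if printf '%s' "$req" | nsupdate >/dev/null 2>&1; then
    echo "FAIL: server accepted an unsigned update"; return 1
  fi
  printf '%s' "$req" | nsupdate -k "$3" || { echo "FAIL: signed update rejected"; return 1; }
  echo "OK: unsigned update refused, signed update accepted"
}

# Constructed sample input: the .key file from step 2 as shown on the page.
SAMPLE_KEY='veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q=='

demo() {
  tmp=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_KEY" > "$tmp/Kveritas.com.+157+00000.key"
  secret=$(extract_secret "$tmp/Kveritas.com.+157+00000.key")
  echo "secret is $(secret_bytes "$secret") bytes"
  render_key_stanza veritas.com. hmac-md5 "$secret"
  render_allow_update veritas.com.
  # Stage into a scratch directory here; on a real node use /var/tsig.
  stage_key_files "$tmp/tsig" "$tmp/Kveritas.com.+157+00000.key" || return 1
  is_private "$tmp/tsig/Kveritas.com.+157+00000.key" && echo "key file is owner-only"
  # Hypothetical server name; uncomment on a node that can reach it:
  # verify_tsig ns1.veritas.com veritas.com /var/tsig/Kveritas.com.+157+00000.private
  rm -rf "$tmp"
}
demo
```

The secret is read from the file rather than pasted by hand, which avoids the classic copy error of a truncated base64 string that only shows up as a BADKEY response from the server. Note that nsupdate -k takes the same .private file that the TSIGKeyFile attribute points at, so the live check exercises exactly the file the agent will use.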