Setting up secure updates using TSIG keys for BIND 9 for DNS agent

In the following example, the domain is example.com.

To use secure updates using TSIG keys, perform the following steps at the DNS server:

  1. Run the dnssec-keygen command with the HMAC-MD5 option to generate a pair of files that contain the TSIG key:
    # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.

    HMAC-MD5 is shown here because it is what the agent was documented against, but it is deprecated; on a current BIND 9 use -a HMAC-SHA256 (and algorithm hmac-sha256 in named.conf), and note that recent BIND 9 releases generate TSIG keys with tsig-keygen rather than dnssec-keygen. The 157 in the generated file names is the algorithm number (163 for HMAC-SHA256), and the 00000 shown in the following steps stands for the key tag, which differs for every key you generate.
    
  2. Open the example.com.+157+00000.key file. When you display it with the cat command, the contents resemble:
    # cat example.com.+157+00000.key
        example.com. IN KEY 512 3 157 +Cdjlkef9ZTSeixERZ433Q==
  3. Copy the shared secret (the TSIG key), which looks like:
    +Cdjlkef9ZTSeixERZ433Q==
    
  4. Configure the DNS server so that it accepts dynamic updates only when they are signed with the generated key. Open the named.conf file and add these lines:
    key example.com. {
        algorithm hmac-md5;
        secret "+Cdjlkef9ZTSeixERZ433Q==";
    };

    Where +Cdjlkef9ZTSeixERZ433Q== is the key. Because named.conf now holds the shared secret, make sure it is not world-readable (or put the key statement in a separate file with restricted permissions and include it).

  5. In the named.conf file, edit the zone section for example.com and add the allow-update sub-statement so that it references the key:
    allow-update { key example.com.; };
    
  6. Save and restart the named process.
  7. Place the files containing the keys on each of the nodes that are listed in your group's SystemList. The DNS agent uses this key to sign its updates to the name server.

    Copy both the private and public key files on to each node. A good location is the /var/tsig/ directory. The .private file contains the shared secret, so make the directory and files owned by root and readable only by root (for example, mode 0600 on the files); anyone who can read the secret can forge updates to the zone.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.
    DNS www (
        Domain = "example.com"
        ResRecord = { www = north }
        TSIGKeyFile = "/var/tsig/example.com.+157+00000.private"
        )
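The checks in steps 2 through 4 and 7 are easy to get wrong by hand: a secret pasted into named.conf that does not match the .private file the agent reads, a key that is shorter than intended, or a .private file left world-readable on a cluster node. The following script is an added example and is not part of the DNS agent or of BIND. It parses a dnssec-keygen .key file (the KEY record) and .private file (the Algorithm: and Key: lines), confirms that both carry the same secret and algorithm, decodes the secret to verify its bit length, flags group/world-readable .private files and deprecated HMAC algorithms, and renders the named.conf key statement and allow-update line. The algorithm-number table, the deprecation list and the file contents it writes are the example's own, constructed to mirror the example.com key on this page.

```python
"""Validate a dnssec-keygen TSIG key pair and render its named.conf stanza.

Added example, not part of the DNS agent or BIND. The file contents written
by write_demo_keypair() are constructed to match the example.com key on
this page; they are not real keygen output.
"""
import base64
import os
import stat
import tempfile

# Algorithm numbers dnssec-keygen puts in the file name and KEY record,
# mapped to the algorithm names named.conf expects (example's own table).
TSIG_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}
DEPRECATED = {157, 161}  # MD5 and SHA-1 HMACs: do not use for new keys


def parse_key_file(path):
    """Return (owner name, algorithm number, secret) from a .key file."""
    with open(path) as fh:
        for line in fh:
            fields = line.split(";", 1)[0].split()  # drop comments
            if len(fields) >= 7 and fields[1:3] == ["IN", "KEY"]:
                return fields[0], int(fields[5]), "".join(fields[6:])
    raise ValueError(f"no KEY record found in {path}")


def parse_private_file(path):
    """Return (algorithm number, secret) from a .private file."""
    alg = secret = None
    with open(path) as fh:
        for line in fh:
            if ":" not in line:
                continue
            field, value = (part.strip() for part in line.split(":", 1))
            if field == "Algorithm":
                alg = int(value.split()[0])  # "157 (HMAC_MD5)" -> 157
            elif field == "Key":
                secret = value
    if alg is None or secret is None:
        raise ValueError(f"missing Algorithm or Key line in {path}")
    return alg, secret


def check_keypair(key_path, private_path, expected_bits=128):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = []
    _, key_alg, key_secret = parse_key_file(key_path)
    priv_alg, priv_secret = parse_private_file(private_path)
    if key_secret != priv_secret:
        problems.append("secret in .key does not match .private")
    if key_alg != priv_alg:
        problems.append(f"algorithm {key_alg} in .key but {priv_alg} in .private")
    if priv_alg not in TSIG_ALGORITHMS:
        problems.append(f"algorithm {priv_alg} is not a TSIG HMAC algorithm")
    elif priv_alg in DEPRECATED:
        problems.append(f"{TSIG_ALGORITHMS[priv_alg]} is deprecated; use hmac-sha256")
    try:
        raw = base64.b64decode(priv_secret, validate=True)
    except ValueError:
        problems.append("secret is not valid base64")
    else:
        if len(raw) * 8 != expected_bits:
            problems.append(f"secret is {len(raw) * 8} bits, expected {expected_bits}")
    # The .private file holds the shared secret: only its owner may read it.
    mode = stat.S_IMODE(os.stat(private_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{private_path} is mode {mode:04o}; must not be group/world readable")
    return problems


def named_key_stanza(key_path):
    """Render the key {} block and allow-update line for named.conf."""
    name, alg, secret = parse_key_file(key_path)
    return (
        f"key {name} {{\n"
        f"    algorithm {TSIG_ALGORITHMS[alg]};\n"
        f'    secret "{secret}";\n'
        "};\n"
        f"allow-update {{ key {name}; }};\n"
    )


# Constructed contents mirroring the page's example key (not real keygen output).
DEMO_KEY = "example.com. IN KEY 512 3 157 +Cdjlkef9ZTSeixERZ433Q==\n"
DEMO_PRIVATE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    "Key: +Cdjlkef9ZTSeixERZ433Q==\n"
    "Bits: AAA=\n"
)


def write_demo_keypair(directory, private_mode=0o600):
    """Write the constructed pair into directory; return (key, private) paths."""
    base = os.path.join(directory, "example.com.+157+00000")
    with open(base + ".key", "w") as fh:
        fh.write(DEMO_KEY)
    with open(base + ".private", "w") as fh:
        fh.write(DEMO_PRIVATE)
    os.chmod(base + ".private", private_mode)
    return base + ".key", base + ".private"


def demo_check(private_mode):
    """Check the constructed pair with the given .private mode."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path, priv_path = write_demo_keypair(tmp, private_mode)
        return check_keypair(key_path, priv_path), named_key_stanza(key_path)


if __name__ == "__main__":
    problems, stanza = demo_check(private_mode=0o644)  # deliberately too open
    for problem in problems:
        print("WARN:", problem)
    print(stanza)
```

Run it against a real pair with check_keypair("/var/tsig/example.com.+157+00000.key", "/var/tsig/example.com.+157+00000.private") on each node in the SystemList before pointing TSIGKeyFile at the file; the same named_key_stanza output is what belongs in named.conf on the server, so the two sides cannot drift apart.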