Registering Primary and TSIG support

Nameservers that you use as primaries need to be registered before they can be used. This allows a drop-down list to be used from the main page, as well as providing other sanity controls.

This system also allows for the provision of TSIG (Transaction SIGnature, RFC 8945) support. TSIG attaches an HMAC to each DNS message, so the secondary can verify that a zone transfer really came from your primary and was not altered in transit; what the secondary publishes is then exactly what the primary sent. TSIG uses a symmetric algorithm (the same secret key on both sides), so it only works where there is a trust relationship between the communicating parties: anyone holding the key can sign as either side.
The original TSIG specification (RFC 2845) made HMAC-MD5 mandatory to implement. That algorithm is no longer considered safe enough, and RFC 8945 has reduced it to optional. The algorithms that can be used here are the 160-bit HMAC-SHA1, 224-bit HMAC-SHA224, HMAC-SHA256 (preferred, and the mandatory-to-implement algorithm under RFC 8945), HMAC-SHA384 and HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5 but may not be present in older DNS software, so confirm that both the primary and the secondary support the one you choose before enabling it.

How to create
How to use

In your nameserver configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so that your secondary can only transfer using a key (explicitly deny unsigned transfers from 192.96.24.69 and 2001:42a0::69) and add the key and server statements after the options section. This forces transfers from that secondary to be signed. Your "allow-transfer" should obviously still include any previously existing "allows". Their order is important, as in firewall rules: BIND uses the first matching element, so the key entry must come before the address denials, and the denials before any broader network that would otherwise match the secondary's address.
    options {
        directory "/etc/bind";          // Where I keep my DNS stuff.
        allow-transfer {
            key ns1-sec.mydom.co.za;    // Explicitly allow TSIG XFers
            !192.96.24.69;              // ..and deny "non TSIG" from my secondary
            !2001:42a0::69;             // ..might not need this line - IPv6 Address
            192.96.24.0/24;             // Others that I allow Xfer from.
            2001:42a0::0/64;
        };
    };

    key ns1-sec.mydom.co.za {           // My Trusted secondaries key
        algorithm hmac-sha256;
        secret "YourSecretProgramGeneratedKey="; // tsig-keygen generated key
    };

    server 192.96.24.69 {               // My TSIG secondary
        keys { ns1-sec.mydom.co.za; };
    };

    server 2001:42a0::69 {              // runs IPv6 as well
        keys { ns1-sec.mydom.co.za; };
    };
Of course, use your own secret and key names. The key name and the secret must be identical on the primary and the secondary, and because the secret sits in named.conf, keep that file (or a separate key file that you include) readable only by the user named runs as. The nameserver sec.dnsstudy.africa has both IPv4 and IPv6 addresses from which it may request a transfer, so there needs to be a trust relationship for both addresses, hence every address it can transfer from must be listed. If you don't use IPv6, you may leave the IPv6 configuration out.
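As an added example (not part of this page or of BIND itself), the shell script below generates a full-strength HMAC-SHA256 secret the way tsig-keygen would, prints the key and server stanzas in the form used above, checks that the local clock is within the TSIG fudge, and wraps the two dig transfers you should run from the secondary once named has been reloaded: the signed one must return the zone and the unsigned one must be refused. The zone name mydom.co.za and the primary address 192.96.24.1 are assumptions; the key name and secondary addresses are the page's own sample values.

```shell
#!/bin/sh
# Added example, not code from the page or from BIND: create a TSIG key,
# emit the named.conf stanzas, and check signed vs unsigned transfers.
# Key name and secondary addresses come from the page; ZONE and PRIMARY are assumed.

KEY_NAME="ns1-sec.mydom.co.za"   # must be identical on primary and secondary
ALGO="hmac-sha256"
ZONE="mydom.co.za"               # assumed zone name
PRIMARY="192.96.24.1"            # assumed primary address

# 32 random bytes, base64 encoded: a full-strength HMAC-SHA256 key.
# "tsig-keygen -a hmac-sha256 $KEY_NAME" produces an equivalent stanza.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# named.conf "key" clause; the same text goes on the primary and the secondary.
key_stanza() {
    # $1 = key name, $2 = algorithm, $3 = base64 secret
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# Primary side: tell named which key a given secondary must sign with.
server_stanza() {
    # $1 = secondary address, $2 = key name
    printf 'server %s {\n    keys { "%s"; };\n};\n' "$1" "$2"
}

# Signed AXFR, run from the secondary: should return the whole zone.
signed_xfr() {
    # $1 = primary, $2 = zone, $3 = algorithm, $4 = key name, $5 = secret
    dig @"$1" -y "$3:$4:$5" "$2" AXFR
}

# Unsigned AXFR from the same host: should be REFUSED by the "!address" ACL entry.
unsigned_xfr() {
    # $1 = primary, $2 = zone
    dig @"$1" "$2" AXFR
}

# TSIG signatures carry a UTC timestamp; the verifier rejects them outside the
# fudge window (300 s by default). Compare the local clock with a trusted epoch.
clock_ok() {
    # $1 = reference epoch seconds (e.g. from an NTP-synced host), $2 = fudge
    now=$(date -u +%s)
    diff=$(( now - $1 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${2:-300}" ]
}

if [ "${1:-}" = "demo" ]; then
    SECRET=$(gen_secret)
    key_stanza "$KEY_NAME" "$ALGO" "$SECRET"
    server_stanza 192.96.24.69 "$KEY_NAME"
    server_stanza 2001:42a0::69 "$KEY_NAME"
    echo "# then: named-checkconf && rndc reload"
    echo "# verify from the secondary with:"
    echo "#   dig @$PRIMARY -y $ALGO:$KEY_NAME:<secret> $ZONE AXFR   (expect the zone)"
    echo "#   dig @$PRIMARY $ZONE AXFR                               (expect REFUSED)"
fi
```

Run it as `sh tsig-setup.sh demo` on the primary, paste the stanzas into named.conf, reload, and then run the two dig commands from the secondary; if the unsigned transfer still succeeds, the `!address` entry is missing or sits after a network entry that matches the secondary. If the signed transfer fails with a time-related error, run clock_ok against a trusted epoch before touching the key material.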
Before enabling TSIG, please make sure your computer's time is synchronised with a time server using SNTP/NTP (or similar): TSIG signatures carry a timestamp, and a signature from a clock that is adrift by more than 5 minutes (the default TSIG fudge of 300 seconds) will be rejected, so the transfer will fail. TSIG always uses UTC (GMT/Zulu) time, so differing time zones are not a problem; only the absolute offset between the two clocks matters.
The admin system will show you the local server time (which is UTC+2) as well as your time. If your time is more than 5 seconds different, you will be informed. If this is the case, it really is a good idea to check that your time is synchronised and that the synchronisation is working correctly, taking into account that you may be in a different time zone. After 12 months (or whatever interval you decide), the key will be shown with a red background, which means it is asking to be renewed. It is a good idea to rotate your keys on a regular basis.