Presentation is loading. Please wait.

Presentation is loading. Please wait.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely."— Presentation transcript:

1 RNDC & TSIG

2 What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely

3 Configuring RNDC "rndc-confgen" generates lines to be added to two files –rndc.conf –named.conf

4 Generating the lines: > rndc-confgen key “rndc-key” { algorith hmac-md5; secret “rXxroiejf8937Bjf_+-532ktj/==“; }; Options { default-key “rndc-key”; default-server 127.0.0.1; default-port 953; #End of rndc.conf # User with the followign in named.conf, adjusting the # allow list as needed # key “rndc-key” { # algorithm hmac-md5; #secret “rXxroiejf8937Bjf_+-532ktj/==“; #}; # controls { #inet 127.0.0.1 port 953 #allow { 127.0.0.1; } keys { “rndc-key” }; #};

5 Using an rndc.conf file /etc/rndc.conf specifies defaults for rndc E.g., key "rndc-key" { algorithm hmac-md5; secret "dY7/uIiR0fKGvi5z50+Q=="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };

6 Enabling RNDC in the server – named.conf key definition key rndc_key { secret "dY7/uIiR0fKGvi5z50+Q=="; algorithm hmac-md5; }; –Warning: example secret looks good but is invalid (don't copy it!) controls statement controls { inet 127.0.0.1 port 953 // for remote host, use allow { 127.0.0.1; } // actual IP keys { "rndc-key"; }; };

7 What can be done with RNDC > rndc stop - kills server > rndc status - prints some information > rndc stats - generates stat file (named.stats) > rndc reload - refresh zone(s), with variations > rndc trace - increases debug level > rndc flush - removes cached data other commands in the ARM

8 What is TSIG - Transaction Signature? A mechanism for protecting a message from a primary to secondary and vice versa A keyed-hash is applied (like a digital signature) so recipient can verify message –DNS question or answer –& the timestamp Based on a shared secret - both sender and receiver are configured with it

9 What is TSIG - Transaction Signature? TSIG (RFC 2845) –authorizing dynamic updates & zone transfers –authentication of caching forwarders Used in server configuration, not in zone file

10 Names and Secrets TSIG name –A name is given to the key, the name is what is transmitted in the message (so receiver knows what key the sender used) TSIG secret value –A value determined during key generation –Usually seen in Base64 encoding

11 Transaction Signature: TSIG TSIG (RFC 2845) –authorizing dynamic updates & zone transfers –authentication of caching forwarders –can be used without deploying other features of DNSSEC One-way hash function over: –DNS question or answer –& the timestamp Signed with “shared secret” key Used in server configuration, not in zone file

12 Names and Secrets 'Looks' like the rndc key –BIND uses same interface for TSIG and RNDC keys

13 Using TSIG to protect AXFR Deriving a secret > dnssec-keygen -a -b -n host e.g. > dnssec-keygen –a HMAC-MD5 –b 128 –n HOST ns1-ns2.pcx.net This will generate the key > Kns1-ns2.pcx.net.+157+15921 >ls  Kns1-ns2.pcx.net.+157+15921.key  Kns1-ns2.pcx.net.+157+15921.private

14 Using TSIG to protect AXFR Configuring the key –in named.conf file, same syntax as for rndc –key { algorithm...; secret...;} Making use of the key –in named.conf file –server x { key...; } –where 'x' is an IP number of the other server

15 Configuration Example – named.conf Primary server 10.33.40.46 key ns1-ns2.pcx. net{ algorithm hmac-md5; secret "APlaceToBe"; }; server 10.33.50.35 { keys {ns1-ns2.pcx.net;}; }; zone "my.zone.test." { type master; file...; allow-transfer { key ns1-ns2..pcx.net ;}; }; Secondary server 10.33.50.35 key ns1-ns2.pcx.net { algorithm hmac-md5; secret "APlaceToBe"; }; server 10.33.40.46 { keys {ns1-ns2.pcx.net;}; }; zone "my.zone.test." { type slave; file...; masters {10.33.40.46;}; allow-transfer { key ns1-ns2.pcx.net;}; }; You can save this in a file and refer to it in the named.conf using ‘include’ statement: include “/var/named/master/tsig-key-ns1-ns2”;

16 TIME!!! TSIG is time sensitive - to stop replays –Message protection expires in 5 minutes –Make sure time is synchronized –For testing, set the time –In operations, (secure) NTP is needed

17 Other uses of TSIG TSIG was designed for other purposes as well –Protecting sensitive stub resolvers This has proven hard to accomplish –Dynamic Update Discussed later, securing this relies on TSIG

18 Questions ?

Download ppt "RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely."

Similar presentations

Authoritative-only server & TSIG cctld-workshop Nairobi,12-15 october 2005

Authoritative-only server & TSIG cctld-workshop Nairobi,12-15 october 2005
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Zone transfer and dns-express

Zone transfer and dns-express
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.

DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.

The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS.
DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.

DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.
Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.

Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Similar presentations

Ads by Google