==== Ativar TSIG para Transferência entre Servidores ====
Transation Signatures (TSIG) é um mecanismo utilizado para a segurança de mensagens [[dnsdebian8|DNS]] e para a comunicação entre servidores, que inclui transferência de zonas, notificações e requisições recursivas. O TSIG é um método para assegurar o controle de acesso e autenticação de mensagens DNS entre duas máquinas usando criptografia de chave simétrica.

Como funciona?
  * 1: Cada servidor de nomes adiciona um registro TSIG na seção de dados de um servidor de consultas DNS para servidor e uma mensagem;
  * 2: O TSIG grava a mensagem de DNS, provando que o remetente da mensagem tinha uma chave de criptografia compartilhada com o receptor, e que a mensagem não foi modificada após a saída do remetente;
  * 3: O TSIG utiliza uma função hash one-way para fornecer autenticação e integridade dos dados.

==== Configurar TSIG no Servidor Master ====
No servidor DMZ acesse o diretório em /etc/bind/, e execute o comando abaixo para criar as chaves compartilhadas:
<file bash>
# cd /etc/bind/
</file>

<file bash>
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2
</file>

Usando o programa dnssec-keygen, que cria dois arquivos ambos contendo a chave gerada.
  * -a → Define o algoritmo de criptografia;
  * -b → Define o tamanho da chave;
  * -n → Define o nome da chave contendo o nome do host e o nome do servidor Slave. O nametype pode ser uma zona, HOST, entidade ou USER. você precisa usar HOST ou ZONE

Liste o conteúdo do diretório para visualizar os arquivos criados:
<file bash>
# ls -l K*
-rw------- 1 root bind  51 Jun  4 22:08 Kns1-ns2.+157+65345.key
-rw------- 1 root bind 165 Jun  4 22:08 Kns1-ns2.+157+65345.private
</file>

O programa dnssec-keygen criou dois arquivos, e ambas as chaves e arquivos privados são gerados por algoritmos de criptografia simétrica, como HMAC-MD5, mesmo que a chave pública e privada são equivalentes:
  * Kns1-ns2.+157+65345.key → Contém a chave pública. O arquivo contém um registro DNS KEY que pode ser inserido em um arquivo de zona.
  * Kns1-ns2.+157+65345.private → Contém a chave privada. O arquivo contém campos de algoritmo específico.

Agora é preciso criar um arquivo contendo o nome da chave, o algoritmo e sua string:
<file bash>
# cat /etc/bind/rndc.key > /etc/bind/transfer.key
</file>

  * Estamos pegando esse arquivo (rndc.key) mas iremos usar apenas o cabeçalho dele, poderiamos cria-lo também.

<file bash>
# cat /etc/bind/Kns1-ns2.+157+65345.key >> /etc/bind/transfer.key
</file>

Listando o arquivo criado
<code bash>
# cat /etc/bind/transfer.key 
key "rndc-key" {
	algorithm hmac-md5;
	secret "cZDlTBXEn7aZABa4Cycxeg==";
};
ns1-ns2. IN KEY 512 3 157 PT9L5UH/v+SDpLqmsPl/Vw==
</code>

Com a o arquivo transfer.key criado, faça alterações no nome e string seguindo o exemplo:
De...
<code bash>
# cat /etc/bind/transfer.key 
key "rndc-key" {
	algorithm hmac-md5;
	secret "cZDlTBXEn7aZABa4Cycxeg==";
};
ns1-ns2. IN KEY 512 3 157 PT9L5UH/v+SDpLqmsPl/Vw==
</code>

Para...
<code bash>
# cat /etc/bind/transfer.key 
key "ns1-ns2" {
	algorithm hmac-md5;
	secret "PT9L5UH/v+SDpLqmsPl/Vw==";
};

# IP do slave
server 192.168.200.101 {
	keys { ns1-ns2; };
};
</code>

Altere o dono do arquivo para bind e sua permissão para 640:
<file bash>
# chown bind /etc/bind/transfer.key 
# chmod 640 /etc/bind/transfer.key
</file>

Com o arquivo criado, abra o arquivo named.conf e inclua no final do arquivo a inclusão do arquivo transfer.key:
<code bash>
# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/transfer.key";
</code>

O próximo passo é ajustar o arquivos named.conf.local, para alterar a diretiva allow-transfer seguindo o exemplo abaixo:
De...
<code bash>
# cat /etc/bind/named.conf.local 
//
// Do any local configuration here
//
 
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
 
zone "martins.net" {
        type master;
        file "db.martins.net";
	allow-transfer { 192.168.200.101; };
	notify yes;
	also-notify { 192.168.200.101; };
};
 
zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { 192.168.200.101; };
        notify yes;
        also-notify { 192.168.200.101; };
};
</code>

Para...
<code bash>
# cat named.conf.local
//
// Do any local configuration here
//
 
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
 
zone "martins.net" {
        type master;
        file "db.martins.net";
	allow-transfer { key ns1-ns2; };
	notify yes;
	allow-update { key ns1-ns2; };
};
 
zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { key ns1-ns2; };
	notify yes;
        allow-update { key ns1-ns2; };
};
</code>

Restarte o servidor DNS para aplicar as novas configurações e verifique se o serviço esta rodando:
<file bash>
# systemctl restart bind9.service
</file>

<file bash>
# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 22:35:59 BRT; 2s ago
     Docs: man:named(8)
  Process: 1075 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 1079 (named)
   CGroup: /system.slice/bind9.service
           └─1079 /usr/sbin/named -f -u bind

Jun 04 22:35:59 ns1.martins.net named[1079]: zone martins.net/IN: loaded serial 2015060401
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 200.168.192.in-addr.arpa/IN: loaded serial 2015060401
Jun 04 22:35:59 ns1.martins.net named[1079]: zone localhost/IN: loaded serial 2
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 255.in-addr.arpa/IN: loaded serial 1
Jun 04 22:35:59 ns1.martins.net named[1079]: all zones loaded
Jun 04 22:35:59 ns1.martins.net named[1079]: running
Jun 04 22:35:59 ns1.martins.net named[1079]: zone martins.net/IN: sending notifies (serial 2015060401)
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2015060401)
Jun 04 22:35:59 ns1.martins.net named[1079]: error (network unreachable) resolving 'ns2.marrtins.net/A/IN': 2001:500:2d::d#53
Jun 04 22:35:59 ns1.martins.net named[1079]: error (network unreachable) resolving 'ns2.marrtins.net/AAAA/IN': 2001:500:2d::d#53
</file>

==== Configurar TSIG no Servidor Slave ====
Para começar, na maquina ns1 pare o serviço do bind:
<file bash>
# systemctl stop bind9.service
</file>

Em seguida acesse o diretório em /etc/bind/ e transfira o arquivo transfer.key da maquina ns1 para o diretório /tmp/ do ns2:
<file bash>
# cd /etc/bind
</file>

<file bash>
# scp transfer.key gean@192.168.200.101:/tmp/
</file>

  * Observe que usei a conta gean para fazer a transferência do arquivo, o debian 8 por padão não permite login do root via ssh, por isso estou copiando para o diretório /tmp já que o usuário gean não tem permissão para gravar no arquivo /etc/bind

Agora no servidor slave copia o arquivo que foi copiado para o diretório /tmp para o diretório /etc/bind
<file bash>
# cp /tmp/transfer.key /etc/bind/
</file>

Altere o dono do arquivo para bind e sua permissão para 640:
<file bash>
# chown bind /etc/bind/transfer.key 
# chmod 640 /etc/bind/transfer.key
</file>

Agora abra o arquivo named.conf e inclua no final do arquivo a inclusão do arquivo transfer.key:
<code bash>
# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/transfer.key";
</code>

O próximo passo é ajustar o arquivo transfer.key, para adicionar no final a diretiva server e IP do Master:
<code bash>
# cat /etc/bind/transfer.key 
key "ns1-ns2" {
	algorithm hmac-md5;
	secret "PT9L5UH/v+SDpLqmsPl/Vw==";
};

# IP do Master
server 192.168.200.100 {
	keys { ns1-ns2; };
};
</code>

Restarte o servidor DNS para aplicar as novas configurações (master e slave):
<file bash>
# systemctl restart bind9.service
</file>

Na maquina Slave use o comando dig com a opção axfr para transferência full da zona master. A flag -y indica o nome da chave e sua string:
<file bash>
# dig -y ns1-ns2:PT9L5UH/v+SDpLqmsPl/Vw== martins.net axfr

; <<>> DiG 9.9.5-9-Debian <<>> -y ns1-ns2 martins.net axfr
;; global options: +cmd
martins.net.		86400	IN	SOA	ns1.martins.net. root.martins.net. 2015060401 3600 1800 604800 86400
martins.net.		86400	IN	A	192.168.200.220
martins.net.		86400	IN	NS	ns1.martins.net.
martins.net.		86400	IN	NS	ns2.marrtins.net.
martins.net.		86400	IN	MX	10 mail.martins.net.
ftp.martins.net.	86400	IN	CNAME	martins.net.
imap.martins.net.	86400	IN	CNAME	mail.martins.net.
mail.martins.net.	86400	IN	A	192.168.200.240
ns1.martins.net.	86400	IN	A	192.168.200.100
ns2.martins.net.	86400	IN	A	192.168.200.101
pop.martins.net.	86400	IN	CNAME	mail.martins.net.
smtp.martins.net.	86400	IN	CNAME	mail.martins.net.
www.martins.net.	86400	IN	CNAME	martins.net.
martins.net.		86400	IN	SOA	ns1.martins.net. root.martins.net. 2015060401 3600 1800 604800 86400
ns1-ns2.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1433471348 300 16 MWpGrZ/PojHVoY+m0GZEhw== 31369 NOERROR 0 
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 04 23:29:08 BRT 2015
;; XFR size: 14 records (messages 1, bytes 409)
</file>

Para verificar no servidor Slave se a transferência foi realizada, use o comando grep no arquivo syslog e daemon.log:
<file bash>
# egrep -i tsig /var/log/syslog 
Jun  4 23:11:35 ns2 named[2138]: client 127.0.0.1#41359/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:15:37 ns2 named[2138]: client 192.168.200.100#35282/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:17:44 ns2 named[2164]: client 192.168.200.100#28721/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:18:16 ns2 named[2164]: client 192.168.200.100#60048/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:18:16 ns2 named[2164]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun  4 23:22:45 ns2 named[2192]: client 127.0.0.1#57716/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:23:32 ns2 named[2192]: client 192.168.200.100#55604/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:23:41 ns2 named[2206]: client 127.0.0.1#46482/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:24:25 ns2 named[2206]: client 127.0.0.1#50695/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:25:45 ns2 named[2206]: client 127.0.0.1#57804/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:27:23 ns2 named[2206]: client 192.168.200.100#40591/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:29:08 ns2 named[416]: client 127.0.0.1#45855/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
</file>

<file bash>
# egrep -i tsig /var/log/daemon.log 
Jun  4 23:11:35 ns2 named[2138]: client 127.0.0.1#41359/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:15:37 ns2 named[2138]: client 192.168.200.100#35282/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:17:44 ns2 named[2164]: client 192.168.200.100#28721/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:18:16 ns2 named[2164]: client 192.168.200.100#60048/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:18:16 ns2 named[2164]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun  4 23:22:45 ns2 named[2192]: client 127.0.0.1#57716/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:23:32 ns2 named[2192]: client 192.168.200.100#55604/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:23:41 ns2 named[2206]: client 127.0.0.1#46482/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:24:25 ns2 named[2206]: client 127.0.0.1#50695/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:25:45 ns2 named[2206]: client 127.0.0.1#57804/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:27:23 ns2 named[2206]: client 192.168.200.100#40591/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:29:08 ns2 named[416]: client 127.0.0.1#45855/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
</file>

Mas um teste.
Vamos remover os arquivos que foram tranferidos anteriormente para ter certeza qua haverá à transferência...
Primeiro vamos para o serviço do bind, depois remover os arquivos, starta o bind e verificar os estatos:
<file bash>
# systemctl stop bind9.service
# rm -rf /var/cache/bind/db.martins.net 
# rm -rf /var/cache/bind/rev.martins.net
# systemctl start bind9.service
# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 23:33:49 BRT; 6s ago
     Docs: man:named(8)
  Process: 461 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 470 (named)
   CGroup: /system.slice/bind9.service
           └─470 /usr/sbin/named -f -u bind

Jun 04 23:33:49 ns2.martins.net named[470]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of '200.168.192.in-addr.arpa/IN' from 192.168.200.100#53: Transfer completed: 1 messa...tes/sec)
Jun 04 23:33:49 ns2.martins.net named[470]: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2015060403)
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: Transfer started.
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of 'martins.net/IN' from 192.168.200.100#53: connected using 192.168.200.101#49427
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of 'martins.net/IN' from 192.168.200.100#53: Transfer completed: 1 messages, 15 recor...tes/sec)
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: sending notifies (serial 2015060403)
Jun 04 23:33:49 ns2.martins.net named[470]: error (network unreachable) resolving 'ns2.marrtins.net/A/IN': 2001:503:c27::2:30#53
Jun 04 23:33:49 ns2.martins.net named[470]: error (network unreachable) resolving 'ns2.marrtins.net/AAAA/IN': 2001:503:c27::2:30#53
Hint: Some lines were ellipsized, use -l to show in full.
</file>

<file bash>
# ls -lh /var/cache/bind/
total 12K
-rw-r--r-- 1 bind bind 734 Jun  4 23:33 db.martins.net
-rw-r--r-- 1 bind bind 720 Jun  4 21:35 managed-keys.bind
-rw-r--r-- 1 bind bind 281 Jun  4 23:33 rev.martins.net
</file>

Observer que que as zonas foram transferida...