Transaction Signatures (TSIG) is a mechanism used to secure DNS messages and server-to-server communication, including zone transfers, notifications and recursive queries. TSIG is a method of enforcing access control and authenticating DNS messages between two machines using symmetric-key cryptography.
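What the signature actually covers is easiest to see in code. The block below is an added example, not code from the original post or from BIND: it builds an unsigned AXFR query in DNS wire format, signs it with the hmac-md5 algorithm and the example key from this post, then verifies it the way a server does (RFC 2845 / RFC 8945). The key name, secret and "time signed" value are the ones that appear later in the post's own dig output; the wire-format helpers, the message ID and the tampering cases are this example's own assumptions.

```python
# Added example (not from the original post): building and checking a TSIG-signed
# DNS query per RFC 2845 / RFC 8945 with hmac-md5. Key name, secret and "time
# signed" come from the post's dig output; everything else is this example's own.
import base64
import hashlib
import hmac
import struct

ALGORITHM = "hmac-md5.sig-alg.reg.int."   # algorithm name shown in the post's dig output
TYPE_TSIG, CLASS_ANY, QTYPE_AXFR = 250, 255, 252
SECRET = base64.b64decode("PT9L5UH/v+SDpLqmsPl/Vw==")   # the post's example key (128 bits)
KEY_NAME = "ns1-ns2"
TIME_SIGNED = 1433471348                                 # "time signed" from the post's dig output


def canon(name):
    """Canonical name form used in the digest: lowercase, single trailing dot."""
    return name.rstrip(".").lower() + "."


def encode_name(name):
    """Dotted name -> RFC 1035 wire labels, canonicalised so the digest is stable."""
    labels = [l for l in canon(name).rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, msg_id):
    """A plain unsigned DNS query: 12-byte header plus one IN question, no RRs."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields digested with the message: name, class, TTL, algorithm,
    time signed, fudge, error, other-data length and other data."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret, unsigned_message, key_name, time_signed, fudge, error=0, other=b""):
    """HMAC-MD5 over (message without its TSIG RR) || TSIG variables. A response
    would also prefix the request's MAC; a query like this one has none."""
    data = unsigned_message + tsig_variables(key_name, time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.md5).digest()


def sign_query(secret, message, key_name, time_signed, fudge=300):
    """Append the TSIG RR (type 250, class ANY, TTL 0) and increment ARCOUNT."""
    mac = compute_mac(secret, message, key_name, time_signed, fudge)
    original_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))       # error 0, other-len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def _skip_name(wire, pos):
    while wire[pos]:
        if wire[pos] & 0xC0 == 0xC0:
            return pos + 2            # compression pointer: two bytes, ends the name
        pos += 1 + wire[pos]
    return pos + 1


def _read_name(wire, pos):
    """Read an uncompressed name (TSIG RR names are never compressed)."""
    labels = []
    while wire[pos]:
        labels.append(wire[pos + 1:pos + 1 + wire[pos]].decode("ascii"))
        pos += 1 + wire[pos]
    return canon(".".join(labels)), pos + 1


def verify_query(secret, wire, expected_key, now):
    """Verify the TSIG on a signed query; returns (ok, reason)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if ar == 0:
        return False, "no TSIG record"
    pos = 12
    for _ in range(qd):                        # question = name + type + class
        pos = _skip_name(wire, pos) + 4
    for _ in range(an + ns + ar - 1):          # every RR before the final additional one
        pos = _skip_name(wire, pos)
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = _read_name(wire, pos)
    rtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    pos += 10                                  # type, class, TTL, RDLENGTH
    if rtype != TYPE_TSIG:
        return False, "last additional record is not TSIG"
    if key_name != canon(expected_key):
        return False, "unknown key " + key_name
    alg, pos = _read_name(wire, pos)
    if alg != ALGORITHM:
        return False, "unsupported algorithm " + alg
    time_signed = int.from_bytes(wire[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[pos + 6:pos + 10])
    mac = wire[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", wire[pos:pos + 6])
    other = wire[pos + 6:pos + 6 + other_len]
    # Rebuild exactly what the signer digested: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = struct.pack("!H", original_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:tsig_start]
    if not hmac.compare_digest(mac, compute_mac(secret, unsigned, key_name, time_signed, fudge, error, other)):
        return False, "bad signature"
    if abs(now - time_signed) > fudge:         # replay window, checked only after the MAC holds
        return False, "time signed outside fudge window"
    return True, "ok"


def demo():
    """Sign an AXFR query and show which alterations the verifier rejects."""
    query = build_query("martins.net", QTYPE_AXFR, msg_id=0x7A89)
    signed = sign_query(SECRET, query, KEY_NAME, TIME_SIGNED)
    tampered = signed[:12] + encode_name("example.net") + signed[12 + len(encode_name("martins.net")):]
    return {
        "valid": verify_query(SECRET, signed, KEY_NAME, now=TIME_SIGNED + 10),
        "tampered": verify_query(SECRET, tampered, KEY_NAME, now=TIME_SIGNED + 10),
        "wrong_key": verify_query(b"\x00" * 16, signed, KEY_NAME, now=TIME_SIGNED + 10),
        "stale": verify_query(SECRET, signed, KEY_NAME, now=TIME_SIGNED + 3600),
        "unsigned": verify_query(SECRET, query, KEY_NAME, now=TIME_SIGNED),
    }
```

Running `demo()` shows the four failure modes a TSIG verifier distinguishes: a changed question body, a different secret, a timestamp outside the 300-second fudge window, and a message that carries no TSIG record at all. Note that the MAC is checked before the time window, so a forged message never gets a "stale" answer that would leak whether the key matched.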
How does it work?
On the DMZ server, go to the /etc/bind/ directory and run the command below to create the shared keys:
# cd /etc/bind/
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2
This uses the dnssec-keygen program, which creates two files, both containing the generated key.
List the directory contents to see the files that were created:
# ls -l K*
-rw------- 1 root bind  51 Jun  4 22:08 Kns1-ns2.+157+65345.key
-rw------- 1 root bind 165 Jun  4 22:08 Kns1-ns2.+157+65345.private
The dnssec-keygen program created two files. Because the key was generated with a symmetric algorithm (HMAC-MD5), the .key and .private files hold the same secret: with a symmetric key the "public" and "private" halves are equivalent.
Now create a file containing the key name, the algorithm and its secret string:
# cat /etc/bind/rndc.key > /etc/bind/transfer.key
# cat /etc/bind/Kns1-ns2.+157+65345.key >> /etc/bind/transfer.key
Listing the created file:
# cat /etc/bind/transfer.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "cZDlTBXEn7aZABa4Cycxeg==";
};
ns1-ns2. IN KEY 512 3 157 PT9L5UH/v+SDpLqmsPl/Vw==
With the transfer.key file created, change the key name and secret string following the example. From…
# cat /etc/bind/transfer.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "cZDlTBXEn7aZABa4Cycxeg==";
};
ns1-ns2. IN KEY 512 3 157 PT9L5UH/v+SDpLqmsPl/Vw==
To…
# cat /etc/bind/transfer.key
key "ns1-ns2" {
        algorithm hmac-md5;
        secret "PT9L5UH/v+SDpLqmsPl/Vw==";
};
# slave IP
server 192.168.200.101 {
        keys { ns1-ns2; };
};
Change the file's owner to bind and its permissions to 640:
# chown bind /etc/bind/transfer.key
# chmod 640 /etc/bind/transfer.key
With the file created, open named.conf and add an include for transfer.key at the end of the file:
# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/transfer.key";
The next step is to adjust the named.conf.local file, changing the allow-transfer directive as in the example below. From…
# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "martins.net" {
        type master;
        file "db.martins.net";
        allow-transfer { 192.168.200.101; };
        notify yes;
        also-notify { 192.168.200.101; };
};

zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { 192.168.200.101; };
        notify yes;
        also-notify { 192.168.200.101; };
};
To…
# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "martins.net" {
        type master;
        file "db.martins.net";
        allow-transfer { key ns1-ns2; };
        notify yes;
        allow-update { key ns1-ns2; };
};

zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { key ns1-ns2; };
        notify yes;
        allow-update { key ns1-ns2; };
};
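The difference between the two versions is the whole point of the change: an allow-transfer list that names an address trusts whoever presents that source IP, while one that names a key trusts only a peer that can produce the HMAC. The script below is an added example (not from the original post) that audits zone blocks in a named.conf.local-style file and reports allow-transfer / allow-update entries that are address-based or "any" instead of key-based. The two sample configs are the "before" and "after" fragments from this post; the third is a constructed worst case, and the brace-matching parser is this example's own assumption (it handles the usual one-level nesting, not the full BIND grammar).

```python
# Added example (not from the original post): flag zone ACLs that rely on source
# address instead of a TSIG key. Sample configs: the post's before/after fragments
# plus one constructed open zone. The parser is a simplification, not BIND's grammar.
import re

BEFORE = '''
zone "martins.net" {
        type master;
        file "db.martins.net";
        allow-transfer { 192.168.200.101; };
        notify yes;
        also-notify { 192.168.200.101; };
};
zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { 192.168.200.101; };
        notify yes;
        also-notify { 192.168.200.101; };
};
'''

AFTER = '''
zone "martins.net" {
        type master;
        file "db.martins.net";
        allow-transfer { key ns1-ns2; };
        notify yes;
        allow-update { key ns1-ns2; };
};
zone "200.168.192.in-addr.arpa" {
        type master;
        file "rev.martins.net";
        allow-transfer { key ns1-ns2; };
        notify yes;
        allow-update { key ns1-ns2; };
};
'''

# Constructed worst case: anyone may transfer, and a whole /8 may update.
OPEN_ZONE = '''
zone "example.test" {
        type master;
        file "db.example.test";
        allow-transfer { any; };
        allow-update { 10.0.0.0/8; key ns1-ns2; };
};
'''

ZONE_START = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
ACL_LIST = re.compile(r'\b(allow-transfer|allow-update)\s*\{([^}]*)\}')


def zone_blocks(text):
    """Yield (zone_name, body); braces are counted so nested ACL lists stay in the body."""
    for m in ZONE_START.finditer(text):
        depth, pos = 1, m.end()
        while depth and pos < len(text):
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        yield m.group(1), text[m.end():pos - 1]


def classify(entry):
    """'key' = authenticated by TSIG, 'open' = any host, 'none' = nobody,
    'address' = trusts the source IP/network only."""
    if entry.startswith("key "):
        return "key"
    if entry == "any":
        return "open"
    if entry == "none":
        return "none"
    return "address"


def audit(config_text):
    """One finding per weak ACL entry, plus a note when a zone has no allow-transfer at all."""
    findings = []
    for zone, body in zone_blocks(config_text):
        seen = set()
        for m in ACL_LIST.finditer(body):
            directive = m.group(1)
            seen.add(directive)
            for entry in (e.strip() for e in m.group(2).split(";") if e.strip()):
                kind = classify(entry)
                if kind == "open":
                    findings.append(f"{zone}: {directive} {{ any; }} lets any host {directive[6:]}")
                elif kind == "address":
                    findings.append(f"{zone}: {directive} trusts source address {entry}; prefer key <name>")
        if "allow-transfer" not in seen:
            findings.append(f"{zone}: no allow-transfer clause; the zone inherits the options/default policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("open", OPEN_ZONE)):
        print(label, audit(cfg) or ["no findings"])
```

Run against the post's "before" config it reports one address-based allow-transfer per zone; against the "after" config it reports nothing, because both allow-transfer and allow-update name the ns1-ns2 key. Note that the check only reads zone blocks, so an allow-transfer set globally in named.conf.options would have to be audited separately.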
Restart the DNS server to apply the new configuration and check that the service is running:
# systemctl restart bind9.service
# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 22:35:59 BRT; 2s ago
     Docs: man:named(8)
  Process: 1075 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 1079 (named)
   CGroup: /system.slice/bind9.service
           └─1079 /usr/sbin/named -f -u bind

Jun 04 22:35:59 ns1.martins.net named[1079]: zone martins.net/IN: loaded serial 2015060401
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 200.168.192.in-addr.arpa/IN: loaded serial 2015060401
Jun 04 22:35:59 ns1.martins.net named[1079]: zone localhost/IN: loaded serial 2
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 255.in-addr.arpa/IN: loaded serial 1
Jun 04 22:35:59 ns1.martins.net named[1079]: all zones loaded
Jun 04 22:35:59 ns1.martins.net named[1079]: running
Jun 04 22:35:59 ns1.martins.net named[1079]: zone martins.net/IN: sending notifies (serial 2015060401)
Jun 04 22:35:59 ns1.martins.net named[1079]: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2015060401)
Jun 04 22:35:59 ns1.martins.net named[1079]: error (network unreachable) resolving 'ns2.marrtins.net/A/IN': 2001:500:2d::d#53
Jun 04 22:35:59 ns1.martins.net named[1079]: error (network unreachable) resolving 'ns2.marrtins.net/AAAA/IN': 2001:500:2d::d#53
To begin, stop the bind service on the ns1 machine:
# systemctl stop bind9.service
Next, go to the /etc/bind/ directory and copy the transfer.key file from the ns1 machine to the /tmp/ directory on ns2:
# cd /etc/bind
# scp transfer.key gean@192.168.200.101:/tmp/
Now, on the slave server, copy the file that was placed in /tmp to the /etc/bind directory:
# cp /tmp/transfer.key /etc/bind/
Change the file's owner to bind and its permissions to 640:
# chown bind /etc/bind/transfer.key
# chmod 640 /etc/bind/transfer.key
Now open named.conf and add an include for transfer.key at the end of the file:
# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/transfer.key";
The next step is to adjust the transfer.key file, adding the server directive with the master's IP at the end:
# cat /etc/bind/transfer.key
key "ns1-ns2" {
        algorithm hmac-md5;
        secret "PT9L5UH/v+SDpLqmsPl/Vw==";
};
# master IP
server 192.168.200.100 {
        keys { ns1-ns2; };
};
Restart the DNS server to apply the new configuration (master and slave):
# systemctl restart bind9.service
On the slave machine, use the dig command with the axfr option to perform a full transfer of the master zone. The -y flag gives the key name and its secret string:
# dig -y ns1-ns2:PT9L5UH/v+SDpLqmsPl/Vw== martins.net axfr

; <<>> DiG 9.9.5-9-Debian <<>> -y ns1-ns2 martins.net axfr
;; global options: +cmd
martins.net.            86400   IN      SOA     ns1.martins.net. root.martins.net. 2015060401 3600 1800 604800 86400
martins.net.            86400   IN      A       192.168.200.220
martins.net.            86400   IN      NS      ns1.martins.net.
martins.net.            86400   IN      NS      ns2.marrtins.net.
martins.net.            86400   IN      MX      10 mail.martins.net.
ftp.martins.net.        86400   IN      CNAME   martins.net.
imap.martins.net.       86400   IN      CNAME   mail.martins.net.
mail.martins.net.       86400   IN      A       192.168.200.240
ns1.martins.net.        86400   IN      A       192.168.200.100
ns2.martins.net.        86400   IN      A       192.168.200.101
pop.martins.net.        86400   IN      CNAME   mail.martins.net.
smtp.martins.net.       86400   IN      CNAME   mail.martins.net.
www.martins.net.        86400   IN      CNAME   martins.net.
martins.net.            86400   IN      SOA     ns1.martins.net. root.martins.net. 2015060401 3600 1800 604800 86400
ns1-ns2.                0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1433471348 300 16 MWpGrZ/PojHVoY+m0GZEhw== 31369 NOERROR 0
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 04 23:29:08 BRT 2015
;; XFR size: 14 records (messages 1, bytes 409)
To check on the slave server whether the transfer took place, grep the syslog and daemon.log files for tsig:
# egrep -i tsig /var/log/syslog
Jun 4 23:11:35 ns2 named[2138]: client 127.0.0.1#41359/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:15:37 ns2 named[2138]: client 192.168.200.100#35282/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:17:44 ns2 named[2164]: client 192.168.200.100#28721/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:18:16 ns2 named[2164]: client 192.168.200.100#60048/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:18:16 ns2 named[2164]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 4 23:22:45 ns2 named[2192]: client 127.0.0.1#57716/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:23:32 ns2 named[2192]: client 192.168.200.100#55604/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:23:41 ns2 named[2206]: client 127.0.0.1#46482/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:24:25 ns2 named[2206]: client 127.0.0.1#50695/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:25:45 ns2 named[2206]: client 127.0.0.1#57804/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:27:23 ns2 named[2206]: client 192.168.200.100#40591/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:29:08 ns2 named[416]: client 127.0.0.1#45855/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
# egrep -i tsig /var/log/daemon.log
Jun 4 23:11:35 ns2 named[2138]: client 127.0.0.1#41359/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:15:37 ns2 named[2138]: client 192.168.200.100#35282/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:17:44 ns2 named[2164]: client 192.168.200.100#28721/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:18:16 ns2 named[2164]: client 192.168.200.100#60048/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:18:16 ns2 named[2164]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 4 23:22:45 ns2 named[2192]: client 127.0.0.1#57716/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:23:32 ns2 named[2192]: client 192.168.200.100#55604/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:23:41 ns2 named[2206]: client 127.0.0.1#46482/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:24:25 ns2 named[2206]: client 127.0.0.1#50695/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:25:45 ns2 named[2206]: client 127.0.0.1#57804/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun 4 23:27:23 ns2 named[2206]: client 192.168.200.100#40591/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun 4 23:29:08 ns2 named[416]: client 127.0.0.1#45855/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
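Grepping for "tsig" shows the transfers that were signed, but it cannot show the ones that were not, which is what a defender actually wants to catch. The block below is an added example (not from the original post) that parses named's "client ..." log lines, separates transfer events from notifies, and reports any that carry no TSIG key or a key other than the expected one. The first lines of the sample are copied from the post's syslog output; the last two are constructed (an unsigned AXFR from an unknown host and a notify signed with a different key), and their wording follows BIND's usual client-message format, which is an assumption of this example.

```python
# Added example (not from the original post): audit named log lines for unsigned
# or wrongly-keyed zone transfers and notifies. Sample lines: first three copied
# from the post, last two constructed for illustration.
import re
from collections import Counter

SAMPLE_LOG = """\
Jun  4 23:11:35 ns2 named[2138]: client 127.0.0.1#41359/key ns1-ns2 (martins.net): transfer of 'martins.net/IN': AXFR started: TSIG ns1-ns2
Jun  4 23:15:37 ns2 named[2138]: client 192.168.200.100#35282/key ns1-ns2: received notify for zone '200.168.192.in-addr.arpa': TSIG 'ns1-ns2'
Jun  4 23:18:16 ns2 named[2164]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun  4 23:40:01 ns2 named[2206]: client 192.168.200.55#51234 (martins.net): transfer of 'martins.net/IN': AXFR started
Jun  4 23:41:12 ns2 named[2206]: client 192.168.200.100#40000/key old-key: received notify for zone 'martins.net': TSIG 'old-key'
"""

CLIENT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?:/key (?P<key>[^\s:(]+))?"
    r"(?: \((?P<zone>[^)]+)\))?: (?P<event>.*)$")


def parse_client_line(line):
    """Return a dict for 'client ...' lines, or None for other named messages."""
    m = CLIENT_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    event = rec["event"]
    if "XFR started" in event:            # covers both AXFR and IXFR
        rec["kind"] = "transfer"
    elif "received notify" in event:
        rec["kind"] = "notify"
    else:
        rec["kind"] = "other"
    if rec["zone"] is None:               # notify lines quote the zone inside the message instead
        z = re.search(r"zone '([^']+)'", event)
        rec["zone"] = z.group(1) if z else None
    return rec


def audit_log(text, expected_key="ns1-ns2"):
    """Return (findings, counts). findings: one string per unsigned or wrongly-keyed
    transfer/notify; counts: Counter keyed by (kind, 'signed' | 'unsigned')."""
    findings, counts = [], Counter()
    for line in text.splitlines():
        rec = parse_client_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        signed = rec["key"] is not None
        counts[(rec["kind"], "signed" if signed else "unsigned")] += 1
        if not signed:
            findings.append(f"{rec['ts']}: unsigned {rec['kind']} from {rec['ip']} for zone {rec['zone']}")
        elif rec["key"] != expected_key:
            findings.append(f"{rec['ts']}: {rec['kind']} from {rec['ip']} signed with unexpected key {rec['key']}")
    return findings, counts


if __name__ == "__main__":
    found, stats = audit_log(SAMPLE_LOG)
    print(dict(stats))
    for f in found:
        print("!", f)
```

With the sample above the counts show one signed and one unsigned transfer and two signed notifies, and the two findings point at the unsigned AXFR and the notify that used a key other than ns1-ns2. The "zone ... transferred serial" line from the post is not a "client" message and is skipped; it is still useful as a success marker but says nothing about who asked.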
One more test. Let's remove the zone files transferred earlier to make sure the transfer happens again. First stop the bind service, then remove the files, start bind and check the status:
# systemctl stop bind9.service
# rm -rf /var/cache/bind/db.martins.net
# rm -rf /var/cache/bind/rev.martins.net
# systemctl start bind9.service
# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 23:33:49 BRT; 6s ago
     Docs: man:named(8)
  Process: 461 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 470 (named)
   CGroup: /system.slice/bind9.service
           └─470 /usr/sbin/named -f -u bind

Jun 04 23:33:49 ns2.martins.net named[470]: zone 200.168.192.in-addr.arpa/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of '200.168.192.in-addr.arpa/IN' from 192.168.200.100#53: Transfer completed: 1 messa...tes/sec)
Jun 04 23:33:49 ns2.martins.net named[470]: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2015060403)
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: Transfer started.
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of 'martins.net/IN' from 192.168.200.100#53: connected using 192.168.200.101#49427
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: transferred serial 2015060403: TSIG 'ns1-ns2'
Jun 04 23:33:49 ns2.martins.net named[470]: transfer of 'martins.net/IN' from 192.168.200.100#53: Transfer completed: 1 messages, 15 recor...tes/sec)
Jun 04 23:33:49 ns2.martins.net named[470]: zone martins.net/IN: sending notifies (serial 2015060403)
Jun 04 23:33:49 ns2.martins.net named[470]: error (network unreachable) resolving 'ns2.marrtins.net/A/IN': 2001:503:c27::2:30#53
Jun 04 23:33:49 ns2.martins.net named[470]: error (network unreachable) resolving 'ns2.marrtins.net/AAAA/IN': 2001:503:c27::2:30#53
Hint: Some lines were ellipsized, use -l to show in full.
# ls -lh /var/cache/bind/
total 12K
-rw-r--r-- 1 bind bind 734 Jun  4 23:33 db.martins.net
-rw-r--r-- 1 bind bind 720 Jun  4 21:35 managed-keys.bind
-rw-r--r-- 1 bind bind 281 Jun  4 23:33 rev.martins.net
Note that the zones were transferred…