Setup of DNS zone with secure zone updates

binddns

How do I run a dns server with a zone for a local domain and be able to add dynamic entries to the dns zone securely from selected hosts?

I have tried to setup a domain 'rag.local' with bind9. I have tried to add a new record to that zone using TSIG. It works now. The steps are below.

Used dnssec to generate secret key for the zone

$ dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST rag.local
$ ls -l 
-rw------- 1 rag rag 118 Mar  7 23:22 Krag.local.+157+26937.key
-rw------- 1 rag rag 229 Mar  7 23:22 Krag.local.+157+26937.private

Copied .key to /etc/bind

/etc/bind$ ls -lt
-rw-r--r-- 1 root bind  265 Mar  7 23:43 rag.local
-rw-r--r-- 1 root bind  435 Mar  7 23:35 named.conf.local
-rw------- 1 root bind  118 Mar  7 23:33 Krag.local.+157+26937.key

named.conf.local

/etc/bind$ cat named.conf.local 

key "rag.local." {
  algorithm hmac-md5;
  secret "secret-key";
};

zone "rag.local" {
        type master;
        file "/etc/bind/rag.local";
        allow-update { key "rag.local."; };
};

rag.local zone definition. EDIT: this file earlier did not have a valid name server and admin email for the zone. also the zone file missed an A record for the name server.

/etc/bind$ cat rag.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@   IN  SOA ns.rag.local. admin.rag.local. (
                  2     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.rag.local.
@   IN  A   127.0.0.1
ns  IN  A   127.0.0.1
@   IN  AAAA    ::1

You may get some error like below if zone file is not valid

Mar  8 00:00:44 rag-tos-laptop named[20349]: zone rag.local/IN: journal rollforward failed: no more
Mar  8 00:00:44 rag-tos-laptop named[20349]: zone rag.local/IN: not loaded due to errors.

EDIT: after the zone file is corrected

Mar  8 00:23:43 rag-tos-laptop named[21469]: zone rag.local/IN: loaded serial 2
Mar  8 00:23:43 rag-tos-laptop named[21469]: zone localhost/IN: loaded serial 2

A sample nsupdate file

$ cat nsupdate.txt 
server localhost
debug yes
zone rag.local.
update add host1.rag.local. 3600 A 10.20.30.40
show
send

Ran update

 nsupdate -k Krag.local.+157+26937.private -v nsupdate.txt

Requires write permissions to bind group on /etc/bind to solve a few permissions issues.

Thanks

Best Answer

I have solved it:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.

editing conf. file:

// TSIG Key
key "example.com." {
algorithm hmac-md5;
secret "THE KEY GENERATED ABOVE"; 
};
zone "example.com" IN {
  type master;
  file "example.com.zone";
  allow-update{ key "example.com."; };
};

This is the step that you have to add

give the named authorization to the /var/named folder:

# chown -R named:named /var/named
# find . -type d -exec chmod 770 {} \;
# find . -type f -exec chmod 660 {} \;

Note: after you have use nsupdate you need to reload the zone using this steps:

rndc freeze example.com

then reloading

rndc reload example.com  

then allowing dynamic updates again:

rndc thaw example.com
Related Question