DNS Master / SLAVE TSIG on RHEL 5.8


I am using 2 DNS servers here: 192.168.2.83 (master) and 192.168.2.86 (slave).

First, let's set up the master.

1. Create /etc/named.conf, as RHEL 5.8 does not provide a sample file, then add the following content to it:

// Master named.conf for 192.168.2.83 (ns1).
// The include must come before the server{} statement below, which refers
// to the key name defined in /etc/transfer.key.
include "/etc/transfer.key";
// Sign messages sent to the slave (NOTIFY) with the shared TSIG key.
server 192.168.2.86 {
  keys { HOST1-HOST2. ;};
};
// Clients allowed to query the zones: the local subnet and loopback.
acl domblocal { 192.168.2.0/24;
                127.0.0.1;
};

// Global default for zones without their own rule: only the slave's address
// may request transfers. Both zones below override this with a key-based rule.
// NOTE(review): no allow-recursion is set, so BIND's default recursion policy
// applies to anyone who can reach port 53; consider
// "allow-recursion { domblocal; };" here so the box is not an open resolver.
options { allow-transfer { 192.168.2.86;};
          directory "/var/named";
          notify yes;
        };

//include "/etc/named.rfc1912.zones";

// Reverse zone for 192.168.2.0/24. "file" is relative to the directory
// option, i.e. /var/named/2.168.192.in-addr.arpa.zone.
zone "2.168.192.in-addr.arpa" {
      type master;
//      allow-transfer { 192.168.2.86;};
      // Transfers must be signed with the TSIG key; a matching source
      // address alone is not enough. The address-based rule is kept above
      // for reference only.
      allow-transfer { key HOST1-HOST2. ;};
      allow-query { domblocal;};
      file "2.168.192.in-addr.arpa.zone";
};

// Forward zone, same transfer and query policy as the reverse zone.
zone "local.domb.com" {
      type master;
//      allow-transfer { 192.168.2.86;};
      allow-transfer { key HOST1-HOST2. ;};
      allow-query { domblocal;};
      file "local.domb.com.zone";
};

2. Create the zone files. Let's begin with the reverse zone in /var/named/2.168.192.in-addr.arpa.zone:

; Reverse zone for 192.168.2.0/24 (master copy, /var/named/2.168.192.in-addr.arpa.zone).
$ORIGIN .
$TTL 86400
; NOTE(review): the SOA RNAME (hostmaster mailbox) is root.2.168.192.in-addr.arpa.,
; which is not a mail domain; root.local.domb.com. would be the usual value.
2.168.192.in-addr.arpa  IN SOA  ns1.local.domb.com. root.2.168.192.in-addr.arpa. (
                                50      ; serial - increment on every edit, or the slave will not pick up the change
                                1H      ; refresh
                                15M     ; retry
                                1W      ; expiry
                                1D      ; minimum
                                )
; Both servers are authoritative; the slave learns about updates via NOTIFY.
                        NS      ns1.local.domb.com.
                        NS      ns2.local.domb.com.
; Owner names below are now relative to the reverse zone (last octet only).
$ORIGIN 2.168.192.in-addr.arpa.
83                      PTR     ns1.local.domb.com.
86                      PTR     ns2.local.domb.com.
231                     PTR     test.local.domb.com.

3. Add the forward zone file local.domb.com.zone:

; Forward zone for local.domb.com (master copy, /var/named/local.domb.com.zone).
$ORIGIN .
$TTL    86400
local.domb.com  IN SOA  ns1.local.domb.com.     root.local.domb.com. (
                                        50      ; serial - increment on every edit
                                        1H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D)     ; minimum
                        NS      ns1.local.domb.com.
                        NS      ns2.local.domb.com.
; Owner names below are relative to local.domb.com.
$ORIGIN local.domb.com.
ns1                     A       192.168.2.83
ns2                     A       192.168.2.86
test                    A       192.168.2.231

4. Add iptables rules:

# Open DNS (53/udp and 53/tcp) inbound. The rules are inserted at the top of
# INPUT with no source restriction; adding "-s 192.168.2.0/24" would limit
# them to the lab subnet, and they are not persisted across a reboot unless
# saved (e.g. service iptables save).
# iptables -I INPUT -p udp --dport 53 -j ACCEPT
# NOTE(review): 953 is the rndc control channel, which is TCP-only and by
# default listens on 127.0.0.1; neither 953 rule is needed for zone transfers,
# and the udp/953 rule matches nothing rndc sends. Drop both unless rndc is
# deliberately exposed to the slave, and then restrict the source address.
# iptables -I INPUT -p udp --dport 953 -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -j ACCEPT
# iptables -I INPUT -p tcp --dport 953 -j ACCEPT

5. Create the TSIG key:

# Generate a 128-bit HMAC-MD5 secret. The name given here (rndc-key) only
# determines the generated file names (Krndc-key.+157+<id>.key/.private);
# the TSIG key name that must match on both servers is the one in the
# key statement (HOST1-HOST2.), not this one.
# NOTE(review): HMAC-MD5 is deprecated; prefer "-a HMAC-SHA256 -b 256" when
# the installed BIND supports it. Both generated files contain the secret in
# the clear, so delete them once the secret is in transfer.key.
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key

6. Create the transfer.key file. Cat the generated private key file and copy its secret into transfer.key:

# NOTE(review): this file name does not match the previous step, which names
# the key rndc-key and so produces Krndc-key.+157+<id>.private; use whichever
# name was actually given to dnssec-keygen. Only the base64 value on the
# "Key:" line goes into the secret field of transfer.key.
# cat Ktransfer.+157+58702.private

7. This is how the transfer key file should look. After you have added the key file, transfer it to the slave host.

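// /etc/transfer.key - the shared TSIG key, identical on master and slave.
// The top-level statement is "key"; "keys" is only valid inside server{}
// and would make named reject this file at start-up.
// The key name (HOST1-HOST2.) is what both named.conf files reference.
// Keep this file readable by root and the named user only (e.g. mode 0640),
// since the secret is what authorizes zone transfers.
key HOST1-HOST2. {
algorithm hmac-md5;
secret "SKDuwwhNH+adsfasfda/aJ/zOV9PPIblBNiehnFo=";
};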

8. Log in to the slave and add the named.conf:

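// Slave named.conf for 192.168.2.86 (ns2).
// The include must come before the server{} statement, which refers to the
// key name defined in /etc/transfer.key.
include "/etc/transfer.key";
// Sign zone transfer requests sent to the master with the shared TSIG key;
// the master's allow-transfer { key HOST1-HOST2. ; } rule requires this.
server 192.168.2.83 {
   keys { HOST1-HOST2. ;};
};

// Clients allowed to query the zones: the local subnet and loopback.
acl domblocal { 192.168.2.0/24;
                127.0.0.1;
};

// Global default: only the master may pull transfers from this slave.
// NOTE(review): as on the master, no allow-recursion is set; consider
// "allow-recursion { domblocal; };" so the slave is not an open resolver.
options { allow-transfer { 192.168.2.83;};
          directory "/var/named";
        };

//include "/etc/named.rfc1912.zones";

// Slave copy of the reverse zone. named fetches it from the master by AXFR
// and writes it to "file", so /var/named/slaves must be writable by named.
zone "2.168.192.in-addr.arpa" {
      type slave;
      allow-query { domblocal; };
      file "/var/named/slaves/2.168.192.in-addr.arpa.zone";
      masters { 192.168.2.83; };
      // Accept NOTIFY from the master. The original listed 192.168.2.86,
      // which is this host's own address, not the master's; addresses in
      // "masters" are accepted anyway, so the line is now explicit rather
      // than a different source.
      allow-notify { 192.168.2.83;};
      // Uncomment to refuse transfers of this zone from the slave entirely
      // (tighter than the global allow-transfer above).
//      allow-transfer { none; };
};

// Slave copy of the forward zone, same policy as the reverse zone.
zone "local.domb.com" {
      type slave;
      allow-query { domblocal; };
      file "/var/named/slaves/local.domb.com.zone";
      allow-notify { 192.168.2.83;};
      masters { 192.168.2.83; };
//      allow-transfer { none; };
};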

9. Now create the zone files for the slave. Let's start with the reverse zone file in /var/named/slaves/:

; Slave copy of the reverse zone (/var/named/slaves/2.168.192.in-addr.arpa.zone).
; NOTE(review): for a "type slave" zone, named writes this file itself after the
; first successful transfer and overwrites any hand-made copy; creating it by
; hand is optional, but the slaves directory must be writable by named.
$ORIGIN .
$TTL 86400      ; 1 day
2.168.192.in-addr.arpa  IN SOA  ns1.local.domb.com. root.2.168.192.in-addr.arpa. (
                                50         ; serial - must match the master's
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.local.domb.com.
                        NS      ns2.local.domb.com.
; Owner names below are relative to the reverse zone (last octet only).
$ORIGIN 2.168.192.in-addr.arpa.
231                     PTR     test.local.domb.com.
83                      PTR     ns1.local.domb.com.
86                      PTR     ns2.local.domb.com.

10. Add the forward zone:

; Slave copy of the forward zone (/var/named/slaves/local.domb.com.zone).
; NOTE(review): as with the reverse zone, named rewrites this file from the
; master's copy after each transfer; its content here mirrors the master.
$ORIGIN .
$TTL 86400      ; 1 day
local.domb.com          IN SOA  ns1.local.domb.com. root.local.domb.com. (
                                50         ; serial - must match the master's
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.local.domb.com.
                        NS      ns2.local.domb.com.
; Owner names below are relative to local.domb.com.
$ORIGIN local.domb.com.
test                    A       192.168.2.231
ns1                     A       192.168.2.83
ns2                     A       192.168.2.86

11. Restart both DNS servers and do an rndc reload on the master. Look at /var/log/messages on the slave. You should see something like:

May 13 00:00:58 ns2 named[2913]: zone local.domb.com/IN: transferred serial 49: TSIG 'host1-host2'
