Transaction Signatures (TSIG) is a method of authenticating DNS messages between servers, allowing for secure communication and transfer of DNS zones. Here’s how you can configure TSIG on a BIND DNS server:
- Generate a shared secret key that will be used to authenticate DNS messages. You can use a tool like
dnssec-keygento generate the key.dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST example.com
This will generate a new key called “Kexample.com.+165+12345” in the current directory. Make sure to keep the key secret, as anyone with access to the key can authenticate DNS messages.
- Configure the BIND server to use the TSIG key for authentication. Open the BIND configuration file (usually located at
/etc/named.conf) and add the following lines:key "example.com." {
algorithm hmac-sha256;
secret "<paste the shared secret key here>";
};
This configures a new TSIG key called “example.com.” using the HMAC-SHA256 algorithm and the shared secret key you generated in step 1. Make sure to replace “<paste the shared secret key here>” with the actual shared secret key.
- Configure the BIND server to use the TSIG key for zone transfers. Open the BIND configuration file (usually located at
/etc/named.conf) and add the following lines for each zone you want to transfer using TSIG:zone "example.com" {
type master;
file "/var/named/example.com.zone";
allow-transfer {
key "example.com.";
};
};
This configures the “example.com” zone to use the TSIG key for transfers. Make sure to replace “example.com” with the actual zone name and “/var/named/example.com.zone” with the actual zone file path.
- Reload the BIND server to apply the new configuration:
service named reload
This will reload the BIND server with the new TSIG key and zone transfer settings.
With these steps, your BIND server is now configured to use TSIG for secure communication and transfer of DNS zones.