Physical Address
Metro Manila, Philippines
Install bind-chroot on both servers
# yum install bind-chroot
From Primary DNS
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+50029
The output is the base name of the files just written; the one we need is
Kmaster-slave.+157+50029.private. The numbers are the DNSSEC algorithm
(157 = HMAC-MD5) and the key ID (50029), which will almost certainly be different on your machine.
A note on the algorithm: HMAC-MD5 is used throughout this guide, but it is deprecated. On any
current BIND, generate the key with -a HMAC-SHA256 instead (or with tsig-keygen, which prints a
ready-to-include key statement) and write algorithm hmac-sha256 in the key statement below; the
rest of the procedure is unchanged.
From Kmaster-slave.+157+50029.private we will extract the shared key:
# cat Kmaster-slave.+157+50029.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==
The key here is axdafafFTdafaCSDF090DSDs==; it will be different in your file. Keep this file
(and keep it readable only by root): we will need it for testing our configuration later, since
dig -k can sign a test transfer with it directly.
On both the master and slave name servers, create a new file called /var/named/chroot/etc/transfer.key with
the following contents (straight ASCII quotes only; named will not parse curly quotes):
key "master-slave." {
    algorithm hmac-md5;
    secret "axdafafFTdafaCSDF090DSDs==";
};
Protect the contents of the transfer.key so only the nameserver can read it and only root can write to it:
# chown root:named /var/named/chroot/etc/transfer.key
# chmod 640 /var/named/chroot/etc/transfer.key
# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key
In /var/named/chroot/etc/named.conf on both the master and slave server, add the following line at the very top of the file:
include "/etc/transfer.key";
The path is resolved inside the chroot, so /etc/transfer.key here is /var/named/chroot/etc/transfer.key on disk (the symlink created above makes the same path work outside the chroot as well).
On the slave server, prohibit all zone transfers from anywhere (a slave should never hand out copies of the zone). Add the following line inside your options block:
allow-transfer { none; };
Slave DNS
# vi /etc/named.conf
Add the following lines, where 208.67.222.22 is the master's address. The server statement makes the slave sign every request it sends to that host, including the zone transfers it pulls, with the master-slave key:
include "/etc/transfer.key";
server 208.67.222.22 {
    keys { master-slave.; };
};
On the master server, change the allow-transfer line in your options block so that only requests signed with the key are accepted; the result looks like this:
# vi /etc/named.conf
include "/etc/transfer.key";
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.1; 208.67.222.22; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; any; };
    allow-transfer { key master-slave.; };
    allow-notify { 208.67.222.23; };
    version "Bind";
};
A few lines in this block deserve a second look before you copy it. query-source port 53 and query-source-v6 port 53 pin every outgoing query to source port 53, which switches off the source-port randomisation BIND relies on against cache poisoning; unless a firewall forces a fixed port, delete both lines and let named choose random ports. allow-query { localhost; any; } is simply any, so if this server also recurses it is an open resolver; an authoritative master should carry recursion no; (or a tight allow-recursion). allow-notify only governs which hosts may send NOTIFY for slave zones, so on the master it has no effect; if 208.67.222.23 is the slave, the option that makes the master announce zone changes to it is also-notify { 208.67.222.23; };.
Check the configuration on each server, then restart named on both:
# named-checkconf -t /var/named/chroot /etc/named.conf
# service named restart
(On systemd-based releases the chrooted service is named-chroot, so use systemctl restart named-chroot.)
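The key-file steps above (extracting the secret, writing transfer.key with straight quotes, setting it 0640 root:named) and the transfer test the guide promises are easy to get wrong by hand, so here they are as a small POSIX shell script. This is an added example, not the page's own procedure and not a BIND tool: the sample .private file is constructed, the key value axdafafFTdafaCSDF090DSDs== is the page's placeholder, and the verify_transfer function together with the master address and zone name it takes are assumptions that only work against real servers.

```shell
#!/bin/sh
# Added example (not from the original page): turn the dnssec-keygen .private
# file into transfer.key, lock it down, and check the result with dig.
# The key name, key value and server addresses used here are placeholders.

# Constructed sample of a dnssec-keygen .private file; the Key: value is made up.
make_sample_private() {
  cat > "$1" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==
EOF
}

# Print the base64 secret stored on the "Key:" line of a .private file.
extract_secret() {
  awk '/^Key:/ { print $2; exit }' "$1"
}

# Map dnssec-keygen's private algorithm number to the name named.conf expects.
algorithm_name() {
  case "$(awk '/^Algorithm:/ { print $2; exit }' "$1")" in
    157) echo hmac-md5 ;;
    161) echo hmac-sha1 ;;
    162) echo hmac-sha224 ;;
    163) echo hmac-sha256 ;;
    164) echo hmac-sha384 ;;
    165) echo hmac-sha512 ;;
    *)   return 1 ;;
  esac
}

# Write 'key "<name>" { ... };' with straight ASCII quotes. The file is created
# under umask 027 so the secret is never world-readable, even for an instant.
# chown to root:named is done only when running as root and the group exists
# (on the real server both are true).
write_transfer_key() {
  private="$1" keyname="$2" out="$3"
  alg=$(algorithm_name "$private") || { echo "unsupported algorithm in $private" >&2; return 1; }
  secret=$(extract_secret "$private")
  [ -n "$secret" ] || { echo "no Key: line in $private" >&2; return 1; }
  ( umask 027
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$keyname" "$alg" "$secret" > "$out" )
  chmod 640 "$out"
  if [ "$(id -u)" -eq 0 ] && grep -q '^named:' /etc/group; then
    chown root:named "$out"
  fi
}

# Live check against the real servers (needs dig and network; not run offline):
# a TSIG-signed AXFR must succeed and an unsigned one must be refused.
verify_transfer() {
  master="$1" zone="$2" private="$3"
  dig @"$master" "$zone" AXFR -k "$private" +noall +answer | grep -q SOA \
    || { echo "signed AXFR from $master failed" >&2; return 1; }
  dig @"$master" "$zone" AXFR | grep -q 'Transfer failed' \
    || { echo "unsigned AXFR from $master was NOT refused" >&2; return 1; }
  echo "TSIG-restricted transfer from $master OK"
}
```

Run write_transfer_key on the file dnssec-keygen produced, copy the result to /var/named/chroot/etc/transfer.key on both servers, and after the restart run verify_transfer 208.67.222.22 yourzone.example Kmaster-slave.+157+50029.private (yourzone.example stands in for your own zone). The signed AXFR must return the zone and the unsigned one must end in "Transfer failed"; that refusal is the allow-transfer { key master-slave.; } line doing its job.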