Install bind-chroot on both servers
# yum install bind-chroot
From Primary DNS
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+50029
The output tells us the name of the file containing our new key: in this case
Kmaster-slave.+157+50029.private. The numbers are the DNSSEC algorithm
(157 = HMAC-MD5) and the key's fingerprint (50029), which will probably be different on your machine.
From Kmaster-slave.+157+50029.private we will extract the shared key:
# cat Kmaster-slave.+157+50029.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==
The key here is axdafafFTdafaCSDF090DSDs==; this will be different in your file. Keep track of this file;
we will need it for testing our configuration later.
On both the master and slave name server, create a new file called /var/named/chroot/etc/transfer.key with
the following contents:
key "master-slave." {
algorithm hmac-md5;
secret "axdafafFTdafaCSDF090DSDs==";
};
Protect the contents of the transfer.key so only the nameserver can read it and only root can write to it:
# chown root:named /var/named/chroot/etc/transfer.key
# chmod 640 /var/named/chroot/etc/transfer.key
# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key
In /var/named/chroot/etc/named.conf on both the master and slave server, add the following line at the very top of the file:
include "/etc/transfer.key";
On the slave server, prohibit all zone transfers from anywhere by adding this line to your options block:
options {
allow-transfer { none; };
// the rest of the options block stays as it is
};
Slave DNS
# vi /etc/named.conf
Add the following lines (the server block tells the slave to sign its transfer requests to the master, 208.67.222.22, with this key):
include "/etc/transfer.key";
server 208.67.222.22 {
keys { master-slave.; };
};
On the master server, change the allow-transfer line in your options block so that only requests signed with the key are accepted. The file should then look like this:
# vi /etc/named.conf
include "/etc/transfer.key";
options {
listen-on port 53 { 127.0.0.1; 192.168.1.1; 208.67.222.22; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; any; };
allow-transfer { key master-slave.; };
allow-notify { 208.67.222.23; };
version "Bind";
};
Now restart named on both servers so the new configuration takes effect.
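As an added example (not part of the original post), the following script automates the key extraction and file protection steps above and checks the result; its verify_transfer function then uses dig to confirm, once named is restarted, that an unsigned AXFR is refused while one signed with the key succeeds. The master address, key file path and zone name passed to verify_transfer are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds transfer.key from the
# K*.private file that dnssec-keygen wrote, using plain ASCII quotes, then
# checks the file and (once named is restarted) the transfer policy itself.
# The zone name and master address passed to verify_transfer are assumptions.
set -eu

# make_transfer_key PRIVFILE OUTFILE KEYNAME
# Pulls the "Key:" line out of the .private file and writes the named.conf key
# statement. The quotes are written by printf, so no curly quotes can sneak in.
make_transfer_key() {
    privfile=$1; outfile=$2; keyname=$3
    secret=$(sed -n 's/^Key: *//p' "$privfile")
    [ -n "$secret" ] || { echo "no Key: line in $privfile" >&2; return 1; }
    # the HMAC secret is base64; anything else means the wrong file was used
    printf '%s' "$secret" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "secret in $privfile is not base64" >&2; return 1; }
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' \
        "$keyname" "$secret" > "$outfile"
    chmod 640 "$outfile"          # named (group) reads, root writes, nobody else
    if [ "$(id -u)" -eq 0 ]; then
        chown root:named "$outfile" || echo "chown root:named failed" >&2
    fi
}

# check_transfer_key FILE: mode must be 640 and every byte must be ASCII,
# because a pasted curly quote makes named refuse to load the configuration.
check_transfer_key() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "640" ] || { echo "$file: mode $mode, expected 640" >&2; return 1; }
    nonascii=$(LC_ALL=C tr -d '\000-\177' < "$file" | wc -c | tr -d ' ')
    [ "$nonascii" -eq 0 ] || { echo "$file: non-ASCII bytes (curly quotes?)" >&2; return 1; }
    grep -q '^key "' "$file" || { echo "$file: no key statement" >&2; return 1; }
}

# verify_transfer MASTER KEYFILE ZONE: an unsigned AXFR must be refused and a
# TSIG-signed one (dig -k reads the key statement) must return the zone.
verify_transfer() {
    master=$1; keyfile=$2; zone=$3
    if ! dig @"$master" "$zone" AXFR +time=5 | grep -q 'Transfer failed'; then
        echo "unsigned AXFR from $master was NOT refused" >&2; return 1
    fi
    dig @"$master" -k "$keyfile" "$zone" AXFR +time=5 | grep -q 'SOA' \
        || { echo "signed AXFR from $master failed" >&2; return 1; }
    echo "transfer policy on $master is as intended"
}
```

After restarting named, run verify_transfer with the master address, the key file and a zone it serves (for example `verify_transfer 208.67.222.22 /etc/transfer.key your.zone`); the unsigned query must print "; Transfer failed." and the signed one must list the zone records.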
Author Profile
- Lordfrancis3 is a member of PinoyLinux since its establishment in 2011. With a wealth of experience spanning numerous years, he possesses a profound understanding of managing and deploying intricate infrastructure. His contributions have undoubtedly played a pivotal role in shaping the community’s growth and success. His expertise and dedication reflect in every aspect of the journey, as PinoyLinux continues to champion the ideals of Linux and open-source technology. LordFrancis3’s extensive experience remains an invaluable asset, and his commitment inspires fellow members to reach new heights. His enduring dedication to PinoyLinux’s evolution is truly commendable.