Install bind-chroot on both servers
# yum install bind-chroot
On the primary (master) DNS server, generate the shared TSIG key:
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+50029
The output tells us the name of the file containing our new key: in this case
Kmaster-slave.+157+50029.private. The numbers are the DNSSEC algorithm
(157 = HMAC-MD5) and the key's fingerprint (50029), which will probably be different on your machine.
From Kmaster-slave.+157+50029.private we will extract the shared key:
# cat Kmaster-slave.+157+50029.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==
The key here is axdafafFTdafaCSDF090DSDs==; this will be different in your file. Keep track of this file;
we will need it for testing our configuration later.
On both the master and slave name server, create a new file called /var/named/chroot/etc/transfer.key with
the following contents:
key "master-slave." {
    algorithm hmac-md5;
    secret "axdafafFTdafaCSDF090DSDs==";
};
Protect the contents of the transfer.key so only the nameserver can read it and only root can write to it:
# chown root:named /var/named/chroot/etc/transfer.key
# chmod 640 /var/named/chroot/etc/transfer.key
# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key
In /var/named/chroot/etc/named.conf on both the master and slave server, add the following line at the very top of the file:
include "/etc/transfer.key";
On the slave server, prohibit all zone transfers from anywhere by adding this line to your options block:
options {
    allow-transfer { none; };
    // the rest of your existing options stay as they are
};
Slave DNS
# vi /etc/named.conf
Add the following lines:
include "/etc/transfer.key";
server 208.67.222.22 {
    keys { master-slave.; };
};
On the master server, change the allow-transfer line in your options block so the file appears as follows:
# vi /etc/named.conf
include "/etc/transfer.key";
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.1; 208.67.222.22; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; any; };
    allow-transfer { key master-slave.; };
    allow-notify { 208.67.222.23; };
    version "Bind";
};
Now restart named on both servers.
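As an added example (not part of the original post), here is a small POSIX shell script that automates the step from the K*.private file to transfer.key and checks the secret before it is copied to both servers: it reads the Key: and Algorithm: lines out of the .private file, verifies that the base64 secret is well-formed and really is the 128 bits that -b 128 asked for, and writes the key stanza with the algorithm spelled the way named.conf expects. The key file in the demo is constructed (the key tag 12345 and the secret are placeholders, not values from a real server). The verify_transfer function at the end is the test the text above promises: it needs dig and a running master, and is not executed by the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the key {} stanza for
# transfer.key from a dnssec-keygen .private file and sanity-checks the secret.
# The demo key file below is constructed; the key tag 12345 and the secret are
# placeholders, not values from a real server.
set -eu

# Print the value of one "Header: value" line from a .private file.
private_field() {   # $1 = .private file, $2 = header name (Key, Algorithm, ...)
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Map the .private spelling "157 (HMAC_MD5)" to the named.conf spelling "hmac-md5".
named_algorithm() {   # $1 = Algorithm field
    printf '%s\n' "$1" | sed 's/^[0-9]* (\(.*\))$/\1/' | tr 'A-Z_' 'a-z-'
}

# Print the key length in bits encoded by a base64 secret; fail on anything that
# is not well-formed base64 (bad alphabet, stray '=', length not a multiple of 4).
# This catches a secret mangled while being copied between the two servers.
secret_bits() {   # $1 = base64 secret
    body=$1
    pad=0
    while [ "${body%=}" != "$body" ]; do body=${body%=}; pad=$((pad + 1)); done
    [ "$pad" -le 2 ] || return 1
    case "$body" in ''|*[!A-Za-z0-9+/]*) return 1 ;; esac
    len=${#1}
    [ $((len % 4)) -eq 0 ] || return 1
    echo $(( (len / 4 * 3 - pad) * 8 ))
}

# Emit the key stanza with straight quotes (curly quotes pasted from a web page break named.conf).
render_key_stanza() {   # $1 = key name, $2 = named.conf algorithm, $3 = secret
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# Read a .private file and print the matching transfer.key contents, refusing a
# secret that is malformed or not the size dnssec-keygen -b was asked for.
build_transfer_key() {   # $1 = .private file, $2 = key name, $3 = expected bits
    secret=$(private_field "$1" Key)
    alg=$(named_algorithm "$(private_field "$1" Algorithm)")
    bits=$(secret_bits "$secret") || { echo "$1: secret is not valid base64" >&2; return 1; }
    [ "$bits" -eq "$3" ] || { echo "$1: secret is $bits bits, expected $3" >&2; return 1; }
    render_key_stanza "$2" "$alg" "$secret"
}

# Check the finished setup from the slave (needs dig and a running master; not run
# by the demo). Expected: the unsigned AXFR is refused, the TSIG-signed one succeeds.
verify_transfer() {   # $1 = master IP, $2 = zone, $3 = path to the K*.private file
    if dig +time=5 @"$1" "$2" AXFR | grep -q '^;; XFR size'; then
        echo "unsigned AXFR succeeded: allow-transfer on $1 is not key-restricted" >&2
        return 1
    fi
    dig +time=5 -k "$3" @"$1" "$2" AXFR | grep -q '^;; XFR size' ||
        { echo "signed AXFR failed: key name or secret differs between the servers" >&2; return 1; }
    echo "zone $2 transfers from $1 only with TSIG key $(basename "$3")"
}

# Demo with a constructed key file laid out like dnssec-keygen output.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/Kmaster-slave.+157+12345.private" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: QUJDREVGR0hJSktMTU5PUA==
EOF
build_transfer_key "$DEMO_DIR/Kmaster-slave.+157+12345.private" master-slave. 128 \
    > "$DEMO_DIR/transfer.key"
cat "$DEMO_DIR/transfer.key"
```

On a real master, point build_transfer_key at your own K*.private file and redirect the output into /var/named/chroot/etc/transfer.key, then copy that file to the slave over a protected channel; the size check only passes when the secret decodes to exactly the -b value you gave dnssec-keygen. After both servers are restarted, run verify_transfer from the slave with the master's address, your zone name (a placeholder here, the post does not name one) and the .private file. named_algorithm also handles the HMAC-SHA family (for example "165 (HMAC_SHA512)" becomes hmac-sha512), which matters because current BIND releases generate hmac-sha256 TSIG keys by default and HMAC-MD5 is only kept for compatibility.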
Author: Lordfrancis3 (PinoyLinux)