10 August 2014

Overview

There are numerous posts about how to set up ISC BIND to use TSIG for AXFR. A few days ago I found that this setup is more secure than leaving it untouched, but not as secure as it could be.

Configuration

This setup was tested on the version 9.8.

Basic BIND setup

Let’s assume we have one master server and two slave servers using different TSIG keys. I will skip all the other steps and just show the relevant part of the final configuration.

Master server

key "company-tsig-key01" {
    algorithm hmac-md5;
    secret "KeYSJ2wL5ATTk0beyyLAvA==";
};

key "company-tsig-key02" {
    algorithm hmac-md5;
    secret "QM2N0SAM6Wsnkm+47iMUvA==";
};

server 192.168.100.1 {
    keys { "company-tsig-key01"; };
};

server 192.168.200.1 {
    keys { "company-tsig-key02"; };
};

zone "acme.com" in {
    type master;
    file "db.acme.com";
    allow-transfer { 
        key "company-tsig-key01";
        key "company-tsig-key02";
    };
};

First Slave Server

key "company-tsig-key01" {
    algorithm hmac-md5;
    secret "KeYSJ2wL5ATTk0beyyLAvA==";
};

server 192.168.0.1 {
    keys { "company-tsig-key01"; };
};

zone "acme.com" in {
    type slave;
    file "db.acme.com";
    masters { 192.168.0.1; };
    allow-transfer { none; };
};

Second Slave Server

key "company-tsig-key02" {
    algorithm hmac-md5;
    secret "QM2N0SAM6Wsnkm+47iMUvA==";
};

server 192.168.0.1 {
    keys { "company-tsig-key02"; };
};

zone "acme.com" in {
    type slave;
    file "db.acme.com";
    masters { 192.168.0.1; };
    allow-transfer { none; };
};

Done

At this moment you should have a working AXFR with TSIG. Check your logs to see whether it is working.

What’s wrong?

Testing with dig part 1

For testing purposes we will use the dig utility.

The commands we will use are:

dig @192.168.0.1 acme.com. axfr
dig -y hmac-md5:company-tsig-key01:KeYSJ2wL5ATTk0beyyLAvA== @192.168.0.1 acme.com. axfr
dig -y hmac-md5:company-tsig-key02:QM2N0SAM6Wsnkm+47iMUvA== @192.168.0.1 acme.com. axfr

Log in to the first slave and run these commands.

Log in to the second slave and run these commands.

Log in to any other server and run these commands.

The result surprised me the first time. If you know the TSIG key, you can use it to download the zone regardless of the source address. ISC BIND does not use the key-to-server association from the server statement to restrict each key to its particular server.

How to fix it

I do not have a fix I’m happy with, because a key can still be used from any of the allowed server addresses. Let’s define some ACLs and change the master configuration.

acl company-slaves {
    192.168.100.1;
    192.168.200.1;   // the two slaves from the master's server statements
};

acl not-company-slaves {
    !company-slaves;
    any;
};

zone "acme.com" in {
    type master;
    file "db.acme.com";
    allow-transfer {
        !not-company-slaves;
        key "company-tsig-key01";
        key "company-tsig-key02";
    };
};

Testing with dig part 2

Log in to the first slave and run these commands. You should get the same result as in the first test.

Log in to the second slave and run these commands. You should get the same result as in the first test.

Log in to any other server and run these commands. AXFR should be denied for all three commands.
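To see why the original allow-transfer accepts any source that holds a key, and why the nested-ACL trick restricts transfers to the slave addresses while still leaving key01 usable from the second slave, here is a small Python model of how BIND evaluates an address match list; it is an added example written for this post, not BIND's code. It takes the slave addresses from the master's server statements and assumes BIND's rule that a nested ACL which matches negatively counts as "no match" in its parent.

```python
import ipaddress
from typing import Optional

# Constructed from the post's configuration: the two slave addresses are the
# ones named in the master's server statements (192.168.100.1, 192.168.200.1).
ACLS = {
    "company-slaves": ["192.168.100.1", "192.168.200.1"],
    "not-company-slaves": ["!company-slaves", "any"],
}
# The zone's allow-transfer list before and after the post's fix.
ORIGINAL_ALLOW_TRANSFER = ["key company-tsig-key01", "key company-tsig-key02"]
FIXED_ALLOW_TRANSFER = ["!not-company-slaves"] + ORIGINAL_ALLOW_TRANSFER


def match_list(elements, src: str, signer: Optional[str]) -> int:
    """Evaluate an address match list the way BIND does (assumed model).

    Returns +1 (positive match), -1 (negative match, i.e. deny) or 0 (no
    element matched). The first element that matches decides; a '!' prefix
    turns a match into a denial. A nested ACL that matches negatively is
    treated as 'no match' by its parent, so '!not-company-slaves' steps
    aside for a slave address and lets the key elements decide.
    """
    for element in elements:
        negated = element.startswith("!")
        body = element.lstrip("!")
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body.startswith("key "):
            # A key element matches only on the TSIG signer, never on the
            # source address: this is why a leaked key works from anywhere.
            hit = signer == body[4:]
        elif body in ACLS:
            hit = match_list(ACLS[body], src, signer) > 0
        else:
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(body, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def transfer_allowed(allow_transfer, src: str, signer: Optional[str] = None) -> bool:
    """True if an AXFR from src, signed with signer (or unsigned), is accepted."""
    return match_list(allow_transfer, src, signer) > 0


if __name__ == "__main__":
    for src, key in [("10.0.0.5", "company-tsig-key01"), ("192.168.200.1", "company-tsig-key01")]:
        print(src, key, "original:", transfer_allowed(ORIGINAL_ALLOW_TRANSFER, src, key),
              "fixed:", transfer_allowed(FIXED_ALLOW_TRANSFER, src, key))
```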

Final notes

As ISC BIND is a great piece of software, it is complex and multi-purpose. I need pure authoritative DNS servers. I am also using NSD3, where the mapping between keys and servers is more explicit and this situation cannot happen.

There are other authoritative servers such as Knot DNS or YADIFA. They are relatively young, but if they are good enough for ccTLDs, they should be good for my purposes too.

Small testing research

Knot DNS and NSD3 have a mapping between TSIG keys and servers, so you can be sure that a TSIG key cannot be used from another source.

YADIFA has the same behaviour as ISC BIND. I was not able to set up the ACL for YADIFA as described in this post.