TSIG


Available in DNSmanager starting from 5.59

On CentOS 6, update the system sqlite3 package for correct operation:

wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/Application:/Geo/CentOS_6/x86_64/sqlite-3.8.8.1-142.1.x86_64.rpm
yum localinstall sqlite-3.8.8.1-142.1.x86_64.rpm

By default, DNSmanager does not support TSIG (Transaction SIGnature), but you can install a free plug-in in order to enable this feature (only for named).

Log in to DNSmanager as Admin --> Modules --> Click "Install" next to "TSIG".

Make sure that the following commands return valid results:

/usr/local/mgr5/sbin/mgrctl -m dnsmgr pathlist elid=DomainZonesPath
/usr/local/mgr5/sbin/mgrctl -m dnsmgr pathlist elid=named.conf
/usr/local/mgr5/sbin/mgrctl -m dnsmgr pathlist elid=ndc
/usr/local/mgr5/sbin/mgrctl -m dnsmgr paramlist elid=DNS

Once you are done with the plug-in installation, all users and resellers with private name space will be able to enable TSIG support for their name space in the Settings - DNS settings module.


Enable TSIG support (master-server)

This is a master-server. After you enable this mode and click OK, the dnssec-keygen utility generates a key and stores it in the directory /path_to_zone_files/tsig/ in a file named after the view.

An include for that view is added to the named configuration file:

include "/path_to_zone_files/tsig/view_name";

The /path_to_zone_files/tsig/view_name file has the following contents:

key key_name {
    algorithm hmac-md5;
    secret "zX/kOn3OtOeS0cRzR2w15A==";
};

server ip_of_the_slave_server {
    keys { key_name; };
};
.........
server ip_of_the_slave_server {
    keys { key_name; };
};

The IP addresses of the slave servers are removed from the allow-transfer statement of your view and replaced with key key_name. Therefore, only the slave server where the key is located will get records from the master. You can view the key in the Settings -- DNS settings module.

Enable TSIG (slave-server)

This is a slave-server. This means that the master server should support TSIG for name spaces.

Copy the key that you received in the step "Enable TSIG (master server)". Key mask - "domain.name. IN KEY 512 3 157 M8g7MAjWw5c7HG3tXf5HdA==".

An include for that view is added to the named configuration file:

include "/path_to_zone_files/tsig/slave.key_name";

The /path_to_zone_files/tsig/slave.key_name file has the following contents:

key key_name {
    algorithm hmac-md5;
    secret "zX/kOn3OtOeS0cRzR2w15A==";
};

server Master_IP {
    keys { key_name; };
};

Attention! Enabling TSIG support for a name space does not configure the master-slave servers. You can do that in the "Slave servers" module.
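
The following added example (not part of the original page and not DNSmanager's own code) checks a key in the key mask format shown above and renders the matching slave key file, so a mistyped or truncated key is caught before named loads it. The function names, the address 192.0.2.1 and the rule that key_name is the owner name without its trailing dot are assumptions.

```python
import base64
import binascii
import ipaddress
import re

# KEY algorithm number -> named.conf name; only hmac-md5 (157) appears on the page.
ALGORITHMS = {"157": "hmac-md5"}


def parse_key_mask(line):
    """Parse '<name>. IN KEY 512 3 157 <base64>' into (key_name, algorithm, secret)."""
    fields = line.split()
    if len(fields) != 7 or fields[1:5] != ["IN", "KEY", "512", "3"]:
        raise ValueError("expected: <name>. IN KEY 512 3 <algorithm> <secret>")
    owner, alg, secret = fields[0], fields[5], fields[6]
    # Reject names that could break out of the key clause (quotes, braces, ';').
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.?", owner):
        raise ValueError("unexpected characters in key name")
    if alg not in ALGORITHMS:
        raise ValueError("unsupported algorithm number: " + alg)
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64") from exc
    if not raw:
        raise ValueError("empty secret")
    # Assumption: key_name is the owner name without its trailing dot.
    return owner.rstrip("."), ALGORITHMS[alg], secret


def render_slave_key_file(mask_line, master_ip):
    """Return the contents of the slave.key_name file in the layout the page shows."""
    key_name, algorithm, secret = parse_key_mask(mask_line)
    ipaddress.ip_address(master_ip)  # raises ValueError on a malformed address
    return (
        f"key {key_name} {{\n"
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n\n"
        f"server {master_ip} {{\n"
        f"    keys {{ {key_name}; }};\n"
        "};\n"
    )


if __name__ == "__main__":
    # Key mask copied from the page; 192.0.2.1 is a constructed documentation address.
    mask = "domain.name. IN KEY 512 3 157 M8g7MAjWw5c7HG3tXf5HdA=="
    print(render_slave_key_file(mask, "192.0.2.1"))
```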