
Support Secret Key Transaction Authentication for DNS (TSIG)

Status: Open. NotBad4U opened this issue 6 years ago • 0 comments

RFC 2845

Overview

TSIG relies on a secret key, shared between the two servers, which is used to generate an HMAC to ensure that the DNS communication takes place with the expected machine. The rule of sharing a secret key makes it difficult to use, in practice, to communicate with a large number of customers.

Purpose

The DNS has vulnerabilities in many places, including the risk of usurpation, which allows an answer to be falsified when the client gets the response. Moreover, TSIG is a better way than #43 to add security to DNS communication, but harder to implement. Indeed, our DNS library offers a TSIG API.

How to

  • Generate a key: dnssec-keygen -a HMAC-MD5 -b 512 -n HOST <host>
  • Add this to the stream-dns configuration:

For example, BIND configures TSIG like this:

key <host>. {
	algorithm "hmac-md5";
	secret <secret hmac>;
};

  • Query it like this with dig (the -y argument is [hmac:]keyname:secret): dig -y hmac-md5:<host>:<secret hmac> @<ip> example.test

NotBad4U, Dec 04 '19 14:12
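Added example, not stream-dns code and not its DNS library's TSIG API: a standard-library Go sketch of what the server side of this feature has to do for a request, computing the RFC 2845 HMAC-MD5 over the DNS message followed by the "TSIG variables" block and comparing it in constant time. The key name "streamdns-key.", the secret and the timestamp are constructed placeholders; the query builder emits only a header and one question, enough to sign.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"strings"
)

// encodeName turns "example.test." into DNS wire-format labels.
func encodeName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// buildQuery constructs a minimal A query (header + question), the message to sign.
func buildQuery(id uint16, qname string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg, id)
	msg[2], msg[5] = 0x01, 1 // RD set, QDCOUNT = 1
	return append(append(msg, encodeName(qname)...), 0, 1, 0, 1) // QTYPE A, QCLASS IN
}

// tsigVariables: the RFC 2845 section 3.4.2 block hashed after the message (key name,
// CLASS ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error 0, other len 0).
func tsigVariables(keyName string, timeSigned uint64, fudge uint16) []byte {
	v := append(encodeName(keyName), 0x00, 0xff, 0, 0, 0, 0)
	v = append(v, encodeName("hmac-md5.sig-alg.reg.int.")...)
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, timeSigned)
	return append(append(v, ts[2:]...), byte(fudge>>8), byte(fudge), 0, 0, 0, 0)
}

// tsigMAC is the HMAC-MD5 over msg||variables that a request's TSIG RR carries
// (a request has no prior MAC to prepend; a response would prepend the request MAC).
func tsigMAC(secret, msg []byte, keyName string, timeSigned uint64, fudge uint16) []byte {
	m := hmac.New(md5.New, secret)
	m.Write(msg)
	m.Write(tsigVariables(keyName, timeSigned, fudge))
	return m.Sum(nil)
}

// verifyTSIG recomputes the MAC with the shared secret and compares in constant time.
func verifyTSIG(secret, msg, mac []byte, keyName string, timeSigned uint64, fudge uint16) bool {
	return hmac.Equal(mac, tsigMAC(secret, msg, keyName, timeSigned, fudge))
}
```

Because the time-signed field is part of the digest, a replayed message with a different timestamp fails verification just like a tampered message or a wrong secret does; a real implementation additionally checks the timestamp against the fudge window.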