
Option to provide AXFR secret (TSIG)

Open Af0x opened this issue 4 years ago • 9 comments

Hello,

to secure the AXFR transfer I want to request an option to add a TSIG secret in the DNS options.

Best regards,

Af0x

Af0x avatar Oct 11 '21 10:10 Af0x

That would also require including DNSSEC, if I see this correctly.

d00p avatar Oct 11 '21 13:10 d00p

I think those are two different things. Example guide for bind: https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/ Bind manual: https://bind.isc.org/doc/arm/9.11/Bv9ARM.ch04.html#tsig

Summary:

  • create a key file on the master and the slave to define the key and instruct to sign all transactions
  • include that file in the .conf file
  • use the key in the allow-transfer statement of the zone

Af0x avatar Oct 11 '21 13:10 Af0x
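The three steps summarised above, rendered as BIND `named.conf` fragments by a small Python helper. This is an added example, not code from the thread or from Froxlor; the key name `froxlor-axfr`, the zone and the `192.0.2.x` addresses are constructed placeholders.

```python
import base64
import secrets

# Constructed values for the example; choose your own key name and addresses.
KEY_NAME = "froxlor-axfr"   # hypothetical key name
PRIMARY_IP = "192.0.2.10"   # documentation-range address


def generate_tsig_secret(nbytes: int = 32) -> str:
    """Random secret, base64-encoded as BIND expects; 32 bytes suits hmac-sha256."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_statement(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """Step 1: the key clause, identical on master and slave (keep it in a
    root-only file and pull it in with an include statement, step 2)."""
    base64.b64decode(secret, validate=True)  # fail early on a malformed secret
    return (f'key "{name}" {{\n'
            f'    algorithm {algorithm};\n'
            f'    secret "{secret}";\n'
            '};\n')


def primary_zone(zone: str, key_name: str, zonefile: str) -> str:
    """Step 3 on the master: only requests signed with the key may transfer."""
    return (f'zone "{zone}" {{\n'
            '    type master;\n'
            f'    file "{zonefile}";\n'
            f'    allow-transfer {{ key "{key_name}"; }};\n'
            '};\n')


def secondary_config(zone: str, key_name: str, primary_ip: str) -> str:
    """On the slave: sign every request sent to the master with the key."""
    return (f'server {primary_ip} {{ keys {{ "{key_name}"; }}; }};\n'
            f'zone "{zone}" {{\n'
            '    type slave;\n'
            f'    masters {{ {primary_ip}; }};\n'
            f'    file "slaves/{zone}.db";\n'
            '};\n')


if __name__ == "__main__":
    secret = generate_tsig_secret()
    print("# keys file for both servers (step 1)")
    print(key_statement(KEY_NAME, secret))
    print('# step 2: include "/etc/bind/axfr.key"; in named.conf on both servers')
    print(primary_zone("example.com", KEY_NAME, "/etc/bind/example.com.db"))
    print(secondary_config("example.com", KEY_NAME, PRIMARY_IP))
```

The secret must be transported to the slave out of band; the `allow-transfer` clause replaces an IP-only ACL, so an unsigned AXFR from the slave's address is refused.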

According to that guide, if such key is already setup, we'd only need the key "name" for the generated zones.

d00p avatar Oct 11 '21 15:10 d00p

If you mean included with setup, yes. The impact in the conf file is quite minimal. But you need to create that keyfile with the key itself and instructions to use the key "name" for the AXFR slave IP address. What I'm not sure about is if you can use the same key for multiple slaves or if you have to set one key per slave.

Af0x avatar Oct 11 '21 15:10 Af0x

Addition: you are probably right. You just need to define the key and add it to the allow-transfer section of the zone. No need to add the slave in the keyfile, if I read the bind docs correctly:

Once a key has been added to named.conf and the server has been restarted or reconfigured, the server can recognize the key. If the server receives a message signed by the key, it is able to verify the signature. If the signature is valid, the response is signed using the same key.

Af0x avatar Oct 11 '21 16:10 Af0x

That's what I meant. Everything else needs to be done on master AND slave, hence it makes not much sense for froxlor to do that only for the master. Maybe we can provide a small tutorial in our wiki for the creation and integration so people are not totally lost, what do you think?

d00p avatar Oct 11 '21 16:10 d00p

If that feature is present, of course. The slave has to be configured manually anyway. The only thing froxlor needs to do is to include the key / make it possible to use that key in the AXFR field.

Af0x avatar Oct 11 '21 16:10 Af0x

Just to clarify: there has to be some work within froxlor to make use of that key, correct?

Af0x avatar Oct 12 '21 09:10 Af0x

Depends. When froxlor should also do the key-mgmt and creation and named config, then yes. If it's just the key-entry for every zone, then it's not a big deal.

d00p avatar Oct 12 '21 10:10 d00p