Bind 9 Administrator Reference Manual

Chapter 4. Advanced Concepts
In the resolv.conf (or equivalent) on the bastion host(s):
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
4.4. TSIG
This is a short guide to setting up Transaction SIGnatures (TSIG) based transaction security in BIND. It
describes changes to the configuration file as well as what changes are required for different features,
including the process of creating transaction keys and using transaction signatures with BIND.
BIND primarily supports TSIG for server to server communication. This includes zone transfer, notify,
and recursive query messages. Resolvers based on newer versions of BIND 8 have limited support for
TSIG.
TSIG might be most useful for dynamic update. A primary server for a dynamic zone should use access
control to control updates, but IP-based access control is insufficient. Key-based access control is far
superior; see Proposed Standards. The nsupdate program supports TSIG via the -k and -y command-line
options.
4.4.1. Generate Shared Keys for Each Pair of Hosts
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen:
"host1-host2.". The key name must be the same on both hosts.
4.4.1.1. Automatic Generation
The following command will generate a 128-bit (16-byte) HMAC-MD5 key as described above. Longer
keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; keys
longer than that will be digested with MD5 to produce a 128-bit key.
dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
The key is in the file Khost1-host2.+157+00000.private. Nothing directly uses this file, but the
base-64 encoded string following "Key:" can be extracted from the file and used as a shared secret:
Key: La/E5CjG9O+os1jq0a2jdA==
The string "La/E5CjG9O+os1jq0a2jdA==" can be used as the shared secret.
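As an added example (not part of the manual), the following Python parses a constructed .private file in the format dnssec-keygen writes, extracts the secret following "Key:", checks that it is the 128-bit key produced by -b 128, computes the HMAC-MD5 both hosts would derive from the shared secret, and verifies the statement above that keys longer than 512 bits are digested with MD5. The MAC here is taken over raw message bytes for illustration only; the real TSIG digest input also covers the TSIG record fields.

```python
import base64
import hashlib
import hmac

# Constructed sample of Khost1-host2.+157+00000.private as written by
# "dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.". The Key: value is
# the one quoted in the manual; the other lines follow BIND's private-key format.
SAMPLE_PRIVATE_FILE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: La/E5CjG9O+os1jq0a2jdA==
"""


def extract_shared_secret(private_file_text):
    """Return the base64 string following "Key:"; nothing else in the file is needed."""
    for line in private_file_text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line found in private-key file")


def secret_bits(secret_b64):
    """Length in bits of the decoded shared secret (128 for a -b 128 key)."""
    return len(base64.b64decode(secret_b64)) * 8


def tsig_mac(secret_b64, data):
    """HMAC-MD5 over data with the shared secret, as either host would compute it.
    Illustrative: real TSIG also feeds the TSIG record fields into the digest."""
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()


def mac_matches(secret_b64, data, received_mac):
    """Constant-time comparison of a received MAC against the local computation."""
    return hmac.compare_digest(tsig_mac(secret_b64, data), received_mac)


def long_key_is_digested(key_bits):
    """HMAC pre-hashes keys longer than the 64-byte (512-bit) MD5 block, so a key
    over 512 bits and its 128-bit MD5 digest yield identical MACs; a key at or
    below 512 bits is used as-is and the two MACs differ."""
    long_key = bytes(range(256))[: key_bits // 8]  # constructed key material
    digested = hashlib.md5(long_key).digest()
    probe = b"probe"
    return hmac.new(long_key, probe, hashlib.md5).digest() == \
        hmac.new(digested, probe, hashlib.md5).digest()
```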