Bind 9 Administrator Reference Manual
Chapter 4. Advanced Concepts
4.4.1.2. Manual Generation
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid
base-64 strings (assuming the length is a multiple of 4 and only valid characters are used), so the shared
secret can be manually generated.
Also, a known string can be run through mmencode or a similar program to generate base-64 encoded
data.
4.4.2. Copying the Shared Secret to Both Machines
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure
FTP, ssh, telephone, etc.
4.4.3. Informing the Servers of the Key’s Existence
Imagine host1 and host2 are both servers. The following is added to each server’s named.conf file:
    key host1-host2. {
        algorithm hmac-md5;
        secret "La/E5CjG9O+os1jq0a2jdA==";
    };
The algorithm, hmac-md5, is the only one supported by BIND. The secret is the one generated above.
Since this is a secret, it is recommended that either named.conf be non-world readable, or the key
directive be added to a non-world readable file that is included by named.conf.
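The following is an added example (not from the BIND ARM) covering two points above: the manual generation of a base-64 secret described in 4.4.1.2, and the advice here to keep the key directive in a separate file that is not world-readable and include it from named.conf. It generates 16 random bytes, applies the ARM's rule for what counts as a usable base-64 string (length a multiple of 4, only base-64 characters), renders the key statement in named.conf syntax and writes it with mode 0640. The file name, the key name host1-host2. and the temporary directory are assumptions for the demonstration.

```python
import base64
import binascii
import os
import secrets
import stat
import tempfile

# Alphabet of base-64 proper (padding "=" is handled separately).
B64_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def generate_secret(nbytes=16):
    """Return nbytes of random data, base-64 encoded, as a str."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def is_valid_base64(text):
    """The ARM's rule: length a multiple of 4, only base-64 characters,
    '=' padding only at the end (at most two), and the string must decode."""
    if len(text) == 0 or len(text) % 4 != 0:
        return False
    body = text.rstrip("=")
    if len(text) - len(body) > 2:
        return False
    if not all(c in B64_CHARS for c in body):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def key_directive(name, secret, algorithm="hmac-md5"):
    """Render the key statement in named.conf syntax."""
    return 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (
        name, algorithm, secret)


def write_key_file(path, name, secret):
    """Write the key statement so that it is not world-readable (mode 0640).
    named.conf then pulls it in with:  include "<path>";"""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_directive(name, secret))
    os.chmod(path, 0o640)  # the umask may have narrowed the mode; make it definite
    return path


def is_world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Generate a secret, write it to a 0640 file in a temporary directory
    (assumed location) and report what was produced."""
    secret = generate_secret()
    path = os.path.join(tempfile.mkdtemp(), "host1-host2.key")
    write_key_file(path, "host1-host2.", secret)
    with open(path) as fh:
        contents = fh.read()
    return {
        "valid_secret": is_valid_base64(secret),
        "world_readable": is_world_readable(path),
        "contents": contents,
    }


if __name__ == "__main__":
    print(demo()["contents"])
```

The validity check shows why the ARM says "most ASCII strings" rather than "all": "abcdefgh" passes, while a string containing a space or one whose length is not a multiple of 4 does not. The ARM's own sample secret decodes to 16 bytes.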
At this point, the key is recognized: if the server receives a message signed by this key, it can
verify the signature. If the signature verifies, the response is signed with the same key.
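To make the "verify, then sign the response with the same key" behaviour concrete, here is an added example (not from the BIND ARM) that models it with a plain HMAC-MD5 over a message, using the ARM's sample secret. It is a simplified model: the real TSIG record covers the DNS message together with the TSIG fields, which is not reproduced here. The message contents and the exchange function are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac

# The ARM's sample secret, shared by host1 and host2.
SECRET_B64 = "La/E5CjG9O+os1jq0a2jdA=="
KEY = base64.b64decode(SECRET_B64)


def sign(message, key=KEY):
    """HMAC-MD5 of the message under the shared key (simplified TSIG model)."""
    return hmac.new(key, message, hashlib.md5).digest()


def verify(message, mac, key=KEY):
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(sign(message, key), mac)


def server_handle(request, request_mac, response, server_key=KEY):
    """Server side of the exchange: verify the signed request, and only if it
    verifies, sign the response with the same key.
    Returns (accepted, response_mac); response_mac is None when rejected."""
    if not verify(request, request_mac, server_key):
        return False, None
    return True, sign(response, server_key)


if __name__ == "__main__":
    # Constructed sample exchange between host1 (client) and host2 (server).
    request = b"host1 -> host2: update example.com"
    response = b"host2 -> host1: NOERROR"
    accepted, response_mac = server_handle(request, sign(request), response)
    print("accepted:", accepted, "client verifies response:",
          verify(response, response_mac))
```

A request signed under a different key, or altered after signing, is rejected and gets no signed response; a request that verifies gets a response the client can check with the same shared secret.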
4.4.4. Instructing the Server to Use the Key
Since keys are shared between two hosts only, the server must be told when keys are to be used. The
following is added to the named.conf file for host1, if the IP address of host2 is 10.1.2.3:
    server 10.1.2.3 {
        keys { host1-host2.; };
    };