Authenticate Zone Transfers
An XCCDF Rule
Description
If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com Kdns.example.com .+aaa +iiiiiThis output is the name of a file containing the new key. Read the file to find the base64-encoded key string:
$ sudo cat Kdns.example.com .+NNN +MMMMM .key dns.example.com IN KEY 512 3 157 base64-key-stringAdd the directives to
/etc/named.conf on the primary server:
key zone-transfer-key {
algorithm hmac-md5;
secret "base64-key-string ";
};
zone "example.com " IN {
type master;
allow-transfer { key zone-transfer-key; };
...
};
Add the directives below to /etc/named.conf on the secondary nameserver:
key zone-transfer-key {
algorithm hmac-md5;
secret "base64-key-string ";
};
server IP-OF-MASTER {
keys { zone-transfer-key; };
};
zone "example.com " IN {
type slave;
masters { IP-OF-MASTER ; };
...
};
warning alert: Warning
Rationale
The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort.
- ID
- xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers
- Severity
- Medium
- References
- Updated