Politics and Technology.

Thursday, March 26, 2009

nsupdate By Key From RHEL

We have a DNS zone here at DJ that's used for allowing nsupdates, typically in the case of applications with an HA capability between VLANs out on the WAN (when migrating the production IP is not an option).

While we have used ACLs for the allow-update stanza in BIND's named.conf, I wanted to make the push towards key-based authentication. The following how-to is what I did to make that work.

First, generate the key. This will create two files, containing the same key, due to backwards compatibility issues with the library used to create the key. The options to pass to the "dnssec-keygen" tool (part of the bind RPM) are simple. The "-r /dev/urandom" bit below uses the pseudo-random device to generate the key; something perfectly sufficient for this case IMHO. The name you use for the key is not important. Though it looks like an FQDN, it can be "fuzzydice" if you want it to be. The convention in all things BIND seems to be "something.yourdomain.com".

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST -r /dev/urandom some.meaningful.name.com
# ls *meaningful*
Ksome.meaningful.name.com.+157+01885.key Ksome.meaningful.name.com.+157+01885.private

I prefer to copy the key string from the ".private" key file as it doesn't have any spaces in the key string. Its contents would look like this.

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==

The next step is to allow this key's use by named. You will need to edit "named.conf" in at least one place, possibly two.

First, update your "allow-update" line in the zone entry. For example see below.

zone "ha.yourdomain.com" in {
    type master;
    file "db.ha.yourdomain.com";
    forwarders {};
    allow-update { key some.meaningful.name.com; };
};

You can mix ACLs, hosts, and keys on the same "allow-update".

allow-update { key some.meaningful.name.com; my_trusted_acl; };

Secondly, you need to include the key for named to pick up. This is typically done in one of two ways: directly in the "named.conf" file or in an included file. RHEL's named.conf, out of the box, should have the following line.

include "/etc/key.conf";

Ideally, this is where you put the key to avoid a messy "named.conf" but you could put the key directly in. Either way, your entry should look something like this.

key some.meaningful.name.com. {
    algorithm hmac-md5;
    secret "sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==";
};

Don't forget to reload named.

# rndc reload
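
The copy-the-key-string step can be scripted instead of done by hand. The sketch below is an added example, not part of the original post: it reads the ".private" file, prints the matching key stanza, and writes it with owner-only permissions because the file holds the shared secret. The function names and the sample secret are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn a dnssec-keygen ".private"
# file into a named.conf key stanza without hand-copying the secret.

# key_stanza FILE: print the stanza on stdout; return 1 on unusable input.
key_stanza() {
    base=$(basename "$1" .private)
    # File name layout: K<key name>+<algorithm number>+<key id>
    name=${base#K}
    name=${name%+*+*}
    # "Algorithm: 157 (HMAC_MD5)" -> "hmac-md5"; only HMAC (TSIG) keys match.
    alg=$(sed -n 's|^Algorithm: [0-9]* (\(HMAC_[A-Z0-9]*\))$|\1|p' "$1" |
        tr 'A-Z_' 'a-z-')
    # Accept only base64 characters so nothing else lands inside the quotes.
    secret=$(sed -n 's|^Key: \([A-Za-z0-9+/=]*\)$|\1|p' "$1")
    if [ -z "$name" ] || [ -z "$alg" ] || [ -z "$secret" ]; then
        echo "key_stanza: $1 is not a usable HMAC key file" >&2
        return 1
    fi
    printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$name" "$alg" "$secret"
}

# install_key FILE DEST: write the stanza to DEST with owner-only permissions.
# Assumption: you then adjust ownership so that the named user can read DEST.
install_key() {
    stanza=$(key_stanza "$1") || return 1
    ( umask 077 && printf '%s\n' "$stanza" > "$2" ) && chmod 600 "$2"
}

# Constructed sample input: file name from the post, made-up secret.
make_sample() {
    printf '%s\n' 'Private-key-format: v1.2' 'Algorithm: 157 (HMAC_MD5)' \
        'Key: Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ==' \
        > "$1/Ksome.meaningful.name.com.+157+01885.private"
}

tmp=$(mktemp -d)
make_sample "$tmp"
install_key "$tmp/Ksome.meaningful.name.com.+157+01885.private" "$tmp/key.conf"
cat "$tmp/key.conf"
rm -rf "$tmp"
```

A file whose "Algorithm" line does not name an HMAC key, or whose "Key" line is missing, is rejected and no destination file is written.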

Now that was the hard part. The easy part is to actually use the key. The "nsupdate" tool is well documented in RHEL's man page, so I'll just show an example case. What isn't so well documented is that you need BOTH ".key" and ".private" files even though you only refer to one on the command line. Keep both of those files in the same directory.

# nsupdate -k Ksome.meaningful.name.com.+157+01885.private
> server
> update delete virtualhost.ha.yourdomain.com. CNAME
> update add virtualhost.ha.yourdomain.com. 300 CNAME virtualhost.otherdc.yourdomain.com.
> send
> quit

You can script this action by putting the nsupdate commands in a "conf" file that is passed to "nsupdate" as an option.
