BIND 9 rndc hints (was: [rescue] Tricking DNS)

Loomis, Rip rescue at sunhelp.org
Mon Oct 22 11:59:35 CDT 2001


An excerpt follows from the cookbook we created and use
both in-house and for training.  Note that this is based
on using the built-in entropy source for the BIND 9.1.x
internal OpenSSL implementation.  Ideally you should be
using PRNGd or something similar for
entropy...

Also, the rules below have worked since (at least) 9.1.0, but
BIND 9.1.3 will by default try to use an rndc.key file in the
same directory as /etc/named.conf if no other key is available.
I still recommend that you do the longer procedure below--
that way it's obvious to anyone who looks at named.conf
where the heck that rndc key came from.

=-=-=-=-=
3.1	Create a configuration file for rndc to hold the required,
shared secret key.  The default location for the rndc configuration
file is /etc/rndc.conf (or /usr/local/etc/rndc.conf depending
on the options passed to configure)

A sample minimal rndc configuration file is as follows:
  key rndc_key {
    algorithm "hmac-md5";
    // the secret is one base64 string and must stay on a single line
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
  };
  options {
    default-server localhost;
    default-key rndc_key;
  };

3.2	Modify the named.conf file to use the shared secret key, by
adding a new "control" directive.
  controls {
    // the key name referenced here must match the key statement below
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
  };
  key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
  };

3.3	Note that the configuration files above will work verbatim
for initial testing, but that the secret keys listed in those files
should not be used on production systems.  New HMAC-MD5 secrets
should be generated for rndc on each DNS server system using
dnssec-keygen.  Note that since all you're using from the files
generated by dnssec-keygen (*.key and *.private files) is
the "raw" key string, you don't really need to worry about what
"entity name" you provide with the -n option to dnssec-keygen.

  ns1# dnssec-keygen -a hmac-md5 -b 128 -n HOST mytestkey
  ns1# start typing: [[TYPE AS REQUIRED UNTIL TOLD TO STOP]]
  ns1# stop typing.
  ns1# Kmytestkey.+157+NNNNN
  ** Adding dot to the name to make it fully qualified domain name**
  Generating 128 bit HMAC-MD5 Key for mytestkey.
 
  Generated 128 bit Key for mytestkey. id=0 alg=157 flags=513

  ns1#

For the example above, the file Kmytestkey.+157+NNNNN.key contains 

  mytestkey. IN KEY 512 3 157 MLenGxvcv1ClOvZ73JtZMg==

of which the last section ( MLenGxvcv1ClOvZ73JtZMg== ) is the actual
TSIG secret key.

=-=-=-=-=
You can also do things like reloading specific zones
without restarting the whole doggone nameserver...which
can be a big bonus on major production nameservers.
BIND 9.2.0 will finally include man pages that format
properly under Solaris ("man" macros to *roff instead
of "mandoc")...let me know if you need the ones for 9.1.3
in their reformatted form in the interim.

Hope this helps, and feel free to send me questions--

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com  [Transcript 1923411]
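As an added example (not from the original post and not part of BIND), the following POSIX shell script carries out steps 3.1 to 3.3 in one go: it draws a fresh 128-bit secret from the kernel's entropy source instead of dnssec-keygen's typed-entropy prompt, writes rndc.conf and the named.conf key/controls fragment from a single key name so the two cannot drift apart (the `rndc key` vs `rndc_key` mismatch), keeps the files mode 600, and checks that both files agree. The output file names, the /dev/urandom source and the named.conf include-fragment layout are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's or ISC's code.
# Assumptions: /dev/urandom and the coreutils base64 tool are available;
# the named.conf fragment is written to $OUTDIR/rndc-controls.conf for
# the administrator to include from named.conf.
set -eu

# 16 random bytes, base64-encoded on one line: a 128-bit HMAC-MD5 secret
# in the same form dnssec-keygen puts in the K*.key file.
gen_secret() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_files OUTDIR KEYNAME SECRET
# Writes rndc.conf (step 3.1) and the controls/key fragment (step 3.2)
# from the same key name and secret. The umask makes both files mode 600.
write_rndc_files() {
    outdir=$1; keyname=$2; secret=$3
    umask 077
    cat > "$outdir/rndc.conf" <<EOF
key $keyname {
  algorithm "hmac-md5";
  secret "$secret";
};
options {
  default-server localhost;
  default-key $keyname;
};
EOF
    cat > "$outdir/rndc-controls.conf" <<EOF
controls {
  inet 127.0.0.1 allow { localhost; } keys { $keyname; };
};
key $keyname {
  algorithm "hmac-md5";
  secret "$secret";
};
EOF
}

# check_rndc_files OUTDIR: succeeds only when both files carry the same
# non-empty secret and the key named in "controls" is the one defined.
check_rndc_files() {
    outdir=$1
    s1=$(sed -n 's/^ *secret "\(.*\)";/\1/p' "$outdir/rndc.conf")
    s2=$(sed -n 's/^ *secret "\(.*\)";/\1/p' "$outdir/rndc-controls.conf")
    k_ctl=$(sed -n 's/.*keys { *\([^ ;]*\) *; *}.*/\1/p' "$outdir/rndc-controls.conf")
    k_def=$(sed -n 's/^key \([^ ]*\) {.*/\1/p' "$outdir/rndc-controls.conf")
    [ -n "$s1" ] && [ "$s1" = "$s2" ] && [ "$k_ctl" = "$k_def" ]
}
```

Typical use is `write_rndc_files /etc rndc_key "$(gen_secret)"` followed by `check_rndc_files /etc` before reloading named.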


> -----Original Message-----
> From: Bill Bradford [mailto:mrbill at mrbill.net]
> Sent: Monday, 22 October, 2001 11:35

> Whats the proper procedure for generating the rndc key and 
> config file?
> 
> I've got BIND9 running; I just have to kill/restart it to get it to 
> reload zones, etc... so rndc would be nice. 8-)
