Genning up TSIG keys for DNS UPDATE messages


  • Thu 06 November 2014
  • misc

As awesome as they are, not everyone wants to use DynDNS or similar services, mostly because we run our own nameservers and want to update zones hosted there.

The way you do this in a reasonably secure (and interoperable) way is with a transaction signature with a (quaintly old fashioned) signature protocol called HMAC-MD5. More recent versions of BIND support HMAC-SHA, HMAC-SHA256, etc. But this is one of those "MD5 is probably good enough" situations, at least until SHA-256 is pretty much pervasive. Which might be soon - I might only be using HMAC-MD5 out of (bad) habit.

Anyway, every time I have to gen some keys I forget the syntax so I have to google it up. That's why I'm posting about it here. Next time I'll be able to look on my own blog for the answer. Hooray!

The syntax looks like this:

merlot:tmp rs$ dnssec-keygen -a HMAC-MD5 -b 128 -n HOST foohost.example.com-20141106-00
Kfoohost.example.com-20141106-00.+157+32952
merlot:tmp rs$

Most of the examples you see out there have "rndc-key" for the name. In truth you can put whatever you want there, and if you're only genning up a single key you're probably fine. But back when I was at Afilias I got into the habit of putting something actually useful there including the name of the host that's being updated (or in another application, the name of the host doing the zone transfer) and the date in ISO-8601 format. Remember that the name is both part of the ingredients to the HMAC and needs to be carried forward into your configuration file, so why not make it something actually useful?

Now we have two files:

merlot:tmp rs$ ls -la
total 16
drwxr-xr-x   4 rs  staff   136 Nov  6 12:05 .
drwxr-xr-x+ 55 rs  staff  1870 Nov  6 09:19 ..
-rw-------   1 rs  staff    75 Nov  6 12:05 Kfoohost.example.com-20141106-00.+157+32952.key
-rw-------   1 rs  staff   165 Nov  6 12:05 Kfoohost.example.com-20141106-00.+157+32952.private
merlot:tmp rs$

Unfortunately, neither of them is formatted in the way we want, but we can cut and paste to make a BIND configuration fragment like so:

merlot:tmp rs$ cat Kfoohost.example.com-20141106-00.+157+32952.key
foohost.example.com-20141106-00. IN KEY 512 3 157 24z1PFoyhfDgFb20HqMNwQ==
merlot:tmp rs$ 

And the fragment looks like this:

key "foohost.example.com-20141106-00" {
    algorithm hmac-md5 ;
    secret "24z1PFoyhfDgFb20HqMNwQ==" ;
} ;

and you could reference it later as follows:

zone "example.com" {
        type master;
        allow-transfer { rs-axfr; } ;
        file "master/rs/example.com.zone" ;
        update-policy {
        grant "foohost.example.com-20141106-00" name foohost.example.com. A AAAA TXT ;
        }
} ;

Easy!

Next blog entry is a client for sending updates to a nameserver so-configured.