Perhaps it seems easy to you, but it was not for me at the beginning, even though I am already running a BIND9 master/BIND9 slave setup.
We begin with the TSIG key, generated on the master DNS server. The file holds a shared secret, so make it readable only by root and the user named runs as:
root@Sagitarius:~# tsig-keygen mykey > /etc/bind/keys/mykey.key
root@Sagitarius:~# cat /etc/bind/keys/mykey.key
key "mykey" {
    algorithm hmac-sha256;
    secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};
root@Sagitarius:~#
Now we reference the key in “named.conf.local” on the master:
root@Sagitarius:/etc/bind# cat named.conf.local
[...]
// Specify the key to use and its HMAC algorithm
include "/etc/bind/keys/mykey.key";
// Address of the slave server; BIND signs the messages it sends there (NOTIFY included) with this key
server 192.168.1.81 {
    keys { mykey; };
};
[...]
zone "my-blah-zone.fr" {
    type master;
    file "/etc/bind/my-blah-zone.fr.zone";
    allow-transfer { 192.168.1.81; key mykey; };
    notify yes;
};
[...]
A word on that allow-transfer line: a BIND address match list stops at the first element that matches, so the bare 192.168.1.81 entry lets anything arriving from that address pull the zone without a signature; the key is only checked for other sources. If the TSIG signature is meant to be mandatory, keep only `key mykey;` in the list (the BIND ARM documents a nested, negated list for the case where you want to require both the source address and the key).
Last step: check the syntax with named-checkconf, then reload:
root@Sagitarius:~# rndc reload
root@Sagitarius:~#
OK, good. Now let's see how it is configured on the NSD host.
It's really easy:
clucas@slave:/etc/nsd$ cat /etc/nsd/nsd.conf.d/secondaries/my-blah-zone.fr.conf
key:
    name: "mykey"
    algorithm: hmac-sha256
    secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="

zone:
    # this server is secondary, 192.168.1.43 is master.
    name: my-blah-zone.fr
    allow-notify: 192.168.1.43 mykey
    request-xfr: 192.168.1.43 mykey
Now check the configuration (the main nsd.conf has to include: the nsd.conf.d/secondaries/ directory for this snippet to be read at all), reload NSD and look at its status:
nsd-checkconf /etc/nsd/nsd.conf
nsd-control reload
nsd-control status
nsd-control status only tells you the daemon is up; nsd-control zonestatus my-blah-zone.fr shows whether the zone has actually been transferred, and comparing the SOA serial on both hosts with dig confirms they are in sync.
It seems easy, but it took me a long time to see that all of the items below must be identical on both servers:
- name of the key
- algorithm
- secret
Easy as hell!
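Since the three fields above must match byte for byte, the least error-prone way to get them onto the NSD host is to derive the NSD key: stanza from the BIND key file rather than retype it. The script below is an added example, not part of the original post: it parses the stanza that tsig-keygen writes, emits the matching NSD key: block, builds the argument for dig -y, and prints the two zone-transfer checks a practitioner would run from the secondary (a signed AXFR that must succeed, an unsigned one that must be refused when allow-transfer lists only the key). The function names are this example's own, the sample key file is constructed inline in the shape of tsig-keygen output, and the secret is the one shown on the page, not a key to reuse.

```shell
#!/bin/sh
# Added example (not from the original post): derive the NSD "key:" stanza and
# a dig TSIG argument from the BIND key file written by tsig-keygen, so that
# key name, algorithm and secret cannot drift between master and secondary.
# Function names and file layout are this example's own choices.
set -eu

# bind_key_field FILE FIELD -> value of FIELD (key|algorithm|secret) in a
# tsig-keygen style stanza:  key "mykey" { algorithm hmac-sha256; secret "..."; };
# Works whether the stanza is on one line or several; fails if FIELD is absent.
bind_key_field() {
    v=$(awk -v f="$2" '
        { for (i = 1; i < NF; i++)
              if ($i == f) { v = $(i + 1); gsub(/[";{}]/, "", v); print v; exit } }
    ' "$1")
    if [ -z "$v" ]; then
        echo "bind_key_field: field '$2' not found in $1" >&2
        return 1
    fi
    printf '%s\n' "$v"
}

# nsd_key_stanza FILE -> the key: block for nsd.conf, values copied verbatim.
nsd_key_stanza() {
    printf 'key:\n    name: "%s"\n    algorithm: %s\n    secret: "%s"\n' \
        "$(bind_key_field "$1" key)" \
        "$(bind_key_field "$1" algorithm)" \
        "$(bind_key_field "$1" secret)"
}

# dig_tsig_arg FILE -> argument for `dig -y`, in the form algorithm:name:secret.
dig_tsig_arg() {
    printf '%s:%s:%s\n' \
        "$(bind_key_field "$1" algorithm)" \
        "$(bind_key_field "$1" key)" \
        "$(bind_key_field "$1" secret)"
}

# transfer_checks FILE MASTER ZONE -> the two dig commands to run from the
# secondary: a signed AXFR that must succeed, and an unsigned one that must be
# refused when allow-transfer lists only the key. Printed, not executed, so
# the example stays offline.
transfer_checks() {
    printf 'dig @%s %s AXFR -y %s\n' "$2" "$3" "$(dig_tsig_arg "$1")"
    printf 'dig @%s %s AXFR   # expect: Transfer failed / REFUSED\n' "$2" "$3"
}

# Constructed sample input with the same shape as tsig-keygen output; the
# secret is the one shown on the page, not a key to reuse anywhere.
SAMPLE_KEY_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_KEY_FILE"' EXIT
cat > "$SAMPLE_KEY_FILE" <<'EOF'
key "mykey" {
    algorithm hmac-sha256;
    secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};
EOF

nsd_key_stanza "$SAMPLE_KEY_FILE"
transfer_checks "$SAMPLE_KEY_FILE" 192.168.1.43 my-blah-zone.fr
```

Point bind_key_field at the real /etc/bind/keys/mykey.key on the master and redirect nsd_key_stanza into the secondary's config snippet; the printed dig commands are the quickest way to confirm both that the key works and that an unsigned transfer is actually refused.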
PS: All of this can be driven by Ansible, but that is another story.
Bind9 as master DNS server, NSD as backup with TSIG.