The Men & Mice Blog


Generating TSIG key for BIND 10

  
  
  
  

The first Release Candidate of the new DNS and DHCP server from ISC, BIND 10 (http://bind10.isc.org) was released on February 15, 2013.

Men & Mice is monitoring and supporting the BIND 10 development, and as part of that, our engineers sometimes create little helpful tools to share with the community.

TSIG keys

TSIG is short for Transaction Signatures, defined in RFC 2845 "Secret Key Transaction Authentication for DNS (TSIG)". TSIG is primarily used to authenticate DNS zone transfers between DNS servers, and to secure dynamic DNS updates.

BIND 10 supports TSIG for both zone transfer and dynamic updates, but it does not contain a tool to create the TSIG keys. While it is possible to use the tools from BIND 9 (https://www.isc.org/wordpress/software/bind/) or ldns (ldns-keygen, http://www.nlnetlabs.nl/projects/ldns/), installing these tools along with BIND 10 might be too much overhead.

Men & Mice engineers have written a small tool in Python called b10-gentsigkey.py (https://github.com/menandmice/b10-gentsigkey).

By default, the tool creates a 128-bit HMAC-MD5 key and prints it to the screen:

# b10-gentsigkey.py example.com
example.com:rc4VdlEPMFan4D+9icDEkg==:hmac-md5

b10-gentsigkey options:

Usage: b10-gentsigkey.py [--help | options] name
Options:
  -h, --help            show this help message and exit
  -a ALGORITHM, --algorithm=ALGORITHM
                        algorithm for the TSIG key
  -b SIZE, --bytes=SIZE
                        size of the key
  -f                    print bindctl CLI command

b10-gentsigkey supports all the TSIG algorithms that are also supported by BIND 10 ('hmac-md5', 'hmac-sha1', 'hmac-sha224', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512').

With the "-f" (Format) switch, the tool prints the bindctl commands that enter the TSIG key into the BIND 10 configuration. These commands can be copied and pasted into the bindctl command line:

# b10-gentsigkey.py -a hmac-sha256 -b 256 -f example.de
config add tsig_keys/keys "example.de:M2nrsQWVEAuAfm67U2Gdfj2dFfJIPay9ZFMukXSSCiY=:hmac-sha256"
config commit

This output can also be piped directly into bindctl:


# b10-gentsigkey.py -a hmac-sha1 -b 256 -f example.com | bindctl
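
The following Python example is added here and is not the b10-gentsigkey source: it builds a key string in the name:secret:algorithm format shown above from the operating system's CSPRNG, and checks an existing key string, warning when the secret is shorter than the algorithm's digest (which RFC 2104 discourages). The function names, the hmac-sha256 default, the restriction on key-name characters and the size-in-bits parameter (matching the -b 256 example, which yields a 32-byte secret) are assumptions of this example.

```python
import base64
import binascii
import re
import secrets

# Algorithms the article lists for BIND 10 -> digest size in bytes.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
# Assumption: key names are plain DNS-style labels, so quotes, colons and
# whitespace cannot leak into the generated bindctl command.
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def generate_tsig_key(name, algorithm="hmac-sha256", bits=None):
    """Return 'name:base64secret:algorithm' with a CSPRNG-generated secret."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid key name")
    if algorithm not in DIGEST_BYTES:
        raise ValueError("unsupported algorithm: " + algorithm)
    if bits is None:
        bits = DIGEST_BYTES[algorithm] * 8  # default: as long as the digest
    if bits <= 0 or bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    secret = secrets.token_bytes(bits // 8)  # OS CSPRNG, not the random module
    return ":".join((name, base64.b64encode(secret).decode("ascii"), algorithm))


def check_tsig_key(key):
    """Validate a key string; return (name, secret_len, algorithm, warnings)."""
    parts = key.split(":")
    if len(parts) != 3 or not NAME_RE.fullmatch(parts[0]):
        raise ValueError("expected name:secret:algorithm")
    name, b64, algorithm = parts
    if algorithm not in DIGEST_BYTES:
        raise ValueError("unsupported algorithm: " + algorithm)
    try:
        secret = base64.b64decode(b64, validate=True)
    except binascii.Error:
        raise ValueError("secret is not valid base64") from None
    warnings = []
    if len(secret) < DIGEST_BYTES[algorithm]:  # RFC 2104 discourages this
        warnings.append("secret is shorter than the %s digest" % algorithm)
    return name, len(secret), algorithm, warnings


def bindctl_commands(key):
    """Format a validated key the way the article's -f output looks."""
    check_tsig_key(key)
    return 'config add tsig_keys/keys "%s"\nconfig commit' % key
```

The printed key string is a shared secret: anyone who can read it can sign zone transfers or dynamic updates under that key name, so keep it out of shell history, logs and world-readable files.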

We hope to bring a similar command into the BIND 10 CLI (bindctl), so that no external tool is required to create TSIG keys.

Until then, enjoy this little tool.

If you are interested in learning more about BIND 10, Men & Mice is working closely with ISC to deliver the first industry training on this new version of the BIND name server software in Amsterdam, Netherlands, from February 20th to 21st, 2013. You can learn more about it on the Men & Mice BIND 10 workshop page.
 
