Automatic Configuration of Slave Nameservers (BIND 9.7.2 only)

Similar documents
How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Securing an Internet Name Server

Integrating SAP BusinessObjects with Hadoop. Using a multi-node Hadoop Cluster

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Moving to Plesk Automation 11.5

Solaris Networking Guide. Stewart Watkiss. Volume. New User To Technical Expert Solaris Bookshelf. This document is currently under construction

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

Enterprise Manager. Version 6.2. Installation Guide

Deploying & Configuring a DNS Server on OpenServer 6 or UnixWare 7. Kirk Farquhar

Building a Linux IPv6 DNS Server

Configuration Guide BES12. Version 12.1

SAIP 2012 Performance Engineering

Device Log Export ENGLISH

BlackBerry Enterprise Service 10. Version: Configuration Guide

Configuration Guide BES12. Version 12.2

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Healthstone Monitoring System

Networking Domain Name System

OnCommand Performance Manager 1.1

Networking Domain Name System

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

Application Servers - BEA WebLogic. Installing the Application Server

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

CA Performance Center

Advanced Internetworking

Sample copy. Introduction To WebLogic Server Property of Web 10.3 Age Solutions Inc.

Table of Contents. Requirements and Options 1. Checklist for Server Installation 5. Checklist for Importing from CyberAudit

AdWhirl Open Source Server Setup Instructions

Products, Features & Services

Discovery Guide. Secret Server. Table of Contents

User Manual of the Pre-built Ubuntu Virutal Machine

Basic Exchange Setup Guide

How To - Implement Single Sign On Authentication with Active Directory

Using Webmin and Bind9 to Setup DNS Sever on Linux

Configuration Guide BES12. Version 12.3

Monitoring Oracle Enterprise Performance Management System Release Deployments from Oracle Enterprise Manager 12c

Installation of MicroSoft Active Directory

Sophos Mobile Control Installation guide. Product version: 3.5

Domain Name System Security

NGASI Shared-Runtime Manager Administration and User Guide WebAppShowcase DBA NGASI

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Plesk 11 Manual. Fasthosts Customer Support

FaxCore 2007 Getting Started Guide (v1.0)

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

TANDBERG MANAGEMENT SUITE 10.0

Configuring Nex-Gen Web Load Balancer

Parallels Plesk Automation

Red Hat system-config-bind BIND (Berkeley Internet Name Domain) DNS ( Domain Name System)

IMF Tune Quarantine & Reporting Running SQL behind a Firewall. WinDeveloper Software Ltd.

PowerChute TM Network Shutdown Security Features & Deployment

SOA Software API Gateway Appliance 7.1.x Administration Guide

StoreGrid Backup Server With MySQL As Backend Database:

Oracle EXAM - 1Z Oracle Weblogic Server 11g: System Administration I. Buy Full Product.

EMC XDS Repository Connector for ViPR

Sophos Mobile Control Installation guide. Product version: 3.6

Configuring MailArchiva with Insight Server

Create WebLogic Cluster application Prerequisites From Application director import-export service... 2

Secure Messaging Server Console... 2

Project Management (PM) Cell

Simba XMLA Provider for Oracle OLAP 2.0. Linux Administration Guide. Simba Technologies Inc. April 23, 2013

Installing and Using the vnios Trial

Ciphermail for BlackBerry Quick Start Guide

Kony MobileFabric. Sync Windows Installation Manual - WebSphere. On-Premises. Release 6.5. Document Relevance and Accuracy

13.1 Backup virtual machines running on VMware ESXi / ESX Server

Configuration Guide. BES12 Cloud

Networking Domain Name System

SoftNAS Application Guide: In-Flight Encryption 12/7/2015 SOFTNAS LLC

Installation Guidelines (MySQL database & Archivists Toolkit client)

Table of Contents. Cisco Cisco VPN Client FAQ

Sophos Mobile Control Installation guide. Product version: 3

Defeating Firewalls : Sneaking Into Office Computers From Home

Table of Contents. This whitepaper outlines how to configure the operating environment for MailEnable s implementation of Exchange ActiveSync.

Apache Hadoop 2.0 Installation and Single Node Cluster Configuration on Ubuntu A guide to install and setup Single-Node Apache Hadoop 2.

Installing The SysAidTM Server Locally

User Manual of the Pre-built Ubuntu 9 Virutal Machine

JAMF Software Server Installation Guide for Linux. Version 8.6

1z0-102 Q&A. DEMO Version

escan SBS 2008 Installation Guide

Upgrade Guide BES12. Version 12.1

LICENSE4J AUTO LICENSE GENERATION AND ACTIVATION SERVER USER GUIDE

freesshd SFTP Server on Windows

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

OCS Training Workshop LAB14. Setup

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

File S1: Supplementary Information of CloudDOE

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

DNS at NLnet Labs. Matthijs Mekking

F-SECURE MESSAGING SECURITY GATEWAY

BroadSoft BroadWorks ver. 17 SIP Configuration Guide

3. Installation and Configuration. 3.1 Java Development Kit (JDK)

SOSFTP Managed File Transfer

LICENSE4J FLOATING LICENSE SERVER USER GUIDE

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

Transcription:

DNSSHIM 1 DNSSHIM is an open-source software that implements the Domain Name Name System (DNS) protocol for the Internet. Its main feature is to work as a Hidden Master nameserver, that is, provide information only to authoritative slave servers. Furthermore he has the ability to manage, store and automatically resign zones using the security extension DNSSEC. Features DNSSEC Zone Transfer via AXFR and IXFR TSIG Support Zone Notification with DNS NOTIFY Automatic Configuration of Slave Nameservers (BIND 9.7.2 only) Compatibility DNSSHIM follows the standards defined by RFCs for communication with the slave servers, which includes zone transfer via AXFR or IXFR, using TSIG keys. That makes DNSSHIM compatible to work with most major nameservers software on the market. The feature of automatic configuration of slave nameservers is currently available only for servers running BIND. 1 Migration from version 1.x IMPORTANT: If you are a new user skip this section, otherwise please save all DNSSHIM files located under DNSSHIM HOME directory before migrate all data from DNSSHIM 1.x to DNSSHIM 2.x. It s important to notice that DNSSHIM 2+ uses MySQL to store all metadata like slaves and slave-groups, DNSKEYs, DNSSHIM s users and so on. All resource records and private keys are still stored on filesystem. To migrate DNSSHIM 1.x data to DNSSHIM 2 (or newer) it s necessary to run the following steps: Make sure you have a MySQL 5+ server running on a accessible machine. 1 Version: Rev : 1498 1

Edit the file xfrd.properties located under DNSSHIM HOME/xfrd/conf directory and add the entries: database dialect=org.hibernate.dialect.mysql5innodbdialect database driver class=com.mysql.jdbc.driver database host=db host database name=db name database password=db password database port=db port database username=db username database vendor=mysql Create a new database with the same name given on xfrd.properties file. Run the migration utility: java -jar db-migration.jar 2 Installation This document contains information for the compilation and installation of DNSSHIM. All instructions are valid for all platforms and operating systems that have a Java Virtual Machine (JVM) installed and configured correctly. 2.1 Requirements 2.1.1 Basic Requirements The following requirements are necessary to use: JRE 6 (or greater) MySQL 5 (or greater) 2.1.2 Automatic Configuration of Slaves (OPTIONAL) In order for the automatic configuration of slave nameservers to work, the following tools are required: Server Hidden Master 1. SSH client 2. Rsync 3. Bourne Shell 2

Server Slave 1. SSH server 2. Rsync 3. Bind (with DNSSEC bis support) 2.2 Download All DNSSHIM files, including source, binaries and docs, can be downloaded at http://registro.br/dnsshim/. 2.3 Configuring DNSSHIM configuration files, by default, are located under the user s home directory. To change it, you can set an enviroment variable named DNSSHIM HOME. In order to provide a more scalable architecture all files related to zones are hashed and stored under a three level directory structure. This behaviour exists in both main directories under DNSHIM HOME: /xfrd and /signer: 2.3.1 Signer All signer configuration files and private keys are located under the signer directory. Each zone managed by DNSSHIM has a private key located under: The key name format is: signer/first LEVEL/SECOND LEVEL/THIRD LEVEL YYYYMMDDHHmmSS -ZSK-257-KEYTAG.private All key files are extremely important, keep them safe. The file signer.properties has two entries described below: allowed hosts regex: An regular expression that defines which IP address can access signer. The default value is.+ (anyone) server port: The port signer server will listen on. 3

2.3.2 XFRD Server All XFRD configuration files are located under the xfrd directory. This directory holds public keys, zone informations like resource records and individual properties, main server configurations and slave informations. The file xfrd.properties is the main configuration file for XFRD. All entries are described bellow: allowed hosts regex An regular expression that defines which IP address is allowed to access XFRD server. The default value is.+ (anyone). database dialect The database dialect. By now, DNSSHIM uses org.hibernate.dialect.mysql5innodb as default value. You can change it at your own risk. database driver class The driver used to communicate with database. By now DNSSHIM uses MySQL and the value should be com.mysql.jdbc.driver. database host The host where database is running. This value can be a IP address or hostname. database name The database name where DNSSHIM s data are stored database password The password used to connect to the database database port The port used by database server database username Username used to connect with database database vendor The database vendor. Use mysql as default value dns server port The TCP and UDP port that listen DNS queries. Default value is 53. scheduler high priority (in hours) All signatures that expire in less than scheduler high priority will be resigned immediately. Default is 120 hours (5 days). scheduler low priority (in hours) All signatures that expire between scheduler high priority and scheduler low priority will be rescheduled for resigning in some time within that interval. Default is 240 hours (10 days). signer cert file The file that contains a TLS certificate. By default the communication between xfrd and signer uses an embedded TLS certificate. signer cert password Only necessary if the option above (signer cert file) is defined. signer host Host where signer server is running. Default value is localhost. signer port The TCP port that the signer server is listen. Default is 9797. shutdown secret A secret used to gently shutdown the DNSSHIM xfrd server. This can be any string. 4

slave user User used by SlaveSync.sh script to connect to slaves. Change it if you want enable automatic provisioning. Default is empty. tsig fudge The default fudge value for outgoing packets. ui cert file The TLS certificate file used in communications between xfrd server and client. By default the communication use an embedded TLS certificate. ui cert password Only necessary if the option above (ui cert file) is defined. ui port The TCP port where the server will receive client s requests. slave sync enabled (true or false) If true the server will execute SlaveSync.sh script in order automatically configure slave nameservers. slave sync period (in seconds) The period that the server rewrites zone configuration files used for configuration of the slaves. This option is only necessary if slave sync enabled option is true. slave sync path The path where the script SlaveSync.sh is located. Default value is./slavesync.sh. rndc path Path where the rndc utility is located. Default value is /usr/sbin/rndc. rndc port Port rndc connects on the slave servers. Default value is 953. 3 Client In order to interact with DNSSHIM, it is necessary to have a client that supports its protocol. A python client library, named pydnssshim,that fully supports all commands, is distributed separately and is available at the DNSSHIM website. You are free to use it or implement your own client. Please visit DNSSHIM website for more information about clients. 4 Deployment Starting Signer $ java -jar -Dlog4j.configuration=log4j-signer.properties dnsshim-signer.jar 2 Starting XFRD Server $ java -jar -Dlog4j.configuration=log4j-xfrd.properties dnsshim-xfrd.jar Important note: in order to start using DNSSHIM effectively, you must create a user and login to the server. These operations, as well as many others, should be performed by a client application. For more information see the section 3. 2 For convenience, DNSSHIM comes with two log4j pre-configured files. If you prefer you can use your own. 5

4.1 Troubleshooting Could not determine local IP address. Using loopback In the /etc/hosts file, check the IP address for the hostname of the machine. 4.2 Automatic Configuration of Slave Nameservers DNSSHIM has a feature which allows for automatic configuration of slave nameservers, so that once a new zone is created in DNSSHIM, the slave will be authoritative for that zone within a period of time with no further intervention. It works only on slaves running BIND 9.7.2 and above, using the rndc utility to automatically create new slave server. In order to setup for automatic configuration of slave nameservers, there are several step that should be followed: 1. Make sure that BIND 9.7.2 or newer is properly installed on the DNSSHIM host and all the slave servers. On the DNSSHIM host 2. Open the xfrd.properties file. 3. Set the variable slavesync path to the path where the SlaveSync.sh script is. 4. Make sure the SlaveSync.sh script is executable. 5. Set the variable slave sync enable to true. 6. Optionally, set the variable slave sync period to the interval (in seconds) between two slave synchronizations. 7. Set the variable rndc path to the path where rndc is. 8. Optionally, set the variable rndc port to the port where rndc is going to listen on the slave servers. Default is 953. 9. Start the Signer and the DNSSHIM server (4). 10. Create a new slave group using the command new-slavegroup in the DNSSHIM client (3). 11. Add the desired slave(s) to the newly created slave group using the command add-slave in the DNSSHIM client (3). 12. Assign the slave group to the desired zone(s) using the command assign-slavegroup in the DNSSHIM client (3). 13. New zones should be created with the option --slave-group= groupname on the new-zone command 6

14. Create a TSIG key for the servers which will be synchronized using the command new-tsig-key in the DNSSHIM client (3). 15. Edit the file /etc/rndc.conf with the following directives: key tsig-key { algorithm hmac-md5; secret tsig-secret ; }; server slave ip { key tsig-key ; }; Where tsig-key is the name of the TSIG key assigned to the slave, tsig-secret is the secret of the key, slave ip is the IP address of the slave server. Make sure this is done for each slave server and TSIG key. On each of the Slave hosts: 16. Edit the file named.conf with the following directives: options { allow-new-zones yes; }; key tsig-key { algorithm hmac-md5; secret tsig-secret ; }; server dnsshim ip { keys tsig-key ; }; controls { inet * allow { dnsshim ip; } keys { tsig-key ; }; }; Where tsig-key is the name of the TSIG key assigned to the slave, tsig-secret is the secret of the key, dnsshim ip is the IP address of the host running DNSSHIM. The first two lines tell BIND that DNSSHIM is using the specified TSIG key. The controls ensures that the host running DNSSHIM is allowed to control the BIND server via rndc, mainly by adding and removing zones. 17. Copy the script CreateZoneDirs.sh, which comes with the DNSSHIM distribution, on the base directory of BIND and run it. This will create the directory structure for the zones that will be added by DNSSHIM via rndc. 18. Restart the BIND on the slave hosts. 5 Compilation If you want build from source the following steps will guide you. 7

5.1 Requirements The following requirements are necessary to compile: JDK 6 (or higher) Ant 1.7 (or higher) Apache Commons Codec 1.3 (or higher) Apache log4j 1.2.15 (or higher) 5.2 Build Unzip source, in the directory DNSSHIM execute: $ ant dist After the execution of this target a directory named dist will be create containing two JARs (signer and XFRD). 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information