Christophe Nowicki

March 14, 2006

DNS Secret Key Transaction Authentication (TSIG) support for MyDNS

For Work related reasons, I’ve added transaction authentication support for MyDNS version 1.1.0 in tree days for one of our clients.
I’ve used the source code of ISC Bind, OpenSSL and RFC 2847 to write my patch.

MyDNS

MyDNS is a free (as freedom) DNS server for UNIX systems. It is designed to serve DNS records directly from an SQL database (MySQL or PostgreSQL are supported).
It’s a very useful software, used by many dynamic DNS providers.
I’ve used it at work for many projects, because is very easy to manage DNS records with it. But this time we needed to secure dynamic DNS updates.

TSIG

This protocol allows for transaction level authentication using shared secrets and one way hashing (with the HMAC-MD5 algorithm).
It can be used to authenticate dynamic updates as coming from an approved client or to authenticate
responses as coming from an approved recursive name server.
It’s an easy and strong authentication method, simpler than DNSSEC.
If you want more informations about Dynamic DNS Updates with TSIG and Security, please read this document.

Installation

Download and extract the source code of MyDNS version 1.1.0 at http://mydns.bboy.net/download :


$ wget http://mydns.bboy.net/download/mydns-1.1.0.tar.gz
$ tar xzf mydns-1.1.0.tar.gz

Download and apply my patch : /wp-content/contrib/mydns-1.1.0-tsig.patch


$ cd mydns-1.1.0
$ wget https://csquad.org/wp-content/contrib/mydns-1.1.0-tsig.patch
$ patch -p1 < mydns-1.1.0-tsig.patch

Build process

You need to build the program with OpenSSL support :

$ ./configure --with-openssl
$ make
# make install

Database setup

To create database structure use the ‘–create-table’ option :

$ mydns --create-table | mysql

Transaction Keys are stored in the ‘dnskey’ table and the name of the key.
Keyname allowed to update an record are stored in column ‘update_key’ of the ‘soa’ table.

You can generate you own key with dnssec-keygen tool :

$ dnssec-keygen -a HMAC-MD5 -b 128 -n HOST client.domain.com

Insert the value of this key in the ‘dnskey’ table :

mydns> INSERT INTO dnskey (name, algorithm, size, type, private) VALUES
('client.domain.com', 'HMAC-MD5', 128, 'HOST', 'IYrqgYuJaTkL2Xs34GZ7+w==');

Add the ‘update_acl’ column in the ‘soa’ table :

mydns> ALTER TABLE `soa` ADD `update_key` VARCHAR( 255 ) ;

Assign the update key to an DNS entry :

mydns> UPDATE soa SET update_key = 'client.domain.com' WHERE origin='domain.com.';

Restart the MyDNS server and check if the optional column ‘update_key’ was found :

# mydns -v
...
mydns: optional 'update_key' column found in 'soa' table
...

Usage

Update an domain entry with the nsupdate client :

$ nsupdate -d -y client.domain.com:IYrqgYuJaTkL2Xs34GZ7+w==
> server ns.domain.com
> zone domain.com
> update add entry.domain.com 60 A 192.168.0.1
> send

Conculsion

The full RFC in not totaly implanted, thoses features are missing :

  • TCP support, I’am not an expert of the DNS protocol and I dont fully understand TCP usage and message chunking.
  • Authentication of responses from an approved recursive name server.
Filed under: Network,Work — Tags:, , — cscm @ 10:31
« Previous Page

Powered by WordPress