DNS Secret Key Transaction Authentication (TSIG) support for MyDNS
For work-related reasons, I’ve added transaction authentication support for MyDNS version 1.1.0 in three days for one of our clients.
I’ve used the source code of ISC Bind, OpenSSL and RFC 2847 to write my patch.
MyDNS
MyDNS is a free (as in freedom) DNS server for UNIX systems. It is designed to serve DNS records directly from an SQL database (MySQL or PostgreSQL are supported).
It’s very useful software, used by many dynamic DNS providers.
I’ve used it at work for many projects, because it is very easy to manage DNS records with it. But this time we needed to secure dynamic DNS updates.
TSIG
This protocol allows for transaction-level authentication using shared secrets and one-way hashing (with the HMAC-MD5 algorithm).
It can be used to authenticate dynamic updates as coming from an approved client or to authenticate responses as coming from an approved recursive name server.
It’s an easy and strong authentication method, simpler than DNSSEC.
If you want more information about Dynamic DNS Updates with TSIG and Security, please read this document.
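To make the shared-secret mechanism concrete, here is an added example (not code from the patch or from MyDNS) of how a TSIG request MAC is computed and checked on the server side. The function names and the timestamp are assumptions made for illustration; the key name and secret are the sample values used later on this page.

```python
import base64, hashlib, hmac, struct

KEY_NAME, SECRET = "client.domain.com", "IYrqgYuJaTkL2Xs34GZ7+w=="  # sample key from this page
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name for HMAC-MD5

def wire_name(name):
    """Canonical wire format: lowercase, uncompressed, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC-MD5 over the request (without its TSIG RR) followed by the TSIG variables."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
                 + wire_name(HMAC_MD5)
                 + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", 0, 0))                        # error 0, no other data
    return hmac.new(base64.b64decode(secret_b64), message + variables, hashlib.md5).digest()

def tsig_verify(message, key_name, secret_b64, time_signed, fudge, mac, now):
    """Server side: compare the MAC in constant time, then enforce the time window."""
    if not hmac.compare_digest(tsig_mac(message, key_name, secret_b64, time_signed, fudge), mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def sample_update(addr=b"\xc0\xa8\x00\x01"):
    """Constructed UPDATE: zone domain.com, add entry.domain.com 60 A 192.168.0.1."""
    header = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone = wire_name("domain.com") + struct.pack("!HH", 6, 1)      # type SOA, class IN
    rr = wire_name("entry.domain.com") + struct.pack("!HHIH", 1, 1, 60, 4) + addr
    return header + zone + rr

if __name__ == "__main__":
    t = 1200000000                                                  # constructed timestamp
    mac = tsig_mac(sample_update(), KEY_NAME, SECRET, t)
    print(tsig_verify(sample_update(), KEY_NAME, SECRET, t, 300, mac, t + 10))
    print(tsig_verify(sample_update(b"\x0a\x00\x00\x01"), KEY_NAME, SECRET, t, 300, mac, t + 10))
```

The fudge window is what bounds replay of a captured signed update, so client and server clocks need to be synchronized.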
Installation
Download and extract the source code of MyDNS version 1.1.0 at http://mydns.bboy.net/download :
$ wget http://mydns.bboy.net/download/mydns-1.1.0.tar.gz
$ tar xzf mydns-1.1.0.tar.gz
Download and apply my patch : /wp-content/contrib/mydns-1.1.0-tsig.patch
$ cd mydns-1.1.0
$ wget https://csquad.org/wp-content/contrib/mydns-1.1.0-tsig.patch
$ patch -p1 < mydns-1.1.0-tsig.patch
Build process
You need to build the program with OpenSSL support :
$ ./configure --with-openssl
$ make
# make install
Database setup
To create the database structure, use the ‘--create-table’ option :
$ mydns --create-table | mysql
Transaction keys are stored in the ‘dnskey’ table.
The name of the key allowed to update a record is stored in the ‘update_key’ column of the ‘soa’ table.
You can generate your own key with the dnssec-keygen tool :
$ dnssec-keygen -a HMAC-MD5 -b 128 -n HOST client.domain.com
Insert the value of this key in the ‘dnskey’ table :
mydns> INSERT INTO dnskey (name, algorithm, size, type, private) VALUES
('client.domain.com', 'HMAC-MD5', 128, 'HOST', 'IYrqgYuJaTkL2Xs34GZ7+w==');
Add the ‘update_key’ column to the ‘soa’ table :
mydns> ALTER TABLE `soa` ADD `update_key` VARCHAR( 255 ) ;
Assign the update key to a DNS entry :
mydns> UPDATE soa SET update_key = 'client.domain.com' WHERE origin='domain.com.';
Restart the MyDNS server and check if the optional column ‘update_key’ was found :
# mydns -v
...
mydns: optional 'update_key' column found in 'soa' table
...
Usage
Update a domain entry with the nsupdate client :
$ nsupdate -d -y client.domain.com:IYrqgYuJaTkL2Xs34GZ7+w==
> server ns.domain.com
> zone domain.com
> update add entry.domain.com 60 A 192.168.0.1
> send
Conclusion
The full RFC is not totally implemented; these features are missing :
- TCP support, I’m not an expert of the DNS protocol and I don’t fully understand TCP usage and message chunking.
- Authentication of responses from an approved recursive name server.