Netgate Discussion Forum
    BIND /DHCP Server with TSIG Signature

    Category: DHCP and DNS. 2 Posts, 1 Poster, 220 Views
    • penguinpages

      Trying to find documentation and a workflow, hopefully command / CI based, that will enable and input a TSIG signature for use in the DNS BIND service.

      I found a bunch of articles about DDNS with signatures, but this is not what I need. I need local BIND, as SOA of the zone, to be enabled for TSIG so I can use a service like CERTBOT to update via DNS-01 records.

      I found this article but it is not very clear:
      Howto enable DNSSEC for a domain configured in Bind

      [2.7.2-RELEASE][admin@rt1.core.acme.net]/root: tsig-keygen -a hmac-sha256 ddns-update
      key "ddns-update" {
              algorithm hmac-sha256;
              secret "wn6G9qxOZhDpfn+SUUeEXqKCigpohSWU8G23JXRk51Tc=";
      };

      I expected this to create a cert in the GUI: System -> Certificates: no certs but the ones I have for ACME/self-signed for the router.
      But under GUI: Services -> BIND -> Advanced I see no obvious server-wide option to use a common TSIG key.
      I expected it to be under the zone, as TSIG is zone specific, but: Services -> BIND -> Zones -> <edit core.acme.net> -> DNSSEC <check enable> (the URL for "See Inline DNSSEC signing" is broken, so that is not much help).

      The resulting zone config file does not look as I would expect.

      My zone:
      $TTL 43200
      ;
      $ORIGIN core.acme.net.

      ; Database file core.acme.net.DB for core.acme.net zone.
      ; Do not edit this file!!!
      ; Zone version 2745869734
      ;
      core.acme.net. IN SOA 172.16.100.1. admin.core.acme.net. (
      2745869734 ; serial
      1d ; refresh
      2h ; retry
      4w ; expire
      1h ; default_ttl
      )

      ;
      ; Zone Records
      ;
      @ IN NS 172.16.100.1.
      @ IN A 172.16.100.1
      foo IN A 172.16.100.110
      <snip>

      Example with TSIG:
      zone "example.com" {
              type master;
              file "/etc/bind/db.example.com";
              allow-transfer {
                      key "my-key";
              };
              allow-update {
                      key "my-key";
              };
      };

      I tried to select "backup keys" hoping I could see where it is putting them or calling them.

      Options:

      1. Each zone and then DHCP. I need an example and some baseline for hacking the config file in the UI or via command edit that will not break things. An example would be appreciated :)
      2. Work with the UI team on the correct workflow to create and set up TSIG on server/zones/DHCP scope.

      Thanks

      • penguinpages (reply, last edited by penguinpages)

        @penguinpages

        I poked around a bit and tried to figure this out. Still not clear at all what to do to enable TSIG for DNS and then enable local subnets to update DDNS, and DHCP also to make updates.

        So far I think I have tried a few dozen ways to change... and if you don't use the GUI, any GUI change just overwrites. So here is what I have so far:

        Step 6: BIND DNS

        Create TSIG via the command line:

        [2.7.2-RELEASE][admin@rt1.core.penguinpages.net]/root: tsig-keygen -a hmac-sha256 ddns-update
        key "ddns-update" {
                algorithm hmac-sha256;
                secret "wn6G9qxOZhDpfn+SUUeEX<snip>k51Tc=";
        };

        Copy the output stanza and paste it in: Services -> BIND -> Settings -> Advanced -> Custom Options: <paste key stanza in box>

        Validate the service restarted.

        Now check if a DDNS update via a remote host will work:

        export BIND_SERVER=172.16.100.1
        export CERTBOT_DOMAIN=shuffleboard01.core.acme.net
        export CERTBOT_TOKEN="example-token-12345"  # Replace with actual Certbot token
        echo 'key "ddns-update" {
            algorithm hmac-sha256;
            secret "wn6G9qxOZhDpfn+SUUeEX<snip>k51Tc=";
        };' > /tmp/ddns-update.key
        chmod 600 /tmp/ddns-update.key
        nsupdate -k /tmp/ddns-update.key <<EOF
        server $BIND_SERVER
        zone $CERTBOT_DOMAIN
        update add _acme-challenge.$CERTBOT_DOMAIN 300 IN TXT "$CERTBOT_TOKEN"
        send
        EOF
        
        update failed: NOTAUTH
        

        Baseline that used to work before updating TSIG, then after... I can do updates and not pass a key, so... meh... it's not working.

        nsupdate <<EOF
        server 172.16.100.1
        zone core.acme.net
        update add _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT 12345
        send
        EOF
        
        dig -t TXT _acme-challenge.shuffleboard01.core.acme.net. @172.16.100.1
        
        nsupdate -k ddns-update.key <<EOF
        server 172.16.100.1
        zone core.acme.net
        update add _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT 12221
        send
        EOF
        
        dig -t TXT _acme-challenge.shuffleboard01.core.acme.net. @172.16.100.1
        <snip>
        _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "12221"
        _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "111111"
        _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "43441"
        _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "12345"
        

        So that TSIG stanza posted in Advanced -> Global Settings is being ignored.

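As an added example (not from the thread or from the pfSense BIND package), this helper covers the pieces the two posts are missing: it parses a tsig-keygen stanza and checks that the secret decodes to the right length, picks the zone apex that nsupdate's `zone` line must name, and emits both the nsupdate batch and the zone ACL that makes the key the only accepted update credential. The secret is a constructed placeholder and the hostnames and zone list are taken from the names used in the thread; where the pfSense GUI exposes per-zone options is not something this example assumes.

```python
import base64
import re

# Constructed sample in the shape of `tsig-keygen -a hmac-sha256 ddns-update`
# output. The secret is a placeholder (base64 of 32 bytes), not a real key.
SAMPLE_STANZA = f'''key "ddns-update" {{
        algorithm hmac-sha256;
        secret "{base64.b64encode(bytes(range(32))).decode()}";
}};'''

# Raw key length each HMAC algorithm expects (key size matching the hash size)
ALG_KEY_BYTES = {"hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha512": 64}

def parse_tsig_stanza(text):
    """Return (name, algorithm, secret) from a named.conf `key` stanza, rejecting
    a secret that was mangled when copied (bad base64 or wrong length)."""
    m = re.search(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;', text)
    if not m:
        raise ValueError("not a TSIG key stanza")
    name, alg, secret = m.group(1), m.group(2).lower(), m.group(3)
    if alg not in ALG_KEY_BYTES:
        raise ValueError(f"unsupported algorithm {alg}")
    raw = base64.b64decode(secret, validate=True)  # binascii.Error is a ValueError
    if len(raw) != ALG_KEY_BYTES[alg]:
        raise ValueError(f"{alg} secret is {len(raw)} bytes, expected {ALG_KEY_BYTES[alg]}")
    return name, alg, secret

def zone_for(fqdn, zones):
    """Longest locally authoritative zone containing fqdn: the value nsupdate's
    `zone` line must carry. Naming anything else (e.g. the host itself) gets NOTAUTH."""
    fqdn = fqdn.rstrip(".").lower()
    hits = [z.rstrip(".").lower() for z in zones
            if fqdn == z.rstrip(".").lower() or fqdn.endswith("." + z.rstrip(".").lower())]
    if not hits:
        raise LookupError(f"server is not authoritative for {fqdn}")
    return max(hits, key=len)

def zone_update_acl(key_name):
    """Zone-level ACL that makes the TSIG key the only accepted update credential.
    Listing an address here as well would let unsigned updates through again."""
    return f'allow-update {{ key "{key_name}"; }};'

def acme_batch(server, zone, fqdn, token, ttl=300):
    """nsupdate input for a DNS-01 challenge; feed it to `nsupdate -k <keyfile>`."""
    return (f"server {server}\n"
            f"zone {zone}.\n"
            f'update add _acme-challenge.{fqdn.rstrip(".")}. {ttl} IN TXT "{token}"\n'
            "send\n")
```

In the post above, `zone $CERTBOT_DOMAIN` names the host rather than core.acme.net, which the server is not authoritative for, so NOTAUTH is the expected answer. Unsigned updates succeeding afterwards means the zone's allow-update ACL still admits the client by address; a key stanza in the global options is inert until a zone ACL references it.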
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.