Netgate Discussion Forum

BIND /DHCP Server with TSIG Signature

penguinpages
last edited by 26 days ago

    Trying to find documentation and a workflow, hopefully command / CI based, that will enable and input a TSIG signature for use in the DNS BIND service.

    I found a bunch of articles about DDNS with signatures, but this is not what I need: local BIND as SOA of the zone enabled for TSIG, so I can use a service like CERTBOT to update via DNS-01 records.

    I found this article but it is not very clear:
    Howto enable DNSSEC for a domain configured in Bind

    [2.7.2-RELEASE][admin@rt1.core.acme.net]/root: tsig-keygen -a hmac-sha256 ddns-update
    key "ddns-update" {
            algorithm hmac-sha256;
            secret "wn6G9qxOZhDpfn+SUUeEXqKCigpohSWU8G23JXRk51Tc=";
    };

    I expected this to create a cert in the GUI: System -> Certificates: no certs but the ones I have for ACME / self-signed for the router.
    But under GUI: Services -> BIND -> Advanced I see no obvious server-wide option to use a common TSIG key.
    I expected it to be under the zone, as TSIG is zone specific, but: Services -> BIND -> Zones -> <edit core.acme.net> -> DNSSEC <check enable> (the URL for "See Inline DNSSEC signing" is broken, so that is not much help).

    The resulting zone config file does not look as I would expect.

    My zone :
    $TTL 43200
    ;
    $ORIGIN core.acme.net.

    ; Database file core.acme.net.DB for core.acme.net zone.
    ; Do not edit this file!!!
    ; Zone version 2745869734
    ;
    core.acme.net. IN SOA 172.16.100.1. admin.core.acme.net. (
    2745869734 ; serial
    1d ; refresh
    2h ; retry
    4w ; expire
    1h ; default_ttl
    )

    ;
    ; Zone Records
    ;
    @ IN NS 172.16.100.1.
    @ IN A 172.16.100.1
    foo IN A 172.16.100.110
    <snip>

    Example with TSIG
    zone "example.com" {
            type master;
            file "/etc/bind/db.example.com";
            allow-transfer {
                    key "my-key";
            };
            allow-update {
                    key "my-key";
            };
    };

    I tried to select "backup keys" hoping I could see where it is putting them or calling them.

    Options:

    1. Each zone and then DHCP: I need an example and some baseline config-file hacking, in the UI or via command-line edit, that will not break things. An example would be appreciated :)
    2. Work with the UI team on the correct workflow to create and set up TSIG on server/zones/DHCP scope.

    Thanks

    penguinpages @penguinpages
    last edited by penguinpages 25 days ago

      @penguinpages

      I poked around a bit and tried to figure this out. Still not clear at all what to do to enable TSIG for DNS and then enable local subnets to update DDNS, and DHCP also to make updates.

      So far I think I have tried a few dozen ways to change it, and if you don't use the GUI, any GUI change just overwrites. So here is what I have so far:

      Step 6: BIND DNS

      Create TSIG via command line

      [2.7.2-RELEASE][admin@rt1.core.penguinpages.net]/root: tsig-keygen -a hmac-sha256 ddns-update
      key "ddns-update" {
              algorithm hmac-sha256;
              secret "wn6G9qxOZhDpfn+SUUeEX<snip>k51Tc=";
      };

      Copy the output stanza and paste it in: Services -> BIND -> Settings -> Advanced -> Custom Options: <paste key stanza in box>

      Validate the service restarted.

      Now check if a DDNS update via a remote host will work:

      export BIND_SERVER=172.16.100.1
      export CERTBOT_DOMAIN=shuffleboard01.core.acme.net
      export CERTBOT_TOKEN="example-token-12345"  # Replace with actual Certbot token
      echo 'key "ddns-update" {
          algorithm hmac-sha256;
          secret "wn6G9qxOZhDpfn+SUUeEX<snip>k51Tc=";
      };' > /tmp/ddns-update.key
      chmod 600 /tmp/ddns-update.key
      nsupdate -k /tmp/ddns-update.key <<EOF
      server $BIND_SERVER
      zone $CERTBOT_DOMAIN
      update add _acme-challenge.$CERTBOT_DOMAIN 300 IN TXT "$CERTBOT_TOKEN"
      send
      EOF

      update failed: NOTAUTH

      Baseline that used to work before updating TSIG, then after... I can do updates and not pass the key, so... meh, it's not working.

      nsupdate <<EOF
      server 172.16.100.1
      zone core.acme.net
      update add _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT 12345
      send
      EOF

      dig -t TXT _acme-challenge.shuffleboard01.core.acme.net. @172.16.100.1

      nsupdate -k ddns-update.key <<EOF
      server 172.16.100.1
      zone core.acme.net
      update add _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT 12221
      send
      EOF

      dig -t TXT _acme-challenge.shuffleboard01.core.acme.net. @172.16.100.1
      <snip>
      _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "12221"
      _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "111111"
      _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "43441"
      _acme-challenge.shuffleboard01.core.acme.net. 300 IN TXT "12345"

      So that TSIG stanza posted in Advanced -> Global Settings is being ignored.
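Added example (not from either forum post): POSIX shell helpers for the TSIG-signed DNS-01 update both posts are trying to get working. It derives the zone apex that nsupdate's `zone` directive needs (the zone the server actually serves, not the host being updated) and sanity-checks the pasted key stanza before it is handed to nsupdate. Assumptions: the key file is a tsig-keygen stanza like the one above, the server is authoritative for the zones in the constructed AUTH_ZONES list, and BIND_SERVER defaults to 172.16.100.1.

```shell
#!/bin/sh
# Added example, not from the forum post. Helpers for a TSIG-signed
# nsupdate against a BIND zone like core.acme.net in the thread.
: "${BIND_SERVER:=172.16.100.1}"
# Constructed zone list; in production derive it by querying SOA for the
# name and its parents (dig +short SOA <name> @"$BIND_SERVER").
AUTH_ZONES="core.acme.net acme.net"

# zone_apex NAME: print the longest authoritative zone that NAME sits in.
# nsupdate's "zone" directive must be this apex; naming the host itself
# asks the server for a zone it does not serve and gets NOTAUTH back.
zone_apex() {
    name=${1%.}; best=""
    for z in $AUTH_ZONES; do
        case "$name" in
            "$z"|*."$z") [ ${#z} -gt ${#best} ] && best=$z ;;
        esac
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# tsig_secret_ok KEYFILE: succeed when the stanza's secret is well-formed
# base64 whose decoded length matches what tsig-keygen emits for the
# algorithm (32 bytes hmac-sha256, 64 bytes hmac-sha512). A truncated or
# <snip>-mangled paste fails here before nsupdate ever sees it.
tsig_secret_ok() {
    alg=$(sed -n 's/.*algorithm[[:space:]]*\([^;]*\);.*/\1/p' "$1")
    sec=$(sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    case "$sec" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#sec} % 4 )) -eq 0 ] || return 1
    pad=${sec##*[!=]}                      # trailing '=' characters
    n=$(( ${#sec} * 3 / 4 - ${#pad} ))     # decoded byte count
    case "$alg" in
        hmac-sha256) [ "$n" -eq 32 ] ;;
        hmac-sha512) [ "$n" -eq 64 ] ;;
        *) return 1 ;;
    esac
}

# render_update HOST TOKEN: print the nsupdate script for a DNS-01 record.
render_update() {
    apex=$(zone_apex "$1") || return 1
    printf 'server %s\nzone %s\nupdate add _acme-challenge.%s. 300 IN TXT "%s"\nsend\n' \
        "$BIND_SERVER" "$apex" "${1%.}" "$2"
}

# Usage: tsig_secret_ok /tmp/ddns-update.key &&
#   render_update shuffleboard01.core.acme.net "$TOKEN" | nsupdate -k /tmp/ddns-update.key
```

Declaring the key in Custom Options only defines it; the zone stanza still has to reference it in `allow-update { key "ddns-update"; };` (as in the example config quoted in the first post) before BIND restricts updates to holders of that secret, which is why unsigned updates keep succeeding. BIND answers an update for a zone it is not authoritative for with NOTAUTH and an update the zone's allow-update does not permit with REFUSED, so the two failures are distinguishable.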

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.