Bind DNS and keys (TSIG, DDNS, etc)
This has been a nightmare!
We use all sorts of keys for zone transfers and TSIG updates. So far I have been copying my keys from files located in /root to /var/etc/named/etc/namedb/keys after each reboot of my firewall. But this is not really manageable, and I think pf should do this correctly in a secure fashion.
So I tried to add them in the custom options. This works fairly well, since these are encrypted in the config.xml and suit the purpose. But horror followed: these keys are then restored in clear text in the named.conf, and the perms are:
-rw-r--r-- 1 root wheel 3398 Apr 25 15:22 named.conf
And rndc.conf as well, contains a key, and is world readable.
Yes world readable, I cried.
Basically permissions should be better, and keys should never be in configuration files.
In my other Bind servers I have:
No rndc.conf, so no key inside, and strict permissions on the key files:
-rw-r----- 1 bind bind 100 Jul 1 2022 rndc.key
-rw-r----- 1 root bind 146 Jul 1 2022 xfer-key.key
One way to implement this nicely IMHO would be for pfSense to read the keys from the config.xml, and with them create the different key files with restrictive permissions (there is etc/namedb/keys for this, isn't it?), then write in named.conf include statements where appropriate in the options, views etc., like:
include "/etc/bind/rndc.key";
include "/etc/bind/xfer-key.key";
This would be very nice indeed, and make our DNSs safer and easier to manage.
Eric
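The layout Eric asks for, as an added example that is not from the post or from pfSense: each key goes into its own 0640 file under the keys directory, named.conf gets an include line instead of the secret, and an audit function flags any secret still sitting in named.conf. The directory, named.conf path and the named group are assumptions; override them with environment variables. The secret below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not pfSense code. Paths and group are assumptions.
KEYDIR="${KEYDIR:-/var/etc/named/etc/namedb/keys}"
NAMEDCONF="${NAMEDCONF:-/var/etc/named/etc/namedb/named.conf}"
KEYGROUP="${KEYGROUP:-bind}"   # group named runs as (assumed)

# install_key NAME ALGORITHM SECRET
# Writes key "NAME" { ... }; to KEYDIR/NAME.key, readable only by root
# and KEYGROUP, and adds one include line to NAMEDCONF (idempotent).
install_key() {
  name=$1; algo=$2; secret=$3
  keyfile="$KEYDIR/$name.key"
  mkdir -p "$KEYDIR"
  # Subshell so the strict umask applies only while the file is created;
  # the key file is never world-readable, not even for an instant.
  ( umask 077
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
      "$name" "$algo" "$secret" > "$keyfile" )
  chmod 0640 "$keyfile"
  chgrp "$KEYGROUP" "$keyfile" 2>/dev/null || true   # skip if group absent
  grep -qF "include \"$keyfile\";" "$NAMEDCONF" 2>/dev/null ||
    printf 'include "%s";\n' "$keyfile" >> "$NAMEDCONF"
}

# audit_conf: returns non-zero if NAMEDCONF still carries an inline
# secret, or any key file under KEYDIR is readable by "other".
audit_conf() {
  rc=0
  if grep -q 'secret[[:space:]]*"' "$NAMEDCONF"; then
    echo "inline secret found in $NAMEDCONF" >&2; rc=1
  fi
  for f in "$KEYDIR"/*.key; do
    [ -e "$f" ] || continue
    if [ -n "$(find "$f" -perm -004)" ]; then
      echo "$f is world-readable" >&2; rc=1
    fi
  done
  return $rc
}
```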