CCE-90771-7 | Platform: rhel7 | Date: (C)2017-06-29 (M)2022-10-10 |
Authenticate Zone Transfers
If it is necessary for a secondary nameserver to receive zone data via a zone
transfer from the primary server, follow the instructions here. Use
dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+aaa+iiiii
This output is the name of a file containing the new key. Read the file to find
the base64-encoded key string:
$ sudo cat Kdns.example.com.+NNN+MMMMM.key
dns.example.com. IN KEY 512 3 157 base64-key-string
Add the directives below to '/etc/named.conf' on the primary server:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};
zone "example.com" IN {
    type master;
    allow-transfer { key zone-transfer-key; };
    ...
};
Add the directives below to '/etc/named.conf' on the secondary nameserver:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};
server IP-OF-MASTER {
    keys { zone-transfer-key; };
};
zone "example.com" IN {
    type slave;
    masters { IP-OF-MASTER; };
    ...
};
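The three steps above (generate the secret, configure the primary, configure the secondary) carried out end to end, as an added example that is not part of the CCE entry or of BIND itself. It writes everything under a scratch directory instead of /etc/named.conf, puts the key statement in its own restricted file that both configs include, and finishes with a coarse audit of the result. The zone name, key name, the RFC 5737 primary address and the `file` clauses are assumed placeholders, and it uses hmac-sha256 rather than the hmac-md5 shown above; the secret comes from the kernel RNG because tsig-keygen may not be installed where this runs.

```shell
#!/bin/sh
# Added example (not from the CCE page or from BIND): build the TSIG key and
# both named.conf fragments for an authenticated zone transfer, then audit them.
# Placeholders: ZONE, KEYNAME, PRIMARY_IP and the zone-file paths are assumed.
set -eu

ZONE="example.com"
KEYNAME="zone-transfer-key"
PRIMARY_IP="192.0.2.10"              # RFC 5737 documentation address, placeholder
OUT="${TSIG_OUT:-$(mktemp -d)}"      # stand-in for /etc on a real server

# 256-bit shared secret, base64-encoded (44 characters). On BIND releases that
# ship tsig-keygen, `tsig-keygen -a hmac-sha256 zone-transfer-key` prints a
# ready-made key statement; this fallback reads the kernel RNG directly.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Key statement in its own file, created mode 0600 here. In production make it
# root:named mode 0640 so the secret is readable only by root and the named user.
write_key_file() {
    ( umask 077
      cat > "$OUT/$KEYNAME.key" <<EOF
key "$KEYNAME" {
    algorithm hmac-sha256;
    secret "$1";
};
EOF
    )
}

# Primary: the zone may be transferred only to requests signed with the key.
write_primary_conf() {
    cat > "$OUT/named.primary.conf" <<EOF
include "$OUT/$KEYNAME.key";

zone "$ZONE" IN {
    type master;
    file "$ZONE.zone";
    allow-transfer { key $KEYNAME; };
};
EOF
}

# Secondary: sign everything sent to the primary with the key, and do not
# re-serve the zone to third parties.
write_secondary_conf() {
    cat > "$OUT/named.secondary.conf" <<EOF
include "$OUT/$KEYNAME.key";

server $PRIMARY_IP {
    keys { $KEYNAME; };
};

zone "$ZONE" IN {
    type slave;
    file "slaves/$ZONE.zone";
    masters { $PRIMARY_IP; };
    allow-transfer { none; };
};
EOF
}

# Coarse audit over one or more config files: fail on `allow-transfer { any; }`,
# on any hmac-md5 key, or when no key-based allow-transfer is present at all.
audit_transfer_conf() {
    if cat "$@" | grep -Eq 'allow-transfer[[:space:]]*[{][[:space:]]*any'; then
        return 1
    fi
    if cat "$@" | grep -Eiq 'algorithm[[:space:]]+hmac-md5'; then
        return 1
    fi
    cat "$@" | grep -Eq 'allow-transfer[[:space:]]*[{][[:space:]]*key[[:space:]]'
}

SECRET="$(gen_secret)"
write_key_file "$SECRET"
write_primary_conf
write_secondary_conf

if audit_transfer_conf "$OUT/named.primary.conf" "$OUT/$KEYNAME.key"; then
    echo "fragments written to $OUT; audit passed"
else
    echo "audit failed on $OUT" >&2
    exit 1
fi
```

To verify on real servers, run `named-checkconf /etc/named.conf` on each side, then from the secondary request the zone with the key, `dig @PRIMARY_IP -y hmac-sha256:zone-transfer-key:SECRET example.com AXFR`, and confirm that the same query without `-y` fails.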
Parameter:
Technical Mechanism:
The BIND transaction signature (TSIG) functionality allows primary
and secondary nameservers to use a shared secret to verify authorization to
perform zone transfers. This method is more secure than using IP-based limiting
to restrict nameserver access, since an IP-based ACL trusts whatever arrives
from the permitted address: source addresses can be spoofed, and every host
that shares or has compromised that address inherits the permission. Keep the
key statement in a file readable only by root and the named user (for example,
an included file owned root:named with mode 0640), and prefer hmac-sha256 over
hmac-md5 wherever both servers support it; newer BIND releases generate TSIG
keys with tsig-keygen rather than dnssec-keygen.
However, if you cannot configure TSIG between your servers because, for
instance, the secondary nameserver is not under your control and its
administrators are unwilling to configure TSIG, you can configure an
allow-transfer directive with numerical IP addresses or ACLs as a last resort.
Fix:
No Remediation Info
CCSS Severity, Score and Metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability): not provided
References: