Day 3, 17th January 2004

Lab exercises 5 - RNDC

Objective: Be able to use RNDC to securely send control messages to a name server, either remotely or locally.

1. Use RNDC for the lab primary name server. Under /var/named/primary, generate the RNDC key using rndc-confgen and update named.conf to use it.

   % rndc-confgen

2. Cut the first part of the output into rndc.conf and the second part, which is commented out (with hashes), into named.conf. Make sure to remove the comment characters, starting from the "key" statement, before using it. You could also place the second part in a file and then use an "include" statement in your named.conf to specify that file, for example:

   include "/var/named/primary/myrndc-key.txt";

3. Run the primary name server with the -g flag and try the following commands on a different terminal (server is the address of the name server; -s takes that address as its argument):

   rndc -s server -c rndc.conf reload/flush
   rndc -s server -c rndc.conf stop/stats/status/trace

Lab exercises 6 - TSIG

Objective: Be able to secure zone transfers between primary & secondary name servers.

   Primary servers    Secondary servers
   PC1                PC2
   PC3                PC4
   PC5                PC6
   PC7                PC8
   PC9                PC10

From the table above, pc2 will act as slave for the pc1.net zone, pc4 for pc3.net, and so forth.

1. Primary & secondary name servers should first try a zone transfer without the key.

2. All primary servers will generate a key using the "dnssec-keygen" command:

   % dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.pcX.net

   where X is your PC number.

3. Send the key out-of-band to your secondary name server administrator so they can configure their secondary name server to use the key.

4. Update the primary & secondary named.conf with this key. It is recommended to put it in a separate file and use the "include" statement in named.conf to specify this key.

5. Zone transfers can also be done using the dig command; try it with and without a key.

   Example without the key, which is expected to fail:

   dig @server domain axfr

   Example with a key:

   dig @server domain axfr -y ns1-ns2.pcX.net:lksdjfq38475-qejflavna==

6. If the time difference between primary & secondary is more than 3 minutes, the zone transfer will fail even if you have the correct key.
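To make step 2 of the RNDC exercise concrete, the following Python script (added here; it is not part of the original lab handout) parses a constructed sample of rndc-confgen output, splits it into the rndc.conf half and the named.conf half, strips the leading hash from the latter, and checks that both halves carry the same key name and secret, since a mismatch there is the usual reason rndc cannot talk to named. The sample output and its secret are constructed for this example; the layout follows what BIND 9's rndc-confgen prints, and the function names are this example's own.

```python
import re

# Constructed sample of rndc-confgen output. The secret is made up for this example,
# not a real key; the layout (rndc.conf block, then a hash-commented named.conf block)
# mirrors what rndc-confgen prints.
SAMPLE_CONFGEN_OUTPUT = """\
# Start of rndc.conf
key "rndc-key" {
\talgorithm hmac-md5;
\tsecret "AAECAwQFBgcICQoLDA0ODw==";
};

options {
\tdefault-key "rndc-key";
\tdefault-server 127.0.0.1;
\tdefault-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# \talgorithm hmac-md5;
# \tsecret "AAECAwQFBgcICQoLDA0ODw==";
# };
# 
# controls {
# \tinet 127.0.0.1 port 953
# \t\tallow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
"""

NAMED_MARKER = "# Use with the following in named.conf"

# Matches a key statement and captures its name and secret.
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{[^}]*?secret\s+"([^"]+)"', re.S)


def split_confgen_output(text):
    """Return (rndc_conf_text, named_conf_text) from raw rndc-confgen output.

    The first half is kept minus its '# Start/End' comment lines; the second half
    has its leading '# ' removed so it can be dropped into named.conf (or into a
    file pulled in with an include statement)."""
    head, marker, tail = text.partition(NAMED_MARKER)
    if not marker:
        raise ValueError("named.conf section marker not found in rndc-confgen output")
    rndc_lines = [line for line in head.splitlines() if not line.startswith("#")]
    named_lines = []
    for line in tail.splitlines()[1:]:          # [1:] skips the rest of the marker line
        if line.startswith("# End of"):
            break
        named_lines.append(re.sub(r"^# ?", "", line))   # uncomment the statement
    return "\n".join(rndc_lines).strip() + "\n", "\n".join(named_lines).strip() + "\n"


def key_material(fragment):
    """(key name, secret) of the first key statement in a config fragment."""
    match = KEY_RE.search(fragment)
    if not match:
        raise ValueError("no key statement with a secret found")
    return match.group(1), match.group(2)


def keys_match(rndc_part, named_part):
    """True when rndc.conf and named.conf agree on key name and secret."""
    return key_material(rndc_part) == key_material(named_part)


if __name__ == "__main__":
    rndc_part, named_part = split_confgen_output(SAMPLE_CONFGEN_OUTPUT)
    print("--- rndc.conf ---\n" + rndc_part)
    print("--- named.conf (or the included key file) ---\n" + named_part)
    print("key material matches:", keys_match(rndc_part, named_part))
```

On a real host, feed the actual rndc-confgen output to split_confgen_output and write the second string to the file named in the include statement; the allow list in the controls statement still needs editing for any remote rndc client.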
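Step 6 of the TSIG exercise describes the time check that a correct key cannot get around. The script below (added here; it is not part of the lab handout and not BIND's code) implements TSIG signing and verification over a minimal AXFR query, following RFC 2845: the MAC is an HMAC-MD5 over the DNS message plus the TSIG variables (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data), and the verifier rejects the message with BADSIG when the MAC is wrong and with BADTIME when the clock difference exceeds the fudge window (RFC 2845 recommends a default fudge of 300 seconds). The key name, secret, zone and timestamp are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed values for this example (not real keys or hosts)
ALGORITHM_NAME = "hmac-md5.sig-alg.reg.int."          # RFC 2845 name for HMAC-MD5
KEY_NAME = "ns1-ns2.pc1.net."                          # key name as in step 2, for pc1
SECRET = base64.b64decode("AAECAwQFBgcICQoLDA0ODw==")  # 128-bit secret, constructed
LAB_TIME = 1074297600                                  # 2004-01-17 00:00:00 UTC
TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255


def canonical_name(name):
    """Uncompressed, lowercased wire-format name, as RFC 2845 requires in the digest."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(msg_id, zone):
    """Minimal DNS query: header (QDCOUNT=1, ARCOUNT=0) plus one AXFR question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + canonical_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def pack_time(time_signed):
    """48-bit Time Signed field."""
    return struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG variables in digest order (RFC 2845 section 3.4.2)."""
    return (canonical_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + canonical_name(ALGORITHM_NAME) + pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret, message, time_signed, fudge, request_mac=b""):
    """HMAC-MD5 over [request MAC] + message (without the TSIG RR) + TSIG variables."""
    data = request_mac + message + tsig_variables(time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def sign(secret, message, now, fudge=300):
    """Signer side: time-stamp and MAC the message; fudge 300 s is RFC 2845's default."""
    return {"time_signed": now, "fudge": fudge,
            "mac": compute_mac(secret, message, now, fudge)}


def verify(secret, message, tsig, server_now):
    """Verifier side. Returns (ok, rcode name); names follow RFC 2845's BADSIG/BADTIME."""
    expected = compute_mac(secret, message, tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    # Step 6 of the exercise: skew beyond the fudge window fails even with the right key
    if abs(server_now - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"


def append_tsig(message, tsig):
    """Wire form: append the TSIG RR to the additional section and bump ARCOUNT."""
    msg_id, = struct.unpack("!H", message[:2])
    mac = tsig["mac"]
    rdata = (canonical_name(ALGORITHM_NAME) + pack_time(tsig["time_signed"])
             + struct.pack("!HH", tsig["fudge"], len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))       # original ID, error, other len
    rr = (canonical_name(KEY_NAME)
          + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount, = struct.unpack("!H", message[10:12])
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


if __name__ == "__main__":
    query = build_axfr_query(0x1234, "pc1.net")
    tsig = sign(SECRET, query, LAB_TIME)
    print("in sync:      ", verify(SECRET, query, tsig, LAB_TIME + 60))
    print("301 s skew:   ", verify(SECRET, query, tsig, LAB_TIME + 301))
    print("wrong secret: ", verify(b"other-secret", query, tsig, LAB_TIME))
    print("wire length:  ", len(append_tsig(query, tsig)))
```

Because the timestamp is inside the signed data, a verifier cannot simply ignore it without also weakening replay protection; the practical fix for step 6 is to keep both servers' clocks synchronised rather than to widen the fudge. HMAC-MD5 is what this 2004 material uses; current BIND releases also support hmac-sha256, which tsig-keygen generates by default.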