HP-UX IP Address and Client Management Administrator's Guide (October 2009)
message if the message’s sender had a cryptographic key shared with the receiver and if the
message was not modified after it left the sender.
One-Way Hash Function
TSIG uses a one-way hash function, keyed with the shared secret (an HMAC), to provide
authentication and data integrity. A one-way hash function, or cryptographic checksum,
computes a fixed-size hash value from an arbitrarily large input. Every bit of the hash value
depends on every bit of the input, so a minor change to the input changes the hash value
drastically. It is also computationally infeasible to reverse the function, that is, to find an
input that produces a given hash value.
Configuring TSIG
You must configure one or more TSIG keys on both ends of the transaction before using TSIG
for authentication. If you want to use TSIG to secure zone transfers between the master and slave
name servers for div.inc.com, you must configure both name servers with a common key
as follows (because the statement contains the secret, keep it in a file that only the name
server can read, for example one pulled in with an include statement):
key venus-mars.div.inc.com. {
algorithm hmac-md5;
secret "skrKc4Twy/cIgIykQu7JZA==";
};
The argument to the key statement, venus-mars.div.inc.com, is the name of the key. It is
essential that the name of the key (in addition to the binary data the key points to) be identical
on both ends of the transaction, because the recipient looks up the key by the name carried in
the TSIG record and verifies the record with that key; a signed message naming a key the
recipient does not have is rejected. The algorithm is hmac-md5, the original TSIG algorithm
(BIND releases that support hmac-sha256 prefer it), and the secret is the Base64 encoding of
the binary key.
Generating Keys
You can use the /usr/bin/dnssec-keygen program to generate keys.
A sample command to invoke dnssec-keygen to generate a 768-bit DSA key for the zone
example.com is as follows:
# /usr/bin/dnssec-keygen -a DSA -b 768 -n ZONE example.com
The preceding command generates the key identification string Kexample.com.+003+26160,
where 003 is the algorithm number for DSA and 26160 is the key identifier (key tag).
Use the -a option to specify the algorithm (DSA is a signature algorithm, not an encryption
algorithm). Use the -b option to specify the key size in bits, and use the -n option to specify
the nametype. A nametype can be ZONE, HOST, ENTITY, or USER.
Note that a DSA zone key is a DNSSEC signing key. For TSIG you need a shared HMAC secret,
which dnssec-keygen produces with -a HMAC-MD5 -b 128 -n HOST followed by the key name;
the Base64 secret to paste into the key statement appears on the Key: line of the .private file.
The /usr/bin/dnssec-keygen program creates two files, named with the key's name (nnnn),
algorithm number (aaa), and key identifier (iiiii), in the following format:
Knnnn.+aaa+iiiii.key
Knnnn.+aaa+iiiii.private
For a detailed description of all the supported functions, type man 1 dnssec-keygen at the
HP-UX prompt.
Using TSIG
You tell a name server which TSIG key to use for a particular peer with the keys substatement
of the server statement. The keys substatement instructs the name server to sign all queries and
zone transfer requests that it sends to that remote name server with the named key. The following
server statement instructs the local name server, moon.div.inc.com, to sign all requests to the
host 192.249.249.1 (venus.div.inc.com) with the key venus-moon.div.inc.com:
server 192.249.249.1 {
keys { venus-moon.div.inc.com. ; };
};
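The key statement, key generation, and the checks a receiving name server makes on a signed request, as an added example that is not part of the HP-UX guide and not BIND's own code. It uses only the Python standard library. The key name, secret and host names are the guide's; the zone-transfer request is a constructed stand-in for a DNS packet, and the record layout is a simplified model, not the RFC 2845 wire format (real TSIG computes the HMAC over the DNS message plus the TSIG variables). The error codes BADSIG, BADKEY and BADTIME are the ones TSIG defines.

```python
"""Added example (not from the HP-UX guide or from BIND): a minimal
model of TSIG key generation, signing and verification using only the
Python standard library.

The message below is a constructed stand-in for a DNS packet. Real TSIG
(RFC 2845) computes the HMAC over the DNS wire-format message plus the
TSIG variables; this model keeps only the parts that matter for the
checks a receiving name server makes: the key name must be one it knows,
the signing time must lie within the fudge window, and the MAC must match.
"""
import base64
import hashlib
import hmac
import secrets

# TSIG error codes from RFC 2845
BADSIG, BADKEY, BADTIME, NOERROR = 16, 17, 18, 0

# The guide's sample secret: 24 Base64 characters decode to 16 bytes (128 bits).
GUIDE_SECRET = "skrKc4Twy/cIgIykQu7JZA=="


def generate_tsig_secret(bits: int = 128) -> str:
    """Return a fresh random secret, Base64-encoded as the key statement expects."""
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def _mac_input(key_name: str, message: bytes, signed_at: int, fudge: int) -> bytes:
    """Data covered by the MAC. The key name is included in canonical
    (lowercase) form, as RFC 2845 requires, so both ends must agree on it."""
    return b"\x00".join([key_name.lower().encode("ascii"), message,
                         str(signed_at).encode("ascii"), str(fudge).encode("ascii")])


def tsig_sign(key_name, secret_b64, message, signed_at, fudge=300, digest=hashlib.md5):
    """Produce the TSIG-style record the sender appends to its message.
    hashlib.md5 mirrors the guide's hmac-md5; pass hashlib.sha256 for hmac-sha256."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, _mac_input(key_name, message, signed_at, fudge), digest).digest()
    return {"name": key_name.lower(), "time": signed_at, "fudge": fudge, "mac": mac}


def tsig_verify(keyring, message, record, now, digest=hashlib.md5):
    """keyring maps key names to Base64 secrets, as the receiver's key
    statements would. Returns the TSIG error code the receiver would send."""
    name = record["name"].lower()
    if name not in keyring:
        return BADKEY            # receiver has no key by that name
    if abs(now - record["time"]) > record["fudge"]:
        return BADTIME           # outside the fudge window: replay or clock skew
    key = base64.b64decode(keyring[name])
    expected = hmac.new(key, _mac_input(name, message, record["time"], record["fudge"]),
                        digest).digest()
    if not hmac.compare_digest(expected, record["mac"]):
        return BADSIG            # message or MAC altered in transit, or wrong secret
    return NOERROR


def demo():
    """Sign a constructed zone-transfer request with the guide's key and show
    which check fails for each kind of bad message."""
    keyring = {"venus-mars.div.inc.com.": GUIDE_SECRET}   # venus's key statement
    request = b"AXFR div.inc.com."                         # constructed stand-in for a DNS message
    now = 1_700_000_000                                    # fixed clock so results are reproducible
    rec = tsig_sign("venus-mars.div.inc.com.", GUIDE_SECRET, request, now)
    return {
        "good": tsig_verify(keyring, request, rec, now),
        "tampered": tsig_verify(keyring, b"AXFR other.example.", rec, now),
        "wrong_name": tsig_verify(keyring, request, dict(rec, name="venus-moon.div.inc.com."), now),
        "stale": tsig_verify(keyring, request, rec, now + 3600),
    }


if __name__ == "__main__":
    print(demo())   # {'good': 0, 'tampered': 16, 'wrong_name': 17, 'stale': 18}
```

The wrong_name case is the point the guide makes about key names: the MAC was computed with the right secret, but the receiver never gets as far as checking it because it has no key by that name. The secret returned by generate_tsig_secret is the same kind of value dnssec-keygen puts on the Key: line of a .private file and can be pasted into the secret field of a key statement on both name servers.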
Next, on venus.div.inc.com, you must restrict zone transfers to those signed with the
venus-moon.div.inc.com key as follows:
BIND Security 89