HP-UX IP Address and Client Management Administrator's Guide HP-UX 11i v2, HP-UX 11i v3
value changes the hash value drastically, so that it is computationally infeasible to reverse the
function and recalculate the input that generated the output.
Configuring TSIG
You must configure one or more TSIG keys on both ends of the transaction before you can use TSIG
for authentication. For example, to use TSIG to secure zone transfers between the master and slave
name servers for div.inc.com, you must configure both name servers with a common key
as follows:
key venus-mars.div.inc.com. {
    algorithm hmac-md5;
    secret "skrKc4Twy/cIgIykQu7JZA==";
};
The argument to the key statement, venus-mars.div.inc.com, is the name of the key. The name of
the key (not only the binary key material it refers to) must be identical on both ends of the
transaction, because the recipient looks up the key by name and attempts to verify the TSIG record
with it. The algorithm is hmac-md5, and the secret is the base64 encoding of the binary key.
Generating Keys
You can use the /usr/bin/dnssec-keygen program to generate keys.
A sample directive to invoke the dnssec-keygen program to generate a 768-bit DSA key for
the domain example.com is as follows:
# /usr/bin/dnssec-keygen -a DSA -b 768 -n ZONE example.com
The preceding command generates the key identification string Kexample.com.+003+26160,
indicating a DSA key with an identifier 26160.
Use the -a option to specify the algorithm. Use the -b option to specify the key size in bits,
and use the -n option to specify the nametype. The nametype can be ZONE, HOST, ENTITY, or
USER.
The /usr/bin/dnssec-keygen program creates two files, where nnnn is the key name, aaa is the
algorithm number, and iiiii is the key identifier:
Knnnn.+aaa+iiiii.key
Knnnn.+aaa+iiiii.private
For a detailed description of all the supported functions, type man 1 dnssec-keygen at the
HP-UX prompt.
Using TSIG
You configure a name server to use the TSIG keys you have defined by adding a keys substatement
to a server statement. The keys substatement instructs the name server to sign queries and zone
transfer requests sent to that particular remote name server. The following server statement
informs the local name server, moon.div.inc.com, to sign all requests to the host 192.249.249.1
(venus.div.inc.com) with the key venus-moon.div.inc.com:
server 192.249.249.1 {
    keys { venus-moon.div.inc.com.; };
};
Next, on venus.div.inc.com, you must restrict zone transfers to those signed with the
venus-moon.div.inc.com key as follows:
zone "div.inc.com" {
    type master;
    file "db.div";
    allow-transfer { key venus-moon.div.inc.com.; };
};
venus.div.inc.com also signs the zone transfer itself, so that moon.div.inc.com can verify
it. For more information on the dnssec-keygen program, type man 1 dnssec-keygen at
the HP-UX prompt.
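The following Python program is an added example, not part of this guide or of BIND, that models what the key statement above and the signed zone-transfer request do: it parses a named.conf-style key statement (the secret is a constructed value, not the one shown earlier), computes an HMAC-MD5 over a constructed AXFR request exactly as the sending server moon would, and verifies it as venus would. The MAC input is an assumption: a simplified version of what TSIG actually covers, kept only to show that the key name and algorithm are part of the signed data, which is why a key of the same bytes under a different name fails verification. The status names BADKEY, BADSIG and BADTIME are the TSIG error names; the request bytes and the keyring are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re
import struct

# Constructed named.conf key statement, in the same shape as the page's
# venus-mars.div.inc.com key but with a different, made-up secret.
KEY_STATEMENT = """
key venus-mars.div.inc.com. {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=";
};
"""

_KEY_RE = re.compile(
    r'key\s+(?P<name>[\w.-]+)\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[A-Za-z0-9+/=]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)

# Registered TSIG algorithm name for HMAC-MD5 (RFC 2845); it is part of the signed data.
HMAC_MD5_ALG = b"hmac-md5.sig-alg.reg.int"


def parse_key_statement(text):
    """Return (key name, algorithm, raw key bytes) from a named.conf key statement."""
    m = _KEY_RE.search(text)
    if m is None:
        raise ValueError("no key statement found")
    # DNS names compare case-insensitively; drop the trailing dot for comparison
    name = m.group("name").lower().rstrip(".")
    alg = m.group("alg").lower()
    if alg != "hmac-md5":
        raise ValueError("only hmac-md5 is modelled here")
    # The secret is the base64 encoding of the binary key, so decode it strictly
    secret = base64.b64decode(m.group("secret"), validate=True)
    return name, alg, secret


def new_secret(nbytes=16):
    """Fresh random key material, base64-encoded for pasting into a key statement.
    (On HP-UX you would let dnssec-keygen do this; shown only to make the model complete.)"""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def _signed_data(message, key_name, time_signed, fudge):
    # Assumption: a simplified model of the TSIG MAC input. Real TSIG hashes the
    # DNS message plus the TSIG variables in wire form; the essential point here is
    # that the key NAME and algorithm are covered, so they must match on both ends.
    return b"".join([
        message,
        key_name.lower().rstrip(".").encode("ascii"), b"\x00",
        HMAC_MD5_ALG, b"\x00",
        struct.pack(">Q", time_signed)[2:],   # 48-bit "time signed"
        struct.pack(">H", fudge),             # permitted clock skew, seconds
    ])


def sign(message, key_name, secret, time_signed, fudge=300):
    """MAC that the sending server (moon) attaches to its request."""
    return hmac.new(secret, _signed_data(message, key_name, time_signed, fudge),
                    hashlib.md5).digest()


def verify(message, key_name, mac, keyring, time_signed, now, fudge=300):
    """Recipient-side check (venus). Returns a TSIG-style status string."""
    secret = keyring.get(key_name.lower().rstrip("."))
    if secret is None:
        return "BADKEY"            # no key of that name configured here
    expected = sign(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"           # replayed or badly skewed request
    return "NOERROR"


def demo(now=1_700_000_000):
    name, _alg, secret = parse_key_statement(KEY_STATEMENT)
    # Constructed AXFR request for div.inc.com (header + question) as moon would send it
    request = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x03div\x03inc\x03com\x00\x00\xfc\x00\x01")
    mac = sign(request, name, secret, now)
    # venus's keyring: the shared key, plus a second key with the SAME bytes under another name
    keyring = {name: secret, "venus-moon.div.inc.com": secret}
    return (
        verify(request, name, mac, keyring, now, now),                       # NOERROR
        verify(request, "venus-moon.div.inc.com", mac, keyring, now, now),   # BADSIG: name differs
        verify(request, "nosuchkey.div.inc.com", mac, keyring, now, now),    # BADKEY: not configured
        verify(request[:-1] + b"\x02", name, mac, keyring, now, now),        # BADSIG: message altered
        verify(request, name, mac, keyring, now, now + 3600),                # BADTIME: outside fudge
    )


if __name__ == "__main__":
    print(demo())
```

Running the file prints the five statuses in order. The second case is the one the guide warns about: both servers hold identical key bytes, but because the name is covered by the MAC, a mismatched name is rejected just as a wrong secret would be, and the constant-time compare_digest keeps the verification from leaking how many MAC bytes matched.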
86 Configuring and Administering the BIND Name Service