
Is there any way to use a TSIG (or other) key in combination with a DNS query to authenticate into a DNS view for use with recursion? Something like:

key trusted-key {
    algorithm HMAC-SHA256;
    secret "blonggggg";
};

acl trusted { key trusted-key; };

view trusted {
    match-clients { trusted; };
    allow-recursion { any; };
};

If so, how would the querying client go about specifying the key for authentication? What if it can be guaranteed that the queries are always coming from a downstream DNS server providing local caching DNS for a branch office? Can the downstream DNS server be configured to use a particular key with all of the queries it's forwarding to the upstream server?

Thanks.

  • I do not believe you can configure DNS clients with TSIG (or other) keys. How do you plan on distributing the key and preventing others from using your key also? – Tommiie Dec 31 '18 at 11:26

1 Answer


For testing purposes, you could just use dig -k ... or dig -y ....

For client machines to do this directly, I do not think it's viable. I'm not aware of any OS having a stub resolver that actually does TSIG signing.

However, it is possible to have a forwarding nameserver which uses TSIG to sign the forwarded queries.

You could do something like this (possibly on both ends, depending on the scenario):

key trusted-key {
    algorithm HMAC-SHA256;
    secret "x";
};

server 192.0.2.1 {
    keys { trusted-key.; };
};

This will cause BIND to always use the specified key to sign queries to the other server (identified by IP).

From the server section in the manual:

The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key.

Only a single key per server is currently supported.

Håkan Lindqvist
  • I guess for mobile clients, I can run a local caching-only DNS that forwards all queries to the central server and authenticates with TSIG. Thanks. – Tripp Kinetics Oct 05 '20 at 17:49
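The scenario from the answer and the last comment, written out for both ends as an added example (not part of the original post and not taken from the BIND documentation): the branch-office caching forwarder signs every query it forwards with the shared key, and the central server grants recursion only to queries that carry a valid signature, refusing everything else so it does not become an open resolver. The addresses 192.0.2.1 and 198.51.100.0/24, the key secret and the view names are assumed values.

```conf
# ---- Central (upstream) server: named.conf ----
# The same key name and secret must exist on both ends. The secret below is a
# placeholder; generate a real one with BIND's tsig-keygen -a hmac-sha256 trusted-key
key "trusted-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLWRvLW5vdC11c2U=";
};

# Queries carrying a valid TSIG made with this key get recursion. Views are
# matched in order, so this one must come first; the key is the credential,
# not the source address.
view "trusted" {
    match-clients { key trusted-key; };
    recursion yes;
    allow-recursion { any; };
};

# Unsigned queries, queries signed with an unknown key, and queries with a bad
# signature fall through to here and are refused recursion.
view "public" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
};

# ---- Branch-office caching forwarder: named.conf ----
key "trusted-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLWRvLW5vdC11c2U=";
};

# Sign every query sent to the central server (matched by IP) with the shared key.
server 192.0.2.1 {
    keys { trusted-key; };
};

options {
    # Only the branch LAN and localhost may recurse through this forwarder.
    allow-recursion { 198.51.100.0/24; 127.0.0.1; };
    # Never iterate on our own; relay everything to the signed upstream.
    forward only;
    forwarders { 192.0.2.1; };
};
```

To check the upstream side independently of the forwarder, `dig @192.0.2.1 -y hmac-sha256:trusted-key:<secret> example.com` should be answered recursively, while the same query without `-y` should come back REFUSED.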