Men&Mice

Generating TSIG key for BIND 10

Men&Mice is monitoring and supporting the BIND 10 development, and as part of that, our engineers sometimes create little helpful tools to share with the community.

Feb 15th, 2013

The first Release Candidate of the new DNS and DHCP server from ISC, BIND 10 (http://bind10.isc.org) was released on February 15, 2013.


TSIG keys

TSIG is short for Transaction Signatures, defined in RFC 2845 "Secret Key Transaction Authentication for DNS (TSIG)". TSIG is primarily used to authenticate DNS zone transfer between DNS servers, and to secure dynamic DNS updates.

BIND 10 supports TSIG for both zone transfer and dynamic updates, but it does not contain a tool to create the TSIG keys. While it is possible to use the tools from BIND 9 (https://www.isc.org/wordpress/software/bind/) or ldns (ldns-keygen, http://www.nlnetlabs.nl/projects/ldns/), installing these tools along with BIND 10 might be too much overhead.

Men&Mice engineers have written a small tool in Python called b10-gentsigkey.py (https://github.com/menandmice/b10-gentsigkey).

By default the tool creates a 128-bit HMAC-MD5 key and prints it on the screen in the form name:secret:algorithm:

b10-gentsigkey.py example.com
example.com:rc4VdlEPMFan4D+9icDEkg==:hmac-md5

b10-gentsigkey options:

b10-gentsigkey.py [--help | options] name

Options:
  -h, --help            show this help message and exit
  -a ALGORITHM, --algorithm=ALGORITHM
                        algorithm for the TSIG key
  -b SIZE, --bytes=SIZE
                        size of the key
  -f                    print bindctl CLI command

b10-gentsigkey supports all the TSIG algorithms that are also supported by BIND 10 ('hmac-md5', 'hmac-sha1', 'hmac-sha224', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512').

Using the "-f" (format) switch, the tool prints the bindctl commands that enter the TSIG key into the BIND 10 configuration. These commands can be copied and pasted into the bindctl command line:

b10-gentsigkey.py -a hmac-sha256 -b 256 -f example.de
config add tsig_keys/keys "example.de:M2nrsQWVEAuAfm67U2Gdfj2dFfJIPay9ZFMukXSSCiY=:hmac-sha256"
config commit

This output can also be piped directly into bindctl:

b10-gentsigkey.py -a hmac-sha1 -b 256 -f example.com | bindctl
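The following Python script is an added example written for this article; it is not the code of b10-gentsigkey.py. It shows the same three steps the tool performs (draw random key material, base64-encode it, emit the name:secret:algorithm string or the bindctl commands) and adds a parser that validates a key string and reports its size in bits, which is handy for checking a key that someone hands you. The function names and the mapping from TSIG algorithm names to hashlib digests are my own assumptions; the sample key strings are the ones shown above.

```python
import base64
import hashlib
import hmac
import secrets

# TSIG algorithms listed in the article as supported by BIND 10, mapped to
# the hashlib digest that implements each HMAC (mapping is an assumption of
# this example, not taken from the tool).
TSIG_ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def generate_tsig_secret(bits=128):
    """Return a base64 string holding `bits` bits of CSPRNG key material."""
    if bits <= 0 or bits % 8 != 0:
        raise ValueError("key size must be a positive multiple of 8 bits")
    # secrets.token_bytes uses the OS CSPRNG, which is what key material needs.
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def format_tsig_key(name, secret_b64, algorithm="hmac-md5"):
    """Build the name:secret:algorithm string printed by the tool."""
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm: %s" % algorithm)
    if ":" in name:
        raise ValueError("key name must not contain ':'")
    return "%s:%s:%s" % (name, secret_b64, algorithm)


def bindctl_commands(key_string):
    """Wrap a key string in the two bindctl lines shown in the article."""
    return 'config add tsig_keys/keys "%s"\nconfig commit' % key_string


def parse_tsig_key(key_string):
    """Split and validate name:secret:algorithm; return (name, raw_key, algorithm).

    Raises ValueError for a malformed string, an unknown algorithm or a
    secret that is not valid base64.
    """
    parts = key_string.split(":")
    if len(parts) != 3:
        raise ValueError("expected name:secret:algorithm")
    name, secret_b64, algorithm = parts
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm: %s" % algorithm)
    raw = base64.b64decode(secret_b64, validate=True)
    if not raw:
        raise ValueError("empty secret")
    return name, raw, algorithm


def is_valid_tsig_key(key_string):
    """True if parse_tsig_key() accepts the string, False otherwise."""
    try:
        parse_tsig_key(key_string)
        return True
    except ValueError:
        return False


def key_bits(key_string):
    """Size of the decoded secret in bits (e.g. 128 for the MD5 example)."""
    return len(parse_tsig_key(key_string)[1]) * 8


def tsig_mac(key_string, message):
    """Hex HMAC of `message` under the key; shows the secret is usable as-is."""
    _, raw, algorithm = parse_tsig_key(key_string)
    return hmac.new(raw, message, TSIG_ALGORITHMS[algorithm]).hexdigest()


if __name__ == "__main__":
    # Mirrors "b10-gentsigkey.py -a hmac-sha256 -b 256 -f example.de".
    key = format_tsig_key("example.de", generate_tsig_secret(256), "hmac-sha256")
    print(bindctl_commands(key))
```

Running the script prints a fresh "config add tsig_keys/keys ..." pair that can be piped into bindctl just like the tool's output. HMAC-MD5 is kept as the default only to match the tool; when both servers support it, hmac-sha256 with a 256-bit key is the sensible choice, and the parser lets you confirm that a key string you receive really decodes to the size its name suggests.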

We hope to bring a similar command into the BIND 10 CLI (bindctl), so that no external tool is required to create TSIG keys.

Until then, enjoy this little tool.

If you are interested in learning more about BIND 10, Men&Mice is working closely with ISC to deliver the first industry training on this new version of the BIND name server software in Amsterdam, Netherlands, from February 20th - 21st, 2013. You can learn more about it on the Men&Mice BIND 10 workshop page.