Transaction Signatures (TSIG) is a method for securing communication between two DNS servers using a shared symmetric key. TSIG messages carry a time stamp with an inception time and an expiration time that determine how long the message is valid. In this exercise we will make a secure zone transfer with a TSIG key. Keep in mind that the master and the slave must have synchronised clocks, otherwise the signatures will not validate. We will start by generating the key. We will do this on the slave server.

[root@security2 ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST security2-security1
Ksecurity2-security1.+157+45226
This is the base name of the files that will contain our key; the number 45226 is the key fingerprint.

From this file you should extract the shared key:
[root@security2 ~]# cat Ksecurity2-security1.+157+45226.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: frenSwzx0xWpbA9nLT2+8g==

Now, on both the master and the slave server, create a file called transfer.key in /var/named/chroot/etc with the following content:

key "security2-security1." {
algorithm hmac-md5;
secret "frenSwzx0xWpbA9nLT2+8g==";
};

At this point you also need to set the permissions properly. Do this on both machines.

[root@security2 etc]# chown root:named transfer.key
[root@security2 etc]# chmod 644 transfer.key
[root@security2 etc]# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key

Now it is time to enable TSIG on your servers. At the top of /etc/named.conf add the following line:

include "/etc/transfer.key";

The slave server should prohibit all zone transfers from anywhere, so change /var/named/chroot/etc/named.conf as follows:

allow-transfer {none;};
forwarders {;};
forward only;

security2 should authenticate to security1 using /etc/transfer.key. Change the same named.conf as follows:

server {
keys { security2-security1.; };
};

Change the master configuration so it can transfer the zone to the slave. In named.conf, in the options section, add the following:

allow-transfer { key security2-security1.; };
forwarders {; };
forward only;

Note that you must remove the line allow-transfer {; }; from the zone definitions. Restart the service on both servers and perform the initial zone transfer.

[root@security2 ~]# dig -y security2-security1.:frenSwzx0xWpbA9nLT2+8g== @security1 axfr