doc/arm/Bv9ARM.ch04.html

	Bv9ARM.ch04.html revision 2cc6eb92f9443695bc32fa6eed372d983d261a35
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: Bv9ARM.ch04.html,v 1.89 2009/01/09 01:11:52 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<title>Chapter�4.�Advanced DNS Features</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="chapter" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h2 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p><b>Table of Contents</b></p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dl>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570513">Split DNS</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570531">Example split DNS setup</a></span></dt></dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dd><dl>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571169">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571242">Copying the Shared Secret to Both Machines</a></span></dt>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571253">Informing the Servers of the Key's Existence</a></span></dt>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571292">Instructing the Server to Use the Key</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571486">TSIG Key Based Access Control</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571531">Errors</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</dl></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571613">TKEY</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571662">SIG(0)</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dd><dl>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571799">Generating Keys</a></span></dt>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571878">Signing the Zone</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571959">Configuring Servers</a></span></dt>
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater</dl></dd>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572102">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dd><dl>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572164">Address Lookups Using AAAA Records</a></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572185">Address to Name Lookups Using Nibble Format</a></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</dl></dd>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</dl>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="sect1" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="notify"></a>Notify</h2></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        servers to notify their slave servers of changes to a zone's data. In
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater        response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        slave will check to see that its version of the zone is the
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater        current version and, if not, initiate a zone transfer.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User        For more information about <acronym class="acronym">DNS</acronym>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">NOTIFY</strong></span>, see the description of the
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User        <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        the description of the zone option <span><strong class="command">also-notify</strong></span> in
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        protocol is specified in RFC 1996.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<h3 class="title">Note</h3>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        As a slave zone can also be a master to other slaves, named,
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater        by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater        cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        zones that it loads.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </div>
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="sect1" lang="en">
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User        Dynamic Update is a method for adding, replacing or deleting
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        records in a master server by sending it a special form of DNS
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User        messages.  The format and meaning of these messages is specified
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        in RFC 2136.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Dynamic update is enabled by including an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        clause in the <span><strong class="command">zone</strong></span> statement.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">tkey-gssapi-credential</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">tkey-domain</strong></span> clauses in the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <span><strong class="command">options</strong></span>        statement enable the
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        server to negotiate keys that can be matched against those
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in <span><strong class="command">update-policy</strong></span> or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">allow-update</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Updating of secure zones (zones using DNSSEC) follows RFC
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        3007: RRSIG, NSEC and NSEC3 records affected by updates are
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        automatically regenerated by the server using an online
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        zone key.  Update authorization is based on transaction
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        signatures and an explicit server policy.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="journal"></a>The journal file</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          All changes made to a zone using dynamic update are stored
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User          in the zone's journal file.  This file is automatically created
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          by the server when the first dynamic update takes place.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          The name of the journal file is formed by appending the extension
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <code class="filename">.jnl</code> to the name of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          corresponding zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          file unless specifically overridden.  The journal file is in a
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User          binary format and should not be edited manually.
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          The server will also occasionally write ("dump")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the complete contents of the updated zone to its zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is not done immediately after
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          each dynamic update, because that would be too slow when a large
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone is updated frequently.  Instead, the dump is delayed by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          up to 15 minutes, allowing additional updates to take place.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When a server is restarted after a shutdown or crash, it will replay
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User              the journal file to incorporate into the zone any updates that
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews          took
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          place after the last zone dump.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </p>
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          Changes that result from incoming incremental zone transfers are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          also
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater          journalled in a similar way.
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater        </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          The zone files of dynamic zones cannot normally be edited by
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater          hand because they are not guaranteed to contain the most recent
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          dynamic changes &#8212; those are only in the journal file.
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater          The only way to ensure that the zone file of a dynamic zone
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater          is up to date is to run <span><strong class="command">rndc stop</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          If you have to make changes to a dynamic zone
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater          manually, the following procedure will work: Disable dynamic updates
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater              to the zone using
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater          <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This will also remove the zone's <code class="filename">.jnl</code> file
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          and update the master file.  Edit the zone file.  Run
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          to reload the changed zone and re-enable dynamic updates.
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater        </p>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater</div>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        The incremental zone transfer (IXFR) protocol is a way for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        slave servers to transfer only changed data, instead of having to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        transfer the entire zone. The IXFR protocol is specified in RFC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        When acting as a master, <acronym class="acronym">BIND</acronym> 9
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        supports IXFR for those zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        where the necessary change history information is available. These
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        include master zones maintained by dynamic update and slave zones
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        whose data was obtained by IXFR.  For manually maintained master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        zones, and for slave zones obtained by performing a full zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        transfer (AXFR), IXFR is supported only if the option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">ixfr-from-differences</strong></span> is set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to <strong class="userinput"><code>yes</code></strong>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater        attempt to use IXFR unless
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater        it is explicitly disabled. For more information about disabling
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater        IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater        of the <span><strong class="command">server</strong></span> statement.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2570513"></a>Split DNS</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Setting up different views, or visibility, of the DNS space to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        internal and external resolvers is usually referred to as a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="emphasis"><em>Split DNS</em></span> setup. There are several
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        reasons an organization would want to set up its DNS this way.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        One common reason for setting up a DNS system this way is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to hide "internal" DNS information from "external" clients on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Internet. There is some debate as to whether or not this is actually
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews        useful.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Internal DNS information leaks out in many ways (via email headers,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        for example) and most savvy "attackers" can find the information
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        they need using other means.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        However, since listing addresses of internal servers that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        external clients cannot possibly reach can result in
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        connection delays and other annoyances, an organization may
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        choose to use a Split DNS to present a consistent view of itself
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        to the outside world.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      </p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        Another common reason for setting up a Split DNS system is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        to allow internal networks that are behind filters or in RFC 1918
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        space (reserved IP space, as documented in RFC 1918) to resolve DNS
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        on the Internet. Split DNS can also be used to allow mail from outside
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        back in to the internal network.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<div class="sect2" lang="en">
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<div class="titlepage"><div><div><h3 class="title">
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<a name="id2570531"></a>Example split DNS setup</h3></div></div></div>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        (<code class="literal">example.com</code>)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        has several corporate sites that have an internal network with
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        reserved
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        or "outside" section of a network, that is available to the public.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to be able to resolve external hostnames and to exchange mail with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        people on the outside. The company also wants its internal resolvers
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        to have access to certain internal-only zones that are not available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        at all outside of the internal network.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In order to accomplish this, the company will set up two sets
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        of name servers. One set will be on the inside network (in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        reserved
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        IP space) and the other set will be on bastion hosts, which are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        "proxy"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        hosts that can talk to both sides of its network, in the DMZ.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The internal servers will be configured to forward all queries,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        and <code class="filename">site2.example.com</code>, to the servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        DMZ. These internal servers will have complete sets of information
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        and <code class="filename">site2.internal</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        the internal name servers must be configured to disallow all queries
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        to these domains from any external hosts, including the bastion
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        hosts.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        The external servers, which are on the bastion hosts, will
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This could include things such as the host records for public servers
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        should have special MX records that contain wildcard (`*') records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        pointing to the bastion hosts. This is needed because external mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        servers do not have any other way of looking up how to deliver mail
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        to those internal hosts. With the wildcard records, the mail will
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        be delivered to the bastion host, which can then forward it on to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        internal hosts.
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews      </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Here's an example of a wildcard MX record:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Now that they accept mail on behalf of anything in the internal
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        network, the bastion hosts will need to know how to deliver mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to internal hosts. In order for this to work properly, the resolvers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        on
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        the bastion hosts will need to be configured to point to the internal
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        name servers for DNS resolution.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        Queries for internal hostnames will be answered by the internal
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        servers, and queries for external hostnames will be forwarded back
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        out to the DNS servers on the bastion hosts.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        In order for all this to work properly, internal clients will
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        need to be configured to query <span class="emphasis"><em>only</em></span> the internal
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        name servers for DNS queries. This could also be enforced via
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        selective
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        filtering on the network.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        internal clients will now be able to:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="itemizedlist"><ul type="disc">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            Look up any hostnames in the <code class="literal">site1</code>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            and
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            <code class="literal">site2.example.com</code> zones.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          </li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<li>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            Look up any hostnames in the <code class="literal">site1.internal</code> and
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            <code class="literal">site2.internal</code> domains.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          </li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<li>Look up any hostnames on the Internet.</li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<li>Exchange mail with both internal and external people.</li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</ul></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        Hosts on the Internet will be able to:
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="itemizedlist"><ul type="disc">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            Look up any hostnames in the <code class="literal">site1</code>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            and
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            <code class="literal">site2.example.com</code> zones.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          </li>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            Exchange mail with anyone in the <code class="literal">site1</code> and
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            <code class="literal">site2.example.com</code> zones.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          </li>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</ul></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        Here is an example configuration for the setup we just
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        described above. Note that this is only configuration information;
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        Internal DNS server config:
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      </p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<pre class="programlisting">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useracl internals { 172.16.72.0/24; 192.168.1.0/24; };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useracl externals { <code class="varname">bastion-ips-go-here</code>; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useroptions {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    ...
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    ...
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    forward only;
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    forwarders {                                // forward to external servers
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        <code class="varname">bastion-ips-go-here</code>;
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    allow-transfer { none; };                   // sample allow-transfer (no one)
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    allow-query { internals; externals; };      // restrict query access
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    allow-recursion { internals; };             // restrict recursion
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    ...
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    ...
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User};
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userzone "site1.example.com" {                      // sample master zone
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  type master;
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  file "m/site1.example.com";
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  forwarders { };                               // do normal iterative
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User                                                // resolution (do not forward)
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-query { internals; externals; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-transfer { internals; };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User};
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userzone "site2.example.com" {                      // sample slave zone
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  type slave;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  file "s/site2.example.com";
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  masters { 172.16.72.3; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  forwarders { };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-query { internals; externals; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-transfer { internals; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User};
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userzone "site1.internal" {
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  type master;
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  file "m/site1.internal";
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  forwarders { };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  allow-query { internals; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-transfer { internals; }
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User};
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userzone "site2.internal" {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  type slave;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  file "s/site2.internal";
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  masters { 172.16.72.3; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  forwarders { };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-query { internals };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  allow-transfer { internals; }
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt};
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</pre>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        External (bastion host) DNS server config:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<pre class="programlisting">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useracl internals { 172.16.72.0/24; 192.168.1.0/24; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useracl externals { bastion-ips-go-here; };
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useroptions {
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  ...
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-transfer { none; };                     // sample allow-transfer (no one)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-query { any; };                         // default query access
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  allow-query-cache { internals; externals; };  // restrict cache access
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  allow-recursion { internals; externals; };    // restrict recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site1.example.com" {                      // sample slave zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type master;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  file "m/site1.foo.com";
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-transfer { internals; externals; };
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews};
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterzone "site2.example.com" {
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  type slave;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  file "s/site2.foo.com";
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  masters { another_bastion_host_maybe; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-transfer { internals; externals; }
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        In the <code class="filename">resolv.conf</code> (or equivalent) on
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce        the bastion host(s):
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      </p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<pre class="programlisting">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucesearch ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.2
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaternameserver 172.16.72.3
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaternameserver 172.16.72.4
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce<div class="sect1" lang="en">
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<a name="tsig"></a>TSIG</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        This is a short guide to setting up Transaction SIGnatures
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        to the configuration file as well as what changes are required for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        different features, including the process of creating transaction
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        to server communication.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        This includes zone transfer, notify, and recursive query messages.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        for TSIG.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce        TSIG can also be useful for dynamic update. A primary
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        server for a dynamic zone should control access to the dynamic
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        update service, but IP-based access control is insufficient.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        The cryptographic access control provided by TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        is far superior. The <span><strong class="command">nsupdate</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        program supports TSIG via the <code class="option">-k</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        <code class="option">-y</code> command line options or inline by use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        of the <span><strong class="command">key</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h3 class="title">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="id2571169"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          An arbitrary key name is chosen: "host1-host2.". The key name must
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce          be the same on both hosts.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        </p>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce<div class="sect3" lang="en">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id2571186"></a>Automatic Generation</h4></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            The following command will generate a 128-bit (16 byte) HMAC-MD5
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            key as described above. Longer keys are better, but shorter keys
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            are easier to read. Note that the maximum key length is 512 bits;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            keys longer than that will be digested with MD5 to produce a
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            128-bit key.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater          </p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce            Nothing directly uses this file, but the base-64 encoded string
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            following "<code class="literal">Key:</code>"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater            can be extracted from the file and used as a shared secret:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce            be used as the shared secret.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="sect3" lang="en">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id2571224"></a>Manual Generation</h4></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The shared secret is simply a random sequence of bits, encoded
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            in base-64. Most ASCII strings are valid base-64 strings (assuming
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            the length is a multiple of 4 and only valid characters are used),
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User            so the shared secret can be manually generated.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            a similar program to generate base-64 encoded data.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="sect2" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h3 class="title">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id2571242"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is beyond the scope of DNS. A secure transport mechanism
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          should be used. This could be secure FTP, ssh, telephone, etc.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect2" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h3 class="title">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571253"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          are
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          both servers. The following is added to each server's <code class="filename">named.conf</code> file:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<pre class="programlisting">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userkey host1-host2. {
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User  algorithm hmac-md5;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User  secret "La/E5CjG9O+os1jq0a2jdA==";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</pre>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The secret is the one generated above. Since this is a secret, it
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          is recommended that either <code class="filename">named.conf</code> be non-world
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          readable, or the key directive be added to a non-world readable
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          file that is included by
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <code class="filename">named.conf</code>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          At this point, the key is recognized. This means that if the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          server receives a message signed by this key, it can verify the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          signature. If the signature is successfully verified, the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          response is signed by the same key.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect2" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h3 class="title">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571292"></a>Instructing the Server to Use the Key</h3></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          Since keys are shared between two hosts only, the server must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          10.1.2.3:
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<pre class="programlisting">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userserver 10.1.2.3 {
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User  keys { host1-host2. ;};
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User};
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</pre>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Multiple keys may be present, but only the first is used.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          This directive does not contain any secrets, so it may be in a
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          world-readable
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          file.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          If <span class="emphasis"><em>host1</em></span> sends a message that is a request
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          expect any responses to signed messages to be signed with the same
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          key.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          sign request messages to <span class="emphasis"><em>host1</em></span>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="sect2" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h3 class="title">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571486"></a>TSIG Key Based Access Control</h3></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          to be specified in ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          definitions and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <span><strong class="command">allow-{ query | transfer | update }</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          directives.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This has been extended to allow TSIG keys also. The above key would
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          be denoted <span><strong class="command">key host1-host2.</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          An example of an allow-update directive would be:
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinallow-update { key host1-host2. ;};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          This allows dynamic updates to succeed only if the request
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          You may want to read about the more powerful
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <span><strong class="command">update-policy</strong></span> statement in
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect2" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h3 class="title">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571531"></a>Errors</h3></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The processing of TSIG signed messages can result in
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          several errors. If a signed message is sent to a non-TSIG aware
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          server, a FORMERR (format error) will be returned, since the server will not
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          understand the record. This is a result of misconfiguration,
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          since the server must be explicitly configured to send a TSIG
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          signed message to a specific server.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          If a TSIG aware server receives a message signed by an
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          unknown key, the response will be unsigned with the TSIG
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          extended error code set to BADKEY. If a TSIG aware server
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          receives a message with a signature that does not validate, the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          response will be unsigned with the TSIG extended error code set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to BADSIG. If a TSIG aware server receives a message with a time
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          outside of the allowed range, the response will be signed with
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          the TSIG extended error code set to BADTIME, and the time values
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will be adjusted so that the response can be successfully
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          verified. In any of these cases, the message's rcode (response code) is set to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          NOTAUTH (not authenticated).
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect1" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571613"></a>TKEY</h2></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p><span><strong class="command">TKEY</strong></span>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        is a mechanism for automatically generating a shared secret
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        between two hosts.  There are several "modes" of
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> that specify how the key is generated
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only one of
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User        these modes, the Diffie-Hellman key exchange.  Both hosts are
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        required to have a Diffie-Hellman KEY record (although this
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        record is not required to be present in a zone).  The
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> process must use signed messages,
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        signed either by TSIG or SIG(0).  The result of
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also be
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        used to delete shared secrets that it had previously
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The <span><strong class="command">TKEY</strong></span> process is initiated by a
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        client
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        or server by sending a signed <span><strong class="command">TKEY</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        query
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        (including any appropriate KEYs) to a TKEY-aware server.  The
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        server response, if it indicates success, will contain a
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        After
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        this exchange, both participants have enough information to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        determine the shared secret; the exact process depends on the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> mode.  When using the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        Diffie-Hellman
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        exchanged,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and the shared secret is derived by both participants.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect1" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<a name="id2571662"></a>SIG(0)</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            transaction signatures as specified in RFC 2535 and RFC2931.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        SIG(0)
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        uses public/private keys to authenticate messages.  Access control
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        is performed in the same manner as TSIG keys; privileges can be
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        granted or denied based on the key name.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        When a SIG(0) signed message is received, it will only be
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        verified if the key is known and trusted by the server; the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        will not attempt to locate and/or validate the key.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        SIG(0) signing of multiple-message TCP streams is not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        supported.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="sect1" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Cryptographic authentication of DNS information is possible
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        defined in RFC 4033, RFC 4034, and RFC 4035.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        This section describes the creation and use of DNSSEC signed zones.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        In order to set up a DNSSEC secure zone, there are a series
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        of steps which must be followed.  <acronym class="acronym">BIND</acronym>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        9 ships
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        with several tools
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        that are used in this process, which are explained in more detail
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        below.  In all cases, the <code class="option">-h</code> option prints a
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        full list of parameters.  Note that the DNSSEC tools require the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        keyset files to be in the working directory or the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        directory specified by the <code class="option">-d</code> option, and
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        that the tools shipped with BIND 9.2.x and earlier are not compatible
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        with the current ones.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        There must also be communication with the administrators of
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        the parent and/or child zone to transmit keys.  A zone's security
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        status must be indicated by the parent zone for a DNSSEC capable
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        resolver to trust its data.  This is done through the presence
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        or absence of a <code class="literal">DS</code> record at the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        delegation
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        point.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User      </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        For other servers to trust data in this zone, they must
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        either be statically configured with this zone's zone key or the
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        zone key of another zone above this one in the DNS tree.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h3 class="title">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id2571799"></a>Generating Keys</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <span><strong class="command">dnssec-keygen</strong></span> program is used to
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          generate keys.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          A secure zone must contain one or more zone keys.  The
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          zone keys will sign all other records in the zone, as well as
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          the zone keys of any secure delegated zones.  Zone keys must
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          have the same name as the zone, a name type of
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <span><strong class="command">ZONE</strong></span>, and must be usable for
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          authentication.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          It is recommended that zone keys use a cryptographic algorithm
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          designated as "mandatory to implement" by the IETF; currently
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          the only one is RSASHA1.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The following command will generate a 768-bit RSASHA1 key for
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User          the <code class="filename">child.example</code> zone:
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          Two output files will be produced:
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <code class="filename">Kchild.example.+005+12345.key</code> and
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <code class="filename">Kchild.example.+005+12345.private</code>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          (where
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          12345 is an example of a key tag).  The key filenames contain
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          the key name (<code class="filename">child.example.</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          algorithm (3
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          this case).
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The private key (in the <code class="filename">.private</code>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          file) is
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          used to generate signatures, and the public key (in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">.key</code> file) is used for signature
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          verification.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          To generate another key with the same properties (but with
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          a different key tag), repeat the above command.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to get a key pair from a crypto hardware and build the key
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The public keys should be inserted into the zone file by
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          including the <code class="filename">.key</code> files using
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User          <span><strong class="command">$INCLUDE</strong></span> statements.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="sect2" lang="en">
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571878"></a>Signing the Zone</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          The <span><strong class="command">dnssec-signzone</strong></span> program is used
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          to sign a zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          Any <code class="filename">keyset</code> files corresponding to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          secure subzones should be present.  The zone signer will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          and <code class="literal">RRSIG</code> records for the zone, as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          well as <code class="literal">DS</code> for the child zones if
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews          is not specified, then DS RRsets for the secure child
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          zones need to be added manually.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The following command signs the zone, assuming it is in a
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          file called <code class="filename">zone.child.example</code>.  By
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                default, all zone keys which have an available private key are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                used to generate signatures.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          One output file is produced:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">zone.child.example.signed</code>.  This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          should be referenced by <code class="filename">named.conf</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          as the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          input file for the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews<p><span><strong class="command">dnssec-signzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will also produce a keyset and dsset files and optionally a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          dlvset file.  These are used to provide the parent zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          administrators with the <code class="literal">DNSKEYs</code> (or their
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          corresponding <code class="literal">DS</code> records) that are the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          secure entry point to the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id2571959"></a>Configuring Servers</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User          To enable <span><strong class="command">named</strong></span> to respond appropriately
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          to DNS requests from DNSSEC aware clients,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          To enable <span><strong class="command">named</strong></span> to validate answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          other servers both <span><strong class="command">dnssec-enable</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">dnssec-validation</strong></span> must be set and some
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> must be configured
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          into <code class="filename">named.conf</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          for zones that are used to form the first link in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          cryptographic chain of trust.  All keys listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          are deemed to exist and only the listed keys will be used
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          to validated the DNSKEY RRset that they are from.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <span><strong class="command">trusted-keys</strong></span> are described in more detail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          later in this document.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          9 does not verify signatures on load, so zone keys for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          authoritative zones do not need to be specified in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          configuration file.
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          After DNSSEC gets established, a typical DNSSEC configuration
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will look something like the following.  It has a one or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          more public keys for the root.  This allows answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          outside the organization to be validated.  It will also
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          have several keys for parts of the namespace the organization
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          controls.  These are here to ensure that named is immune
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to compromises in the DNSSEC components of the security
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          of parent zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintrusted-keys {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        /* Root Key */
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt/* Key for our organization's forward zone */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinexample.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                      SCThlHf3xiYleDbt/o1OTQ09A0=";
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein/* Key for our reverse zone. */
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useroptions {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        dnssec-enable yes;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        dnssec-validation yes;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h3 class="title">Note</h3>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          None of the keys listed in this example are valid.  In particular,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          the root key is not valid.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2572102"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <acronym class="acronym">BIND</acronym> 9 fully supports all currently
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        defined forms of IPv6
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        name to address and address to name lookups.  It will also use
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews        IPv6 addresses to make queries when running on an IPv6 capable
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        system.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        only AAAA records.  RFC 3363 deprecated the use of A6 records,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and client-side support for A6 records was accordingly removed
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User        from <acronym class="acronym">BIND</acronym> 9.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        load zone files containing A6 records correctly, answer queries
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews        for A6 records, and accept zone transfer for a zone containing A6
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        records.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        the traditional "nibble" format used in the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        <span class="emphasis"><em>ip6.int</em></span> domain.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Older versions of <acronym class="acronym">BIND</acronym> 9
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        supported the "binary label" (also known as "bitstring") format,
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        but support of binary labels has been completely removed per
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        RFC 3363.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        the binary label format at all any more, and will return an
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        error if given.
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        name server will not load a zone file containing binary labels.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        For an overview of the format and structure of IPv6 addresses,
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater        see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2572164"></a>Address Lookups Using AAAA Records</h3></div></div></div>
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews<p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          The IPv6 AAAA record is a parallel to the IPv4 A record,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          and, unlike the deprecated A6 record, specifies the entire
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          IPv6 address in a single record.  For example,
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        </p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<pre class="programlisting">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User$ORIGIN example.com.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunthost            3600    IN      AAAA    2001:db8::1
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</pre>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<p>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater          Use of IPv4-in-IPv6 mapped addresses is not recommended.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          If a host has an IPv4 address, use an A record, not
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          the address.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        </p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="sect2" lang="en">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<div class="titlepage"><div><div><h3 class="title">
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<a name="id2572185"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          When looking up an address in nibble format, the address
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          components are simply reversed, just as in IPv4, and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <code class="literal">ip6.arpa.</code> is appended to the
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          resulting name.
d3907d27cc138f45772d3d63082ae02c7659148aAutomatic Updater          For example, the following would provide reverse name lookup for
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          a host with address
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          <code class="literal">2001:db8::1</code>.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<pre class="programlisting">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews</pre>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews</div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</div>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews</div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<div class="navfooter">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<hr>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<table width="100%" summary="Navigation footer">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<tr>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<td width="40%" align="left">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<td width="20%" align="center">�</td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</tr>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<tr>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<td width="40%" align="left" valign="top">Chapter�3.�Name Server Configuration�</td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<td width="40%" align="right" valign="top">�Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</tr>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</table>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</body>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</html>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater