doc/arm/Bv9ARM.ch04.html

	Bv9ARM.ch04.html revision 2cc6eb92f9443695bc32fa6eed372d983d261a35
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<!-- $Id: Bv9ARM.ch04.html,v 1.89 2009/01/09 01:11:52 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�4.�Advanced DNS Features</title>
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="chapter" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570513">Split DNS</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570531">Example split DNS setup</a></span></dt></dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571169">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571242">Copying the Shared Secret to Both Machines</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571253">Informing the Servers of the Key's Existence</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571292">Instructing the Server to Use the Key</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571486">TSIG Key Based Access Control</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571531">Errors</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571613">TKEY</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571662">SIG(0)</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571799">Generating Keys</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571878">Signing the Zone</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571959">Configuring Servers</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572102">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572164">Address Lookups Using AAAA Records</a></span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572185">Address to Name Lookups Using Nibble Format</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="notify"></a>Notify</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        servers to notify their slave servers of changes to a zone's data. In
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        slave will check to see that its version of the zone is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        current version and, if not, initiate a zone transfer.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        For more information about <acronym class="acronym">DNS</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">NOTIFY</strong></span>, see the description of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        the description of the zone option <span><strong class="command">also-notify</strong></span> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        protocol is specified in RFC 1996.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<h3 class="title">Note</h3>
58d9e9169e7ab4355a0b0bfc13bc616bc5247dfeAutomatic Updater        As a slave zone can also be a master to other slaves, named,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
58d9e9169e7ab4355a0b0bfc13bc616bc5247dfeAutomatic Updater        cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        zones that it loads.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Dynamic Update is a method for adding, replacing or deleting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        records in a master server by sending it a special form of DNS
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        messages.  The format and meaning of these messages is specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in RFC 2136.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews        Dynamic update is enabled by including an
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        clause in the <span><strong class="command">zone</strong></span> statement.  The
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        <span><strong class="command">tkey-gssapi-credential</strong></span> and
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        <span><strong class="command">tkey-domain</strong></span> clauses in the
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        <span><strong class="command">options</strong></span>        statement enable the
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        server to negotiate keys that can be matched against those
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        in <span><strong class="command">update-policy</strong></span> or
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        <span><strong class="command">allow-update</strong></span>.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater      </p>
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater<p>
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        Updating of secure zones (zones using DNSSEC) follows RFC
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        3007: RRSIG, NSEC and NSEC3 records affected by updates are
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews        automatically regenerated by the server using an online
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater        zone key.  Update authorization is based on transaction
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews        signatures and an explicit server policy.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews      </p>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="journal"></a>The journal file</h3></div></div></div>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater<p>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          All changes made to a zone using dynamic update are stored
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          in the zone's journal file.  This file is automatically created
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          by the server when the first dynamic update takes place.
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          The name of the journal file is formed by appending the extension
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">.jnl</code> to the name of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          corresponding zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file unless specifically overridden.  The journal file is in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          binary format and should not be edited manually.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The server will also occasionally write ("dump")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the complete contents of the updated zone to its zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is not done immediately after
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          each dynamic update, because that would be too slow when a large
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone is updated frequently.  Instead, the dump is delayed by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          up to 15 minutes, allowing additional updates to take place.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          When a server is restarted after a shutdown or crash, it will replay
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein              the journal file to incorporate into the zone any updates that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          took
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          place after the last zone dump.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Changes that result from incoming incremental zone transfers are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          also
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          journalled in a similar way.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The zone files of dynamic zones cannot normally be edited by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          hand because they are not guaranteed to contain the most recent
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          dynamic changes &#8212; those are only in the journal file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The only way to ensure that the zone file of a dynamic zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is up to date is to run <span><strong class="command">rndc stop</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          If you have to make changes to a dynamic zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          manually, the following procedure will work: Disable dynamic updates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein              to the zone using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          This will also remove the zone's <code class="filename">.jnl</code> file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          and update the master file.  Edit the zone file.  Run
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to reload the changed zone and re-enable dynamic updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        The incremental zone transfer (IXFR) protocol is a way for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        slave servers to transfer only changed data, instead of having to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        transfer the entire zone. The IXFR protocol is specified in RFC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        When acting as a master, <acronym class="acronym">BIND</acronym> 9
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        supports IXFR for those zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        where the necessary change history information is available. These
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        include master zones maintained by dynamic update and slave zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        whose data was obtained by IXFR.  For manually maintained master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        zones, and for slave zones obtained by performing a full zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        transfer (AXFR), IXFR is supported only if the option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">ixfr-from-differences</strong></span> is set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to <strong class="userinput"><code>yes</code></strong>.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        attempt to use IXFR unless
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        it is explicitly disabled. For more information about disabling
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        of the <span><strong class="command">server</strong></span> statement.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<a name="id2570513"></a>Split DNS</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Setting up different views, or visibility, of the DNS space to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        internal and external resolvers is usually referred to as a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="emphasis"><em>Split DNS</em></span> setup. There are several
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        reasons an organization would want to set up its DNS this way.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        One common reason for setting up a DNS system this way is
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        to hide "internal" DNS information from "external" clients on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Internet. There is some debate as to whether or not this is actually
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        useful.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        Internal DNS information leaks out in many ways (via email headers,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        for example) and most savvy "attackers" can find the information
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        they need using other means.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        However, since listing addresses of internal servers that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        external clients cannot possibly reach can result in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        connection delays and other annoyances, an organization may
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        choose to use a Split DNS to present a consistent view of itself
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to the outside world.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Another common reason for setting up a Split DNS system is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to allow internal networks that are behind filters or in RFC 1918
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        space (reserved IP space, as documented in RFC 1918) to resolve DNS
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        on the Internet. Split DNS can also be used to allow mail from outside
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        back in to the internal network.
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews      </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2570531"></a>Example split DNS setup</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        (<code class="literal">example.com</code>)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        has several corporate sites that have an internal network with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        reserved
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        or "outside" section of a network, that is available to the public.
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews      </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to be able to resolve external hostnames and to exchange mail with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        people on the outside. The company also wants its internal resolvers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to have access to certain internal-only zones that are not available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        at all outside of the internal network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In order to accomplish this, the company will set up two sets
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        of name servers. One set will be on the inside network (in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        reserved
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        IP space) and the other set will be on bastion hosts, which are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        "proxy"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        hosts that can talk to both sides of its network, in the DMZ.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The internal servers will be configured to forward all queries,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and <code class="filename">site2.example.com</code>, to the servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        DMZ. These internal servers will have complete sets of information
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and <code class="filename">site2.internal</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        the internal name servers must be configured to disallow all queries
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to these domains from any external hosts, including the bastion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        hosts.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
2cc6eb92f9443695bc32fa6eed372d983d261a35Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The external servers, which are on the bastion hosts, will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This could include things such as the host records for public servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        should have special MX records that contain wildcard (`*') records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        pointing to the bastion hosts. This is needed because external mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        servers do not have any other way of looking up how to deliver mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to those internal hosts. With the wildcard records, the mail will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        be delivered to the bastion host, which can then forward it on to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        internal hosts.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Here's an example of a wildcard MX record:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Now that they accept mail on behalf of anything in the internal
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        network, the bastion hosts will need to know how to deliver mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to internal hosts. In order for this to work properly, the resolvers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        the bastion hosts will need to be configured to point to the internal
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        name servers for DNS resolution.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Queries for internal hostnames will be answered by the internal
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        servers, and queries for external hostnames will be forwarded back
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        out to the DNS servers on the bastion hosts.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In order for all this to work properly, internal clients will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        need to be configured to query <span class="emphasis"><em>only</em></span> the internal
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        name servers for DNS queries. This could also be enforced via
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        selective
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        filtering on the network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        internal clients will now be able to:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Look up any hostnames in the <code class="literal">site1</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="literal">site2.example.com</code> zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Look up any hostnames in the <code class="literal">site1.internal</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="literal">site2.internal</code> domains.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>Look up any hostnames on the Internet.</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>Exchange mail with both internal and external people.</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Hosts on the Internet will be able to:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Look up any hostnames in the <code class="literal">site1</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            and
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews            <code class="literal">site2.example.com</code> zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Exchange mail with anyone in the <code class="literal">site1</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="literal">site2.example.com</code> zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Here is an example configuration for the setup we just
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        described above. Note that this is only configuration information;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Internal DNS server config:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl internals { 172.16.72.0/24; 192.168.1.0/24; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrewsacl externals { <code class="varname">bastion-ips-go-here</code>; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    forward only;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    forwarders {                                // forward to external servers
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce        <code class="varname">bastion-ips-go-here</code>;
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce    };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    allow-transfer { none; };                   // sample allow-transfer (no one)
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce    allow-query { internals; externals; };      // restrict query access
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce    allow-recursion { internals; };             // restrict recursion
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce    ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce    ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterzone "site1.example.com" {                      // sample master zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews  type master;
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  file "m/site1.example.com";
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  forwarders { };                               // do normal iterative
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater                                                // resolution (do not forward)
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-query { internals; externals; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-transfer { internals; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.example.com" {                      // sample slave zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type slave;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "s/site2.example.com";
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  masters { 172.16.72.3; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  forwarders { };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-query { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-transfer { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterzone "site1.internal" {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "m/site1.internal";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  forwarders { };
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  allow-query { internals; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-transfer { internals; }
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.internal" {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type slave;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "s/site2.internal";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  masters { 172.16.72.3; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  forwarders { };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query { internals };
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  allow-transfer { internals; }
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        External (bastion host) DNS server config:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl internals { 172.16.72.0/24; 192.168.1.0/24; };
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl externals { bastion-ips-go-here; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceoptions {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-transfer { none; };                     // sample allow-transfer (no one)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query { any; };                         // default query access
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query-cache { internals; externals; };  // restrict cache access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  allow-recursion { internals; externals; };    // restrict recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "site1.example.com" {                      // sample slave zone
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "m/site1.foo.com";
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce  allow-transfer { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.example.com" {
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  type slave;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  file "s/site2.foo.com";
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  masters { another_bastion_host_maybe; };
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater  allow-transfer { internals; externals; }
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater</pre>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        In the <code class="filename">resolv.conf</code> (or equivalent) on
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        the bastion host(s):
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Lucesearch ...
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaternameserver 172.16.72.2
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaternameserver 172.16.72.3
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.4
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce<div class="sect1" lang="en">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="tsig"></a>TSIG</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        This is a short guide to setting up Transaction SIGnatures
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        to the configuration file as well as what changes are required for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        different features, including the process of creating transaction
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        to server communication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This includes zone transfer, notify, and recursive query messages.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        for TSIG.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        TSIG can also be useful for dynamic update. A primary
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        server for a dynamic zone should control access to the dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        update service, but IP-based access control is insufficient.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The cryptographic access control provided by TSIG
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        is far superior. The <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        program supports TSIG via the <code class="option">-k</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <code class="option">-y</code> command line options or inline by use
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        of the <span><strong class="command">key</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571169"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          An arbitrary key name is chosen: "host1-host2.". The key name must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be the same on both hosts.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect3" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h4 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571186"></a>Automatic Generation</h4></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            The following command will generate a 128-bit (16 byte) HMAC-MD5
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            key as described above. Longer keys are better, but shorter keys
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            are easier to read. Note that the maximum key length is 512 bits;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            keys longer than that will be digested with MD5 to produce a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            128-bit key.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater            The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Nothing directly uses this file, but the base-64 encoded string
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            following "<code class="literal">Key:</code>"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            can be extracted from the file and used as a shared secret:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater            be used as the shared secret.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect3" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h4 class="title">
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews<a name="id2571224"></a>Manual Generation</h4></div></div></div>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The shared secret is simply a random sequence of bits, encoded
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            in base-64. Most ASCII strings are valid base-64 strings (assuming
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the length is a multiple of 4 and only valid characters are used),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            so the shared secret can be manually generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            a similar program to generate base-64 encoded data.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571242"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This is beyond the scope of DNS. A secure transport mechanism
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          should be used. This could be secure FTP, ssh, telephone, etc.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571253"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          both servers. The following is added to each server's <code class="filename">named.conf</code> file:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkey host1-host2. {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  algorithm hmac-md5;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  secret "La/E5CjG9O+os1jq0a2jdA==";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The secret is the one generated above. Since this is a secret, it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is recommended that either <code class="filename">named.conf</code> be non-world
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          readable, or the key directive be added to a non-world readable
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file that is included by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">named.conf</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          At this point, the key is recognized. This means that if the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          server receives a message signed by this key, it can verify the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          signature. If the signature is successfully verified, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          response is signed by the same key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id2571292"></a>Instructing the Server to Use the Key</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Since keys are shared between two hosts only, the server must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater          for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          10.1.2.3:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinserver 10.1.2.3 {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  keys { host1-host2. ;};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Multiple keys may be present, but only the first is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This directive does not contain any secrets, so it may be in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          world-readable
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          If <span class="emphasis"><em>host1</em></span> sends a message that is a request
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater          to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          expect any responses to signed messages to be signed with the same
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          sign request messages to <span class="emphasis"><em>host1</em></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571486"></a>TSIG Key Based Access Control</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to be specified in ACL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          definitions and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-{ query | transfer | update }</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          directives.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This has been extended to allow TSIG keys also. The above key would
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be denoted <span><strong class="command">key host1-host2.</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          An example of an allow-update directive would be:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinallow-update { key host1-host2. ;};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This allows dynamic updates to succeed only if the request
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          You may want to read about the more powerful
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews          <span><strong class="command">update-policy</strong></span> statement in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571531"></a>Errors</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The processing of TSIG signed messages can result in
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater          several errors. If a signed message is sent to a non-TSIG aware
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          server, a FORMERR (format error) will be returned, since the server will not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          understand the record. This is a result of misconfiguration,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          since the server must be explicitly configured to send a TSIG
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          signed message to a specific server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews          If a TSIG aware server receives a message signed by an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          unknown key, the response will be unsigned with the TSIG
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          extended error code set to BADKEY. If a TSIG aware server
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews          receives a message with a signature that does not validate, the
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews          response will be unsigned with the TSIG extended error code set
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews          to BADSIG. If a TSIG aware server receives a message with a time
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          outside of the allowed range, the response will be signed with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the TSIG extended error code set to BADTIME, and the time values
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          will be adjusted so that the response can be successfully
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          verified. In any of these cases, the message's rcode (response code) is set to
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater          NOTAUTH (not authenticated).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571613"></a>TKEY</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">TKEY</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        is a mechanism for automatically generating a shared secret
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        between two hosts.  There are several "modes" of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> that specify how the key is generated
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only one of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        these modes, the Diffie-Hellman key exchange.  Both hosts are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        required to have a Diffie-Hellman KEY record (although this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        record is not required to be present in a zone).  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> process must use signed messages,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        signed either by TSIG or SIG(0).  The result of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also be
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        used to delete shared secrets that it had previously
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews        generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The <span><strong class="command">TKEY</strong></span> process is initiated by a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        client
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        or server by sending a signed <span><strong class="command">TKEY</strong></span>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        (including any appropriate KEYs) to a TKEY-aware server.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        server response, if it indicates success, will contain a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        After
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        this exchange, both participants have enough information to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        determine the shared secret; the exact process depends on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> mode.  When using the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Diffie-Hellman
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        exchanged,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        and the shared secret is derived by both participants.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571662"></a>SIG(0)</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            transaction signatures as specified in RFC 2535 and RFC2931.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        SIG(0)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        uses public/private keys to authenticate messages.  Access control
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        is performed in the same manner as TSIG keys; privileges can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        granted or denied based on the key name.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        When a SIG(0) signed message is received, it will only be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        verified if the key is known and trusted by the server; the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        will not attempt to locate and/or validate the key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        SIG(0) signing of multiple-message TCP streams is not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        supported.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</div>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Cryptographic authentication of DNS information is possible
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        defined in RFC 4033, RFC 4034, and RFC 4035.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This section describes the creation and use of DNSSEC signed zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        In order to set up a DNSSEC secure zone, there are a series
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        of steps which must be followed.  <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        9 ships
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        with several tools
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        that are used in this process, which are explained in more detail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        below.  In all cases, the <code class="option">-h</code> option prints a
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        full list of parameters.  Note that the DNSSEC tools require the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        keyset files to be in the working directory or the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        directory specified by the <code class="option">-d</code> option, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        that the tools shipped with BIND 9.2.x and earlier are not compatible
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        with the current ones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        There must also be communication with the administrators of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        the parent and/or child zone to transmit keys.  A zone's security
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        status must be indicated by the parent zone for a DNSSEC capable
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews        resolver to trust its data.  This is done through the presence
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        or absence of a <code class="literal">DS</code> record at the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        delegation
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        point.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        For other servers to trust data in this zone, they must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        either be statically configured with this zone's zone key or the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        zone key of another zone above this one in the DNS tree.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id2571799"></a>Generating Keys</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <span><strong class="command">dnssec-keygen</strong></span> program is used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          generate keys.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          A secure zone must contain one or more zone keys.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone keys will sign all other records in the zone, as well as
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews          the zone keys of any secure delegated zones.  Zone keys must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          have the same name as the zone, a name type of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">ZONE</strong></span>, and must be usable for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          authentication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          It is recommended that zone keys use a cryptographic algorithm
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          designated as "mandatory to implement" by the IETF; currently
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the only one is RSASHA1.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The following command will generate a 768-bit RSASHA1 key for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the <code class="filename">child.example</code> zone:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Two output files will be produced:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">Kchild.example.+005+12345.key</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">Kchild.example.+005+12345.private</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (where
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          12345 is an example of a key tag).  The key filenames contain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          the key name (<code class="filename">child.example.</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          algorithm (3
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          this case).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The private key (in the <code class="filename">.private</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file) is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          used to generate signatures, and the public key (in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="filename">.key</code> file) is used for signature
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          verification.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          To generate another key with the same properties (but with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          a different key tag), repeat the above command.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to get a key pair from a crypto hardware and build the key
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The public keys should be inserted into the zone file by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          including the <code class="filename">.key</code> files using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">$INCLUDE</strong></span> statements.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571878"></a>Signing the Zone</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The <span><strong class="command">dnssec-signzone</strong></span> program is used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to sign a zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Any <code class="filename">keyset</code> files corresponding to
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater          secure subzones should be present.  The zone signer will
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater          generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater          and <code class="literal">RRSIG</code> records for the zone, as
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater          well as <code class="literal">DS</code> for the child zones if
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater          <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is not specified, then DS RRsets for the secure child
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zones need to be added manually.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The following command signs the zone, assuming it is in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          file called <code class="filename">zone.child.example</code>.  By
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                default, all zone keys which have an available private key are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                used to generate signatures.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          One output file is produced:
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          <code class="filename">zone.child.example.signed</code>.  This
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          file
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          should be referenced by <code class="filename">named.conf</code>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          as the
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          input file for the zone.
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater        </p>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater<p><span><strong class="command">dnssec-signzone</strong></span>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater          will also produce a keyset and dsset files and optionally a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          dlvset file.  These are used to provide the parent zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          administrators with the <code class="literal">DNSKEYs</code> (or their
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          corresponding <code class="literal">DS</code> records) that are the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          secure entry point to the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2571959"></a>Configuring Servers</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          To enable <span><strong class="command">named</strong></span> to respond appropriately
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to DNS requests from DNSSEC aware clients,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          To enable <span><strong class="command">named</strong></span> to validate answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          other servers both <span><strong class="command">dnssec-enable</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">dnssec-validation</strong></span> must be set and some
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> must be configured
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          into <code class="filename">named.conf</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          for zones that are used to form the first link in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          cryptographic chain of trust.  All keys listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          are deemed to exist and only the listed keys will be used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          to validated the DNSKEY RRset that they are from.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          <span><strong class="command">trusted-keys</strong></span> are described in more detail
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          later in this document.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          9 does not verify signatures on load, so zone keys for
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          authoritative zones do not need to be specified in the
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          configuration file.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater        </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          After DNSSEC gets established, a typical DNSSEC configuration
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          will look something like the following.  It has a one or
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          more public keys for the root.  This allows answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          outside the organization to be validated.  It will also
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          have several keys for parts of the namespace the organization
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          controls.  These are here to ensure that named is immune
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews          to compromises in the DNSSEC components of the security
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews          of parent zones.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        </p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<pre class="programlisting">
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrewstrusted-keys {
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        /* Root Key */
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews/* Key for our organization's forward zone */
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrewsexample.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
58d9e9169e7ab4355a0b0bfc13bc616bc5247dfeAutomatic Updater                      SCThlHf3xiYleDbt/o1OTQ09A0=";
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews/* Key for our reverse zone. */
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updateroptions {
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        ...
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        dnssec-enable yes;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        dnssec-validation yes;
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater};
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews</pre>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<h3 class="title">Note</h3>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater          None of the keys listed in this example are valid.  In particular,
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater          the root key is not valid.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        </div>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater</div>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater</div>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<div class="sect1" lang="en">
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<a name="id2572102"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        <acronym class="acronym">BIND</acronym> 9 fully supports all currently
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        defined forms of IPv6
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        name to address and address to name lookups.  It will also use
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        IPv6 addresses to make queries when running on an IPv6 capable
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        system.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      </p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        only AAAA records.  RFC 3363 deprecated the use of A6 records,
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        and client-side support for A6 records was accordingly removed
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        from <acronym class="acronym">BIND</acronym> 9.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        load zone files containing A6 records correctly, answer queries
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        for A6 records, and accept zone transfer for a zone containing A6
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        records.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      </p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<p>
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        the traditional "nibble" format used in the
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        <span class="emphasis"><em>ip6.int</em></span> domain.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        Older versions of <acronym class="acronym">BIND</acronym> 9
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        supported the "binary label" (also known as "bitstring") format,
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        but support of binary labels has been completely removed per
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        RFC 3363.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        the binary label format at all any more, and will return an
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews        error if given.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews        name server will not load a zone file containing binary labels.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater      </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater        For an overview of the format and structure of IPv6 addresses,
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater        see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater      </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<div class="sect2" lang="en">
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<div class="titlepage"><div><div><h3 class="title">
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<a name="id2572164"></a>Address Lookups Using AAAA Records</h3></div></div></div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          The IPv6 AAAA record is a parallel to the IPv4 A record,
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          and, unlike the deprecated A6 record, specifies the entire
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          IPv6 address in a single record.  For example,
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater        </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<pre class="programlisting">
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater$ORIGIN example.com.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updaterhost            3600    IN      AAAA    2001:db8::1
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater</pre>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          Use of IPv4-in-IPv6 mapped addresses is not recommended.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          If a host has an IPv4 address, use an A record, not
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          the address.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater        </p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater</div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<div class="sect2" lang="en">
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<div class="titlepage"><div><div><h3 class="title">
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<a name="id2572185"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<p>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          When looking up an address in nibble format, the address
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          components are simply reversed, just as in IPv4, and
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          <code class="literal">ip6.arpa.</code> is appended to the
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          resulting name.
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          For example, the following would provide reverse name lookup for
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater          a host with address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="literal">2001:db8::1</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater</div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater</div>
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<tr>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="40%" align="left">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<td width="20%" align="center">�</td>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">Chapter�3.�Name Server Configuration�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<td width="40%" align="right" valign="top">�Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</body>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</html>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews