Bv9ARM.ch04.html revision 32d1434aff6112327dffe188e3585ee0157c6e5f
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
>Advanced DNS Features</TITLE
TITLE="BIND 9 Administrator Reference Manual"
>Chapter 4. Advanced DNS Features</H1
>Table of Contents</B
HREF="Bv9ARM.ch04.html#dynamic_update"
>Dynamic Update</A
HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
>Incremental Zone Transfers (IXFR)</A
>Split DNS</A
>IPv6 Support in <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
CLASS="sect1"
CLASS="sect1"
>4.1. Notify</A
CLASS="acronym"
>DNS</ACRONYM
> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <B
CLASS="command"
> from a master server, the
slave will check to see that its version of the zone is the
current version and, if not, initiate a zone transfer.</P
CLASS="acronym"
>DNS</ACRONYM
For more information about
CLASS="command"
>, see the description of the
CLASS="command"
HREF="Bv9ARM.ch06.html#boolean_options"
>Section 6.2.16.1</A
the description of the zone option <B
CLASS="command"
>also-notify</B
HREF="Bv9ARM.ch06.html#zone_transfers"
>Section 6.2.16.7</A
CLASS="command"
protocol is specified in RFC 1996.
NAME="dynamic_update"
>4.2. Dynamic Update</A
>Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages are specified
 in RFC 2136.</P
>Dynamic update is enabled on a zone-by-zone basis, by
 including an <B
CLASS="command"
>allow-update</B
CLASS="command"
>update-policy</B
> clause in the
CLASS="command"
> statement.</P
>Updating of secure zones (zones using DNSSEC) follows
 RFC 3007: RRSIG and NSEC records affected by updates are automatically
 regenerated by the server using an online zone key.
 Update authorization is based
 on transaction signatures and an explicit server policy.</P
>4.2.1. The journal file</A
>All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
CLASS="filename"
> to the name of the corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.</P
>The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.</P
>When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.</P
>Changes that result from incoming incremental zone transfers are also
 journalled in a similar way.</P
>The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes - those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <B
CLASS="command"
>If you have to make changes to a dynamic zone
 manually, the following procedure will work: Disable dynamic updates
 to the zone using
CLASS="command"
>rndc freeze <VAR
CLASS="replaceable"
 This will also remove the zone's <TT
CLASS="filename"
 and update the master file. Edit the zone file. Run
CLASS="command"
>rndc unfreeze <VAR
CLASS="replaceable"
 to reload the changed zone and re-enable dynamic updates.</P
CLASS="sect1"
CLASS="sect1"
NAME="incremental_zone_transfers"
>4.3. Incremental Zone Transfers (IXFR)</A
>The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
HREF="Bv9ARM.ch09.html#proposed_standards"
>Proposed Standards</A
>When acting as a master, <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR. For manually maintained master
zones, and for slave zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
CLASS="command"
>ixfr-from-differences</B
CLASS="userinput"
>When acting as a slave, <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <B
CLASS="command"
>request-ixfr</B
CLASS="command"
> statement.</P
CLASS="sect1"
CLASS="sect1"
NAME="AEN767"
>4.4. Split DNS</A
>Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a <SPAN
CLASS="emphasis"
CLASS="emphasis"
> setup. There are several reasons an organization
would want to set up its DNS this way.</P
>One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually useful.
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means.</P
>Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.</P
>Here is an example of a split DNS setup:</P
>Let's say a company named <SPAN
CLASS="emphasis"
CLASS="emphasis"
>Example, Inc.</I
CLASS="literal"
has several corporate sites that have an internal network with reserved
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.</P
CLASS="emphasis"
CLASS="emphasis"
>Example, Inc.</I
> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.</P
>In order to accomplish this, the company will set up two sets
of name servers. One set will be on the inside network (in the reserved
IP space) and the other set will be on bastion hosts, which are "proxy"
hosts that can talk to both sides of its network, in the DMZ.</P
>The internal servers will be configured to forward all queries,
except queries for <TT
CLASS="filename"
CLASS="filename"
CLASS="filename"
CLASS="filename"
>, to the servers in the
DMZ. These internal servers will have complete sets of information
CLASS="filename"
CLASS="filename"
CLASS="emphasis"
CLASS="emphasis"
CLASS="filename"
CLASS="filename"
>To protect the <TT
CLASS="filename"
CLASS="filename"
the internal name servers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
>The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <TT
CLASS="filename"
CLASS="filename"
This could include things such as the host records for public servers
CLASS="filename"
CLASS="filename"
and mail exchange (MX) records (<TT
CLASS="filename"
CLASS="filename"
>In addition, the public <TT
CLASS="filename"
CLASS="filename"
should have special MX records that contain wildcard (`*') records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.</P
>Here's an example of a wildcard MX record:</P
CLASS="programlisting"
CLASS="literal"
>Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.</P
>Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.</P
>In order for all this to work properly, internal clients will
need to be configured to query <SPAN
CLASS="emphasis"
CLASS="emphasis"
> the internal
name servers for DNS queries. This could also be enforced via selective
filtering on the network.</P
>If everything has been set properly, <SPAN
CLASS="emphasis"
CLASS="emphasis"
>Example, Inc.</I
internal clients will now be able to:</P
>Look up any hostnames in the <VAR
CLASS="literal"
CLASS="literal"
>Look up any hostnames in the <VAR
CLASS="literal"
CLASS="literal"
> domains.</P
>Look up any hostnames on the Internet.</P
>Exchange mail with internal AND external people.</P
>Hosts on the Internet will be able to:</P
>Look up any hostnames in the <VAR
CLASS="literal"
CLASS="literal"
>Exchange mail with anyone in the <VAR
CLASS="literal"
CLASS="literal"
>Here is an example configuration for the setup we just
 described above. Note that this is only configuration information;
 for information on how to configure your zone files, see <A
HREF="Bv9ARM.ch03.html#sample_configuration"
>Section 3.1</A
>Internal DNS server config:</P
CLASS="programlisting"
acl externals { <VAR
CLASS="varname"
>bastion-ips-go-here</VAR
 forward only;
 forwarders { // forward to external servers
CLASS="varname"
>bastion-ips-go-here</VAR
 allow-transfer { none; }; // sample allow-transfer (no one)
 allow-query { internals; externals; }; // restrict query access
 allow-recursion { internals; }; // restrict recursion
zone "site1.example.com" { // sample master zone
 type master;
 forwarders { }; // do normal iterative
 // resolution (do not forward)
 allow-query { internals; externals; };
 allow-transfer { internals; };
zone "site2.example.com" { // sample slave zone
 masters { 172.16.72.3; };
 forwarders { };
 allow-query { internals; externals; };
 allow-transfer { internals; };
 type master;
 forwarders { };
 allow-query { internals; };
 allow-transfer { internals; };
 masters { 172.16.72.3; };
 forwarders { };
 allow-query { internals; };
 allow-transfer { internals; };
>External (bastion host) DNS server config:</P
CLASS="programlisting"
> acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
 allow-transfer { none; }; // sample allow-transfer (no one)
 allow-query { internals; externals; }; // restrict query access
 allow-recursion { internals; externals; }; // restrict recursion
zone "site1.example.com" { // sample master zone
 type master;
 allow-query { any; };
 allow-transfer { internals; externals; };
 masters { another_bastion_host_maybe; };
 allow-query { any; };
 allow-transfer { internals; externals; };
CLASS="filename"
> (or equivalent) on
the bastion host(s):</P
CLASS="programlisting"
> search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
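As an added example (not part of the ARM or of BIND), a small Python audit that parses a constructed named.conf modelled on the internal-server configuration above and reports any internal-only zone whose allow-query or allow-transfer admits the externals ACL or any, the condition the text says must never hold for those zones. The zone names site1.internal and site2.internal are placeholders, and 172.16.72.1 stands in for bastion-ips-go-here.

```python
import re

# Constructed sample modelled on the internal-server config in the text;
# "site1.internal"/"site2.internal" are placeholder internal-only zone names
# and 172.16.72.1 stands in for "bastion-ips-go-here".
SAMPLE_CONF = """
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { 172.16.72.1; };
options {
    forward only;
    forwarders { 172.16.72.1; };      // forward to external servers
    allow-transfer { none; };
    allow-query { internals; externals; };
    allow-recursion { internals; };
};
zone "site1.example.com" {
    type master;
    file "m/site1.example.com";
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};
zone "site1.internal" {
    type master;
    file "m/site1.internal";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
zone "site2.internal" {               /* deliberately misconfigured */
    type slave;
    masters { 172.16.72.3; };
    allow-query { any; };
    allow-transfer { externals; };
};
"""

# Comments (three styles), quoted strings, braces/semicolons, bare words.
_TOKEN = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)


def tokenize(text):
    """Split named.conf text into tokens, discarding comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith(("//", "#", "/*"))]


def parse(tokens, pos=0):
    """Statements as (head_words, body_or_None); '{' nests, ';' ends, '}' closes."""
    stmts, head, body = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos)
        elif tok == "}":
            return stmts, pos
        elif tok == ";":
            stmts.append((head, body))
            head, body = [], None
        else:
            head.append(tok.strip('"'))
    return stmts, pos


def clauses(body):
    """Map option name -> address-match-list elements within one block."""
    return {h[0]: [e[0] for e, _ in b if e] for h, b in body if h and b is not None}


def audit(conf_text, internal_zones):
    """Findings against the policy in the text: options-level allow-* must not be
    'any', and an internal-only zone must not be queryable or transferable by
    'externals' (the bastion hosts) or 'any', nor silently inherit the options ACL."""
    stmts, _ = parse(tokenize(conf_text))
    findings = []
    for head, body in stmts:
        if head[:1] == ["options"]:
            for opt, acl in clauses(body).items():
                if opt.startswith("allow-") and "any" in acl:
                    findings.append(f"options: {opt} is open to any")
        elif head[:1] == ["zone"] and len(head) > 1 and head[1] in internal_zones:
            zone, acls = head[1], clauses(body)
            for opt in ("allow-query", "allow-transfer"):
                if opt not in acls:
                    findings.append(f"{zone}: {opt} unset, inherits the options ACL")
                    continue
                leak = {"any", "externals"} & set(acls[opt])
                if leak:
                    findings.append(f"{zone}: {opt} exposes an internal-only zone to "
                                    + ", ".join(sorted(leak)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, {"site1.internal", "site2.internal"}):
        print(finding)
```

Run against the sample it reports only the two leaks in site2.internal; point it at a real named.conf with the set of zones that must stay internal and an empty result is the expected state.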
CLASS="sect1"
CLASS="sect1"
>This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
CLASS="acronym"
>BIND</ACRONYM
> primarily supports TSIG for server to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <ACRONYM
CLASS="acronym"
>BIND</ACRONYM
> 8 have limited support
>TSIG might be most useful for dynamic update. A primary
 server for a dynamic zone should use access control to control
 updates, but IP-based access control is insufficient.
 The cryptographic access control provided by TSIG
 is far superior. The <B
CLASS="command"
 program supports TSIG via the <VAR
CLASS="option"
CLASS="option"
> command line options.</P
CLASS="sect2"
CLASS="sect2"
NAME="AEN858"
>4.5.1. Generate Shared Keys for Each Pair of Hosts</A
>A shared secret is generated to be shared between <SPAN
CLASS="emphasis"
CLASS="emphasis"
CLASS="emphasis"
CLASS="emphasis"
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.</P
CLASS="sect3"
CLASS="sect3"
NAME="AEN863"
>4.5.1.1. Automatic Generation</A
>The following command will generate a 128 bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is 512 bits;
keys longer than that will be digested with MD5 to produce a 128
CLASS="userinput"
>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</KBD
>The key is in the file <TT
CLASS="filename"
Nothing directly uses this file, but the base-64 encoded string
following "<VAR
CLASS="literal"
can be extracted from the file and used as a shared secret:</P
CLASS="programlisting"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>The string "<VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe used as the shared secret.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN874"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.1.2. Manual Generation</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The shared secret is simply a random sequence of bits, encoded
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucein base-64. Most ASCII strings are valid base-64 strings (assuming
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe length is a multiple of 4 and only valid characters are used),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceso the shared secret can be manually generated.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Also, a known string can be run through <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucea similar program to generate base-64 encoded data.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN879"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.2. Copying the Shared Secret to Both Machines</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This is beyond the scope of DNS. A secure transport mechanism
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceshould be used. This could be secure FTP, ssh, telephone, etc.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN882"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.3. Informing the Servers of the Key's Existence</A
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>Imagine <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceboth servers. The following is added to each server's <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> key host1-host2. {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce algorithm hmac-md5;
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>The algorithm, hmac-md5, is the only one supported by <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThe secret is the one generated above. Since this is a secret, it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceis recommended that either <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> be non-world
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucereadable, or the key directive be added to a non-world readable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefile that is included by <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>At this point, the key is recognized. This means that if the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceserver receives a message signed by this key, it can verify the
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafssonsignature. If the signature is successfully verified, the
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafssonresponse is signed by the same key.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN894"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.4. Instructing the Server to Use the Key</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Since keys are shared between two hosts only, the server must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe told when keys are to be used. The following is added to the <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>, if the IP address of <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> server 10.1.2.3 {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys { host1-host2. ;};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Multiple keys may be present, but only the first is used.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis directive does not contain any secrets, so it may be in a world-readable
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
78d65c654251b02c41628914986723cbec93a7a1Andreas Gustafsson> sends a message that is a request
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrewsto that address, the message will be signed with the specified key. <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceexpect any responses to signed messages to be signed with the same
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>A similar statement must be present in <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrewsconfiguration file (with <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>'s address) for <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrewssign request messages to <SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN910"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.5. TSIG Key Based Access Control</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> allows IP addresses and ranges to be specified in ACL
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucedefinitions and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson>allow-{ query | transfer | update }</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis has been extended to allow TSIG keys also. The above key would
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe denoted <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>key host1-host2.</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>An example of an allow-update directive would be:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> allow-update { key host1-host2. ;};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This allows dynamic updates to succeed only if the request
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce was signed by a key named
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1-host2.</B
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>You may want to read about the more
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>update-policy</B
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce> statement in <A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceHREF="Bv9ARM.ch06.html#dynamic_update_policies"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>Section 6.2.24.4</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN923"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.6. Errors</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The processing of TSIG signed messages can result in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce several errors. If a signed message is sent to a non-TSIG aware
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server, a FORMERR will be returned, since the server will not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce understand the record. This is a result of misconfiguration,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce since the server must be explicitly configured to send a TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed message to a specific server.</P
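As an added example (not code from BIND or the ARM), the following Python models the request-side HMAC-MD5 TSIG MAC and the server-side checks that produce the BADKEY, BADSIG and BADTIME extended errors this section describes. It reuses the page's key name host1-host2. and the registered wire name of the HMAC-MD5 algorithm, hmac-md5.sig-alg.reg.int.; the message bytes, timestamp and generated secret are constructed. Two simplifications are assumed: the `message` argument stands in for the DNS message as it is MACed (TSIG record removed, ARCOUNT decremented), and only requests are covered, so the request-MAC chaining that responses add is omitted.

```python
"""Simplified TSIG (RFC 2845) request signing and server-side verification
with HMAC-MD5.  Added example, not BIND code.  `message` stands in for the
DNS message as MACed (TSIG RR removed, ARCOUNT decremented); building that
wire format is omitted, and only requests are covered (a response would
additionally prepend the request MAC)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# TSIG extended error codes (RFC 2845): the values this section names.
BADSIG, BADKEY, BADTIME = 16, 17, 18
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."   # algorithm name as carried on the wire


def generate_shared_secret(bits: int = 128) -> str:
    """Random bits, base-64 encoded: the form of the 'Key:' string that
    dnssec-keygen -a hmac-md5 -b <bits> writes (assumed: CSPRNG bytes suffice)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lower-cased, uncompressed, root-terminated."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2), in wire order:
    key name, class ANY (255), TTL 0, algorithm name, 48-bit time, fudge, error, other."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret_b64, message, key_name, algorithm, time_signed, fudge):
    """HMAC-MD5 over the message followed by the TSIG variables."""
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()


def verify_request(keyring, message, key_name, algorithm, time_signed, fudge, mac, now=None):
    """Return 0 for a valid request, else the TSIG extended error the server sets.
    Checks run in the order RFC 2845 section 4.5 prescribes: key, then MAC, then time."""
    secret = keyring.get(key_name.lower())
    if secret is None:
        return BADKEY          # unknown key: the response is left unsigned
    expected = tsig_mac(secret, message, key_name, algorithm, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return BADSIG          # signature does not validate: response unsigned
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return BADTIME         # skew beyond fudge: response is signed, carrying server time
    return 0


def demo():
    """Sign one constructed request and exercise each failure mode."""
    secret = generate_shared_secret(128)
    keyring = {"host1-host2.": secret}           # what the key {} statement makes known
    message = b"constructed-dns-update-message"  # placeholder for the real wire message
    t = 1_700_000_000                            # constructed 'time signed'
    mac = tsig_mac(secret, message, "host1-host2.", HMAC_MD5, t, 300)
    args = (message, "host1-host2.", HMAC_MD5, t, 300, mac)
    return {
        "valid": verify_request(keyring, *args, now=t + 10),
        "unknown key": verify_request(keyring, message, "other.", HMAC_MD5, t, 300, mac, now=t),
        "tampered": verify_request(keyring, message + b"!", "host1-host2.", HMAC_MD5, t, 300, mac, now=t),
        "skewed": verify_request(keyring, *args, now=t + 301),
    }


if __name__ == "__main__":
    print(demo())
```

The check order matters operationally: a server that compared time before the MAC would let an unauthenticated sender learn its clock, which is why the time check comes last and only a BADTIME response is signed.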
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If a TSIG aware server receives a message signed by an
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce unknown key, the response will be unsigned with the TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce extended error code set to BADKEY. If a TSIG aware server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce receives a message with a signature that does not validate, the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce response will be unsigned with the TSIG extended error code set
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to BADSIG. If a TSIG aware server receives a message with a time
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce outside of the allowed range, the response will be signed with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the TSIG extended error code set to BADTIME, and the time values
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be adjusted so that the response can be successfully
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified. In any of these cases, the message's rcode is set to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN927"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a mechanism for automatically
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generating a shared secret between two hosts. There are several
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "modes" of <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> that specify how the key is
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews generated or assigned. <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson implements only one of these modes,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the Diffie-Hellman key exchange. Both hosts are required to have
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a Diffie-Hellman KEY record (although this record is not required
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be present in a zone). The <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce must use signed messages, signed either by TSIG or SIG(0). The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce result of <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a shared secret that can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to sign messages with TSIG. <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used to delete shared secrets that it had previously
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> process is initiated by a client
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or server by sending a signed <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (including any appropriate KEYs) to a TKEY-aware server. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server response, if it indicates success, will contain a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> record and any appropriate keys. After
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce this exchange, both participants have enough information to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce determine the shared secret; the exact process depends on the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode. When using the Diffie-Hellman
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode, Diffie-Hellman keys are exchanged,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and the shared secret is derived by both participants.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN942"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.7. SIG(0)</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington> 9 partially supports DNSSEC SIG(0)
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0)
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington uses public/private keys to authenticate messages. Access control
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington is performed in the same manner as TSIG keys; privileges can be
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington granted or denied based on the key name.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When a SIG(0) signed message is received, it will only be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified if the key is known and trusted by the server; the server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will not attempt to locate and/or validate the key.</P
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>SIG(0) signing of multiple-message TCP streams is not
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>The only tool shipped with <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington generates SIG(0) signed messages is <B
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian WellingtonCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceNAME="DNSSEC"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8. DNSSEC</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Cryptographic authentication of DNS information is possible
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews through the DNS Security (<SPAN
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f6d93187a121da71416026756e190169a135ce1bMark Andrews>DNSSEC-bis</I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>) extensions,
f6d93187a121da71416026756e190169a135ce1bMark Andrews defined in RFC <TBA>. This section describes the creation and use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of DNSSEC signed zones.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In order to set up a DNSSEC secure zone, there are a series
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews of steps which must be followed. <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson with several tools
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that are used in this process, which are explained in more detail
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews below. In all cases, the <VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="option"
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian Wellington> option prints a
027e89d47af308db4b41761ca9f847c026b63ec8Andreas Gustafsson full list of parameters. Note that the DNSSEC tools require the
f6d93187a121da71416026756e190169a135ce1bMark Andrews keyset files to be in the working directory or the
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews directory specified by the <VAR
6383d77950149e7a94bf59d84f3e51e1aa4b3d95Brian WellingtonCLASS="option"
f6d93187a121da71416026756e190169a135ce1bMark Andrews that the tools shipped with BIND 9.2.x and earlier are not compatible
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson with the current ones.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>There must also be communication with the administrators of
f6d93187a121da71416026756e190169a135ce1bMark Andrews the parent and/or child zone to transmit keys. A zone's security
f6d93187a121da71416026756e190169a135ce1bMark Andrews status must be indicated by the parent zone for a DNSSEC capable
f6d93187a121da71416026756e190169a135ce1bMark Andrews resolver to trust its data. This is done through the presence
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews or absence of a <VAR
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
f6d93187a121da71416026756e190169a135ce1bMark Andrews> record at the delegation
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For other servers to trust data in this zone, they must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce either be statically configured with this zone's zone key or the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone key of another zone above this one in the DNS tree.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN962"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.1. Generating Keys</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generate keys.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A secure zone must contain one or more zone keys. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys will sign all other records in the zone, as well as
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone keys of any secure delegated zones. Zone keys must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce have the same name as the zone, a name type of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, and must be usable for authentication.
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson It is recommended that zone keys use a cryptographic algorithm
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson designated as "mandatory to implement" by the IETF; currently
f6d93187a121da71416026756e190169a135ce1bMark Andrews the only one is RSASHA1.</P
f6d93187a121da71416026756e190169a135ce1bMark Andrews>The following command will generate a 768 bit RSASHA1 key for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</KBD
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Two output files will be produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 12345 is an example of a key tag). The key file names contain
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the key name (<TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>), algorithm (3
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The private key (in the <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.private</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures, and the public key (in the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file) is used for signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verification.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To generate another key with the same properties (but with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a different key tag), repeat the above command.</P
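The key tag in the file names above is computed from the DNSKEY RDATA (RFC 4034 Appendix B). As an added example, not code from BIND, the following Python derives it for a DNSKEY record and reconstructs the K<name>+<alg>+<tag> base name that dnssec-keygen uses, so a key in a zone can be matched to its .key/.private pair. The DNSKEY line and key material are constructed, and the rule implemented applies to every algorithm except RSAMD5 (algorithm 1), which uses a different computation.

```python
"""Key tag computation for DNSKEY records (RFC 4034 Appendix B), matching a
DNSKEY seen in a zone to its K<name>+<alg>+<tag> file pair.
Added example, not BIND code; the DNSKEY line used below is constructed."""
import base64
import struct


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA with the carry folded in.
    Valid for every algorithm except RSAMD5 (1), which uses a different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF          # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_file_basename(owner: str, algorithm: int, tag: int) -> str:
    """Base name dnssec-keygen gives the .key/.private pair, e.g. Kchild.example.+005+12345."""
    return f"K{owner}+{algorithm:03d}+{tag:05d}"


def parse_dnskey_line(line: str):
    """Parse one presentation-format DNSKEY record
    ('owner [TTL] [IN] DNSKEY flags protocol algorithm base64-key', key may be split
    across several fields) and return (owner, algorithm, key tag, expected file base name)."""
    fields = line.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    tag = key_tag(dnskey_rdata(flags, protocol, algorithm, public_key))
    return owner, algorithm, tag, key_file_basename(owner, algorithm, tag)


if __name__ == "__main__":
    # Constructed record: flags 256 (zone key), protocol 3, algorithm 5 (RSASHA1),
    # two-byte placeholder key material.
    print(parse_dnskey_line("child.example. 3600 IN DNSKEY 256 3 5 q80="))
```

Running the parser over the DNSKEY records of a signed zone and comparing the resulting base names against the files in the key directory is a quick way to confirm that every published key has its private half available to dnssec-signzone.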
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>The public keys should be inserted into the zone file by
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson including the <TT
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas GustafssonCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN982"
f6d93187a121da71416026756e190169a135ce1bMark Andrews>4.8.2. Signing the Zone</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signzone</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sign a zone.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f6d93187a121da71416026756e190169a135ce1bMark Andrews> files corresponding
f6d93187a121da71416026756e190169a135ce1bMark Andrews to secure subzones should be present. The zone signer will
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews generate <VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews records for the zone, as well as <VAR
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews the child zones if <VAR
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
f6d93187a121da71416026756e190169a135ce1bMark Andrews> is specified.
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
f6d93187a121da71416026756e190169a135ce1bMark Andrews> is not specified then DS RRsets for
f6d93187a121da71416026756e190169a135ce1bMark Andrews the secure child zones need to be added manually.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command signs the zone, assuming it is in a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file called <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default, all zone keys which have an available private key are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>dnssec-signzone -o child.example zone.child.example</KBD
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be referenced by <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce input file for the zone.</P
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="command"
f6d93187a121da71416026756e190169a135ce1bMark Andrews>dnssec-signzone</B
f6d93187a121da71416026756e190169a135ce1bMark Andrews> will also produce
f6d93187a121da71416026756e190169a135ce1bMark Andrews keyset and dsset files and optionally a dlvset file. These
f6d93187a121da71416026756e190169a135ce1bMark Andrews are used to provide the parent zone administrators with the
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>DNSKEYs</VAR
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews> (or their corresponding <VAR
f6d93187a121da71416026756e190169a135ce1bMark AndrewsCLASS="literal"
f6d93187a121da71416026756e190169a135ce1bMark Andrews records) that are the secure entry point to the zone.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN1004"
f6d93187a121da71416026756e190169a135ce1bMark Andrews>4.8.3. Configuring Servers</A
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>Unlike <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson> 9 does not verify signatures on load,
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonso zone keys for authoritative zones do not need to be specified
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonin the configuration file.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The public key for any security root must be present in
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonthe configuration file's <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>trusted-keys</B
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonstatement, as described later in this document. </P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN1011"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>4.9. IPv6 Support in <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 fully supports all currently defined forms of IPv6
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name to address and address to name lookups. It will also use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce IPv6 addresses to make queries when running on an IPv6 capable
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>For forward lookups, <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews> 9 supports only AAAA
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews records. The use of A6 records is deprecated by RFC 3363, and the
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews support for forward lookups in <ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews removed accordingly.
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews However, authoritative <ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews> 9 name servers still
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews load zone files containing A6 records correctly, answer queries
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews for A6 records, and accept zone transfer for a zone containing A6
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>For IPv6 reverse lookups, <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews the traditional "nibble" format used in the
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews> domain, as well as the older, deprecated
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews supported the "binary label" (also known as "bitstring") format.
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews Support for binary labels, however, is now completely removed
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews according to the changes in RFC 3363.
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews No application in <ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews> 9 understands
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews the format any more, and each returns an error if given one.
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews In particular, an authoritative <ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews server refuses to load a zone file containing binary labels.</P
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson>For an overview of the format and structure of IPv6 addresses,
035cd7b5bd983b3845da08680ac311c754809403Andreas GustafssonHREF="Bv9ARM.ch09.html#ipv6addresses"
38ba66e41bc93315422380d6c7ab41053963ed47Andreas Gustafsson>Section A.2.1</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN1029"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.1. Address Lookups Using AAAA Records</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The AAAA record is a parallel to the IPv4 A record. It
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifies the entire address in a single record. For
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
3eb9ec750c9088869170dda63e8899b2ba462823Mark Andrewshost 3600 IN AAAA 2001:db8::1
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>It is recommended that IPv4-in-IPv6 mapped addresses not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used. If a host has an IPv4 address, use an A record, not
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews a AAAA, with <VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>::ffff:192.168.42.1</VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
5b5f4cca7833343cac382387ad86ff573b185d17Mark AndrewsNAME="AEN1035"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews>4.9.2. Address to Name Lookups Using Nibble Format</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When looking up an address in nibble format, the address
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce components are simply reversed, just as in IPv4, and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is appended to the resulting name.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For example, the following would provide reverse name lookup for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a host with address
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>2001:db8::1</VAR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
3eb9ec750c9088869170dda63e8899b2ba462823Mark Andrews> $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
3eb9ec750c9088869170dda63e8899b2ba462823Mark Andrews1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
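The nibble conversion described above, together with the AAAA recommendation from Section 4.9.1, as an added example that is not BIND's own code: it derives the ip6.arpa name for 2001:db8::1, splits it at a /64 boundary into the $ORIGIN and owner label shown in the listing, and refuses to emit a AAAA record for an IPv4-mapped address. The function names and the `prefixlen` parameter are assumptions of this example.

```python
import ipaddress

# Added example, not BIND's own code: nibble-format reverse names and AAAA checks.

def nibble_reverse_name(addr: str) -> str:
    """Return the full 32-nibble reverse name under ip6.arpa. for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    # The exploded form is eight 4-digit hex groups; dropping the colons gives 32 nibbles.
    nibbles = ip.exploded.replace(":", "")
    # Reverse the nibbles, one per label, and append the ip6.arpa. suffix.
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def split_at_prefix(addr: str, prefixlen: int = 64) -> tuple[str, str]:
    """Split the reverse name into (owner label, $ORIGIN) at a nibble boundary.

    prefixlen is the delegated prefix length (assumption: a multiple of 4 bits).
    """
    if prefixlen % 4 or not 0 < prefixlen < 128:
        raise ValueError("prefix length must be a multiple of 4 and below 128")
    labels = nibble_reverse_name(addr).split(".")[:32]
    keep = 32 - prefixlen // 4      # host-part nibbles that stay in the owner name
    owner = ".".join(labels[:keep])
    origin = ".".join(labels[keep:]) + ".ip6.arpa."
    return owner, origin

def ptr_zone_fragment(addr: str, hostname: str, prefixlen: int = 64, ttl: int = 14400) -> str:
    """Render the $ORIGIN line plus PTR record for one host, as in the listing above."""
    owner, origin = split_at_prefix(addr, prefixlen)
    return f"$ORIGIN {origin}\n{owner} {ttl} IN PTR {hostname}"

def is_ipv4_mapped(addr: str) -> bool:
    """True for ::ffff:a.b.c.d style addresses, which belong in an A record instead."""
    return ipaddress.IPv6Address(addr).ipv4_mapped is not None

def aaaa_record(hostname: str, addr: str, ttl: int = 3600) -> str:
    """Emit a AAAA record, refusing IPv4-mapped addresses as the manual recommends."""
    if is_ipv4_mapped(addr):
        mapped = ipaddress.IPv6Address(addr).ipv4_mapped
        raise ValueError(f"use an A record for {mapped}, not a AAAA for {addr}")
    return f"{hostname} {ttl} IN AAAA {ipaddress.IPv6Address(addr).compressed}"

if __name__ == "__main__":
    # Constructed sample input matching the address used in this section.
    print(aaaa_record("host", "2001:db8::1"))
    print(ptr_zone_fragment("2001:db8::1", "host.example.com."))
```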
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="NAVFOOTER"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsSUMMARY="Footer navigation table"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCELLPADDING="0"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCELLSPACING="0"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsACCESSKEY="P"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="center"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsACCESSKEY="H"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="right"
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark AndrewsACCESSKEY="N"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>Name Server Configuration</TD
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="center"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="right"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>The <ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
2cd182921e1b04ccda0a56995c4cc491c882af04Mark Andrews>BIND</ACRONYM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 Lightweight Resolver</TD