<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.103 2009/11/11 01:14:42 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;4.&nbsp;Advanced DNS Features</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;4.&nbsp;Advanced DNS Features</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570568">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570654">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571088">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571229">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571240">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571345">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571539">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571588">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571602">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571651">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571719">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571798">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571879">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572061">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572328">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572349">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer.
 </p>
<p>
 For more information about <acronym class="acronym">DNS</acronym>
 <span><strong class="command">NOTIFY</strong></span>, see the description of the
 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
 the description of the zone option <span><strong class="command">also-notify</strong></span> in
 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
 protocol is specified in RFC 1996.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
 zones that it loads.
 </div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 message. The format and meaning of these messages is specified
 in RFC 2136.
 </p>
<p>
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement.
 </p>
<p>
 If the zone's <span><strong class="command">update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span><strong class="command">named</strong></span> at startup.
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
 </p>
<p>
 The <span><strong class="command">tkey-gssapi-credential</strong></span> and
 <span><strong class="command">tkey-domain</strong></span> clauses in the
 <span><strong class="command">options</strong></span> statement enable the
 server to negotiate keys that can be matched against those
 in <span><strong class="command">update-policy</strong></span> or
 <span><strong class="command">allow-update</strong></span>.
 </p>
<p>
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. Update authorization is based on transaction
 signatures and an explicit server policy.
 </p>
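<p>
 A constructed <code class="filename">named.conf</code> fragment, added here as an example and not taken from the ARM, showing the over-broad <span><strong class="command">allow-update</strong></span> setting beside a key-based <span><strong class="command">update-policy</strong></span> and the <strong class="userinput"><code>local</code></strong> policy described above. The key name, zone names, file paths and the secret are placeholders.
</p>

```conf
// Constructed example (not part of the BIND 9 ARM). Names, file paths
// and the secret are placeholders; generate a real secret with
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ddns-key
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

// Over-broad: every host that can reach the server may add, replace or
// delete any record in the zone. Shown only as the setting to avoid.
zone "lab.example" {
    type master;
    file "dyn/lab.example";
    allow-update { any; };
};

// Key-based: updates must be signed with ddns-key, and the grant limits
// them to A and AAAA records at or below dyn.example.com. The apex SOA,
// NS and MX records cannot be changed even by a holder of the key,
// which allow-update { key ddns-key; } alone would not guarantee.
zone "example.com" {
    type master;
    file "dyn/example.com";
    update-policy {
        grant ddns-key subdomain dyn.example.com. A AAAA;
    };
};

// Local only: named generates the local-ddns key at startup and accepts
// updates signed with it (e.g. from nsupdate -l on the same host);
// nothing else on the network can modify the zone.
zone "home.example.com" {
    type master;
    file "dyn/home.example.com";
    update-policy local;
};
```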
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
 </p>
<p>
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 During the dump process, transient files will be created
 with the extensions <code class="filename">.jnw</code> and
 <code class="filename">.jbk</code>; under ordinary circumstances, these
 will be removed when the dump is complete, and can be safely
 ignored.
 </p>
<p>
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that
 took place after the last zone dump.
 </p>
<p>
 Changes that result from incoming incremental zone transfers are
 also journalled in a similar way.
 </p>
<p>
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes &#8212; those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
 </p>
<p>
 If you have to make changes to a dynamic zone
 manually, the following procedure will work: Disable dynamic updates
 to the zone using
 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will also remove the zone's <code class="filename">.jnl</code> file
 and update the master file. Edit the zone file. Run
 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
 </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
 </p>
<p>
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span><strong class="command">ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
 </p>
<p>
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
 of the <span><strong class="command">server</strong></span> statement.
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570568"></a>Split DNS</h2></div></div></div>
<p>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
 </p>
<p>
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually
 useful.
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
 </p>
<p>
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570654"></a>Example split DNS setup</h3></div></div></div>
<p>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 (<code class="literal">example.com</code>)
 has several corporate sites that have an internal network with
 reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
 </p>
<p>
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
 </p>
<p>
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 reserved IP space) and the other set will be on bastion hosts, which are
 "proxy" hosts that can talk to both sides of its network, in the DMZ.
 </p>
<p>
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers
 in the DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
 </p>
<p>
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
 hosts.
 </p>
<p>
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
 </p>
<p>
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (<code class="literal">*</code>) records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
 </p>
<p>
 Here's an example of a wildcard MX record:
 </p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers
 on the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution.
 </p>
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews<p>
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont Queries for internal hostnames will be answered by the internal
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont servers, and queries for external hostnames will be forwarded back
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont out to the DNS servers on the bastion hosts.
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont In order for all this to work properly, internal clients will
827f8cccb5280f4da66c46186e792d1cb9d73503Mark Andrews need to be configured to query <span class="emphasis"><em>only</em></span> the internal
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews name servers for DNS queries. This could also be enforced via
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews selective
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont filtering on the network.
827f8cccb5280f4da66c46186e792d1cb9d73503Mark Andrews </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt internal clients will now be able to:
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt </p>
<div class="itemizedlist"><ul type="disc">
<li>
 Look up any hostnames in the <code class="literal">site1</code>
 and
 <code class="literal">site2.example.com</code> zones.
 </li>
<li>
 Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.
 </li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
 Hosts on the Internet will be able to:
 </p>
<div class="itemizedlist"><ul type="disc">
<li>
 Look up any hostnames in the <code class="literal">site1</code>
 and
 <code class="literal">site2.example.com</code> zones.
 </li>
<li>
 Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.
 </li>
</ul></div>
<p>
 Here is an example configuration for the setup described
 above. Note that this is only configuration information;
 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
 </p>
<p>
 Internal DNS server config:
 </p>
<pre class="programlisting">

acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
    ...
    ...
    forward only;
    // forward to external servers
    forwarders {
        <code class="varname">bastion-ips-go-here</code>;
    };
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion
    allow-recursion { internals; };
    ...
    ...
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "m/site1.example.com";
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "s/site2.example.com";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {
    type master;
    file "m/site1.internal";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {
    type slave;
    file "s/site2.internal";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</pre>
<p>
 External (bastion host) DNS server config:
 </p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { bastion-ips-go-here; };

options {
    ...
    ...
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // default query access
    allow-query { any; };
    // restrict cache access
    allow-query-cache { internals; externals; };
    // restrict recursion
    allow-recursion { internals; externals; };
    ...
    ...
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "m/site1.foo.com";
    allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "s/site2.foo.com";
    masters { another_bastion_host_maybe; };
    allow-transfer { internals; externals; };
};
</pre>
<p>
 In the <code class="filename">resolv.conf</code> (or equivalent) on
 the bastion host(s):
 </p>
<pre class="programlisting">
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
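<p>
 The access-control decisions that the two <code class="filename">named.conf</code> fragments above express can be checked against concrete source addresses before the configuration is deployed. The following is an added Python example, not BIND code and not part of the ARM: it models BIND's first-match address-match-list semantics and the per-zone <code class="literal">allow-query</code> / <code class="literal">allow-recursion</code> / <code class="literal">allow-query-cache</code> evaluation for both servers. The bastion addresses (192.0.2.10 and 192.0.2.11), the query source addresses and the query names are constructed for the example; the page itself leaves the bastion addresses as the placeholder <code class="literal">bastion-ips-go-here</code>.
</p>

```python
import ipaddress

# Constructed to mirror the named.conf fragments above. The bastion host
# addresses are assumed (documentation range); the page only has a placeholder.
ACLS = {
    "internals": ["172.16.72.0/24", "192.168.1.0/24"],
    "externals": ["192.0.2.10", "192.0.2.11"],
}

INTERNAL_SERVER = {
    "options": {
        "allow-query": ["internals", "externals"],
        "allow-recursion": ["internals"],
    },
    "zones": {
        "site1.example.com": {"allow-query": ["internals", "externals"]},
        "site2.example.com": {"allow-query": ["internals", "externals"]},
        "site1.internal": {"allow-query": ["internals"]},
        "site2.internal": {"allow-query": ["internals"]},
    },
}

EXTERNAL_SERVER = {
    "options": {
        "allow-query": ["any"],
        "allow-query-cache": ["internals", "externals"],
        "allow-recursion": ["internals", "externals"],
    },
    # The public zones carry no allow-query of their own, so options{} applies.
    "zones": {"site1.example.com": {}, "site2.example.com": {}},
}


def matches(aml, addr, acls=ACLS):
    """Evaluate a BIND address match list: the first matching element decides,
    a leading '!' negates it, 'any' matches everything, 'none' matches nothing,
    and any other bare word refers to a named acl."""
    ip = ipaddress.ip_address(addr)
    for element in aml:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = matches(acls[name], addr, acls)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def enclosing_zone(qname, zones):
    """Closest enclosing configured zone for qname, or None if the server is
    not authoritative for the name."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def decide(server, src, qname, acls=ACLS):
    """What the server does with a query from src for qname: 'answer' from
    authoritative data, 'recurse' (on the internal server this means forwarding
    to the bastions, per 'forward only'), 'cache-only', or 'refused'."""
    opts = server["options"]
    zone = enclosing_zone(qname, server["zones"])
    if zone is not None:
        aml = server["zones"][zone].get("allow-query", opts["allow-query"])
        return "answer" if matches(aml, src, acls) else "refused"
    if not matches(opts["allow-query"], src, acls):
        return "refused"
    if matches(opts["allow-recursion"], src, acls):
        return "recurse"
    # BIND defaults allow-query-cache to allow-recursion when it is not set.
    if matches(opts.get("allow-query-cache", opts["allow-recursion"]), src, acls):
        return "cache-only"
    return "refused"


if __name__ == "__main__":
    cases = [("172.16.72.50", "www.site1.internal."),   # internal client, internal zone
             ("192.0.2.10", "www.site1.internal."),     # bastion must not see internal data
             ("192.0.2.10", "www.site1.example.com."),  # bastion, public zone
             ("198.51.100.7", "www.site1.example.com."),  # random Internet host
             ("172.16.72.50", "www.isc.org.")]          # internal client, off-site name
    for src, qname in cases:
        print(f"internal server: {src:>13} asks {qname:<24} -> {decide(INTERNAL_SERVER, src, qname)}")
        print(f"external server: {src:>13} asks {qname:<24} -> {decide(EXTERNAL_SERVER, src, qname)}")
```

<p>
 The case worth watching is the second one: a bastion host is in <code class="literal">externals</code> and is therefore allowed to query the internal server at all, but the per-zone <code class="literal">allow-query { internals; }</code> on the <code class="literal">.internal</code> zones still refuses it, which is exactly the protection the text asks for. Note that the model treats a name outside every configured zone as needing recursion; it does not model cached answers.
</p>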
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
<p>
 This is a short guide to setting up Transaction SIGnatures
 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
 </p>
<p>
 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
 to server communication.
 This includes zone transfer, notify, and recursive query messages.
 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
 for TSIG.
 </p>
<p>
 TSIG can also be useful for dynamic update. A primary
 server for a dynamic zone should control access to the dynamic
 update service, but IP-based access control is insufficient.
 The cryptographic access control provided by TSIG
 is far superior. The <span><strong class="command">nsupdate</strong></span>
 program supports TSIG via the <code class="option">-k</code> and
 <code class="option">-y</code> command line options or inline by use
 of the <span><strong class="command">key</strong></span>.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571088"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571105"></a>Automatic Generation</h4></div></div></div>
<p>
 The following command will generate a 128-bit (16 byte) HMAC-SHA256
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is the digest
 length, here 256 bits.
 </p>
<p>
 <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
 </p>
<p>
 The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
 Nothing directly uses this file, but the base-64 encoded string
 following "<code class="literal">Key:</code>"
 can be extracted from the file and used as a shared secret:
 </p>
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
<p>
 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
 be used as the shared secret.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571211"></a>Manual Generation</h4></div></div></div>
<p>
 The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
 so the shared secret can be manually generated.
 </p>
<p>
 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
 a similar program to generate base-64 encoded data.
 </p>
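<p>
 The two generation methods just described, and the well-formedness rules the text states for a hand-made secret, as an added Python example (not ISC code and not part of the ARM). <code class="literal">generate_secret</code> plays the role of <code class="userinput">dnssec-keygen</code>, drawing the bits from the OS random source and capping the size at the digest length as the text notes; <code class="literal">encode_known_string</code> is the <span><strong class="command">mmencode</strong></span> route; <code class="literal">check_secret</code> applies the "multiple of 4, only valid characters" rule before the secret goes into a <code class="literal">key</code> statement. The digest-length table and the <code class="literal">key_statement</code> renderer are assumptions of the example, not a BIND API.
</p>

```python
import base64
import binascii
import secrets

# Digest length per HMAC algorithm, in bits. The page notes that dnssec-keygen
# caps the key size at the digest length (256 bits for hmac-sha256); this table
# is the example's own, not read from BIND.
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}


def generate_secret(bits=128, algorithm="hmac-sha256"):
    """Random shared secret, base-64 encoded the way it appears after "Key:"
    in a dnssec-keygen .private file. secrets.token_bytes uses the OS CSPRNG."""
    if bits <= 0 or bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    if bits > DIGEST_BITS[algorithm]:
        raise ValueError(f"{algorithm} keys are at most {DIGEST_BITS[algorithm]} bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def encode_known_string(text):
    """The mmencode route: base-64 of a known string. Only as unpredictable as
    the string itself, so prefer generate_secret for real deployments."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def check_secret(secret):
    """Validate a secret the way the text describes (length a multiple of 4,
    only base-64 characters) and return its size in bits."""
    if len(secret) == 0 or len(secret) % 4:
        raise ValueError("base-64 text must be a non-empty multiple of 4 characters")
    try:
        raw = base64.b64decode(secret, validate=True)  # rejects non-alphabet characters
    except binascii.Error as exc:
        raise ValueError(f"not valid base-64: {exc}") from None
    if not raw:
        raise ValueError("secret decodes to zero bytes")
    return len(raw) * 8


def key_statement(name, secret, algorithm="hmac-sha256"):
    """Render the named.conf key statement for a validated secret."""
    check_secret(secret)
    return (f"key {name} {{\n"
            f"    algorithm {algorithm};\n"
            f"    secret \"{secret}\";\n"
            f"}};\n")


if __name__ == "__main__":
    s = generate_secret(256)
    print(f"{check_secret(s)}-bit secret: {s}")
    print(key_statement("host1-host2.", s))
```

<p>
 Feed the rendered statement into a file that is not world-readable and <code class="literal">include</code> it from <code class="filename">named.conf</code>, as the next sections recommend.
</p>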
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571229"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
 This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571240"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
 are
 both servers. The following is added to each server's <code class="filename">named.conf</code> file:
 </p>
<pre class="programlisting">
key host1-host2. {
    algorithm hmac-sha256;
    secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
<p>
 The secret is the one generated above. Since this is a secret, it
 is recommended that either <code class="filename">named.conf</code> be
 non-world readable, or the key directive be added to a non-world
 readable file that is included by <code class="filename">named.conf</code>.
 </p>
<p>
 At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
 signature. If the signature is successfully verified, the
 response is signed by the same key.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571345"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
 Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
 10.1.2.3:
 </p>
<pre class="programlisting">
server 10.1.2.3 {
    keys { host1-host2. ;};
};
</pre>
<p>
 Multiple keys may be present, but only the first is used.
 This directive does not contain any secrets, so it may be in a
 world-readable file.
 </p>
<p>
 If <span class="emphasis"><em>host1</em></span> sends a message that is a request
 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
 expect any responses to signed messages to be signed with the same
 key.
 </p>
<p>
 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
 sign request messages to <span class="emphasis"><em>host1</em></span>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571539"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
 <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
 to be specified in ACL
 definitions and
 <span><strong class="command">allow-{ query | transfer | update }</strong></span>
 directives.
 This has been extended to allow TSIG keys also. The above key would
 be denoted <span><strong class="command">key host1-host2.</strong></span>
 </p>
<p>
 An example of an <span><strong class="command">allow-update</strong></span> directive would be:
 </p>
<pre class="programlisting">
allow-update { key host1-host2. ;};
</pre>
<p>
 This allows dynamic updates to succeed only if the request
 was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
 </p>
<p>
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
 the more flexible <span><strong class="command">update-policy</strong></span> statement.
 </p>
</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="sect2" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2571588"></a>Errors</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The processing of TSIG signed messages can result in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington several errors. If a signed message is sent to a non-TSIG aware
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server, a FORMERR (format error) will be returned, since the server will not
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington understand the record. This is a result of misconfiguration,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington since the server must be explicitly configured to send a TSIG
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington signed message to a specific server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews If a TSIG aware server receives a message signed by an
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont unknown key, the response will be unsigned with the TSIG
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater extended error code set to BADKEY. If a TSIG aware server
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont receives a message with a signature that does not validate, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater response will be unsigned with the TSIG extended error code set
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to BADSIG. If a TSIG aware server receives a message with a time
6d114a4c5cddb176ae5199eee154c0273d652ba4Tinderbox User outside of the allowed range, the response will be signed with
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User the TSIG extended error code set to BADTIME, and the time values
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews will be adjusted so that the response can be successfully
0e91f17da8a29086876a88962e0a3482094b6057Evan Hunt verified. In any of these cases, the message's rcode (response code) is set to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews NOTAUTH (not authenticated).
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User </p>
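<p>
 As an added example that is not part of the ARM or of BIND's own code, the
 following Python models the outcomes just described for a TSIG-aware server
 (BADKEY and BADSIG answered unsigned, BADTIME answered signed with the server's
 time, all with rcode NOTAUTH) together with the matching client-side check.
 The MAC construction is a simplified stand-in for the RFC 2845 wire format,
 and the key name, secret and message bytes are constructed sample values.
 </p>

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NOERROR, NOTAUTH = 0, 9                 # DNS rcodes (RFC 1035, RFC 2845)
BADSIG, BADKEY, BADTIME = 16, 17, 18    # TSIG extended error codes (RFC 2845)
DEFAULT_FUDGE = 300                     # permitted clock skew in seconds


@dataclass
class Tsig:
    key_name: str
    time_signed: int          # seconds since the epoch (48 bits on the wire)
    fudge: int
    mac: bytes                # empty in an "unsigned" error response
    error: int = 0            # TSIG extended error code
    other: bytes = b""        # carries the server's time when error == BADTIME


@dataclass
class Message:
    payload: bytes            # the DNS message proper (constructed sample bytes)
    rcode: int = NOERROR
    tsig: Optional[Tsig] = None


def _mac(secret: bytes, payload: bytes, key_name: str, time_signed: int,
         fudge: int, error: int, other: bytes, request_mac: bytes = b"") -> bytes:
    # Simplified model of the RFC 2845 MAC input: the request MAC (responses
    # only), the message, then the TSIG variables. The real wire layout differs;
    # what matters here is which fields the MAC covers.
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for part in (request_mac, payload, key_name.lower().encode("ascii"),
                 struct.pack("!QHH", time_signed, fudge, error), other):
        h.update(part)
    return h.digest()


def sign_request(secret: bytes, key_name: str, payload: bytes, now: int,
                 fudge: int = DEFAULT_FUDGE) -> Message:
    mac = _mac(secret, payload, key_name, now, fudge, 0, b"")
    return Message(payload, NOERROR, Tsig(key_name, now, fudge, mac))


def serve(keys: Dict[str, bytes], request: Message, now: int,
          answer: bytes = b"ANSWER") -> Message:
    """TSIG-aware server handling of a signed request: BADKEY and BADSIG
    responses are unsigned (empty MAC), a BADTIME response is signed and
    carries the server's time; all three use rcode NOTAUTH."""
    t = request.tsig
    if t is None:
        return Message(answer)                      # unsigned query, plain answer
    secret = keys.get(t.key_name.lower())
    if secret is None:
        return Message(answer, NOTAUTH, Tsig(t.key_name, now, t.fudge, b"", BADKEY))
    expected = _mac(secret, request.payload, t.key_name, t.time_signed,
                    t.fudge, t.error, t.other)
    if not hmac.compare_digest(expected, t.mac):
        return Message(answer, NOTAUTH, Tsig(t.key_name, now, t.fudge, b"", BADSIG))
    if abs(now - t.time_signed) > t.fudge:
        other = struct.pack("!Q", now)[2:]          # server time, 48-bit big-endian
        mac = _mac(secret, answer, t.key_name, now, t.fudge, BADTIME, other, t.mac)
        return Message(answer, NOTAUTH, Tsig(t.key_name, now, t.fudge, mac, BADTIME, other))
    mac = _mac(secret, answer, t.key_name, now, t.fudge, 0, b"", t.mac)
    return Message(answer, NOERROR, Tsig(t.key_name, now, t.fudge, mac))


def verify_response(secret: bytes, request: Message, response: Message,
                    now: int) -> Tuple[bool, str]:
    """Client-side check. An unsigned error response cannot be authenticated,
    so the client only learns that the server rejected the key or the MAC;
    a signed BADTIME response authenticates the server's clock value."""
    t = response.tsig
    if t is None or request.tsig is None:
        return False, "response not signed"
    if not t.mac:
        return False, f"unsigned error response, TSIG error {t.error}"
    expected = _mac(secret, response.payload, t.key_name, t.time_signed,
                    t.fudge, t.error, t.other, request.tsig.mac)
    if not hmac.compare_digest(expected, t.mac):
        return False, "response MAC does not validate"
    if t.error == BADTIME:
        server_time = int.from_bytes(t.other, "big")
        return True, f"clock skew rejected; authenticated server time is {server_time}"
    if abs(now - t.time_signed) > t.fudge:
        return False, "response time outside the allowed range"
    return True, "ok"
```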
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571602"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
 is a mechanism for automatically generating a shared secret
 between two hosts. There are several "modes" of
 <span><strong class="command">TKEY</strong></span> that specify how the key is generated
 or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
 these modes, the Diffie-Hellman key exchange. Both hosts are
 required to have a Diffie-Hellman KEY record (although this
 record is not required to be present in a zone). The
 <span><strong class="command">TKEY</strong></span> process must use signed messages,
 signed either by TSIG or SIG(0). The result of
 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
 used to delete shared secrets that it had previously
 generated.
 </p>
<p>
 The <span><strong class="command">TKEY</strong></span> process is initiated by a
 client or server by sending a signed <span><strong class="command">TKEY</strong></span>
 query (including any appropriate KEYs) to a TKEY-aware server. The
 server response, if it indicates success, will contain a
 <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
 After this exchange, both participants have enough information to
 determine the shared secret; the exact process depends on the
 <span><strong class="command">TKEY</strong></span> mode. When using the
 Diffie-Hellman <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
 exchanged, and the shared secret is derived by both participants.
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571651"></a>SIG(0)</h2></div></div></div>
<p>
 <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
 transaction signatures as specified in RFC 2535 and RFC 2931.
 SIG(0) uses public/private keys to authenticate messages. Access control
 is performed in the same manner as TSIG keys; privileges can be
 granted or denied based on the key name.
 </p>
<p>
 When a SIG(0) signed message is received, it will only be
 verified if the key is known and trusted by the server; the server
 will not attempt to locate and/or validate the key.
 </p>
<p>
 SIG(0) signing of multiple-message TCP streams is not
 supported.
 </p>
<p>
 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
<p>
 Cryptographic authentication of DNS information is possible
 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
 defined in RFC 4033, RFC 4034, and RFC 4035.
 This section describes the creation and use of DNSSEC signed zones.
 </p>
<p>
 In order to set up a DNSSEC secure zone, there is a series
 of steps which must be followed. <acronym class="acronym">BIND</acronym>
 9 ships with several tools
 that are used in this process, which are explained in more detail
 below. In all cases, the <code class="option">-h</code> option prints a
 full list of parameters. Note that the DNSSEC tools require the
 keyset files to be in the working directory or the
 directory specified by the <code class="option">-d</code> option, and
 that the tools shipped with BIND 9.2.x and earlier are not compatible
 with the current ones.
 </p>
<p>
 There must also be communication with the administrators of
 the parent and/or child zone to transmit keys. A zone's security
 status must be indicated by the parent zone for a DNSSEC capable
 resolver to trust its data. This is done through the presence
 or absence of a <code class="literal">DS</code> record at the
 delegation point.
 </p>
<p>
 For other servers to trust data in this zone, they must
 either be statically configured with this zone's zone key or the
 zone key of another zone above this one in the DNS tree.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571719"></a>Generating Keys</h3></div></div></div>
<p>
 The <span><strong class="command">dnssec-keygen</strong></span> program is used to
 generate keys.
 </p>
<p>
 A secure zone must contain one or more zone keys. The
 zone keys will sign all other records in the zone, as well as
 the zone keys of any secure delegated zones. Zone keys must
 have the same name as the zone, a name type of
 <span><strong class="command">ZONE</strong></span>, and must be usable for
 authentication.
 It is recommended that zone keys use a cryptographic algorithm
 designated as "mandatory to implement" by the IETF; currently
 the only one is RSASHA1.
 </p>
<p>
 The following command will generate a 768-bit RSASHA1 key for
 the <code class="filename">child.example</code> zone:
 </p>
<p>
 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
 </p>
<p>
 Two output files will be produced:
 <code class="filename">Kchild.example.+005+12345.key</code> and
 <code class="filename">Kchild.example.+005+12345.private</code>
 (where 12345 is an example of a key tag). The key filenames contain
 the key name (<code class="filename">child.example.</code>),
 algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
 this case).
 The private key (in the <code class="filename">.private</code>
 file) is used to generate signatures, and the public key (in the
 <code class="filename">.key</code> file) is used for signature
 verification.
 </p>
<p>
 To generate another key with the same properties (but with
 a different key tag), repeat the above command.
 </p>
<p>
 The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
 to get a key pair from cryptographic hardware and build the key
 files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
 </p>
<p>
 The public keys should be inserted into the zone file by
 including the <code class="filename">.key</code> files using
 <span><strong class="command">$INCLUDE</strong></span> statements.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571798"></a>Signing the Zone</h3></div></div></div>
<p>
 The <span><strong class="command">dnssec-signzone</strong></span> program is used
 to sign a zone.
 </p>
<p>
 Any <code class="filename">keyset</code> files corresponding to
 secure subzones should be present. The zone signer will
 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
 and <code class="literal">RRSIG</code> records for the zone, as
 well as <code class="literal">DS</code> for the child zones if
 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
 is not specified, then DS RRsets for the secure child
 zones need to be added manually.
 </p>
<p>
 The following command signs the zone, assuming it is in a
 file called <code class="filename">zone.child.example</code>. By
 default, all zone keys which have an available private key are
 used to generate signatures.
 </p>
<p>
 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
 </p>
<p>
 One output file is produced:
 <code class="filename">zone.child.example.signed</code>. This
 file should be referenced by <code class="filename">named.conf</code>
 as the input file for the zone.
 </p>
<p><span><strong class="command">dnssec-signzone</strong></span>
 will also produce keyset and dsset files and optionally a
 dlvset file. These are used to provide the parent zone
 administrators with the <code class="literal">DNSKEYs</code> (or their
 corresponding <code class="literal">DS</code> records) that are the
 secure entry point to the zone.
 </p>
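<p>
 The key tag in the <code class="filename">K*.key</code> file names of the
 previous section and the <code class="literal">DS</code> record the parent
 publishes from the dsset output are both derived from the DNSKEY RDATA.
 The following Python, added here and not part of BIND or its tools, reproduces
 the RFC 4034 key tag, the K&lt;zone&gt;+&lt;algorithm&gt;+&lt;tag&gt; file name
 and the DS digest for a constructed, deliberately tiny (and not usable)
 sample key; the function names are hypothetical helpers.
 </p>

```python
import base64
import hashlib
import struct
from typing import Tuple

# Algorithm numbers named in the Generating Keys section; for readable output only.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, ending with the empty root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = zone key with the SEP bit), protocol
    (always 3), algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA with even-offset bytes
    as high octets and odd-offset bytes as low octets, fold in the carry,
    keep 16 bits. (Algorithm 1, RSAMD5, uses a different rule, not handled.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b * 256
    ac += (ac // 65536) % 65536
    return ac % 65536


def key_file_base(zone: str, rdata: bytes) -> str:
    """Base name of the .key/.private pair dnssec-keygen writes:
    K{zone}+{algorithm:03d}+{key tag:05d}."""
    zone = zone.rstrip(".") + "."
    return f"K{zone}+{rdata[3]:03d}+{key_tag(rdata):05d}"


def parse_key_line(line: str) -> Tuple[str, bytes]:
    """Read one DNSKEY record in the presentation format of a .key file,
    e.g. 'child.example. IN DNSKEY 257 3 5 {base64}', TTL and class optional."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], dnskey_rdata(flags, protocol, algorithm, public_key)


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA for the delegation point (RFC 4034 section 5.1.4): key tag,
    algorithm, digest type, and the digest of canonical owner name followed
    by the DNSKEY RDATA. Digest type 1 is SHA-1, 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def describe(owner: str, rdata: bytes) -> str:
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return (f"{owner} DNSKEY flags={flags} protocol={protocol} "
            f"algorithm={algorithm} ({ALGORITHMS.get(algorithm, 'other')}) "
            f"tag={key_tag(rdata)} files={key_file_base(owner, rdata)}.key/.private")


if __name__ == "__main__":
    # Constructed sample: a four-byte "public key" so the tag arithmetic is visible.
    owner, rdata = parse_key_line("child.example. IN DNSKEY 257 3 5 AQIDBA==")
    print(describe(owner, rdata))
    print(owner, "DS", ds_rdata(owner, rdata))
```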
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571879"></a>Configuring Servers</h3></div></div></div>
<p>
 To enable <span><strong class="command">named</strong></span> to respond appropriately
 to DNS requests from DNSSEC aware clients,
 <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
 (This is the default setting.)
 </p>
<p>
 To enable <span><strong class="command">named</strong></span> to validate answers from
 other servers, the <span><strong class="command">dnssec-enable</strong></span> and
 <span><strong class="command">dnssec-validation</strong></span> options must both be
 set to yes (the default setting in <acronym class="acronym">BIND</acronym> 9.5
 and later), and at least one trust anchor must be configured
 with a <span><strong class="command">trusted-keys</strong></span> or
 <span><strong class="command">managed-keys</strong></span> statement in
 <code class="filename">named.conf</code>.
 </p>
<p>
 <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
 for zones that are used to form the first link in the
 cryptographic chain of trust. All keys listed in
 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
 are deemed to exist and only the listed keys will be used
 to validate the DNSKEY RRset that they are from.
 </p>
<p>
 <span><strong class="command">managed-keys</strong></span> are trusted keys which are
 automatically kept up to date via RFC 5011 trust anchor
 maintenance.
 </p>
<p>
 <span><strong class="command">trusted-keys</strong></span> and
 <span><strong class="command">managed-keys</strong></span> are described in more detail
 later in this document.
 </p>
<p>
 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
 9 does not verify signatures on load, so zone keys for
 authoritative zones do not need to be specified in the
 configuration file.
 </p>
<p>
 Once DNSSEC is established, a typical DNSSEC configuration
 will look something like the following. It has one or
 more public keys for the root. This allows answers from
 outside the organization to be validated. It will also
 have several keys for parts of the namespace the organization
 controls. These are here to ensure that <span><strong class="command">named</strong></span>
 is immune to compromises in the DNSSEC components of the security
 of parent zones.
 </p>
<pre class="programlisting">
managed-keys {
    /* Root Key */
    "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
    JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
    aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
    4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
    hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
    5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
    g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
    66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
    97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
    dgxbcDTClU0CRBdiieyLMNzXG3";
};

trusted-keys {
    /* Key for our organization's forward zone */
    example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
    5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
    GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
    4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
    kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
    g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
    TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
    FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
    F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
    /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
    1OTQ09A0=";

    /* Key for our reverse zone. */
    2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
    xOdNax071L18QqZnQQQAVVr+i
    LhGTnNGp3HoWQLUIzKrJVZ3zg
    gy3WwNT6kZo6c0tszYqbtvchm
    gQC8CzKojM/W16i6MG/eafGU3
    siaOdS0yOI6BgPsw+YZdzlYMa
    IJGf4M4dyoKIhzdZyQ2bYQrjy
    Q4LB0lC7aOnsMyYKHHYeRvPxj
    IQXmdqgOJGq+vsevG06zW+1xg
    YJh9rCIfnm1GX/KMgxLPG2vXT
    D/RnLX+D3T3UL7HJYHJhAZD5L
    59VvjSPsZJHeDCUyWYrvPZesZ
    DIRvhDD52SKvbheeTJUm6Ehkz
    ytNN2SN96QRk8j/iI8ib";
};

options {
    ...
    dnssec-enable yes;
    dnssec-validation yes;
};
</pre>
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<h3 class="title">Note</h3>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt None of the keys listed in this example are valid. In particular,
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt the root key is not valid.
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt </div>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<p>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt When DNSSEC validation is enabled and properly configured,
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt the resolver will reject any answers from signed, secure zones
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt which fail to validate, and will return SERVFAIL to the client.
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt </p>
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User<p>
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User Responses may fail to validate for any of several reasons,
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt including missing, expired, or invalid signatures, a key which
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt does not match the DS RRset in the parent zone, or an insecure
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt response from a zone which, according to its parent, should have
2beefc22e6debdb72d7b2a069787ff565fc79ec4Tinderbox User been secure.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<h3 class="title">Note</h3>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When the validator receives a response from an unsigned zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that has a signed parent, it must confirm with the parent
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that the zone was intentionally left unsigned. It does
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater this by verifying, via signed and validated NSEC/NSEC3 records,
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater that the parent zone contains no DS records for the child.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If the validator <span class="emphasis"><em>can</em></span> prove that the zone
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews is insecure, then the response is accepted. However, if it
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews cannot, then it must assume an insecure response to be a
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews forgery; it rejects the response and logs an error.
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews </p>
cb40461f8744c5aeb369b84d5f48395a13a221a0Mark Andrews<p>
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews The logged error reads "insecurity proof failed" and
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews "got insecure response; parent indicates it should be secure".
9f8051ea406dc3d98bb205df82cfc4d668a25d6eTinderbox User (Prior to BIND 9.7, the logged error was "not insecure".
8f3657636521817d2971ae29aa3fb66e33709753Mark Andrews This referred to the zone, not the response.)
8f3657636521817d2971ae29aa3fb66e33709753Mark Andrews </p>
66458d12f373fb75e8543d36fd76864a7567057bTinderbox User</div>
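<p>
The decision procedure described above, written out as an added illustration rather than code from <acronym class="acronym">BIND</acronym> 9 itself. The DS digest is computed as RFC 4034 section 5.1.4 specifies (SHA-256 over the owner name in canonical wire form followed by the DNSKEY RDATA), so the "key which does not match the DS RRset in the parent" case is a real check; RRSIG verification is represented by a caller-supplied flag, and the zone name, DNSKEY bytes and NSEC type bitmaps are constructed for the example.
</p>

```python
"""Chain-of-trust decisions of a DNSSEC validator, as an added illustration
of the behaviour described above (not BIND's own code).  The DS digest
follows RFC 4034 section 5.1.4: SHA-256 over the owner name in canonical
wire form followed by the DNSKEY RDATA.  RRSIG verification itself is out
of scope here and is represented by a caller-supplied boolean."""
import hashlib
import struct

# Constructed DNSKEY for the example zone (flags 257 = KSK, protocol 3,
# algorithm 13 = ECDSAP256SHA256); the key bytes are a placeholder.
EXAMPLE_OWNER = "example.com."
EXAMPLE_DNSKEY = (257, 3, 13, bytes(range(1, 33)))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each prefixed with its length,
    terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels)
    return wire + b"\x00"


def ds_digest(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Hex SHA-256 digest a parent would publish in a DS record (digest type 2)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def validate(owner, parent_ds, child_dnskey, rrsigs_valid, delegation_nsec_types):
    """Classify a response from zone `owner`.

    parent_ds:             validated DS digests (hex) the parent publishes, [] if none
    child_dnskey:          (flags, protocol, algorithm, pubkey) from the answer,
                           or None for an unsigned (insecure) response
    rrsigs_valid:          whether the answer's RRSIGs verified against that key
    delegation_nsec_types: type bitmap of a validated NSEC/NSEC3 covering the
                           delegation in the parent, or None if no proof is available
    Returns (status, rcode, log_message)."""
    if parent_ds:
        # The parent says the child is signed: an unsigned answer is a forgery.
        if child_dnskey is None:
            return ("bogus", "SERVFAIL",
                    "got insecure response; parent indicates it should be secure")
        if ds_digest(owner, *child_dnskey) not in parent_ds:
            return ("bogus", "SERVFAIL", "DNSKEY does not match DS RRset in parent")
        if not rrsigs_valid:
            return ("bogus", "SERVFAIL", "missing, expired, or invalid signature")
        return ("secure", "NOERROR", "validated")
    # No DS returned: the parent must prove the delegation is intentionally
    # unsigned, via a validated NSEC/NSEC3 whose type bitmap lacks DS.
    if delegation_nsec_types is None or "DS" in delegation_nsec_types:
        return ("bogus", "SERVFAIL", "insecurity proof failed")
    return ("insecure", "NOERROR", "delegation proven insecure; answer accepted")


if __name__ == "__main__":
    digest = ds_digest(EXAMPLE_OWNER, *EXAMPLE_DNSKEY)
    print(validate(EXAMPLE_OWNER, [digest], EXAMPLE_DNSKEY, True, None))
    print(validate(EXAMPLE_OWNER, [], None, False, ["NS", "RRSIG", "NSEC"]))
    print(validate(EXAMPLE_OWNER, [], None, False, None))
```

<p>
The last branch is the one the note is about: with no DS in the parent and no validated NSEC/NSEC3 record proving that absence, the validator cannot distinguish an intentionally unsigned delegation from a stripped one, so it returns SERVFAIL rather than accept the answer.
</p>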
c19bf21885cdf78b52eee017dc1189a300657995Tinderbox User</div>
f525041ae26958385b697cf82a30f108577024b6Tinderbox User</div>
f525041ae26958385b697cf82a30f108577024b6Tinderbox User<div class="sect1" lang="en">
be0d1ec971748020cb0382e02b4642b493ea1e7bTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
be0d1ec971748020cb0382e02b4642b493ea1e7bTinderbox User<a name="id2572061"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
f525041ae26958385b697cf82a30f108577024b6Tinderbox User<p>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <acronym class="acronym">BIND</acronym> 9 fully supports all currently
5b56652059e2c22185a0b2bb1f5e58eb89a44426Tinderbox User defined forms of IPv6 name to address and address to name
c78c39caab4cf8b5daefc9c65878f7f5ed3eb7a0Tinderbox User lookups. It will also use IPv6 addresses to make queries when
c78c39caab4cf8b5daefc9c65878f7f5ed3eb7a0Tinderbox User running on an IPv6 capable system.
8e86e8a779f37378fdb85a92c4ba77e394013729Tinderbox User </p>
c19bf21885cdf78b52eee017dc1189a300657995Tinderbox User<p>
9f8051ea406dc3d98bb205df82cfc4d668a25d6eTinderbox User For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
f525041ae26958385b697cf82a30f108577024b6Tinderbox User only AAAA records. RFC 3363 deprecated the use of A6 records,
be0d1ec971748020cb0382e02b4642b493ea1e7bTinderbox User and client-side support for A6 records was accordingly removed
ff62ab3c2e6274f19190ded15548c723d38bbbe3Automatic Updater from <acronym class="acronym">BIND</acronym> 9.
ee23b913b6acccad68cf5af480b9e289a3d00510Tinderbox User However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
ee23b913b6acccad68cf5af480b9e289a3d00510Tinderbox User load zone files containing A6 records correctly, answer queries
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User for A6 records, and accept zone transfer for a zone containing A6
e20309353e6246485c521278131d3fced73d7957Tinderbox User records.
e20309353e6246485c521278131d3fced73d7957Tinderbox User </p>
ee23b913b6acccad68cf5af480b9e289a3d00510Tinderbox User<p>
ee23b913b6acccad68cf5af480b9e289a3d00510Tinderbox User For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
2beefc22e6debdb72d7b2a069787ff565fc79ec4Tinderbox User the traditional "nibble" format used in the
9e8ee4ffd77aa2974cecbdbb2b122156b8d3a27aTinderbox User <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="emphasis"><em>ip6.int</em></span> domain.
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User Older versions of <acronym class="acronym">BIND</acronym> 9
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User supported the "binary label" (also known as "bitstring") format,
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User but support of binary labels has been completely removed per
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater RFC 3363.
9dde9ce5558696850b6b9850a8475ae518409518Tinderbox User Many applications in <acronym class="acronym">BIND</acronym> 9 no longer understand
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews the binary label format at all, and will return an
21b353c36cb484d022a0df8cb39c602649a46ae6Tinderbox User error if given one.
21b353c36cb484d022a0df8cb39c602649a46ae6Tinderbox User In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews name server will not load a zone file containing binary labels.
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews </p>
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews<p>
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews For an overview of the format and structure of IPv6 addresses,
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
ecbc7ebb243a1f8a5dc6f28185ffe9e61d3b2102Mark Andrews </p>
c0cc232ba92b92c1c5a48d49449ef56f7ca05b56Tinderbox User<div class="sect2" lang="en">
c0cc232ba92b92c1c5a48d49449ef56f7ca05b56Tinderbox User<div class="titlepage"><div><div><h3 class="title">
ce67023ae3ad39a77da5361d0187ab6f3f0219cbMark Andrews<a name="id2572328"></a>Address Lookups Using AAAA Records</h3></div></div></div>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews<p>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews The IPv6 AAAA record is a parallel to the IPv4 A record,
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews and, unlike the deprecated A6 record, specifies the entire
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews IPv6 address in a single record. For example,
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews </p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<pre class="programlisting">
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews$ORIGIN example.com.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrewshost 3600 IN AAAA 2001:db8::1
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews</pre>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<p>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews Use of IPv4-in-IPv6 mapped addresses is not recommended.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews If a host has an IPv4 address, use an A record rather than
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews a AAAA record with <code class="literal">::ffff:192.168.42.1</code> as
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews the address.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews </p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews</div>
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews<div class="sect2" lang="en">
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews<div class="titlepage"><div><div><h3 class="title">
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews<a name="id2572349"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews<p>
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews When looking up an address in nibble format, the address is
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews written out in full as 32 hexadecimal digits, those digits (nibbles)
3040b455151b1e1173193933664b2891b6159f24Mark Andrews are reversed and separated by dots, just as the octets are in IPv4, and
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt <code class="literal">ip6.arpa.</code> is appended to the resulting name.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User For example, the following would provide reverse name lookup for
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User a host with address
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews <code class="literal">2001:db8::1</code>.
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User </p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<pre class="programlisting">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater host.example.com. )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</pre>
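<p>
The two conventions just described (AAAA records and A records for IPv4-mapped addresses in the previous section, and the nibble-format reverse name in this one) carried out in code, as an added example that is not part of <acronym class="acronym">BIND</acronym> 9. It uses only the standard <code class="literal">ipaddress</code> module; the host name, addresses and the /64 split are constructed to reproduce the zone fragments shown above, and the functions generalise them to any address and any nibble-aligned delegation prefix.
</p>

```python
"""Forward records and nibble-format reverse names for IPv6 addresses.
Added illustration, not BIND's own code; all names and addresses are
constructed for the example."""
import ipaddress


def nibble_reverse(address: str) -> str:
    """Expand the address to its 32 hex digits, reverse them, join with
    dots and append ip6.arpa. (the traditional "nibble" format)."""
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    assert len(digits) == 32
    return ".".join(reversed(digits)) + ".ip6.arpa."


def reverse_zone_split(address: str, prefixlen: int):
    """Split the nibble name into ($ORIGIN, owner) for a reverse zone
    delegated at `prefixlen` bits.  Each label is one nibble, so the
    prefix length must be a multiple of 4 and leave at least one nibble
    for the owner name."""
    if prefixlen % 4 or not 0 < prefixlen < 128:
        raise ValueError("prefix length must be a positive multiple of 4 below 128")
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    n = prefixlen // 4
    origin = ".".join(reversed(digits[:n])) + ".ip6.arpa."
    owner = ".".join(reversed(digits[n:]))
    return origin, owner


def forward_record(name: str, address: str, ttl: int = 3600) -> str:
    """Forward record for an address.  An IPv4-mapped IPv6 address
    (::ffff:a.b.c.d) gets an A record for the embedded IPv4 address,
    following the advice above, instead of a AAAA record."""
    addr = ipaddress.IPv6Address(address)
    if addr.ipv4_mapped is not None:
        return f"{name} {ttl} IN A {addr.ipv4_mapped}"
    return f"{name} {ttl} IN AAAA {addr.compressed}"


def reverse_zone(address: str, prefixlen: int, target: str, ttl: int = 14400) -> str:
    """$ORIGIN line plus PTR record, in the layout of the zone fragment above."""
    origin, owner = reverse_zone_split(address, prefixlen)
    return f"$ORIGIN {origin}\n{owner} {ttl} IN PTR {target}"


if __name__ == "__main__":
    print(forward_record("host", "2001:db8::1"))
    print(forward_record("host", "::ffff:192.168.42.1"))
    print(nibble_reverse("2001:db8::1"))
    print(reverse_zone("2001:db8::1", 64, "host.example.com."))
```

<p>
Splitting at the delegation boundary matters operationally: the part of the name above the split is whoever holds the reverse delegation, and only the labels below it belong in your zone, so a wrong prefix length produces owner names that never match the queried name.
</p>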
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="navfooter">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<hr>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<table width="100%" summary="Navigation footer">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<tr>
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User<td width="40%" align="left">
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&#160;</td>
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User<td width="20%" align="center">&#160;</td>
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User<td width="40%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User</td>
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User</tr>
fca737c98d2be3ef944cc96320c040fdb5f160e3Tinderbox User<tr>
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User<td width="40%" align="left" valign="top">Chapter&#160;3.&#160;Name Server Configuration&#160;</td>
51374c645c0e6dd77c369c13834c751785f96f14Tinderbox User<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<td width="40%" align="right" valign="top">&#160;Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater</tr>
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater</table>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews</body>
88d58d79c5bc7ce3c20a42461a5070116c736836Automatic Updater</html>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater