Bv9ARM.ch04.html revision 6101b9f0d904a708e900a74abc16d1e0eda67264
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.62 2005/12/05 02:08:04 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
<div class="toc">
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552097">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552616">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552758">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552769">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552808">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552866">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552910">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552924">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552973">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2553110">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2553248">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2553326">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2553401">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2553531">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2553553">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
<span class="acronym">DNS</span> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
slave will check to see that its version of the zone is the
current version and, if not, initiate a zone transfer.
</p>
<p>
For more information about <span class="acronym">DNS</span>
<span><strong class="command">NOTIFY</strong></span>, see the description of the
<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
the description of the zone option <span><strong class="command">also-notify</strong></span> in
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
protocol is specified in RFC 1996.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
cause <span><strong class="command">named</strong></span> to send <span><strong class="command">NOTIFY</strong></span> only for master
zones that it loads.
</p>
</div>
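<p>
The check a slave performs when a NOTIFY arrives, as an added example (not text or code from the ARM, and not named's implementation). Zone serials live in a 32-bit sequence space, so "is my copy current?" is decided with RFC 1982 serial arithmetic rather than a plain integer comparison, which matters once a serial wraps past 2^32. The masters list, addresses and serials below are constructed; <code class="literal">notify_decision</code> and <code class="literal">serial_gt</code> are names chosen for this example.
</p>

```python
# Added example, not code from the BIND 9 ARM or from named: the check a slave
# performs when a NOTIFY arrives. Zone serials live in a 32-bit sequence space,
# so "newer" is decided with RFC 1982 serial arithmetic rather than plain
# integer comparison; the masters list and addresses below are constructed.

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b (RFC 1982 section 3.2).

    A difference of exactly 2^31 is undefined by the RFC; this returns
    False for it in both directions so the caller does not transfer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def notify_decision(local_serial, notify_serial, sender, masters, allow_notify=()):
    """What the slave does with one NOTIFY.

    local_serial   serial of the copy this server holds
    notify_serial  SOA serial carried in the NOTIFY, or None if absent
    sender         address the NOTIFY came from
    masters        addresses in the zone's masters list (strings)
    allow_notify   extra addresses permitted by an allow-notify clause
    """
    if sender not in masters and sender not in allow_notify:
        # named refuses a NOTIFY from a host that is neither a listed master
        # nor permitted by allow-notify, so a stray NOTIFY cannot make the
        # slave start refresh traffic.
        return "refused"
    if notify_serial is None:
        # No serial hint: query the master's SOA and compare, as on refresh.
        return "check-soa"
    if serial_gt(notify_serial, local_serial):
        return "transfer"       # our copy is stale: start AXFR/IXFR
    return "up-to-date"         # nothing to do


if __name__ == "__main__":
    masters = {"172.16.72.3"}
    print(notify_decision(2005120401, 2005120501, "172.16.72.3", masters))  # transfer
    print(serial_gt(5, 4294967295))   # True: the serial wrapped past 2^32
```

<p>
The wraparound case is the one that plain comparison gets wrong: a master that restarted its serial at a small number after passing 2^32 - 1 is still "newer" under RFC 1982, and a slave comparing integers would never transfer again.
</p>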
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
Dynamic Update is a method for adding, replacing or deleting
records in a master server by sending it a special form of DNS
messages. The format and meaning of these messages is specified
</p>
<p>
Dynamic update is enabled by
including an <span><strong class="command">allow-update</strong></span> or
<span><strong class="command">update-policy</strong></span> clause in the
<span><strong class="command">zone</strong></span> statement.
</p>
<p>
Updating of secure zones (zones using DNSSEC) follows
RFC 3007: RRSIG and NSEC records affected by updates are automatically
regenerated by the server using an online zone key.
Update authorization is based
on transaction signatures and an explicit server policy.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
All changes made to a zone using dynamic update are stored
in the zone's journal file. This file is automatically created
by the server when the first dynamic update takes place.
The name of the journal file is formed by appending the extension
<code class="filename">.jnl</code> to the name of the
corresponding zone file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
</p>
<p>
The server will also occasionally write ("dump")
the complete contents of the updated zone to its zone file.
This is not done immediately after
each dynamic update, because that would be too slow when a large
zone is updated frequently. Instead, the dump is delayed by
up to 15 minutes, allowing additional updates to take place.
</p>
<p>
When a server is restarted after a shutdown or crash, it will replay
the journal file to incorporate into the zone any updates that took
place after the last zone dump.
</p>
<p>
Changes that result from incoming incremental zone transfers are
journalled in a similar way.
</p>
<p>
The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
dynamic changes: those are only in the journal file.
The only way to ensure that the zone file of a dynamic zone
is up to date is to run <span><strong class="command">rndc stop</strong></span>.
</p>
<p>
If you have to make changes to a dynamic zone
manually, the following procedure will work: disable dynamic updates
to the zone using
<span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
This will also remove the zone's <code class="filename">.jnl</code> file
and update the master file. Edit the zone file. Run
<span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
to reload the changed zone and re-enable dynamic updates.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
</p>
<p>
When acting as a master, <span class="acronym">BIND</span> 9
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR. For manually maintained master
zones, and for slave zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
<span><strong class="command">ixfr-from-differences</strong></span> is set
to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
When acting as a slave, <span class="acronym">BIND</span> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
of the <span><strong class="command">server</strong></span> statement.
</p>
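<p>
An added example covering both the journal file described in the Dynamic Update section and the "change history" the IXFR section refers to (this is a model written for this page, not BIND's journal format or transfer code). It shows the two things a practitioner relies on: on restart, entries newer than the dumped serial are replayed, and a master can only answer IXFR when its journal reaches back to the client's serial; otherwise the client must fall back to AXFR. The zone name, records and serials are constructed; <code class="literal">Transaction</code>, <code class="literal">Zone</code>, <code class="literal">replay_journal</code>, <code class="literal">ixfr_response</code> and <code class="literal">ixfr_answer_section</code> are names chosen for this example.
</p>

```python
# Added example, not the ARM's text nor BIND's journal format: a model of the
# journal file from the Dynamic Update section and of how the IXFR section's
# "change history" is served from it. Records and serials are constructed.
# Serials are compared as plain integers here; wraparound is ignored.
from dataclasses import dataclass, field


@dataclass
class Transaction:
    """One journal entry: the SOA serial before and after, and the RR delta."""
    old_serial: int
    new_serial: int
    deleted: list
    added: list


@dataclass
class Zone:
    name: str
    serial: int
    records: set = field(default_factory=set)

    def apply(self, tx: Transaction) -> None:
        # A journal entry is only valid against the serial it was made from.
        if tx.old_serial != self.serial:
            raise ValueError(f"{self.name}: entry {tx.old_serial}->{tx.new_serial} "
                             f"does not follow serial {self.serial}")
        self.records.difference_update(tx.deleted)
        self.records.update(tx.added)
        self.serial = tx.new_serial


def replay_journal(dumped: Zone, journal: list) -> Zone:
    """Restart path: the zone file holds the last dump, the journal holds every
    update; entries at or below the dumped serial are skipped, later ones applied."""
    for tx in journal:
        if tx.new_serial <= dumped.serial:      # already in the dumped zone file
            continue
        dumped.apply(tx)
    return dumped


def ixfr_response(zone: Zone, journal: list, client_serial: int):
    """What a master answers to an IXFR request carrying client_serial.

    Returns ('up-to-date', None), ('ixfr', [transactions]) or ('axfr', None)
    when the history does not reach back to the client's serial (the client
    then falls back to a full transfer, as RFC 1995 allows)."""
    if client_serial == zone.serial:
        return ("up-to-date", None)
    start = next((i for i, tx in enumerate(journal)
                  if tx.old_serial == client_serial), None)
    if start is None:
        return ("axfr", None)
    delta = journal[start:]
    for earlier, later in zip(delta, delta[1:]):
        if earlier.new_serial != later.old_serial:   # gap in the history
            return ("axfr", None)
    if delta[-1].new_serial != zone.serial:
        return ("axfr", None)
    return ("ixfr", delta)


def ixfr_answer_section(zone: Zone, delta: list) -> list:
    """Lay a delta out the way an IXFR answer is ordered: current SOA, then per
    transaction old SOA + deletions and new SOA + additions, current SOA again."""
    def soa(serial):
        return (zone.name, "SOA", serial)
    out = [soa(zone.serial)]
    for tx in delta:
        out += [soa(tx.old_serial), *tx.deleted, soa(tx.new_serial), *tx.added]
    out.append(soa(zone.serial))
    return out


def sample() -> tuple:
    """Constructed data: a dump taken at serial 2 and a journal holding 1->2->3."""
    journal = [
        Transaction(1, 2, [], [("mail", "A", "192.0.2.25")]),
        Transaction(2, 3, [("www", "A", "192.0.2.10")], [("www", "A", "192.0.2.11")]),
    ]
    dumped = Zone("example.com.", 2,
                  {("www", "A", "192.0.2.10"), ("mail", "A", "192.0.2.25")})
    return dumped, journal


if __name__ == "__main__":
    zone, journal = sample()
    replay_journal(zone, journal)
    print(zone.serial, sorted(zone.records))
    print(ixfr_response(zone, journal, 1)[0], ixfr_response(zone, journal, 0)[0])
```

<p>
The "axfr" branch is why a manually maintained master zone cannot serve IXFR unless <span><strong class="command">ixfr-from-differences</strong></span> is on: with no journal entries there is never a transaction whose old serial matches the client's, so every request degrades to a full transfer.
</p>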
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2552097"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
<span class="emphasis"><em>Split DNS</em></span> setup. There are several
reasons an organization would want to set up its DNS this way.
</p>
<p>
One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually
</p>
<p>
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means.
</p>
<p>
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistent view of itself
to the outside world.
</p>
<p>
Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
</p>
<p>
Here is an example of a split DNS setup:
</p>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
has several corporate sites that have an internal network with
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.
</p>
<p>
<span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.
</p>
<p>
In order to accomplish this, the company will set up two sets
of name servers. One set will be on the inside network (in the
IP space) and the other set will be on bastion hosts, which are
hosts that can talk to both sides of its network, in the DMZ.
</p>
<p>
The internal servers will be configured to forward all queries,
except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
and <code class="filename">site2.example.com</code>, to the servers in the
DMZ. These internal servers will have complete sets of information
for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
and <code class="filename">site2.internal</code>.
</p>
<p>
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
the internal name servers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
hosts.
</p>
<p>
The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
This could include things such as the host records for public servers
(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
<p>
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
should have special MX records that contain wildcard (<code class="literal">*</code>) records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.
</p>
<p>
Here's an example of a wildcard MX record:
</p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.
</p>
<p>
Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.
</p>
<p>
In order for all this to work properly, internal clients will
need to be configured to query <span class="emphasis"><em>only</em></span> the internal
name servers for DNS queries. This could also be enforced via
filtering on the network.
</p>
<p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with internal AND external people.</li>
</ul>
<p>
Hosts on the Internet will be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
</ul>
<p>
Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
</p>
<p>
Internal DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
    forward only;
    forwarders {                            // forward to external servers
        <code class="varname">bastion-ips-go-here</code>;
    };
    allow-transfer { none; };               // sample allow-transfer (no one)
    allow-query { internals; externals; };  // restrict query access
    allow-recursion { internals; };         // restrict recursion
};

zone "site1.example.com" {                  // sample master zone
    type master;
    file "<code class="varname">zone-file-goes-here</code>";
    forwarders { };                         // do normal iterative
                                            // resolution (do not forward)
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site2.example.com" {                  // sample slave zone
    type slave;
    file "<code class="varname">zone-file-goes-here</code>";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {                     // internal-only master zone
    type master;
    file "<code class="varname">zone-file-goes-here</code>";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {                     // internal-only slave zone
    type slave;
    file "<code class="varname">zone-file-goes-here</code>";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</pre>
<p>
External (bastion host) DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
    allow-transfer { none; };                    // sample allow-transfer (no one)
    allow-query { any; };                        // default query access
    allow-query-cache { internals; externals; }; // restrict cache access
    allow-recursion { internals; externals; };   // restrict recursion
};

zone "site1.example.com" {                       // sample master zone
    type master;
    file "<code class="varname">zone-file-goes-here</code>";
    allow-transfer { internals; externals; };
};

zone "site2.example.com" {                       // sample slave zone
    type slave;
    file "<code class="varname">zone-file-goes-here</code>";
    masters { <code class="varname">another_bastion_host_maybe</code>; };
    allow-transfer { internals; externals; };
};
</pre>
<p>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
</p>
<pre class="programlisting">
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
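<p>
An added example (not part of the ARM and not BIND's ACL implementation) that models how the internal server in the configuration above treats a query: the per-zone <span><strong class="command">allow-query</strong></span> lists are what keep the <code class="filename">*.internal</code> zones invisible to the bastion hosts, the global <span><strong class="command">allow-recursion</strong></span> stops the bastions from using the internal server as a recursive resolver, and <span><strong class="command">forward only</strong></span> sends everything else to the DMZ. Address match lists are evaluated first match wins, with a leading <code class="literal">!</code> negating an element, as in <code class="filename">named.conf</code>. The address 192.0.2.1 stands in for <code class="varname">bastion-ips-go-here</code> (constructed); <code class="literal">ACL</code>, <code class="literal">enclosing_zone</code> and <code class="literal">handle_query</code> are names chosen for this example.
</p>

```python
# Added example, not part of the ARM and not BIND's ACL code: a model of how
# the internal server configured above decides what to do with a query, using
# the same ACLs, per-zone allow-query lists and forwarders. 192.0.2.1 is a
# constructed stand-in for bastion-ips-go-here.
import ipaddress


class ACL:
    """A named.conf address_match_list: elements are CIDR strings, 'any',
    'none', other ACL objects, or a string prefixed with '!' to negate it.
    Evaluation is first match wins; no match at all means denied."""

    def __init__(self, *elements):
        self.elements = []
        for e in elements:
            negate = isinstance(e, str) and e.startswith("!")
            if negate:
                e = e[1:].strip()
            if isinstance(e, str) and e not in ("any", "none"):
                e = ipaddress.ip_network(e, strict=False)
            self.elements.append((negate, e))

    def _matches(self, elem, addr) -> bool:
        if isinstance(elem, ACL):
            # A nested ACL counts as matched only when it matches positively;
            # a negated hit inside it is "no match" and evaluation continues.
            return elem.allows(addr)
        if elem == "any":
            return True
        if elem == "none":
            return False
        return addr in elem

    def allows(self, addr) -> bool:
        addr = ipaddress.ip_address(addr)
        for negate, elem in self.elements:
            if self._matches(elem, addr):
                return not negate    # first matching element decides
        return False


INTERNALS = ACL("172.16.72.0/24", "192.168.1.0/24")
EXTERNALS = ACL("192.0.2.1")          # placeholder for bastion-ips-go-here

OPTIONS = {
    "forward": "only",
    "forwarders": ["192.0.2.1"],
    "allow_query": ACL(INTERNALS, EXTERNALS),
    "allow_recursion": ACL(INTERNALS),
}

# Per-zone settings. An empty forwarders list inside a zone switches
# forwarding off for names under it, so they are answered from zone data.
ZONES = {
    "site1.example.com": {"allow_query": ACL(INTERNALS, EXTERNALS), "forwarders": []},
    "site2.example.com": {"allow_query": ACL(INTERNALS, EXTERNALS), "forwarders": []},
    "site1.internal":    {"allow_query": ACL(INTERNALS), "forwarders": []},
    "site2.internal":    {"allow_query": ACL(INTERNALS), "forwarders": []},
}


def enclosing_zone(qname: str):
    """The closest enclosing configured zone for qname, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def handle_query(client: str, qname: str) -> str:
    """Outcome of a query from `client` for `qname` at the internal server."""
    zone = enclosing_zone(qname)
    if zone is not None:
        # The zone's own allow-query overrides the global one; this is what
        # keeps *.internal invisible to the bastion hosts.
        if not ZONES[zone]["allow_query"].allows(client):
            return "REFUSED"
        return f"authoritative:{zone}"
    if not OPTIONS["allow_query"].allows(client):
        return "REFUSED"
    if not OPTIONS["allow_recursion"].allows(client):
        # Not permitted to recurse: named answers only from data it already holds.
        return "no-recursion"
    # forward only: hand the query to the bastions and never iterate ourselves.
    return "forward:" + ",".join(OPTIONS["forwarders"])


if __name__ == "__main__":
    for client, name in [("192.168.1.20", "www.site1.internal"),
                         ("192.0.2.1", "www.site1.internal"),
                         ("192.168.1.20", "www.isc.org"),
                         ("203.0.113.5", "www.isc.org")]:
        print(client, name, "->", handle_query(client, name))
```

<p>
The two refusals are the security-relevant ones: a bastion asking for anything under <code class="filename">site1.internal</code> is refused by the zone's <span><strong class="command">allow-query</strong></span>, and an Internet host hitting the internal server at all is refused by the global one. Note that the bastion, although allowed to query, gets no recursion from the internal server; recursion for the bastions is provided by their own <code class="filename">named</code>, whose <span><strong class="command">allow-recursion</strong></span> includes <code class="literal">externals</code>.
</p>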
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
 This is a short guide to setting up Transaction SIGnatures
 (TSIG) based transaction security in <span class="acronym">BIND</span>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
 keys and using transaction signatures with <span class="acronym">BIND</span>.
 <span class="acronym">BIND</span> primarily supports TSIG for server
 to server communication.
 This includes zone transfer, notify, and recursive query messages.
 Resolvers based on newer versions of <span class="acronym">BIND</span> 8 have limited support
 TSIG can also be useful for dynamic update. A primary
 server for a dynamic zone should control access to the dynamic
 update service, but IP-based access control is insufficient: the
 source address of a UDP packet is trivially forged, so an
 address-based <span><strong class="command">allow-update</strong></span> list
 protects against little more than accidental updates.
 The cryptographic access control provided by TSIG
 is far superior. The <span><strong class="command">nsupdate</strong></span>
 program supports TSIG via the <code class="option">-k</code> and
 <code class="option">-y</code> command line options or inline by use
 of the <span><strong class="command">key</strong></span> command. Prefer
 <code class="option">-k</code> (read the secret from a key file) to
 <code class="option">-y</code>, which puts the secret on the command line
 where any user of the host can read it from the process list.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552616"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2552701"></a>Automatic Generation</h4></div></div></div>
 The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
 keys longer than that will be digested with MD5 to produce a 128
 <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
 The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
 Nothing directly uses this file, but the base-64 encoded string
 following "<code class="literal">Key:</code>"
 can be extracted from the file and used as a shared secret:
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
 be used as the shared secret.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2552740"></a>Manual Generation</h4></div></div></div>
 The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
 so the shared secret can be manually generated.
 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
 a similar program (such as <span><strong class="command">base64</strong></span>) to generate base-64 encoded data.
 Whatever the method, the security of TSIG rests entirely on the
 secret being unguessable: a memorable phrase that merely happens to
 be valid base-64 is a password, not a key. Take the bits from a
 cryptographic random source such as <code class="filename">/dev/random</code>
 or the <span><strong class="command">dnssec-keygen</strong></span> command above;
 the encoding step only makes them representable in
 <code class="filename">named.conf</code>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552758"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552769"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
 are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
<pre class="programlisting">key host1-host2. {
  algorithm hmac-md5;
  secret "La/E5CjG9O+os1jq0a2jdA==";
};</pre>
 The algorithm, hmac-md5, is the only one supported by the version of
 <span class="acronym">BIND</span> this manual describes; later
 <span class="acronym">BIND</span> 9 releases added the HMAC-SHA family
 (hmac-sha256 and relatives), which should be preferred wherever both ends support it.
 The secret is the one generated above. Since this is a secret, it
 is recommended that either <code class="filename">named.conf</code> be non-world
 readable, or the key directive be added to a non-world readable
 file that is included by
 At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
 signature. If the signature is successfully verified, the
 response is signed by the same key.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552808"></a>Instructing the Server to Use the Key</h3></div></div></div>
 Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
<pre class="programlisting">server 10.1.2.3 {
  keys { host1-host2. ;};
};</pre>
 Multiple keys may be present, but only the first is used.
 This directive does not contain any secrets, so it may be in a
 world-readable
 If <span class="emphasis"><em>host1</em></span> sends a message that is a request
 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
 expect any responses to signed messages to be signed with the same
 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
 sign request messages to <span class="emphasis"><em>host1</em></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552866"></a>TSIG Key Based Access Control</h3></div></div></div>
 <span class="acronym">BIND</span> allows IP addresses and ranges
 to be specified in ACL
 definitions and
 <span><strong class="command">allow-{ query | transfer | update }</strong></span>
 This has been extended to allow TSIG keys also. The above key would
 be denoted <span><strong class="command">key host1-host2.</strong></span>
 An example of an allow-update directive would be:
<pre class="programlisting">allow-update { key host1-host2. ;};</pre>
 This allows dynamic updates to succeed only if the request
 was signed by a key named
 "<span><strong class="command">host1-host2.</strong></span>".
 Note that the elements of an address match list are alternatives, not
 conditions that must all hold:
 <span><strong class="command">allow-update { 10.1.2.3; key host1-host2.; };</strong></span>
 accepts an unsigned update from 10.1.2.3 as well as a correctly signed
 update from any address, so adding an address next to a key loosens the
 list rather than tightening it.
 You may want to read about the more
 powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2552910"></a>Errors</h3></div></div></div>
 The processing of TSIG signed messages can result in
 several errors. If a signed message is sent to a non-TSIG aware
 server, a FORMERR will be returned, since the server will not
 understand the record. This is a result of misconfiguration,
 since the server must be explicitly configured to send a TSIG
 signed message to a specific server.
 If a TSIG aware server receives a message signed by an
 unknown key, the response will be unsigned with the TSIG
 extended error code set to BADKEY. If a TSIG aware server
 receives a message with a signature that does not validate, the
 response will be unsigned with the TSIG extended error code set
 to BADSIG. If a TSIG aware server receives a message with a time
 outside of the allowed range, the response will be signed with
 the TSIG extended error code set to BADTIME, and the time values
 will be adjusted so that the response can be successfully
 verified. The allowed range is the "fudge" window carried in the
 TSIG record (300 seconds in <span class="acronym">BIND</span>), so a
 run of BADTIME errors between two servers whose keys otherwise work
 almost always means an unsynchronized clock; keep both ends on NTP.
 In any of these cases, the message's rcode is set to
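 The signing and checking steps described in the sections above, as an added
 worked example in Python; it is not part of this manual and not BIND code.
 It builds a small query, signs it the way <em>host1</em> would with the
 <code class="literal">host1-host2.</code> key, and then performs the server-side
 checks in the order RFC 2845 prescribes, returning the same BADKEY, BADSIG and
 BADTIME outcomes listed above; <code class="literal">update_allowed</code> mirrors an
 <code class="literal">allow-update { key host1-host2.; };</code> list. The key name,
 secret, message contents and timestamps are constructed for the example, and
 the wire helpers do not handle name compression; they stand in for a real DNS library.

```python
"""TSIG request signing and verification per RFC 2845, an added example for
this chapter (not BIND code).  Standard library only; the wire helpers skip
name compression so the signing steps stay visible."""
import base64, hashlib, hmac, secrets, struct, time

TSIG_TYPE, CLASS_ANY = 250, 255
# Algorithm name carried in the TSIG RR -> hash.  The BIND release covered by
# this chapter only knows hmac-md5; newer servers also accept the SHA family.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}

def generate_secret(nbytes=32):
    """Random base-64 secret, the equivalent of dnssec-keygen -n HOST."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def wire_name(name):
    """Canonical wire form of a name: lower-cased labels, no compression."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def read_name(buf, off):
    """Decode an uncompressed wire name; returns (text name, next offset)."""
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(buf[off:off + n].decode())
        off += n

def build_query(qname, qtype=1, msg_id=0x1234):
    """Minimal unsigned query (constructed input): header + one question."""
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
            + wire_name(qname) + struct.pack("!HH", qtype, 1))

def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' hashed after the message (RFC 2845 3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, secret_b64, alg="hmac-sha256.", now=None, fudge=300):
    """Client side: append a TSIG RR whose MAC covers the whole request."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_variables(keyname, alg, now, fudge), ALGORITHMS[alg]).digest()
    rdata = (wire_name(alg) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def split_tsig(msg):
    """Return (message with the TSIG RR removed, parsed TSIG) or (msg, None)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, rr_start, rtype = 12, None, None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):          # the TSIG RR must be the last RR
        rr_start = off
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    if ar == 0 or rtype != TSIG_TYPE:
        return msg, None
    keyname, p = read_name(msg, rr_start)
    alg, p = read_name(msg, p + 10)
    t = {"keyname": keyname, "alg": alg, "time_signed": int.from_bytes(msg[p:p + 6], "big")}
    t["fudge"], macsize = struct.unpack("!HH", msg[p + 6:p + 10])
    t["mac"] = msg[p + 10:p + 10 + macsize]
    p += 10 + macsize
    _, t["error"], otherlen = struct.unpack("!HHH", msg[p:p + 6])
    t["other"] = msg[p + 6:p + 6 + otherlen]
    # ARCOUNT is decremented because the TSIG RR itself is not covered by the MAC.
    return msg[:10] + struct.pack("!H", ar - 1) + msg[12:rr_start], t

def verify(signed, keyring, now=None):
    """Server side.  keyring maps lower-case key name -> base-64 secret.  Returns
    'NOERROR' or the TSIG error name, checked in RFC 2845's order: unknown key
    (BADKEY), bad MAC (BADSIG), then clock skew beyond the fudge (BADTIME)."""
    now = int(time.time()) if now is None else now
    msg, t = split_tsig(signed)
    if t is None:
        return "UNSIGNED"
    secret, digest = keyring.get(t["keyname"].lower()), ALGORITHMS.get(t["alg"].lower())
    if secret is None or digest is None:
        return "BADKEY"
    expected = hmac.new(base64.b64decode(secret), msg + tsig_variables(
        t["keyname"], t["alg"], t["time_signed"], t["fudge"], t["error"], t["other"]),
        digest).digest()
    if not hmac.compare_digest(expected, t["mac"]):
        return "BADSIG"
    if abs(now - t["time_signed"]) > t["fudge"]:
        return "BADTIME"
    return "NOERROR"

def update_allowed(signed, keyring, allow_update_keys, now=None):
    """allow-update { key NAME; } semantics: the signature verifies AND the
    signing key's name is in the list; the source address plays no part."""
    if verify(signed, keyring, now) != "NOERROR":
        return False
    return split_tsig(signed)[1]["keyname"].lower() in {k.lower() for k in allow_update_keys}
```

 The order of the checks is the point to notice: the time window is only
 examined after the MAC has verified, so a BADTIME response proves that the
 peer holds the right secret and that the two clocks disagree, whereas a
 BADSIG says nothing about the clocks at all.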
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2552924"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
 is a mechanism for automatically generating a shared secret
 between two hosts. There are several "modes" of
 <span><strong class="command">TKEY</strong></span> that specify how the key is generated
 or assigned. <span class="acronym">BIND</span> 9 implements only one of
 these modes, the Diffie-Hellman key exchange. Both hosts are
 required to have a Diffie-Hellman KEY record (although this
 record is not required to be present in a zone). The
 <span><strong class="command">TKEY</strong></span> process must use signed messages,
 signed either by TSIG or SIG(0). The result of
 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
 used to delete shared secrets that it had previously
 The <span><strong class="command">TKEY</strong></span> process is initiated by a
 or server by sending a signed <span><strong class="command">TKEY</strong></span>
 (including any appropriate KEYs) to a TKEY-aware server. The
 server response, if it indicates success, will contain a
 <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
 this exchange, both participants have enough information to
 determine the shared secret; the exact process depends on the
 <span><strong class="command">TKEY</strong></span> mode. When using the
 Diffie-Hellman
 <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
 and the shared secret is derived by both participants.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2552973"></a>SIG(0)</h2></div></div></div>
 <span class="acronym">BIND</span> 9 partially supports DNSSEC SIG(0)
 transaction signatures as specified in RFC 2535 and RFC 2931.
 uses public/private keys to authenticate messages. Access control
 is performed in the same manner as TSIG keys; privileges can be
 granted or denied based on the key name.
 When a SIG(0) signed message is received, it will only be
 verified if the key is known and trusted by the server; the server
 will not attempt to locate and/or validate the key.
 SIG(0) signing of multiple-message TCP streams is not
 The only tool shipped with <span class="acronym">BIND</span> 9 that
 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
 Cryptographic authentication of DNS information is possible
 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
 defined in RFC 4033, RFC 4034 and RFC 4035.
 This section describes the creation and use of DNSSEC signed zones.
 In order to set up a DNSSEC secure zone, there are a series
 of steps which must be followed. <span class="acronym">BIND</span>
 with several tools
 that are used in this process, which are explained in more detail
 below. In all cases, the <code class="option">-h</code> option prints a
 full list of parameters. Note that the DNSSEC tools require the
 keyset files to be in the working directory or the
 directory specified by the <code class="option">-d</code> option, and
 that the tools shipped with BIND 9.2.x and earlier are not compatible
 with the current ones.
 There must also be communication with the administrators of
 the parent and/or child zone to transmit keys. A zone's security
 status must be indicated by the parent zone for a DNSSEC capable
 resolver to trust its data. This is done through the presence
 or absence of a <code class="literal">DS</code> record at the
 For other servers to trust data in this zone, they must
 either be statically configured with this zone's zone key or the
 zone key of another zone above this one in the DNS tree.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2553110"></a>Generating Keys</h3></div></div></div>
 The <span><strong class="command">dnssec-keygen</strong></span> program is used to
 generate keys.
 A secure zone must contain one or more zone keys. The
 zone keys will sign all other records in the zone, as well as
 the zone keys of any secure delegated zones. Zone keys must
 have the same name as the zone, a name type of
 <span><strong class="command">ZONE</strong></span>, and must be usable for
 authentication.
 It is recommended that zone keys use a cryptographic algorithm
 designated as "mandatory to implement" by the IETF; currently
 the only one is RSASHA1. That recommendation, and the 768 bit
 key size in the example below, reflect the standards of the time
 this manual was written: 768 bit RSA keys are factorable with
 modest resources today and RSASHA1 is no longer recommended for
 signing, so a current deployment should use RSASHA256 with keys of
 at least 2048 bits, or ECDSAP256SHA256. The example is kept as it
 is so that it matches the file names that follow.
 The following command will generate a 768 bit RSASHA1 key for
 the <code class="filename">child.example</code> zone:
 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
 Two output files will be produced:
 <code class="filename">Kchild.example.+005+12345.key</code> and
 <code class="filename">Kchild.example.+005+12345.private</code>
 12345 is an example of a key tag). The key file names contain
 the key name (<code class="filename">child.example.</code>),
 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
 The private key (in the <code class="filename">.private</code>
 used to generate signatures, and the public key (in the
 <code class="filename">.key</code> file) is used for signature
 verification.
 To generate another key with the same properties (but with
 a different key tag), repeat the above command.
 The public keys should be inserted into the zone file by
 including the <code class="filename">.key</code> files using
 <span><strong class="command">$INCLUDE</strong></span> statements.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2553248"></a>Signing the Zone</h3></div></div></div>
 The <span><strong class="command">dnssec-signzone</strong></span> program is used
 Any <code class="filename">keyset</code> files corresponding
 to secure subzones should be present. The zone signer will
 generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
 records for the zone, as well as <code class="literal">DS</code> records for
 the child zones if <code class="literal">'-g'</code> is specified
 (the <code class="literal">'-d'</code> option only names the directory in
 which the keyset and dsset files are looked for).
 If <code class="literal">'-g'</code> is not specified then
 DS RRsets for
 the secure child zones need to be added manually.
 The following command signs the zone, assuming it is in a
 file called <code class="filename">zone.child.example</code>. By
 default, all zone keys which have an available private key are
 used to generate signatures.
 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
 One output file is produced:
 <code class="filename">zone.child.example.signed</code>. This
 should be referenced by <code class="filename">named.conf</code>
 input file for the zone.
<p><span><strong class="command">dnssec-signzone</strong></span>
 will also produce keyset and dsset files and optionally a
 dlvset file. These are used to provide the parent zone
 administrators with the <code class="literal">DNSKEYs</code> (or their
 corresponding <code class="literal">DS</code> records) that are the
 secure entry point to the zone.
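 The key tag and DS computation that the tools above perform, as an added
 worked example in Python; it is not BIND code, and the sample DNSKEY line it
 uses is constructed (four placeholder bytes stand in for an RSA public key).
 It reproduces the key tag that appears in the
 <code class="filename">K&lt;name&gt;+&lt;alg&gt;+&lt;tag&gt;</code> file names and the
 <code class="literal">DS</code> record that ends up in the dsset file handed to the
 parent, and it refuses a key without the SEP bit, since the DS is meant to point
 at the key presented as the secure entry point (the 257 in the trusted-keys
 examples later in this chapter).

```python
"""Key tag (RFC 4034 appendix B) and DS record (RFC 4034 section 5) for a
DNSKEY, the data dnssec-signzone writes to the dsset file and the parent
publishes.  Added example, not BIND code; standard library only.  The key
material in the usage below is constructed bytes, not a real RSA key."""
import base64, hashlib, struct

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash
SEP_FLAG = 0x0001           # "secure entry point" bit; 257 = zone key + SEP

def wire_name(name):
    """Canonical wire form of the owner name (lower-case, RFC 4034 6.2)."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 appendix B: sum of the RDATA as big-endian 16-bit words,
    carry folded back in, truncated to 16 bits.  This is the number in the
    K<name>+<alg>+<tag> file names and in DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line such as the contents of a .key
    file: 'owner [ttl] [IN] DNSKEY flags protocol algorithm key...'."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in tokens[i + 1:i + 4])
    return tokens[0], flags, protocol, algorithm, "".join(tokens[i + 4:])

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS RR the parent publishes for this key, in presentation format.
    The digest is over the canonical owner name followed by the DNSKEY RDATA."""
    if not flags & SEP_FLAG:
        raise ValueError("DS records are meant to point at a key with the SEP bit (flags 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DS_DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner.lower(), key_tag(rdata), algorithm, digest_type, digest)

def ds_from_key_file(line, digest_type=2):
    """Convenience: one .key file line -> DS record text for the parent."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    return ds_record(owner, flags, protocol, algorithm, key, digest_type)

if __name__ == "__main__":
    # Constructed sample: four bytes standing in for an RSA public key.
    print(ds_from_key_file("child.example. IN DNSKEY 257 3 5 AQIDBA=="))
```

 Because the owner name is lower-cased before hashing, the DS for
 <code class="literal">Child.Example.</code> and for
 <code class="literal">child.example.</code> are identical; a mismatch between a
 hand-computed DS and the one in the dsset file is usually a case or
 trailing-dot problem in the owner name rather than a key problem.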
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<div class="titlepage"><div><div><h3 class="title">
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<a name="id2553326"></a>Configuring Servers</h3></div></div></div>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington To enable <span><strong class="command">named</strong></span> to respond appropriately
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews to DNS requests from DNSSEC aware clients
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington To enable <span><strong class="command">named</strong></span> to validate answers from
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington other servers both <span><strong class="command">dnssec-enable</strong></span> and
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <span><strong class="command">dnssec-validate</strong></span> must be set and some
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington some <span><strong class="command">trusted-keys</strong></span> must be configured
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington into <code class="filename">named.conf</code>.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington for zones that are used to form the first link the the
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington cryptographic chain of trust. All keys listed in
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington are deemed to exist and only the listed keys will be used
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews to validated the DNSKEY RRset that they are from.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews <span><strong class="command">trusted-keys</strong></span> are described in more detail
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews later in this document.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews Unlike <span class="acronym">BIND</span> 8, <span class="acronym">BIND</span>
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews 9 does not verify signatures on load, so zone keys for
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews authoritative zones do not need to be specified in the
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews configuration file.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews After DNSSEC gets established, a typical DNSSEC configuration
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews will look something like the following. It has a one or
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews more public keys for the root. This allows answers from
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews outside the organization to be validated. It will also
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews have several keys for parts of the namespace the organization
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews controls. These are here to ensure that named is immune
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews to compromises in the DNSSEC components of the security
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews of parent zones.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrewstrusted-keys {
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews /* Root Key */
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews/* Key for our organization's forward zone */
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrewsexample.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn";
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews/* Key for our reverse zone. */
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews2.0.192.IN-ADDR.ARPA. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD";
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews};
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrewsoptions {
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews dnssec-enable yes;
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews dnssec-validation yes;
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews};
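As an added illustration that is not part of the manual and not code from BIND, the following Python script parses a trusted-keys stanza written in the syntax shown above and runs the checks an operator would want before trusting a configured anchor: it decodes the base64 (tolerating the line breaks named allows inside the quoted key), verifies protocol 3 and the ZONE/SEP flags, and computes the RFC 4034 key tag so the configured anchor can be compared with the key tag of the published DNSKEY or DS for that zone. The named.conf fragment and its four-byte "key" are constructed for the example and are not real keys.

```python
import base64
import re
import struct

# Constructed named.conf fragment (illustration only). The base64 blob is a
# made-up 4-byte value, not a real DNSKEY; example.com is the documentation zone.
SAMPLE_CONF = """
trusted-keys {
    /* Key for our organization's forward zone (constructed) */
    example.com. 257 3 5 "AAEA
                          Ag==";
};
"""

# name flags protocol algorithm "base64" ;   (the base64 may span lines)
KEY_RE = re.compile(r'(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


def parse_trusted_keys(conf):
    """Return one dict per key found in trusted-keys { ... } blocks."""
    # Strip C-style comments only: '//' is legal inside base64, so a naive
    # line-comment stripper could silently corrupt a key.
    text = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    keys = []
    for block in re.finditer(r'trusted-keys\s*\{(.*?)\}\s*;', text, flags=re.S):
        for m in KEY_RE.finditer(block.group(1)):
            name, flags, proto, alg, b64 = m.groups()
            # named tolerates whitespace inside the quoted base64; remove it
            # before decoding so that bad characters are still rejected.
            pubkey = base64.b64decode(re.sub(r'\s+', '', b64), validate=True)
            keys.append({'name': name.strip('"').lower(), 'flags': int(flags),
                         'protocol': int(proto), 'algorithm': int(alg),
                         'pubkey': pubkey})
    return keys


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA as defined in RFC 4034, Appendix B."""
    if algorithm == 1:
        raise ValueError('RSA/MD5 (algorithm 1) uses a different key-tag rule')
    rdata = struct.pack('!HBB', flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_trust_anchor(key):
    """Plausibility checks for a configured anchor; returns a list of problems."""
    problems = []
    if key['protocol'] != 3:
        problems.append('protocol must be 3 for DNSSEC')
    if not key['flags'] & 0x0100:
        problems.append('ZONE flag (256) not set: this is not a zone key')
    if not key['flags'] & 0x0001:
        problems.append('SEP flag (1) not set: usually a ZSK rather than a KSK')
    if not key['name'].endswith('.'):
        problems.append('owner name should be fully qualified')
    return problems


def report(conf):
    """(name, key tag, problems) for every anchor in the fragment."""
    return [(k['name'],
             key_tag(k['flags'], k['protocol'], k['algorithm'], k['pubkey']),
             check_trust_anchor(k))
            for k in parse_trusted_keys(conf)]


if __name__ == '__main__':
    for name, tag, problems in report(SAMPLE_CONF):
        print(name, 'key tag', tag, problems or 'ok')
```

The key tag is the value to compare against the DS record in the parent (or the tag printed by dnssec-keygen for the zone's own KSK); a mismatch means the anchor in named.conf is stale or was pasted incorrectly.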
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews None of the keys listed in this example are valid. In particular,
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews the root key is not valid.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<a name="id2553401"></a>IPv6 Support in <span class="acronym">BIND</span> 9</h2></div></div></div>
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews <span class="acronym">BIND</span> 9 fully supports all currently
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews defined forms of IPv6
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews name-to-address and address-to-name lookups. It will also use
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews IPv6 addresses to make queries when running on an IPv6-capable
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews For forward lookups, <span class="acronym">BIND</span> 9 supports
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews only AAAA records. RFC 3363 deprecated the use of A6 records,
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews and client-side support for A6 records was accordingly removed
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews However, authoritative <span class="acronym">BIND</span> 9 name servers still
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews load zone files containing A6 records correctly, answer queries
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews for A6 records, and accept zone transfer for a zone containing A6
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews For IPv6 reverse lookups, <span class="acronym">BIND</span> 9 supports
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews the traditional "nibble" format used in the
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews <span class="emphasis"><em>ip6.int</em></span> domain.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Older versions of <span class="acronym">BIND</span> 9
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews supported the "binary label" (also known as "bitstring") format,
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews but support of binary labels has been completely removed per
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews Many applications in <span class="acronym">BIND</span> 9 no longer understand
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews the binary label format at all, and will return an
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews error if given one.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews In particular, an authoritative <span class="acronym">BIND</span> 9
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews name server will not load a zone file containing binary labels.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews For an overview of the format and structure of IPv6 addresses,
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<div class="titlepage"><div><div><h3 class="title">
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<a name="id2553531"></a>Address Lookups Using AAAA Records</h3></div></div></div>
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews The IPv6 AAAA record is a parallel to the IPv4 A record,
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews and, unlike the deprecated A6 record, specifies the entire
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews IPv6 address in a single record. For example,
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrewshost 3600 IN AAAA 2001:db8::1
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews Use of IPv4-in-IPv6 mapped addresses is not recommended.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews If a host has an IPv4 address, use an A record, not
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews the address.
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<div class="titlepage"><div><div><h3 class="title">
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<a name="id2553553"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews When looking up an address in nibble format, the address
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews components are simply reversed, just as in IPv4, and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews <code class="literal">ip6.arpa.</code> is appended to the
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews resulting name.
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson For example, the following would provide reverse name lookup for
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson a host with address
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
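The nibble conversion described above, as an added Python example that is not part of the manual: it builds the ip6.arpa name for an address, recovers the address from such a name (rejecting anything that is not a complete 32-nibble name), splits the name into $ORIGIN and owner at a delegation boundary (the /64 case reproduces the zone fragment above), and, for the AAAA section, reports whether an address belongs in an A or an AAAA record, flagging IPv4-mapped addresses. The addresses are the documentation ones used on this page and host.example.com. is the page's example name.

```python
import ipaddress


def nibble_reverse_name(addr):
    """Full ip6.arpa name: the 32 nibbles of the address, reversed, one per label."""
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(':', '')      # 32 hex digits, leading zeros kept
    return '.'.join(reversed(nibbles)) + '.ip6.arpa.'


def address_from_nibble_name(name):
    """Inverse of nibble_reverse_name; accepts only a complete 32-nibble name."""
    labels = name.lower().rstrip('.').split('.')
    if len(labels) != 34 or labels[-2:] != ['ip6', 'arpa']:
        raise ValueError('not a complete nibble-format ip6.arpa name')
    hexdigits = ''.join(reversed(labels[:-2]))
    if any(c not in '0123456789abcdef' for c in hexdigits):
        raise ValueError('each label must be a single hex digit')
    return str(ipaddress.IPv6Address(int(hexdigits, 16)))


def ptr_stanza(addr, prefix_len, hostname, ttl=14400):
    """$ORIGIN line plus PTR record, split at the delegated prefix boundary.

    Reverse delegations happen on nibble (4-bit) boundaries, so prefix_len
    must be a multiple of 4.
    """
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError('prefix length must be a multiple of 4 between 4 and 128')
    labels = nibble_reverse_name(addr).split('.')[:32]   # drop 'ip6', 'arpa', ''
    n = prefix_len // 4                                   # labels owned by the prefix
    owner = '.'.join(labels[:32 - n]) or '@'              # '@' when the name is the origin
    origin = '.'.join(labels[32 - n:]) + '.ip6.arpa.'
    return '$ORIGIN %s\n%s %d IN PTR %s' % (origin, owner, ttl, hostname)


def recommended_record(addr):
    """Which forward record to publish: A for IPv4 and IPv4-mapped, else AAAA."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ('A', str(ip))
    mapped = ip.ipv4_mapped
    if mapped is not None:          # ::ffff:a.b.c.d belongs in an A record, not a AAAA
        return ('A', str(mapped))
    return ('AAAA', str(ip))


if __name__ == '__main__':
    print(ptr_stanza('2001:db8::1', 64, 'host.example.com.'))
    print(recommended_record('::ffff:192.168.42.1'))
```

Running the block prints the same two-line zone fragment as above for 2001:db8::1 in a /64 delegation, and reports that ::ffff:192.168.42.1 should be published as an A record for 192.168.42.1.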
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<table width="100%" summary="Navigation footer">
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<td width="40%" align="left" valign="top">Chapter&nbsp;3.&nbsp;Name Server Configuration&nbsp;</td>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
5bf504f5534eab29c9e52f6e8b75c73b3901743fMark Andrews<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;5.&nbsp;The <span class="acronym">BIND</span> 9 Lightweight Resolver</td>