Bv9ARM.ch04.html revision 6825f304c5f0cc2d4ba22fa2b6f7a431f9c1de59
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Copyright (C) 2000-2003 Internet Software Consortium.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Permission to use, copy, modify, and/or distribute this software for any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - purpose with or without fee is hereby granted, provided that the above
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson - copyright notice and this permission notice appear in all copies.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - PERFORMANCE OF THIS SOFTWARE.
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<tr><th colspan="3" align="center">Chapter&nbsp;4.&nbsp;Advanced DNS Features</th></tr>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h1 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h1></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
3ba6d0298ae3414ab12f1a6ae35e14b119f4311eAndreas Gustafsson<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Address Lookups Using AAAA Records</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.7">Address to Name Lookups Using Nibble Format</a></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce servers to notify their slave servers of changes to a zone's data. In
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce slave will check to see that its version of the zone is the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce current version and, if not, initiate a zone transfer.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For more information about <acronym class="acronym">DNS</acronym>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>NOTIFY</strong></span>, see the description of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the description of the zone option <span class="command"><strong>also-notify</strong></span> in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce protocol is specified in RFC 1996.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zones that it loads.
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson<div class="titlepage"><div><div><h2 class="title" style="clear: both">
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Dynamic Update is a method for adding, replacing or deleting
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce records in a master server by sending it a special form of DNS
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce messages. The format and meaning of these messages is specified
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson Dynamic update is enabled by including an
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce clause in the <span class="command"><strong>zone</strong></span> statement.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If the zone's <span class="command"><strong>update-policy</strong></span> is set to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <strong class="userinput"><code>local</code></strong>, updates to the zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be permitted for the key <code class="varname">local-ddns</code>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce which will be generated by <span class="command"><strong>named</strong></span> at startup.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Dynamic updates using Kerberos signed requests can be made
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by setting the <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Kerberos signed requests will be matched against the update
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce policies for the zone, using the Kerberos principal as the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signer for the request.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Updating of secure zones (zones using DNSSEC) follows RFC
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 3007: RRSIG, NSEC and NSEC3 records affected by updates are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce automatically regenerated by the server using an online
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone key. Update authorization is based on transaction
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures and an explicit server policy.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="journal"></a>The journal file</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce All changes made to a zone using dynamic update are stored
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in the zone's journal file. This file is automatically created
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by the server when the first dynamic update takes place.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The name of the journal file is formed by appending the extension
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">.jnl</code> to the name of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce corresponding zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file unless specifically overridden. The journal file is in a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce binary format and should not be edited manually.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The server will also occasionally write ("dump")
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the complete contents of the updated zone to its zone file.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This is not done immediately after
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce each dynamic update, because that would be too slow when a large
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson zone is updated frequently. Instead, the dump is delayed by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce up to 15 minutes, allowing additional updates to take place.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce During the dump process, transient files will be created
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson with the extensions <code class="filename">.jnw</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">.jbk</code>; under ordinary circumstances, these
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be removed when the dump is complete, and can be safely
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce When a server is restarted after a shutdown or crash, it will replay
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the journal file to incorporate into the zone any updates that took
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce place after the last zone dump.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Changes that result from incoming incremental zone transfers are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce journalled in a similar way.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The zone files of dynamic zones cannot normally be edited by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce hand because they are not guaranteed to contain the most recent
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce dynamic changes — those are only in the journal file.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The only way to ensure that the zone file of a dynamic zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If you have to make changes to a dynamic zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce manually, the following procedure will work:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Disable dynamic updates to the zone using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This will update the zone's master file with the changes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce stored in its <code class="filename">.jnl</code> file.
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson Edit the zone file. Run
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson to reload the changed zone and re-enable dynamic updates.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will update the zone file with changes from the journal file
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce without stopping dynamic updates; this may be useful for viewing
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the current zone state. To remove the <code class="filename">.jnl</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file after updating the zone file, use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>rndc sync -clean</strong></span>.
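The freeze, edit, thaw procedure above, as an added POSIX shell example that is not part of the BIND ARM: the edited file is checked with named-checkzone before the thaw, and the pre-edit copy is restored if the check fails, so the zone is never reloaded from a file named would reject. It assumes rndc and named-checkzone are on PATH and that rndc can reach the local named; the RNDC and CHECKZONE variables and the .pre-edit backup name are conventions of this example only.

```shell
#!/bin/sh
# Added example (not from the BIND ARM): hand-edit a dynamic zone safely.
# Assumptions: rndc and named-checkzone are on PATH and rndc can reach
# the local named. RNDC and CHECKZONE can be overridden for dry runs.
RNDC="${RNDC:-rndc}"
CHECKZONE="${CHECKZONE:-named-checkzone}"

# apply_zone_edit ZONE ZONEFILE NEWFILE
#   1. rndc freeze ZONE: pause dynamic updates and flush the .jnl into ZONEFILE
#   2. keep a copy of ZONEFILE, then install NEWFILE in its place
#   3. named-checkzone ZONE ZONEFILE: reject a file that would not load,
#      restoring the copy so the thaw always reloads a loadable zone
#   4. rndc thaw ZONE: reload the zone and re-enable dynamic updates
# Exit status: 0 edit accepted, 1 edit rejected and rolled back, 2 rndc failed.
apply_zone_edit() {
    zone=$1
    zonefile=$2
    newfile=$3
    backup="$zonefile.pre-edit"   # backup name is this example's convention
    status=0

    # Freeze first so the backup already contains the latest journalled updates.
    if ! "$RNDC" freeze "$zone"; then
        echo "apply_zone_edit: rndc freeze $zone failed, nothing changed" >&2
        return 2
    fi

    if ! cp -p "$zonefile" "$backup"; then
        echo "apply_zone_edit: cannot back up $zonefile, thawing untouched zone" >&2
        "$RNDC" thaw "$zone"
        return 2
    fi
    cp "$newfile" "$zonefile"

    if "$CHECKZONE" -q "$zone" "$zonefile"; then
        echo "apply_zone_edit: $zone: new zone file accepted"
    else
        echo "apply_zone_edit: $zone: new zone file rejected, restoring $backup" >&2
        cp -p "$backup" "$zonefile"
        status=1
    fi

    # Thaw unconditionally; otherwise the zone stays frozen and keeps
    # refusing dynamic updates.
    "$RNDC" thaw "$zone" || status=2
    return "$status"
}
```

Call it as `apply_zone_edit example.com /var/named/db.example /tmp/db.example.new` after preparing the edited copy; a non-zero status means the live zone file is unchanged.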
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The incremental zone transfer (IXFR) protocol is a way for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce slave servers to transfer only changed data, instead of having to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transfer the entire zone. The IXFR protocol is specified in RFC
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When acting as a master, <acronym class="acronym">BIND</acronym> 9
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce supports IXFR for those zones
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce where the necessary change history information is available. These
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce include master zones maintained by dynamic update and slave zones
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce whose data was obtained by IXFR. For manually maintained master
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zones, and for slave zones obtained by performing a full zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transfer (AXFR), IXFR is supported only if the option
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>ixfr-from-differences</strong></span> is set
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to <strong class="userinput"><code>yes</code></strong>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce attempt to use IXFR unless
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it is explicitly disabled. For more information about disabling
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of the <span class="command"><strong>server</strong></span> statement.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="split_dns"></a>Split DNS</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Setting up different views, or visibility, of the DNS space to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce internal and external resolvers is usually referred to as a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="emphasis"><em>Split DNS</em></span> setup. There are several
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce reasons an organization would want to set up its DNS this way.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce One common reason for setting up a DNS system this way is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to hide "internal" DNS information from "external" clients on the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Internet. There is some debate as to whether or not this is actually
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Internal DNS information leaks out in many ways (via email headers,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for example) and most savvy "attackers" can find the information
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce they need using other means.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce However, since listing addresses of internal servers that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce external clients cannot possibly reach can result in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce connection delays and other annoyances, an organization may
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce choose to use a Split DNS to present a consistent view of itself
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to the outside world.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Another common reason for setting up a Split DNS system is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to allow internal networks that are behind filters or in RFC 1918
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce space (reserved IP space, as documented in RFC 1918) to resolve DNS
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce on the Internet. Split DNS can also be used to allow mail from outside
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce back in to the internal network.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce has several corporate sites that have an internal network with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Internet Protocol (IP) space and an external demilitarized zone (DMZ),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or "outside" section of a network, that is available to the public.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be able to resolve external hostnames and to exchange mail with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce people on the outside. The company also wants its internal resolvers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to have access to certain internal-only zones that are not available
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce at all outside of the internal network.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In order to accomplish this, the company will set up two sets
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of name servers. One set will be on the inside network (in the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce IP space) and the other set will be on bastion hosts, which are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce hosts that can talk to both sides of its network, in the DMZ.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson The internal servers will be configured to forward all queries,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and <code class="filename">site2.example.com</code>, to the servers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in the DMZ. These internal servers will have complete sets of information
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the internal name servers must be configured to disallow all queries
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to these domains from any external hosts, including the bastion
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The external servers, which are on the bastion hosts, will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This could include things such as the host records for public servers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should have special MX records that contain wildcard (`*') records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce pointing to the bastion hosts. This is needed because external mail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce servers do not have any other way of looking up how to deliver mail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to those internal hosts. With the wildcard records, the mail will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be delivered to the bastion host, which can then forward it on to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce internal hosts.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Here's an example of a wildcard MX record:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Now that they accept mail on behalf of anything in the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce network, the bastion hosts will need to know how to deliver mail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to internal hosts. In order for this to work properly, the resolvers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce on the bastion hosts will need to be configured to point to the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name servers for DNS resolution.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Queries for internal hostnames will be answered by the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce servers, and queries for external hostnames will be forwarded back
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce out to the DNS servers on the bastion hosts.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In order for all this to work properly, internal clients will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce need to be configured to query <span class="emphasis"><em>only</em></span> the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name servers for DNS queries. This could also be enforced via
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce filtering on the network.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If everything has been set up properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
ab19d688255b3a333a41b4ebe6f4213538e89c2aEric Luce internal clients will now be able to:
ab19d688255b3a333a41b4ebe6f4213538e89c2aEric Luce<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Look up any hostnames in the <code class="literal">site1</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="literal">site2.example.com</code> zones.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Look up any hostnames in the <code class="literal">site1.internal</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="literal">site2.internal</code> domains.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Look up any hostnames on the Internet.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Exchange mail with both internal and external people.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Hosts on the Internet will be able to:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Look up any hostnames in the <code class="literal">site1</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="literal">site2.example.com</code> zones.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem">Exchange mail with anyone in the <code class="literal">site1</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="literal">site2.example.com</code> zones.</li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Here is an example configuration for the setup just
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce described. Note that this is only configuration information;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Internal DNS server config:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl externals { <code class="varname">bastion-ips-go-here</code>; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forward only;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // forward to external servers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // sample allow-transfer (no one)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { none; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // restrict query access
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // restrict recursion
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-recursion { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// sample master zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // do normal iterative resolution (do not forward)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// sample slave zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce masters { 172.16.72.3; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce masters { 172.16.72.3; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce External (bastion host) DNS server config:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl externals { bastion-ips-go-here; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // sample allow-transfer (no one)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { none; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // default query access
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { any; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // restrict cache access
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query-cache { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // restrict recursion
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-recursion { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// sample master zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce masters { another_bastion_host_maybe; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; externals; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In the <code class="filename">resolv.conf</code> (or equivalent) on
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the bastion host(s):
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.2
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.3
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.4
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce messages, originally specified in RFC 2845. It allows DNS messages
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be cryptographically signed using a shared secret. TSIG can
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used in any DNS transaction, as a way to restrict access to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce certain server functions (e.g., recursive queries) to authorized
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce clients when IP-based access control is insufficient or needs to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be overridden, or as a way to ensure message authenticity when it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is critical to the integrity of the server, such as with dynamic
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce UPDATE messages or zone transfers from a master to a slave server.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce It describes the configuration syntax and the process of creating
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce communication, and some of the tools included with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <acronym class="acronym">BIND</acronym> support it for sending messages to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span>:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">-k</code>, <code class="option">-l</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">-y</code> command line options, or via
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the <span class="command"><strong>key</strong></span> command when running
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce interactively.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">-k</code> and <code class="option">-y</code> command
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce line options.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce command; the output of the command is a <span class="command"><strong>key</strong></span> directive
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce suitable for inclusion in <code class="filename">named.conf</code>. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key name, algorithm and size can be specified by command line parameters;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Any string which is a valid DNS name can be used as a key name.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For example, a key to be shared between servers called
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be called "host1-host2.", and this key could be generated using:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce $ tsig-keygen host1-host2. > host1-host2.key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This key may then be copied to both hosts. The key name and secret
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce must be identical on both hosts.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (Note: copying a shared secret from one server to another is beyond
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the scope of the DNS. A secure transport mechanism should be used:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce secure FTP, SSL, ssh, telephone, encrypted email, etc.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>tsig-keygen</strong></span> can also be run as
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce additional configuration text for setting up dynamic DNS in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span>. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for details.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For a key shared between servers called
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the following could be added to each server's
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucekey "host1-host2." {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce algorithm hmac-sha256;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (This is the same key generated above using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>tsig-keygen</strong></span>.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Since this text contains a secret, it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is recommended that either <code class="filename">named.conf</code> not be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce world-readable, or that the <span class="command"><strong>key</strong></span> directive
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be stored in a file which is not world-readable, and which is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce included in <code class="filename">named.conf</code> via the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>include</strong></span> directive.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Once a key has been added to <code class="filename">named.conf</code> and the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server has been restarted or reconfigured, the server can recognize
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the key. If the server receives a message signed by the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key, it will be able to verify the signature. If the signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is valid, the response will be signed using the same key.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TSIG keys that are known to a server can be listed using the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce command <span class="command"><strong>rndc tsig-list</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson A server sending a request to another server must be told whether
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson to use a key, and if so, which key to use.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson For example, a key may be specified for each server in the
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson <span class="command"><strong>masters</strong></span> statement in the definition of a
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson slave zone; in this case, all SOA QUERY messages, NOTIFY
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson messages, and zone transfer requests (AXFR or IXFR) will be
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson signed using the specified key. Keys may also be specified
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson in the <span class="command"><strong>also-notify</strong></span> statement of a master
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson or slave zone, causing NOTIFY messages to be signed using
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson the specified key.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson Keys can also be specified in a <span class="command"><strong>server</strong></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson signed using the <span class="command"><strong>host1-host2.</strong></span> key:
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafssonserver 10.1.2.3 {
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson keys { host1-host2. ;};
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson statement, but only the first one is used. As this directive does
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson not contain secrets, it can be used in a world-readable file.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson would <span class="emphasis"><em>not</em></span> be signed, unless a similar
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson configuration file.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson Whenever any server sends a TSIG-signed DNS request, it will expect
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson the response to be signed with the same key. If a response is not
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson signed, or if the signature is not valid, the response will be
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson<a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson TSIG keys may be specified in ACL definitions and ACL directives
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson and <span class="command"><strong>allow-update</strong></span>.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson The above key would be denoted in an ACL element as
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson <span class="command"><strong>key host1-host2.</strong></span>
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson An example of an <span class="command"><strong>allow-update</strong></span> directive using
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafssonallow-update { !{ !localnets; any; }; key host1-host2. ;};
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson This allows dynamic updates to succeed only if the UPDATE
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson request comes from an address in <span class="command"><strong>localnets</strong></span>,
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson <span class="emphasis"><em>and</em></span> if it is signed using the
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson <span class="command"><strong>host1-host2.</strong></span> key.
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson the more flexible <span class="command"><strong>update-policy</strong></span> statement.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Processing of TSIG-signed messages can result in several errors:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If a TSIG-aware server receives a message signed by an
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce unknown key, the response will be unsigned, with the TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce extended error code set to BADKEY.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If a TSIG-aware server receives a message from a known key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce but with an invalid signature, the response will be unsigned,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with the TSIG extended error code set to BADSIG.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If a TSIG-aware server receives a message with a time
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce outside of the allowed range, the response will be signed, with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the TSIG extended error code set to BADTIME, and the time values
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be adjusted so that the response can be successfully
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In all of the above cases, the server will return a response code
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of NOTAUTH (not authenticated).
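The behaviour described in the TSIG sections above (a loaded key signing a request, the response signed with the same key, and the BADKEY, BADSIG and BADTIME outcomes of the Errors list), worked through as an added example; this is not BIND's code. It uses the host1-host2. key from the text; the keyring, the SOA query for site2.example.com, the timestamps and the hypothetical "other." key are constructed.

```python
"""TSIG request/response signing (RFC 2845) in pure Python.  Added example, not
BIND's code: the key name, algorithm and secret are the ones in the ARM text;
the keyring, the query, the timestamps and the "other." key are constructed."""
import base64, hashlib, hmac, struct

TSIG_TYPE, CLASS_ANY = 250, 255
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18        # TSIG extended error codes
DIGESTS = {"hmac-sha256.": hashlib.sha256}
KEYRING = {"host1-host2.": ("hmac-sha256.",             # constructed keyring: the ARM's own key
           base64.b64decode("DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY="))}

def wire_name(name):
    """Canonical wire form (lowercase, uncompressed), as the TSIG digest requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(buf, off):
    """Decode a name at off, following compression pointers; returns (name, next off)."""
    labels, end = [], None
    while True:
        n = buf[off]
        if (n & 0xC0) == 0xC0:                               # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(buf[off:off + n].decode())
        off += n

def take(fmt, buf, off):
    """Unpack fmt at off; returns (values, offset just past them)."""
    size = struct.calcsize(fmt)
    return struct.unpack(fmt, buf[off:off + size]), off + size

def build_query(qid, qname, qtype=6):
    """Minimal query; type 6 = SOA, the check a slave sends to its master."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)

def digest_input(msg, key_name, alg, t, fudge, error, other, request_mac):
    """Bytes the MAC covers (RFC 2845 3.4): [request MAC] + message + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
                 + struct.pack("!HIHHH", t >> 32, t & 0xFFFFFFFF, fudge, error, len(other)) + other)
    return prefix + msg + variables

def tsig_sign(msg, key_name, keyring, t, fudge=300, request_mac=b""):
    """Append a TSIG RR (error NOERROR, no other data); returns (signed message, MAC)."""
    alg, secret = keyring[key_name]
    mac = hmac.new(secret, digest_input(msg, key_name, alg, t, fudge, NOERROR, b"", request_mac),
                   DIGESTS[alg]).digest()
    rdata = (wire_name(alg) + struct.pack("!HIHH", t >> 32, t & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], NOERROR, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1         # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr, mac

def tsig_verify(wire, keyring, now, request_mac=b""):
    """Check the TSIG RR ending wire; returns (TSIG error, key name, MAC)."""
    (qd, an, ns, ar), off = take("!HHHH", wire, 4)
    for _ in range(qd):
        off = read_name(wire, off)[1] + 4
    for _ in range(an + ns + ar - 1):                        # skip every RR before the TSIG
        off = read_name(wire, off)[1]
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(wire, off)
    (rtype, rclass, _ttl, _rdlen), off = take("!HHIH", wire, off)
    if (rtype, rclass) != (TSIG_TYPE, CLASS_ANY):
        raise ValueError("last additional-section RR is not a TSIG record")
    alg, off = read_name(wire, off)
    (hi, lo, fudge, macsize), off = take("!HIHH", wire, off)
    t, mac, off = (hi << 32) | lo, wire[off:off + macsize], off + macsize
    (orig_id, error, otherlen), off = take("!HHH", wire, off)
    other = wire[off:off + otherlen]
    # The message as it was before signing: original ID, ARCOUNT - 1, TSIG RR removed.
    msg = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:tsig_start]
    if key_name not in keyring or keyring[key_name][0] != alg:
        return BADKEY, key_name, mac                         # unknown key: reply unsigned
    covered = digest_input(msg, key_name, alg, t, fudge, error, other, request_mac)
    if not hmac.compare_digest(mac, hmac.new(keyring[key_name][1], covered, DIGESTS[alg]).digest()):
        return BADSIG, key_name, mac                         # known key, bad MAC: reply unsigned
    if abs(now - t) > fudge:
        return BADTIME, key_name, mac                        # skew beyond fudge: reply signed
    return NOERROR, key_name, mac

def demo(now=1700000000):
    """Exercise the four request outcomes and a signed response; returns the TSIG codes."""
    query = build_query(0x1234, "site2.example.com")
    signed, req_mac = tsig_sign(query, "host1-host2.", KEYRING, now)
    tampered = signed[:13] + bytes([signed[13] ^ 0x20]) + signed[14:]   # flip one QNAME bit
    stranger = {"other.": ("hmac-sha256.", b"hypothetical key the verifier lacks")}
    response = struct.pack("!H", 0x1234) + b"\x84\x00" + query[4:]     # QR|AA, same question
    signed_resp, _ = tsig_sign(response, "host1-host2.", KEYRING, now, request_mac=req_mac)
    return {"ok": tsig_verify(signed, KEYRING, now)[0],
            "badsig": tsig_verify(tampered, KEYRING, now)[0],
            "badtime": tsig_verify(signed, KEYRING, now + 3600)[0],      # skew > fudge
            "badkey": tsig_verify(tsig_sign(query, "other.", stranger, now)[0], KEYRING, now)[0],
            "response": tsig_verify(signed_resp, KEYRING, now, request_mac=req_mac)[0]}
```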
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TKEY (Transaction KEY) is a mechanism for automatically negotiating
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a shared secret between two hosts, originally specified in RFC 2930.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce There are several TKEY "modes" that specify how a key is to be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce one of these modes: Diffie-Hellman key exchange. Both hosts are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce required to have a KEY record with algorithm DH (though this
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce record is not required to be present in a zone).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The TKEY process is initiated by a client or server by sending
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson a query of type TKEY to a TKEY-aware server. The query must include
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce an appropriate KEY record in the additional section, and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce must be signed using either TSIG or SIG(0) with a previously
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce established key. The server's response, if successful, will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce contain a TKEY record in its answer section. After this transaction,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce both participants will have enough information to calculate a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce shared secret using Diffie-Hellman key exchange. The shared secret
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce can then be used to sign subsequent transactions between the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce two servers.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TSIG keys known by the server, including TKEY-negotiated keys, can
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce TKEY-negotiated keys can be deleted from a server using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the TKEY protocol itself, by sending an authenticated TKEY query
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifying the "key deletion" mode.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transaction signatures as specified in RFC 2535 and RFC 2931.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce SIG(0) uses public/private keys to authenticate messages. Access control
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is performed in the same manner as TSIG keys; privileges can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce granted or denied in ACL directives based on the key name.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When a SIG(0) signed message is received, it will only be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified if the key is known and trusted by the server. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server will not attempt to recursively fetch or validate the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce SIG(0) signing of multiple-message TCP streams is not supported.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Cryptographic authentication of DNS information is possible
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce defined in RFC 4033, RFC 4034, and RFC 4035.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This section describes the creation and use of DNSSEC signed zones.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In order to set up a DNSSEC secure zone, there are a series
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of steps which must be followed. <acronym class="acronym">BIND</acronym>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ships with several tools
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that are used in this process, which are explained in more detail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce below. In all cases, the <code class="option">-h</code> option prints a
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson full list of parameters. Note that the DNSSEC tools require the
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson keyset files to be in the working directory or the
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson directory specified by the <code class="option">-d</code> option, and
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson that the tools shipped with BIND 9.2.x and earlier are not compatible
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with the current ones.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce There must also be communication with the administrators of
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson the parent and/or child zone to transmit keys. A zone's security
f1fd37f759991616d454ce371a2390da45141593Andreas Gustafsson status must be indicated by the parent zone for a DNSSEC capable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce resolver to trust its data. This is done through the presence
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or absence of a <code class="literal">DS</code> record at the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For other servers to trust data in this zone, they must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce either be statically configured with this zone's zone key or the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone key of another zone above this one in the DNS tree.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generate keys.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A secure zone must contain one or more zone keys. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys will sign all other records in the zone, as well as
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone keys of any secure delegated zones. Zone keys must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce have the same name as the zone, a name type of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>ZONE</strong></span>, and must be usable for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce authentication.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce It is recommended that zone keys use a cryptographic algorithm
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce designated as "mandatory to implement" by the IETF; currently
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the only one is RSASHA1.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The following command will generate a 768-bit RSASHA1 key for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the <code class="filename">child.example</code> zone:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Two output files will be produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">Kchild.example.+005+12345.key</code> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">Kchild.example.+005+12345.private</code>
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson (where 12345 is an example of a key tag). The key filenames contain
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the key name (<code class="filename">child.example.</code>),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce algorithm (3
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The private key (in the <code class="filename">.private</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures, and the public key (in the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">.key</code> file) is used for signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verification.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce To generate another key with the same properties (but with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a different key tag), repeat the above command.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to obtain a key pair from cryptographic hardware and build the key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The public keys should be inserted into the zone file by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce including the <code class="filename">.key</code> files using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>$INCLUDE</strong></span> statements.
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
<p>The <span class="command"><strong>dnssec-signzone</strong></span> program is used
 to sign a zone.</p>
<p>Any <code class="filename">keyset</code> files corresponding to
 secure subzones should be present. The zone signer will
 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
 and <code class="literal">RRSIG</code> records for the zone, as
 well as <code class="literal">DS</code> for the child zones if
 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
 is not specified, then DS RRsets for the secure child
 zones need to be added manually.</p>
<p>The following command signs the zone, assuming it is in a
 file called <code class="filename">zone.child.example</code>. By
 default, all zone keys which have an available private key are
 used to generate signatures.</p>
<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p>
<p>One output file is produced:
 <code class="filename">zone.child.example.signed</code>. This
 should be referenced by <code class="filename">named.conf</code> as the
 input file for the zone.</p>
<p><span class="command"><strong>dnssec-signzone</strong></span>
 will also produce keyset and dsset files and optionally a
 dlvset file. These are used to provide the parent zone
 administrators with the <code class="literal">DNSKEYs</code> (or their
 corresponding <code class="literal">DS</code> records) that are the
 secure entry point to the zone.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
<p>To enable <span class="command"><strong>named</strong></span> to respond appropriately
 to DNS requests from DNSSEC aware clients,
 <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
 (This is the default setting.)</p>
<p>To enable <span class="command"><strong>named</strong></span> to validate answers from
 other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
 must be set to <strong class="userinput"><code>yes</code></strong>, and the
 <span class="command"><strong>dnssec-validation</strong></span> option must be set to
 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.</p>
<p>If <span class="command"><strong>dnssec-validation</strong></span> is set to
 <strong class="userinput"><code>auto</code></strong>, then a default
 trust anchor for the DNS root zone will be used.
 If it is set to <strong class="userinput"><code>yes</code></strong>, however,
 then at least one trust anchor must be configured
 with a <span class="command"><strong>trusted-keys</strong></span> or
 <span class="command"><strong>managed-keys</strong></span> statement in
 <code class="filename">named.conf</code>, or DNSSEC validation
 will not occur. The default setting is
 <strong class="userinput"><code>yes</code></strong>.</p>
<p><span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
 for zones that are used to form the first link in the
 cryptographic chain of trust. All keys listed in
 <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
 are deemed to exist and only the listed keys will be used
 to validate the DNSKEY RRset that they are from.</p>
<p><span class="command"><strong>managed-keys</strong></span> are trusted keys which are
 automatically kept up to date via RFC 5011 trust anchor
 maintenance.</p>
<p><span class="command"><strong>trusted-keys</strong></span> and
 <span class="command"><strong>managed-keys</strong></span> are described in more detail
 later in this document.</p>
<p>Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
 9 does not verify signatures on load, so zone keys for
 authoritative zones do not need to be specified in the
 configuration file.</p>
<p>Once DNSSEC is established, a typical DNSSEC configuration
 will look something like the following. It has one or
 more public keys for the root. This allows answers from
 outside the organization to be validated. It will also
 have several keys for parts of the namespace the organization
 controls. These are here to ensure that <span class="command"><strong>named</strong></span>
 is immune to compromises of the DNSSEC components of
 parent zones.</p>
managed-keys {
 /* Root Key */
 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
 dgxbcDTClU0CRBdiieyLMNzXG3";
};

trusted-keys {
 /* Key for our organization's forward zone */
 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm";

 /* Key for our reverse zone. */
 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
 xOdNax071L18QqZnQQQAVVr+i
 LhGTnNGp3HoWQLUIzKrJVZ3zg
 gy3WwNT6kZo6c0tszYqbtvchm
 siaOdS0yOI6BgPsw+YZdzlYMa
 IJGf4M4dyoKIhzdZyQ2bYQrjy
 Q4LB0lC7aOnsMyYKHHYeRvPxj
 IQXmdqgOJGq+vsevG06zW+1xg
 59VvjSPsZJHeDCUyWYrvPZesZ
 DIRvhDD52SKvbheeTJUm6Ehkz";
};

options {
 dnssec-enable yes;
 dnssec-validation yes;
};
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>None of the keys listed in this example are valid. In particular,
 the root key is not valid.</p>
</div>
<p>When DNSSEC validation is enabled and properly configured,
 the resolver will reject any answers from signed, secure zones
 which fail to validate, and will return SERVFAIL to the client.
 Responses may fail to validate for any of several reasons,
 including missing, expired, or invalid signatures, a key which
 does not match the DS RRset in the parent zone, or an insecure
 response from a zone which, according to its parent, should have
 been secure.</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>When the validator receives a response from an unsigned zone
 that has a signed parent, it must confirm with the parent
 that the zone was intentionally left unsigned. It does
 this by verifying, via signed and validated NSEC/NSEC3 records,
 that the parent zone contains no DS records for the child.
 If the validator <span class="emphasis"><em>can</em></span> prove that the zone
 is insecure, then the response is accepted. However, if it
 cannot, then it must assume an insecure response to be a
 forgery; it rejects the response and logs an error.
 The logged error reads "insecurity proof failed" and
 "got insecure response; parent indicates it should be secure".
 (Prior to BIND 9.7, the logged error was "not insecure".
 This referred to the zone, not the response.)</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
<p>As of BIND 9.7.0 it is possible to change a dynamic zone
 from insecure to signed and back again. A secure zone can use
 either NSEC or NSEC3 chains.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
 ways: using a dynamic DNS update, or the
 <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure
 <span class="command"><strong>named</strong></span> so that it can see the
 <code class="filename">K*</code> files which contain the public and private
 parts of the keys that will be used to sign the zone. These files
 will have been generated by
 <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
 in the key-directory, as specified in
 <code class="filename">named.conf</code>:</p>
 type master;
 update-policy local;
<p>If one KSK and one ZSK DNSKEY key have been generated, this
 configuration will cause all records in the zone to be signed
 with the ZSK, and the DNSKEY RRset to be signed with the KSK as
 well. An NSEC chain will be generated as part of the initial
 signing process.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div></div>
<p>To insert the keys via dynamic update:</p>
 > ttl 3600
 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
<p>While the update request will complete almost immediately,
 the zone will not be completely signed until
 <span class="command"><strong>named</strong></span> has had time to walk the zone and
 generate the NSEC and RRSIG records. The NSEC record at the apex
 will be added last, to signal that there is a complete NSEC
 chain.</p>
<p>If you wish to sign using NSEC3 instead of NSEC, you should
 add an NSEC3PARAM record to the initial update request. If you
 wish the NSEC3 chain to have the OPTOUT bit set, set it in the
 flags field of the NSEC3PARAM record.</p>
 > ttl 3600
 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
 > update add example.net NSEC3PARAM 1 1 100 1234567890
<p>Again, this update request will complete almost
 immediately; however, the record won't show up until
 <span class="command"><strong>named</strong></span> has had a chance to build/remove the
 relevant chain. A private type record will be created to record
 the state of the operation (see below for more details), and will
 be removed once the operation completes.</p>
<p>While the initial signing and NSEC/NSEC3 chain generation
 is happening, other updates are possible as well.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
 <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
 <code class="filename">named.conf</code>.
 <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
 <span class="command"><strong>allow</strong></span> or
 <span class="command"><strong>maintain</strong></span>.</p>
<p>With <span class="command"><strong>auto-dnssec allow</strong></span>,
 <span class="command"><strong>named</strong></span> can search the key directory for keys
 matching the zone, insert them into the zone, and use them to
 sign the zone. It will do so only when it receives an
 <span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p>
<p><span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
 functionality, but will also automatically adjust the zone's
 DNSKEY records on schedule according to the keys' timing metadata.
 (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
 <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)</p>
<p><span class="command"><strong>named</strong></span> will periodically search the key directory
 for keys matching the zone, and if the keys' metadata indicates
 that any change should be made to the zone, such as adding, removing,
 or revoking a key, then that action will be carried out. By default,
 the key directory is checked for changes every 60 minutes; this period
 can be adjusted with the <code class="option">dnssec-loadkeys-interval</code> option, up
 to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> command forces
 <span class="command"><strong>named</strong></span> to check for key updates immediately.</p>
<p>If keys are present in the key directory the first time the zone
 is loaded, the zone will be signed immediately, without waiting for an
 <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
 command. (Those commands can still be used when there are unscheduled
 key changes, however.)</p>
<p>When new keys are added to a zone, the TTL is set to match that
 of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
 then the TTL will be set to the TTL specified when the key was
 created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
 any, or to the SOA TTL.</p>
<p>If you wish the zone to be signed using NSEC3 instead of NSEC,
 submit an NSEC3PARAM record via dynamic update prior to the
 scheduled publication and activation of the keys. If you wish the
 NSEC3 chain to have the OPTOUT bit set, set it in the flags field
 of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
 the zone immediately, but it will be stored for later reference. When
 the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
 record will appear in the zone.</p>
<p>The <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
 configured to allow dynamic updates, by adding an
 <span class="command"><strong>allow-update</strong></span> or
 <span class="command"><strong>update-policy</strong></span> statement to the zone
 configuration. If this has not been done, the configuration will
 fail.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div></div>
<p>The state of the signing process is signaled by
 private-type records (with a default type value of 65534). When
 signing is complete, these records will have a nonzero value for
 the final octet (for those records which have a nonzero initial
 octet).</p>
<p>The private type record format: If the first octet is
 non-zero then the record indicates that the zone needs to be
 signed with the key matching the record, or that all signatures
 that match the record should be removed.</p>
  algorithm (octet 1)<br>
  key id in network order (octet 2 and 3)<br>
  removal flag (octet 4)<br>
  complete flag (octet 5)<br>
<p>Only records flagged as "complete" can be removed via
 dynamic update. Attempts to remove other private type records
 will be silently ignored.</p>
<p>If the first octet is zero (this is a reserved algorithm
 number that should never appear in a DNSKEY record) then the
 record indicates changes to the NSEC3 chains are in progress. The
 rest of the record contains an NSEC3PARAM record. The flag field
 tells what operation to perform based on the flag bits.</p>
  0x01 OPTOUT<br>
  0x80 CREATE<br>
  0x40 REMOVE<br>
  0x20 NONSEC<br>
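<p>An operator watching a signing or NSEC3 conversion finish sees these records only as generic TYPE65534 RDATA. The following added example (not part of the ARM or of BIND) decodes both layouts described above so the progress of the operation can be read off a zone dump. It assumes the RFC 3597 generic text form for the input and the RFC 5155 NSEC3PARAM wire layout (hash algorithm, flags, iterations, salt length, salt) for the embedded record; the sample records are constructed from the 12345 key tag and the NSEC3PARAM values used elsewhere in this chapter.</p>

```python
import struct

# Default RR type number for the private records, per the text above.
PRIVATE_TYPE = 65534

# Flag bits carried in the embedded NSEC3PARAM flags field, as listed above.
NSEC3_FLAGS = {0x01: "OPTOUT", 0x80: "CREATE", 0x40: "REMOVE", 0x20: "NONSEC"}


def parse_rfc3597(text: str) -> bytes:
    """Decode the generic '\\# <length> <hex...>' form used for unknown RR types."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not an RFC 3597 generic RDATA string")
    length = int(fields[1])
    data = bytes.fromhex("".join(fields[2:]))  # hex may be split into groups
    if len(data) != length:
        raise ValueError(f"declared length {length}, got {len(data)} octets")
    return data


def encode_key_state(algorithm: int, keyid: int, remove: bool = False,
                     complete: bool = False) -> bytes:
    """Build the 5-octet key form: algorithm, key id in network order, two flags."""
    if algorithm == 0:
        raise ValueError("algorithm 0 is reserved for the NSEC3 form")
    return struct.pack("!BHBB", algorithm, keyid, int(remove), int(complete))


def encode_nsec3_state(hash_alg: int, flags: int, iterations: int, salt: bytes) -> bytes:
    """Build the NSEC3 form: a zero octet followed by NSEC3PARAM RDATA (RFC 5155)."""
    return b"\x00" + struct.pack("!BBHB", hash_alg, flags, iterations, len(salt)) + salt


def decode_private(rdata: bytes) -> dict:
    """Interpret one private-type RDATA according to its first octet."""
    if not rdata:
        raise ValueError("empty private-type record")
    if rdata[0] != 0:
        # Key form: the zone is being signed with (or stripped of) this key.
        if len(rdata) != 5:
            raise ValueError("key-state record must be exactly 5 octets")
        algorithm, keyid, remove, complete = struct.unpack("!BHBB", rdata)
        return {"kind": "key", "algorithm": algorithm, "keyid": keyid,
                "remove": bool(remove), "complete": bool(complete)}
    # NSEC3 form: an NSEC3 chain is being created or removed.
    if len(rdata) < 6:
        raise ValueError("NSEC3 state record too short for an NSEC3PARAM header")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[1:6])
    salt = rdata[6:]
    if len(salt) != salt_len:
        raise ValueError("salt does not match its declared length")
    return {"kind": "nsec3", "hash_algorithm": hash_alg,
            "flags": [name for bit, name in NSEC3_FLAGS.items() if flags & bit],
            "iterations": iterations, "salt": salt.hex() or "-"}


def removable_via_update(state: dict) -> bool:
    """Only key-form records flagged complete may be deleted by dynamic update."""
    return state["kind"] == "key" and state["complete"]


# Constructed samples: key tag 12345 of an algorithm 7 key, first while signing is
# still running and then once it has finished, plus an NSEC3 chain being created
# with the parameters "1 1 100 1234567890" (hash alg 1, OPTOUT, 100 iterations).
SAMPLE_KEY_IN_PROGRESS = r"\# 5 0730390000"
SAMPLE_KEY_COMPLETE = r"\# 5 07303900 01"
SAMPLE_NSEC3_CREATE = encode_nsec3_state(1, 0x80 | 0x01, 100, bytes.fromhex("1234567890"))

if __name__ == "__main__":
    for sample in (parse_rfc3597(SAMPLE_KEY_IN_PROGRESS),
                   parse_rfc3597(SAMPLE_KEY_COMPLETE), SAMPLE_NSEC3_CREATE):
        state = decode_private(sample)
        print(state, "removable" if removable_via_update(state) else "in progress")
```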
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="section"><div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>As with insecure-to-secure conversions, rolling DNSSEC
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys can be done in two ways: using a dynamic DNS update, or the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="section"><div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p> To perform key rollovers via dynamic update, you need to add
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the <code class="filename">K*</code> files for the new keys so that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span> can find them. You can then add the new
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DNSKEY RRs via dynamic update.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span> will then cause the zone to be signed
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with the new keys. When the signing is complete the private type
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce records will be updated so that the last octet is non
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>If this is for a KSK you need to inform the parent and any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce trust anchor repositories of the new KSK.</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>You should then wait for the maximum TTL in the zone before
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce removing the old DNSKEY. If it is a KSK that is being updated,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce you also need to wait for the DS RRset in the parent to be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce updated and its TTL to expire. This ensures that all clients will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be able to verify at least one signature when you remove the old
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>The old DNSKEY can be removed via UPDATE. Take care to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specify the correct key.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span> will clean out any signatures generated
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by the old key after the update completes.</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="section"><div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>When a new key reaches its activation date (as set by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce automatically carry out the key rollover. If the key's algorithm
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce has not previously been used to sign the zone, then the zone will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be fully signed as quickly as possible. However, if the new key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is replacing an existing key of the same algorithm, then the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone will be re-signed incrementally, with signatures from the
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson old key being replaced with signatures from the new key as their
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson signature validity periods expire. By default, this rollover
fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson completes in 30 days, after which it will be safe to remove the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce old key from the DNSKEY RRset.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
 new NSEC3 chain has been generated, the NSEC3PARAM flag field
 will be zero. At this point you can remove the old NSEC3PARAM
 record. The old chain will be removed after the update request
 completes.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When
 the conversion is complete, the NSEC chain will have been removed
 and the NSEC3PARAM record will have a zero flag field. The NSEC3
 chain will be generated before the NSEC chain is
 destroyed.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
 remove all NSEC3PARAM records with a zero flag
 field. The NSEC chain will be generated before the NSEC3 chain is
 removed.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div></div>
<p>To convert a signed zone to unsigned using dynamic DNS,
 delete all the DNSKEY records from the zone apex using
 <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
 and associated NSEC3PARAM records will be removed automatically.
 This will take place after the update request completes.</p>
<p>This requires the
 <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
 <strong class="userinput"><code>yes</code></strong> in</p>
<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
 zone statement is used, it should be removed or changed to
 <span class="command"><strong>allow</strong></span> instead (or it will re-sign).</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div></div>
<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
 will periodically re-sign RRsets which have not been re-signed as
 a result of some update action. The signature lifetimes will be
 adjusted so as to spread the re-sign load over time rather than
 all at once.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<p><span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
 where all the NSEC3 records in the zone have the same OPTOUT state.
 <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
 records in the chain have mixed OPTOUT state.
 <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
 state of an individual NSEC3 record; the entire chain needs to be
 changed if the OPTOUT state of an individual NSEC3 needs to be
 changed.</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
 anchor management. Using this feature allows
 <span class="command"><strong>named</strong></span> to keep track of changes to critical
 DNSSEC keys without any need for the operator to make changes to
 configuration files.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
 maintain a trust anchor, configure the trust anchor using a
 <span class="command"><strong>managed-keys</strong></span> statement. Information about
 this can be found in
 <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage”</a>.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor
 maintenance, generate two (or more) key signing keys (KSKs) for
 the zone. Sign the zone with one of them; this is the "active"
 KSK. All KSKs which do not sign the zone are "stand-by" keys.</p>
<p>Any validating resolver which is configured to use the
 active KSK as an RFC 5011-managed trust anchor will take note
 of the stand-by KSKs in the zone's DNSKEY RRset, and store them
 for future reference. The resolver will recheck the zone
 periodically, and after 30 days, if the new key is still there,
 then the key will be accepted by the resolver as a valid trust
 anchor for the zone. Any time after this 30-day acceptance
 timer has completed, the active KSK can be revoked, and the
 zone can be "rolled over" to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to
 use the "smart signing" features of
 <span class="command"><strong>dnssec-keygen</strong></span> and
 <span class="command"><strong>dnssec-signzone</strong></span>. If a key has a publication
 date in the past but an activation date which is unset or in
 the future, "<span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
 record in the zone, but will not sign with it:</p>
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
<p>To revoke a key, the new command
 <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
 REVOKED bit to the key flags and re-generates the
 <code class="filename">K*.private</code> files.</p>
<p>After revoking the active key, the zone must be signed
 with both the revoked KSK and the new active KSK. (Smart
 signing takes care of this automatically.)</p>
<p>Once a key has been revoked and used to sign the DNSKEY
 RRset in which it appears, that key will never again be
 accepted as a valid trust anchor by the resolver. However,
 validation can proceed using the new active key (which had been
 accepted by the resolver when it was a stand-by key).</p>
<p>See RFC 5011 for more details on key rollover
 scenarios.</p>
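<p>The resolver-side behaviour described above (a stand-by KSK noticed in the DNSKEY RRset, the 30-day acceptance timer, and a revoked key never being trusted again), modelled as an added Python example that is not part of the ARM or of BIND's code. It is a deliberate simplification of RFC 5011: keys are identified by a constructed public-key string, the clock is an integer day counter, and each DNSKEY RRset observation below is constructed to walk through the rollover the text describes.</p>

```python
"""Simplified model of an RFC 5011 managed trust anchor as the BIND ARM describes it.

Added illustration, not BIND code. Keys are identified by a constructed pubkey string,
the clock is an integer day counter, and one DNSKEY RRset observation is one check.
"""
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30   # the 30-day acceptance timer described in the text
REVOKE_FLAG = 0x0080      # RFC 5011 REVOKE bit in the DNSKEY flags field


@dataclass(frozen=True)
class DNSKey:
    pubkey: str           # constructed identifier standing in for the key material
    flags: int = 0x0101   # 257 = ZONE + SEP, the usual KSK flags

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE_FLAG)


@dataclass
class DNSKeyRRset:
    """The apex DNSKEY RRset seen at one check, plus which keys' RRSIGs cover it."""
    keys: list
    signed_by: set


@dataclass
class ManagedAnchors:
    valid: set = field(default_factory=set)       # accepted trust anchors
    pending: dict = field(default_factory=dict)   # stand-by pubkey -> day first seen
    revoked: set = field(default_factory=set)     # never accepted again

    def observe(self, day: int, rrset: DNSKeyRRset) -> None:
        # Only an RRset signed by a currently trusted key can introduce new keys.
        trusted_sig = bool(rrset.signed_by & self.valid)
        for key in rrset.keys:
            pk = key.pubkey
            if key.revoked:
                # Revocation counts only if the key signed the RRset it appears in.
                if pk in rrset.signed_by and pk in self.valid:
                    self.valid.discard(pk)
                    self.revoked.add(pk)
                continue
            if pk in self.valid or pk in self.revoked or not trusted_sig:
                continue
            first_seen = self.pending.setdefault(pk, day)
            if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.valid.add(pk)
                del self.pending[pk]
        # A stand-by key that disappears before the timer runs out starts over.
        present = {k.pubkey for k in rrset.keys}
        for pk in list(self.pending):
            if pk not in present:
                del self.pending[pk]

    def can_validate(self, rrset: DNSKeyRRset) -> bool:
        return bool(rrset.signed_by & self.valid)


def rollover_demo() -> dict:
    """Walk the rollover from the text: publish stand-by, wait 30 days, revoke old key."""
    active, standby = DNSKey("ksk-A"), DNSKey("ksk-B")
    anchors = ManagedAnchors(valid={active.pubkey})
    result = {}
    # Day 0: zone signed with A; B is in the RRset as a stand-by but does not sign.
    anchors.observe(0, DNSKeyRRset([active, standby], {"ksk-A"}))
    result["pending_after_publish"] = sorted(anchors.pending)
    # Day 29: still inside the acceptance timer.
    anchors.observe(29, DNSKeyRRset([active, standby], {"ksk-A"}))
    result["valid_day29"] = sorted(anchors.valid)
    # Day 30: timer has run and B is still there, so it becomes a trust anchor.
    anchors.observe(30, DNSKeyRRset([active, standby], {"ksk-A"}))
    result["valid_day30"] = sorted(anchors.valid)
    # Day 31: A revoked; as the text requires, the RRset is signed by both A and B.
    revoked_a = DNSKey("ksk-A", active.flags | REVOKE_FLAG)
    rrset = DNSKeyRRset([revoked_a, standby], {"ksk-A", "ksk-B"})
    anchors.observe(31, rrset)
    result["valid_after_revoke"] = sorted(anchors.valid)
    result["revoked"] = sorted(anchors.revoked)
    result["still_validates"] = anchors.can_validate(rrset)
    # Day 60: A reappears without the REVOKE bit; it must never be trusted again.
    anchors.observe(60, DNSKeyRRset([active, standby], {"ksk-B"}))
    result["pending_after_reappear"] = sorted(anchors.pending)
    return result


if __name__ == "__main__":
    for name, value in rollover_demo().items():
        print(f"{name}: {value}")
```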
<p>When a key has been revoked, its key ID changes,
 increasing by 128, and wrapping around at 65535. So, for
 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
 "<code class="filename">Kexample.com.+005+10128</code>".</p>
<p>If two keys have IDs exactly 128 apart, and one is
 revoked, then the two key IDs will collide, causing several
 problems. To prevent this,
 <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
 another key is present which may collide. This checking will
 only occur if the new keys are written to the same directory
 which holds all other keys in use for that zone.</p>
<p>Older versions of BIND 9 did not have this precaution.
 Exercise caution if using key revocation on keys that were
 generated by previous releases, or if using keys stored in
 multiple directories or on multiple machines.</p>
<p>It is expected that a future release of BIND 9 will
 address this problem in a different way, by storing revoked
 keys with their original unrevoked key IDs.</p>
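<p>The key-ID arithmetic above and the collision precaution that <span class="command"><strong>dnssec-keygen</strong></span> applies, as an added Python example that is not BIND code. The key tag is computed per RFC 4034 Appendix B over a DNSKEY RDATA constructed for illustration (not a real key), and the key file names are constructed in the K<em class="replaceable"><code>zone</code></em>+<em class="replaceable"><code>alg</code></em>+<em class="replaceable"><code>id</code></em> form the text shows.</p>

```python
"""Key IDs under revocation and the dnssec-keygen collision check, per the BIND ARM.

Added example, not BIND code. The DNSKEY RDATA used below is constructed, not a real
key; the key tag follows RFC 4034 Appendix B (the obsolete RSA/MD5 rule is not handled).
"""
import re

REVOKE_FLAG = 0x0080        # RFC 5011 REVOKE bit, low byte of the DNSKEY flags field
KEY_ID_MODULUS = 1 << 16    # key IDs are 16-bit, so the +128 shift wraps around

# BIND key file names: K<zone>.+<alg>+<id>[.key|.private], e.g. Kexample.com.+005+10000
KEY_FILE_RE = re.compile(
    r"^K(?P<zone>.+\.)\+(?P<alg>\d{3})\+(?P<id>\d{5})(?P<ext>\.key|\.private)?$"
)


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def revoke(rdata: bytes) -> bytes:
    """What dnssec-revoke does to the key: set the REVOKE bit in the flags field."""
    flags = int.from_bytes(rdata[:2], "big") | REVOKE_FLAG
    return flags.to_bytes(2, "big") + rdata[2:]


def revoked_key_id(key_id: int) -> int:
    """The REVOKE bit adds 128 to the flags word, so the key ID normally moves by 128."""
    return (key_id + 128) % KEY_ID_MODULUS


def revoked_filename(filename: str) -> str:
    """Rename a key file the way its ID changes on revocation (IDs are zero-padded)."""
    m = KEY_FILE_RE.match(filename)
    if not m:
        raise ValueError(f"not a BIND key file name: {filename}")
    new_id = revoked_key_id(int(m["id"]))
    return f"K{m['zone']}+{m['alg']}+{new_id:05d}{m['ext'] or ''}"


def collision_pairs(filenames) -> list:
    """Pairs (key, other) where revoking `key` would give it `other`'s ID.

    Mirrors the precaution in the text: a key whose ID is exactly 128 away from another
    key of the same zone and algorithm collides with it once revoked.
    """
    keys = {}
    for name in filenames:
        m = KEY_FILE_RE.match(name)
        if m:
            keys[(m["zone"], m["alg"], int(m["id"]))] = name
    pairs = []
    for (zone, alg, key_id), name in sorted(keys.items()):
        other = keys.get((zone, alg, revoked_key_id(key_id)))
        if other:
            pairs.append((name, other))
    return pairs


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 5, b"\x01\x00\x01\xab")   # constructed, not a real key
    print("key tag", keytag(rdata), "-> revoked", keytag(revoke(rdata)))
    print(revoked_filename("Kexample.com.+005+10000"))
    print(collision_pairs(["Kexample.com.+005+10000.key", "Kexample.com.+005+10128.key"]))
```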
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
<p>PKCS#11 (Public Key Cryptography Standard #11) defines a
 platform-independent API for the control of hardware security
 modules (HSMs) and other cryptographic support devices.</p>
<p>BIND 9 is known to work with three HSMs: the AEP Keyper, which has
 been tested with Debian Linux, Solaris x86 and Windows Server 2003;
 the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
 cryptographic acceleration board, tested with Solaris x86. In
 addition, BIND can be used with all current versions of SoftHSM,
 a software-based HSM simulator library produced by the OpenDNSSEC
 project.</p>
<p>PKCS#11 makes use of a "provider library": a dynamically loadable
 library which provides a low-level PKCS#11 interface to drive the HSM
 hardware. The PKCS#11 provider library comes from the HSM vendor, and
 it is specific to the HSM to be controlled.</p>
<p>There are two available mechanisms for PKCS#11 support in BIND 9:
 OpenSSL-based PKCS#11 and native PKCS#11. When using the first
 mechanism, BIND uses a modified version of OpenSSL, which loads
 the provider library and operates the HSM indirectly; any
 cryptographic operations not supported by the HSM can be carried
 out by OpenSSL instead. The second mechanism enables BIND to bypass
 OpenSSL completely; BIND loads the provider library itself, and uses
 the PKCS#11 API to drive the HSM directly.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.12.6"></a>Prerequisites</h3></div></div></div>
<p>See the documentation provided by your HSM vendor for
 information about installing, initializing, testing and
 troubleshooting the HSM.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.12.7"></a>Native PKCS#11</h3></div></div></div>
<p>Native PKCS#11 mode will only work with an HSM capable of carrying
 out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
 need. The HSM's provider library must have a complete implementation
 of the PKCS#11 API, so that all these functions are accessible. As of
 this writing, only the Thales nShield HSM and SoftHSMv2 can be used
 in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
 (Note: Eventually, when more HSMs become capable of supporting
 native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
 be deprecated.)</p>
<p>To build BIND with native PKCS#11, configure as follows:</p>
$ <strong class="userinput"><code>cd bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
 --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
<p>This will cause all BIND tools, including <span class="command"><strong>named</strong></span>
 and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
 tools, to use the PKCS#11 provider library specified in
 <em class="replaceable"><code>provider-library-path</code></em> for cryptography.
 (The provider library path can be overridden using the
 <code class="option">-E</code> option in <span class="command"><strong>named</strong></span> and the
 <span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> option in
 the <span class="command"><strong>pkcs11-*</strong></span> tools.)</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.5.12.7.6"></a>Building SoftHSMv2</h4></div></div></div>
<p>SoftHSMv2, the latest development version of SoftHSM, is available
 from <a class="link" href="https://github.com/opendnssec/SoftHSMv2" target="_top">https://github.com/opendnssec/SoftHSMv2</a>.
 It is a software library developed by the OpenDNSSEC project
 (<a class="link" href="http://www.opendnssec.org" target="_top">http://www.opendnssec.org</a>)
 which provides a PKCS#11 interface to a virtual HSM, implemented in
 the form of a SQLite3 database on the local filesystem. It provides
 less security than a true HSM, but it allows you to experiment with
 native PKCS#11 when an HSM is not available. SoftHSMv2 can be
 configured to use either OpenSSL or the Botan library to perform
 cryptographic functions, but when using it for native PKCS#11 in
 BIND, OpenSSL is required.</p>
<p>By default, the SoftHSMv2 configuration file is
 <em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
 <em class="replaceable"><code>prefix</code></em> is configured at compile time).
 This location can be overridden by the SOFTHSM2_CONF environment
 variable. The SoftHSMv2 cryptographic store must be installed and
 initialized before using it with BIND.</p>
$ <strong class="userinput"><code>cd SoftHSMv2</code></strong>
$ <strong class="userinput"><code>./configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost</code></strong>
$ <strong class="userinput"><code>make</code></strong>
$ <strong class="userinput"><code>make install</code></strong>
$ <strong class="userinput"><code>/opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2</code></strong>
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.12.8"></a>OpenSSL-based PKCS#11</h3></div></div></div>
<p>OpenSSL-based PKCS#11 mode uses a modified version of the
 OpenSSL library; stock OpenSSL does not fully support PKCS#11.
 ISC provides a patch to OpenSSL to correct this. This patch is
 based on work originally done by the OpenSolaris project; it has been
 modified by ISC to provide new features such as PIN management and
 key-by-reference.</p>
<p>There are two "flavors" of PKCS#11 support provided by
 the patched OpenSSL, one of which must be chosen at
 configuration time. The correct choice depends on the HSM:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>Use 'crypto-accelerator' with HSMs that have hardware
 cryptographic acceleration features, such as the SCA 6000
 board. This causes OpenSSL to run all supported
 cryptographic operations in the HSM.</p></li>
<li class="listitem"><p>Use 'sign-only' with HSMs that are designed to
 function primarily as secure key storage devices, but lack
 hardware acceleration. These devices are highly secure, but
 are not necessarily any faster at cryptography than the
 system CPU — often, they are slower. It is therefore
 most efficient to use them only for those cryptographic
 functions that require access to the secured private key,
 such as zone signing, and to use the system CPU for all
 other computationally-intensive operations. The AEP Keyper
 is an example of such a device.</p></li>
</ul></div>
<p>The modified OpenSSL code is included in the BIND 9 release,
 in the form of a context diff against the latest versions of
 OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported;
 there are separate diffs for each version. In the examples to
 follow, we use OpenSSL 0.9.8, but the same methods work with
 OpenSSL 1.0.0 through 1.0.2.</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>The OpenSSL patches as of this writing (January 2016)
 support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f.
 ISC will provide updated patches as new versions of OpenSSL
 are released. The version number in the following examples
 is expected to change.</p>
</div>
<p>Before building BIND 9 with PKCS#11 support, it will be
 necessary to build OpenSSL with the patch in place, and configure
 it with the path to your HSM's PKCS#11 provider library.</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.5.12.8.8"></a>Patching OpenSSL</h4></div></div></div>
$ <strong class="userinput"><code>wget <a class="link" href="http://www.openssl.org/source/openssl-0.9.8zc.tar.gz" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
 < bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>The patch file may not be compatible with the
 "patch" utility on all operating systems. You may need to
 install GNU patch.</p>
</div>
<p>When building OpenSSL, place it in a non-standard
 location so that it does not interfere with OpenSSL libraries
 elsewhere on the system. In the following examples, we choose
 to install into "/opt/pkcs11/usr". We will use this location
 when we configure BIND 9.</p>
<p>Later, when building BIND 9, the location of the custom-built
 OpenSSL library will need to be specified via configure.</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.5.12.8.9"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>The AEP Keyper is a highly secure key storage device,
 but does not provide hardware cryptographic acceleration. It
 can carry out cryptographic operations, but it is probably
 slower than your system's CPU. Therefore, we choose the
 'sign-only' flavor when building OpenSSL.</p>
<p>The Keyper-specific PKCS#11 provider library is
 delivered with the Keyper software. In this example, we place
 it at /opt/pkcs11/usr/lib/libpkcs11.so:</p>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
<p>This library is only available for Linux as a 32-bit
 binary. If we are compiling on a 64-bit Linux system, it is
 necessary to force a 32-bit build, by specifying -m32 in the
 build options.</p>
<p>Finally, the Keyper library requires threads, so we
 must specify -pthread.</p>
$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
 --pk11-flavor=sign-only \</code></strong>
<p>After configuring, run "<span class="command"><strong>make</strong></span>"
 and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
 test</strong></span>" fails with "pthread_atfork() not found", you forgot to
 add the -pthread above.</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id-1.5.12.8.10"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>The SCA-6000 PKCS#11 provider is installed as a system
 library, libpkcs11. It is a true crypto accelerator, up to 4
 times faster than any CPU, so the flavor shall be
 'crypto-accelerator'.</p>
<p>In this example, we are building on Solaris x86 on an
 AMD64 system.</p>
$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
 --pk11-flavor=crypto-accelerator \</code></strong>
<p>(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)</p>
<p>After configuring, run
 <span class="command"><strong>make</strong></span> and
 <span class="command"><strong>make test</strong></span>.</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.8.11"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce SoftHSM (version 1) is a software library developed by the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce OpenDNSSEC project
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (<a class="link" href="http://www.opendnssec.org" target="_top">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce which provides a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce PKCS#11 interface to a virtual HSM, implemented in the form of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a SQLite3 database on the local filesystem. SoftHSM uses
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the Botan library to perform cryptographic functions. Though
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce less secure than a true HSM, it can allow you to experiment
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with PKCS#11 when an HSM is not available.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The SoftHSM cryptographic store must be installed and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce initialized before using it with OpenSSL, and the SOFTHSM_CONF
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce environment variable must always point to the SoftHSM configuration
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code> make </code></strong>
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code> make install </code></strong>
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce SoftHSM can perform all cryptographic operations, but
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce since it only uses your system CPU, there is no advantage to using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it for anything but signing. Therefore, we choose the 'sign-only'
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce flavor when building OpenSSL.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce --pk11-flavor=sign-only \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce After configuring, run "<span class="command"><strong>make</strong></span>"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and "<span class="command"><strong>make test</strong></span>".
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Once you have built OpenSSL, run
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that PKCS#11 support was compiled in correctly. The output
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be one of the following lines, depending on the flavor
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (pkcs11) PKCS #11 engine support (sign only)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (pkcs11) PKCS #11 engine support (crypto accelerator)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce attempt to initialize the PKCS#11 engine. If it is able to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce do so successfully, it will report
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If the output is correct, run
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>make install</strong></span>" which will install the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce To link with the PKCS#11 provider, threads must be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce enabled in the BIND 9 build.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The PKCS#11 library for the AEP Keyper is currently
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce only available as a 32-bit binary. If we are building on a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 64-bit host, we must force a 32-bit build by adding "-m32" to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the CC options on the "configure" command line.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>cd /bind9</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>/configure CC="gcc -m32" --enable-threads \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce To link with the PKCS#11 provider, threads must be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce enabled in the BIND 9 build.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>cd /bind9</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>/configure CC="cc -xarch=amd64" --enable-threads \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If configure complains about OpenSSL not working, you
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce may have a 32/64-bit architecture mismatch. Or, you may have
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce incorrectly specified the path to OpenSSL (it should be the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce same as the --prefix argument to the OpenSSL
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h4 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.8.20"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson$ <strong class="userinput"><code>cd /bind9</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>/configure --enable-threads \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce After configuring, run
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>make</strong></span>",
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>make test</strong></span>" and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "<span class="command"><strong>make install</strong></span>".
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (Note: If "make test" fails in the "pkcs11" system test, you may
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce have forgotten to set the SOFTHSM_CONF environment variable.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce BIND 9 includes a minimal set of tools to operate the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce HSM, including
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce within the HSM,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-list</strong></span> to list objects currently
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-tokens</strong></span> to list available tokens.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In UNIX/Linux builds, these tools are built only if BIND
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 9 is configured with the --with-pkcs11 option. (Note: If
86c1ac00da33c2ecc14f5ca69fba40186460ce57Andreas Gustafsson --with-pkcs11 is set to "yes", rather than to the path of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce PKCS#11 provider, then the tools will be built but the
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson provider will be left undefined. Use the -m option or the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce PKCS11_PROVIDER environment variable to specify the path to the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.10"></a>Using the HSM</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For OpenSSL-based PKCS#11, we must first set up the runtime
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce environment so the OpenSSL and PKCS#11 libraries can be loaded:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This causes <span class="command"><strong>named</strong></span> and other binaries to load
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce rather than from the default location. This step is not necessary
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce when using native PKCS#11.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Some HSMs require other environment variables to be set.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For example, when operating an AEP Keyper, it is necessary to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specify the location of the "machine" file, which stores
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce information about the Keyper for use by the provider
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce library. If the machine file is in
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Such environment variables must be set whenever running
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce any tool that uses the HSM, including
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-keygen</strong></span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-list</strong></span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>pkcs11-destroy</strong></span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dnssec-keyfromlabel</strong></span>,
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson <span class="command"><strong>dnssec-signzone</strong></span>,
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson <span class="command"><strong>dnssec-keygen</strong></span>, and
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson <span class="command"><strong>named</strong></span>.
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson We can now create and use keys in the HSM. In this case,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce we will create a 2048-bit key and give it the label
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "sample-ksk":
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>pkcs11-list</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceobject[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceobject[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
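The two pkcs11-list lines above are what the operator has to go on when checking what the HSM holds under a label. As an added example (not code from BIND), the Python below parses that output, decodes the numeric class column using the PKCS#11 specification's CK_OBJECT_CLASS values (3 is CKO_PRIVATE_KEY, 2 is CKO_PUBLIC_KEY) and checks that each label names exactly one public/private pair; the embedded sample output is constructed from the lines above.

```python
import re
from collections import defaultdict

# Object classes from the PKCS#11 specification (CK_OBJECT_CLASS values);
# pkcs11-list prints the numeric value in its "class" column.
CKO_CLASSES = {
    0: "CKO_DATA",
    1: "CKO_CERTIFICATE",
    2: "CKO_PUBLIC_KEY",
    3: "CKO_PRIVATE_KEY",
    4: "CKO_SECRET_KEY",
}

# One pkcs11-list output line, e.g.
#   object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
LINE_RE = re.compile(
    r"object\[(?P<index>\d+)\]:\s+handle\s+(?P<handle>\d+)\s+class\s+(?P<cls>\d+)"
    r"\s+label\[\d+\]\s+'(?P<label>[^']*)'\s+id\[(?P<idlen>\d+)\]"
)

# Constructed sample: the two lines the manual shows after
# "pkcs11-keygen -b 2048 -l sample-ksk".
SAMPLE_OUTPUT = """\
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
"""


def parse_pkcs11_list(text):
    """Parse pkcs11-list output into dicts; lines that do not match are ignored."""
    objects = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        cls = int(m.group("cls"))
        objects.append({
            "index": int(m.group("index")),
            "handle": int(m.group("handle")),
            "class": cls,
            "class_name": CKO_CLASSES.get(cls, "unknown(%d)" % cls),
            "label": m.group("label"),
        })
    return objects


def key_pairs_by_label(objects):
    """Group key objects by label and flag labels that do not name exactly one
    public/private pair: dnssec-keyfromlabel -l selects the key by label, so a
    label shared by two pairs is ambiguous and a label with no private key
    cannot sign anything."""
    by_label = defaultdict(lambda: {"public": [], "private": []})
    for obj in objects:
        if obj["class"] == 2:
            by_label[obj["label"]]["public"].append(obj["handle"])
        elif obj["class"] == 3:
            by_label[obj["label"]]["private"].append(obj["handle"])
    return {
        label: {
            "public": parts["public"],
            "private": parts["private"],
            "usable": len(parts["public"]) == 1 and len(parts["private"]) == 1,
        }
        for label, parts in by_label.items()
    }


if __name__ == "__main__":
    for label, info in key_pairs_by_label(parse_pkcs11_list(SAMPLE_OUTPUT)).items():
        print(label, "usable" if info["usable"] else "AMBIGUOUS OR INCOMPLETE", info)
```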
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Before using this key to sign a zone, we must create a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce does this. In this case, we will be using the HSM key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "sample-ksk" as the key-signing key for "example.net":
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The resulting K*.key and K*.private files can now be used
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to sign the zone. Unlike normal K* files, which contain both
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce public and private key data, these files will contain only the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce public key data, plus an identifier for the private key which
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce remains stored within the HSM. Signing with the private key takes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce place inside the HSM.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If you wish to generate a second key in the HSM for use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce as a zone-signing key, follow the same procedure above, using a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce different keylabel, a smaller key size, and omitting "-f KSK"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce from the dnssec-keyfromlabel arguments:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce string which identifies the key. With native PKCS#11, the label is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a PKCS#11 URI string which may include other details about the key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and the HSM, including its PIN. See
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Alternatively, you may prefer to generate a conventional
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce on-disk key, using dnssec-keygen:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This provides less security than an HSM key, but since
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce HSMs can be slow or cumbersome to use for security reasons, it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce may be more efficient to reserve HSM keys for use in the less
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce frequent key-signing operation. The zone-signing key can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce rolled more frequently, if you wish, to compensate for a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce reduction in key security. (Note: When using native PKCS#11,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce there is no speed advantage to using on-disk keys, as cryptographic
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce operations will be done by the HSM regardless.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Now you can sign the zone. (Note: If not using the -S
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce option to <span class="command"><strong>dnssec-signzone</strong></span>, it will be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce necessary to add the contents of both <code class="filename">K*.key</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce files to the zone master file before signing it.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceVerifying the zone using the following algorithms:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceNSEC3RSASHA1.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceZone signing complete:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceAlgorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.11"></a>Specifying the engine on the command line</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When using OpenSSL-based PKCS#11, the "engine" to be used by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce OpenSSL can be specified in <span class="command"><strong>named</strong></span> and all of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the BIND <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <engine>" command line option. If BIND 9 is built with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the --with-pkcs11 option, this option defaults to "pkcs11".
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specifying the engine will generally not be necessary unless
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for some reason you wish to use a different OpenSSL
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If you wish to disable use of the "pkcs11" engine —
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for troubleshooting purposes, or because the HSM is unavailable
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson — set the engine to the empty string. For example:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce without the --with-pkcs11 option.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When built with native PKCS#11 mode, the "engine" option has a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce different meaning: it specifies the path to the PKCS#11 provider
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce library. This may be useful when testing a new provider library.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.12.12"></a>Running named with automatic zone re-signing</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If you want <span class="command"><strong>named</strong></span> to dynamically re-sign zones
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce using HSM keys, and/or to sign new records inserted via nsupdate,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce this is accomplished by placing the PIN into the openssl.cnf file
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (in the above examples,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The location of the openssl.cnf file can be overridden by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce setting the OPENSSL_CONF environment variable before running
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce openssl_conf = openssl_def
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce [ openssl_def ]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce engines = engine_section
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce [ engine_section ]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce pkcs11 = pkcs11_section
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce [ pkcs11_section ]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This will also allow the dnssec-* tools to access the HSM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce without PIN entry. (The pkcs11-* tools access the HSM directly,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce not via OpenSSL, so a PIN will still be required to use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In native PKCS#11 mode, the PIN can be provided in a file specified
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce as an attribute of the key's label. For example, if a key had the label
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce then the PIN would be read from the file
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Placing the HSM's PIN in a text file in this manner may reduce the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce security advantage of using an HSM. Be sure this is what you want to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce do before configuring the system in this way.
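As an added illustration (not code from BIND), the Python below resolves a native-PKCS#11 label of the form shown above, reads the PIN from its pin-source file, and reports a PIN file that is readable by anyone other than its owner, which is the minimum check the warning above calls for. The label syntax follows the text's example; accepting a file:// prefix on pin-source and the constructed PIN file contents are assumptions.

```python
import os
import stat
import tempfile
from urllib.parse import unquote


def parse_pkcs11_label(label):
    """Split a native-PKCS#11 key label such as
    'pkcs11:object=local-zsk;pin-source=/etc/hsmpin' into its attributes.
    Attributes are ';'-separated key=value pairs after the 'pkcs11:' scheme;
    an optional '?...' query part with '&' separators (RFC 7512 style) is
    also accepted. Values are percent-decoded."""
    if not label.startswith("pkcs11:"):
        raise ValueError("label does not use the pkcs11: scheme: %r" % label)
    path_part, _, query_part = label[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep in ((path_part, ";"), (query_part, "&")):
        for item in part.split(sep):
            if not item:
                continue
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError("malformed attribute %r in %r" % (item, label))
            attrs[key] = unquote(value)
    return attrs


def load_pin(pin_source):
    """Read the first line of the pin-source file. Returns (pin, problems);
    problems lists reasons the file weakens the HSM more than it has to
    (anyone who can read it can use the key, so it should be owner-only)."""
    # Assumption: a file:// prefix (RFC 7512 form) is stripped; a bare path is used as-is.
    path = pin_source[len("file://"):] if pin_source.startswith("file://") else pin_source
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is accessible to group/other (mode %04o)" % (path, mode))
    with open(path) as fh:
        pin = fh.readline().rstrip("\r\n")
    if not pin:
        problems.append("%s is empty" % path)
    return pin, problems


def pin_for_label(label):
    """Resolve the PIN a label points at, or (None, [...]) when it has no pin-source."""
    attrs = parse_pkcs11_label(label)
    if "pin-source" not in attrs:
        return None, ["label %r carries no pin-source attribute" % label]
    return load_pin(attrs["pin-source"])


def demo():
    """Constructed scenario: the same PIN file first with owner-only
    permissions, then world-readable. Returns (strict_result, loose_result)."""
    workdir = tempfile.mkdtemp()
    pin_file = os.path.join(workdir, "hsmpin")
    with open(pin_file, "w") as fh:
        fh.write("1234\n")  # constructed PIN for the demo, not a real one
    label = "pkcs11:object=local-zsk;pin-source=%s" % pin_file
    os.chmod(pin_file, 0o600)
    strict = pin_for_label(label)
    os.chmod(pin_file, 0o644)
    loose = pin_for_label(label)
    return strict, loose


if __name__ == "__main__":
    print(demo())
```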
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone data to be retrieved directly from an external database. There is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce no required format or schema. DLZ drivers exist for several different
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce database backends including PostgreSQL, MySQL, and LDAP and can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce written for any other.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce binary and were turned on via a configure option at compile time (for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Currently, the drivers provided in the BIND 9 tarball in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">contrib/dlz/drivers</code> are still linked this
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson In BIND 9.8 and higher, it is possible to link some DLZ modules
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson generic wrapper around a shared object implementing the DLZ API. The
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson "dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson are no longer necessary when using these dynamically linkable drivers,
aeb8fffc841865c3336383eadfd9987332a03286Andreas Gustafsson but are still needed for the older drivers in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">contrib/dlz/drivers</code>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce conversion, and the lack of any internal caching, places significant
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce limits on the query performance of DLZ modules. Consequently, DLZ is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce not recommended for use on high-volume servers. However, it can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used in a hidden master configuration, with slaves retrieving zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce updates via AXFR. (Note, however, that DLZ has no built-in support for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DNS notify; slaves are not automatically informed of changes to the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zones in the database.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.5.13.6"></a>Configuring DLZ</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A DLZ database is configured with a <span class="command"><strong>dlz</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce statement in <code class="filename">named.conf</code>:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce dlz example {
7aa594f0223f427f1382d77ae89aa890e5d9ff03Andreas Gustafsson database "dlopen driver.so <code class="option">args</code>";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This specifies a DLZ module to search when answering queries; the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce module is implemented in <code class="filename">driver.so</code> and is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce loaded at runtime by the dlopen DLZ driver. Multiple
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dlz</strong></span> statements can be specified; when
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce answering a query, all DLZ modules with <code class="option">search</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce set to <code class="literal">yes</code> will be queried to find out if
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce they contain an answer for the query name; the best available
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce answer will be returned to the client.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The <code class="option">search</code> option in the above example can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce omitted, because <code class="literal">yes</code> is the default value.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If <code class="option">search</code> is set to <code class="literal">no</code>, then
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce match when a query is received. Instead, zones in this DLZ must be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce separately specified in a zone statement. This allows you to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce configure a zone normally using standard zone option semantics,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce but specify a different database back-end for storage of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone's data. For example, to implement NXDOMAIN redirection using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a DLZ module for back-end storage of redirection rules:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce database "dlopen driver.so <code class="option">args</code>";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type redirect;
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.13.7"></a>Sample DLZ Driver</h3></div></div></div>
For guidance in implementation of DLZ modules, the directory
<code class="filename">contrib/dlz/example</code> contains a basic
dynamically-linkable DLZ module, i.e., one which can be
loaded at runtime by the "dlopen" DLZ driver.
The example sets up a single zone, whose name is passed
to the module as an argument in the <span class="command"><strong>dlz</strong></span>
In the above example, the module is configured to create a zone
"example.nil", which can answer queries and AXFR requests, and
accept DDNS updates. At runtime, prior to any updates, the zone
contains an SOA, NS, and a single A record at the apex:
<pre class="programlisting">
example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
                                      123 900 600 86400 3600 )
example.nil. 1800 IN A 10.53.0.1
</pre>
The sample driver can retrieve information about the querying
client and alter its response on the basis of that information.
To demonstrate this feature, the example driver
responds to queries for "source-addr.<code class="option">zonename</code>/TXT"
with the source address of the query. Note, however, that this
record will *not* be included in AXFR or ANY responses. Normally,
this feature would be used to alter responses in some other fashion,
e.g., by providing different address records for a particular name
depending on the network from which the query arrived.
Documentation of the DLZ module API can be found in
<code class="filename">contrib/dlz/example/README</code>. This directory also
contains the header file <code class="filename">dlz_minimal.h</code>, which
defines the API and should be included by any dynamically-linkable
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dyndb-info"></a>DynDB (Dynamic Database)</h2></div></div></div>
DynDB is an extension to BIND 9 which, like DLZ
(see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
retrieved from an external database. Unlike DLZ, a DynDB module
provides a full-featured BIND zone database interface. Where
DLZ translates DNS queries into real-time database lookups,
resulting in relatively poor query performance, and is unable
to handle DNSSEC-signed data due to its limited API, a DynDB
module can pre-load an in-memory database from the external
data source, providing the same performance and functionality
as zones served natively by BIND.
A DynDB module supporting LDAP has been created by Red Hat
and is available from
<a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
A sample DynDB module for testing and developer guidance
is included with the BIND source code, in the directory
<code class="filename">bin/tests/system/dyndb/driver</code>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.14.5"></a>Configuring DynDB</h3></div></div></div>
A DynDB database is configured with a <span class="command"><strong>dyndb</strong></span>
statement in <code class="filename">named.conf</code>:
<pre class="programlisting">
dyndb example "driver.so" {
    <em class="replaceable"><code>parameters</code></em>
};
</pre>
The file <code class="filename">driver.so</code> is a DynDB module which
implements the full DNS database API. Multiple
<span class="command"><strong>dyndb</strong></span> statements can be specified, to load
different drivers or multiple instances of the same driver.
Zones provided by a DynDB module are added to the view's zone
table, and are treated as normal authoritative zones when BIND
is responding to queries. Zone configuration is handled internally
by the DynDB module.
The <em class="replaceable"><code>parameters</code></em> are passed as an opaque
string to the DynDB module's initialization routine. Configuration
syntax will differ depending on the driver.
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.14.6"></a>Sample DynDB Module</h3></div></div></div>
For guidance in implementation of DynDB modules, the directory
<code class="filename">bin/tests/system/dyndb/driver</code>
contains a basic DynDB module.
The example sets up two zones, whose names are passed
to the module as arguments in the <span class="command"><strong>dyndb</strong></span>
In the above example, the module is configured to create a zone
"example.nil", which can answer queries and AXFR requests, and
accept DDNS updates. At runtime, prior to any updates, the zone
contains an SOA, NS, and a single A record at the apex:
<pre class="programlisting">
example.nil. 86400 IN SOA example.nil. example.nil. (
                                      0 28800 7200 604800 86400 )
example.nil. 86400 IN A 127.0.0.1
</pre>
When the zone is updated dynamically, the DynDB module determines
whether the updated RR is an address (i.e., type A or AAAA) and, if
so, automatically updates the corresponding PTR record in a
reverse zone. (Updates are not stored permanently; all updates are
lost when the server is restarted.)
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6 name to address and address to name
lookups. It will also use IPv6 addresses to make queries when
running on an IPv6 capable system.
For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
only AAAA records. RFC 3363 deprecated the use of A6 records,
and client-side support for A6 records was accordingly removed
However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
load zone files containing A6 records correctly, answer queries
for A6 records, and accept zone transfer for a zone containing A6
For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
the traditional "nibble" format used in the
<span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
<span class="emphasis"><em>ip6.int</em></span> domain.
Older versions of <acronym class="acronym">BIND</acronym> 9
supported the "binary label" (also known as "bitstring") format,
but support of binary labels has been completely removed per
Many applications in <acronym class="acronym">BIND</acronym> 9 no longer
understand the binary label format at all, and will return an
error if one is given.
In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
name server will not load a zone file containing binary labels.
For an overview of the format and structure of IPv6 addresses,
see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.15.6"></a>Address Lookups Using AAAA Records</h3></div></div></div>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
IPv6 address in a single record. For example,
<pre class="programlisting">
host 3600 IN AAAA 2001:db8::1
</pre>
Use of IPv4-in-IPv6 mapped addresses is not recommended.
If a host has an IPv4 address, use an A record, not
a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
the address.
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.15.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
<code class="literal">ip6.arpa.</code> is appended to the
resulting name.
For example, the following would provide reverse name lookup for
a host with address
<pre class="programlisting">
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
</pre>
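As an added example (not code from the BIND source or the ARM), the following builds reverse-lookup owner names the way the nibble-format section describes, strips a reverse-zone $ORIGIN as in the PTR example above, and mirrors the PTR bookkeeping the sample DynDB module performs on an A or AAAA update, rejecting IPv4-mapped AAAA data as the AAAA section advises. All function names are assumptions of this example, and the inputs are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Added example, not BIND's own code: reverse-lookup owner names in the
# nibble format described above, plus the PTR bookkeeping the sample
# DynDB module performs when an A or AAAA record is updated.

def reverse_name(address: str) -> str:
    """Absolute owner name of the PTR record for `address`.

    IPv6: the 32 hex digits of the fully expanded address are reversed,
    joined with dots, and ip6.arpa. is appended (nibble format).
    IPv4: the four octets are reversed under in-addr.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        nibbles = ip.exploded.replace(":", "")  # exactly 32 hex digits
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."

def relative_owner(name: str, origin: str) -> str:
    """Owner as written in a zone file whose $ORIGIN is `origin`
    (both arguments absolute, i.e. ending in a dot)."""
    if not name.endswith("." + origin):
        raise ValueError(f"{name} is not under {origin}")
    return name[: -(len(origin) + 1)]

def is_ipv4_mapped(rdata: str) -> bool:
    """True for ::ffff:a.b.c.d, which should be published as an A record."""
    ip = ipaddress.ip_address(rdata)
    return ip.version == 6 and ip.ipv4_mapped is not None

def ptr_for_update(owner: str, rrtype: str,
                   rdata: str) -> Optional[Tuple[str, str]]:
    """(ptr_owner, ptr_target) to add to the reverse zone for an A/AAAA
    update; None for record types that need no PTR."""
    rrtype = rrtype.upper()
    if rrtype not in ("A", "AAAA"):
        return None
    if is_ipv4_mapped(rdata):
        raise ValueError(f"{owner}: publish an A record instead of AAAA {rdata}")
    if (rrtype == "A") != (ipaddress.ip_address(rdata).version == 4):
        raise ValueError(f"{owner}: {rdata} is not valid {rrtype} rdata")
    target = owner if owner.endswith(".") else owner + "."
    return reverse_name(rdata), target
```

Feeding the sample DynDB zone's apex record through `ptr_for_update("example.nil.", "A", "127.0.0.1")` yields the PTR owner `1.0.0.127.in-addr.arpa.` with target `example.nil.`, and `relative_owner` applied to `reverse_name("2001:db8::1")` with the ip6.arpa $ORIGIN used above reproduces the 16-nibble owner shown in the PTR example.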
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>