Bv9ARM.ch04.html revision 727f5b8846457a33d06f515a10a7e1aa849ddf18

BIND 9 Administrator Reference Manual

Chapter 4. Advanced DNS Features

Previous: Name Server Configuration
Next: The BIND 9 Lightweight Resolver

Table of Contents
Dynamic Update (Bv9ARM.ch04.html#dynamic_update)
Incremental Zone Transfers (IXFR) (Bv9ARM.ch04.html#incremental_zone_transfers)
Split DNS
IPv6 Support in BIND 9
4.1. Notify

NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In response to a NOTIFY from a master server, the slave will check to see that its version of the zone is the current version and, if not, initiate a zone transfer.

For more information about NOTIFY, see Section 6.2.14.1 (Bv9ARM.ch06.html#boolean_options) and the description of the zone option also-notify in Section 6.2.14.6 (Bv9ARM.ch06.html#zone_transfers). The NOTIFY protocol is specified in RFC 1996.
4.2. Dynamic Update

Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.

Dynamic update is enabled on a zone-by-zone basis, by including an allow-update or update-policy clause in the zone statement.

Updating of secure zones (zones using DNSSEC) follows RFC 3007: SIG and NXT records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.
4.2.1. The journal file

All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the server when the first dynamic update takes place. The name of the journal file is formed by appending a suffix to the name of the corresponding zone file. The journal file is in a binary format and should not be edited manually.

The server will also occasionally write ("dump") the complete contents of the updated zone to its zone file. This is not done immediately after each dynamic update, because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by up to 15 minutes, allowing additional updates to take place.

When a server is restarted after a shutdown or crash, it will replay the journal file to incorporate into the zone any updates that took place after the last zone dump.

Changes that result from incoming incremental zone transfers are also journalled in a similar way.

The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes; those are only in the journal file. The only way to ensure that the zone file of a dynamic zone is up to date is to stop the server, as described next.

If you have to make changes to a dynamic zone manually, the following procedure will work: Shut down the server using its control command (sending a signal is not sufficient). Wait for the server to exit, then remove the zone's journal file, edit the zone file, and restart the server. Removing the journal file is necessary because the manual edits will not be present in the journal, rendering it inconsistent with the contents of the zone file.
4.3. Incremental Zone Transfers (IXFR)

The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in an RFC listed under Proposed Standards (Bv9ARM.ch09.html#proposed_standards).

When acting as a master, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR. For manually maintained master zones, and for slave zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option ixfr-from-differences is enabled.

When acting as a slave, BIND 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the request-ixfr clause.
4.4. Split DNS

Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a Split DNS setup. There are several reasons an organization would want to set up its DNS this way.

One common reason for setting up a DNS system this way is to hide "internal" DNS information from "external" clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via email headers, for example) and most savvy "attackers" can find the information they need using other means.

Another common reason for setting up a Split DNS system is to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network.

Here is an example of a split DNS setup:

Let's say a company named Example, Inc. has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), or "outside" section of a network, that is available to the public.

Example, Inc. wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network.

In order to accomplish this, the company will set up two sets of name servers. One set will be on the inside network (in the reserved IP space) and the other set will be on bastion hosts, which are "proxy" hosts that can talk to both sides of its network, in the DMZ.

The internal servers will be configured to forward all queries, except queries for the company's own zones (site1.example.com, site2.example.com and the two internal-only zones), to the servers in the DMZ. These internal servers will have complete sets of information for those zones.

To protect the internal-only zones, the internal name servers must be configured to disallow all queries to these domains from any external hosts, including the bastion hosts.

The external servers, which are on the bastion hosts, will be configured to serve the "public" version of the site1.example.com and site2.example.com zones. This could include things such as the host records for public servers and mail exchange (MX) records.

In addition, the public site1.example.com and site2.example.com zones should have special MX records that contain wildcard (`*') records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts.

Here's an example of a wildcard MX record:

Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on the bastion hosts will need to be configured to point to the internal name servers for DNS resolution.

Queries for internal hostnames will be answered by the internal servers, and queries for external hostnames will be forwarded back out to the DNS servers on the bastion hosts.

In order for all this to work properly, internal clients will need to be configured to query only the internal name servers for DNS queries. This could also be enforced via selective filtering on the network.

If everything has been set properly, Example, Inc.'s internal clients will now be able to:

- Look up any hostnames in the site1.example.com and site2.example.com zones.
- Look up any hostnames in the two internal-only domains.
- Look up any hostnames on the Internet.
- Exchange mail with internal AND external people.

Hosts on the Internet will be able to:

- Look up any hostnames in the site1.example.com and site2.example.com zones.
- Exchange mail with anyone in the site1.example.com and site2.example.com zones.

Here is an example configuration for the setup we just described above. Note that this is only configuration information; for information on how to configure your zone files, see Section 3.1 (Bv9ARM.ch03.html#sample_configuration).
Internal DNS server config:

acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    forward only;
    forwarders {                           // forward to external servers
        bastion-ips-go-here;
    };
    allow-transfer { none; };              // sample allow-transfer (no one)
    allow-query { internals; externals; }; // restrict query access
    allow-recursion { internals; };        // restrict recursion
};

zone "site1.example.com" {                 // sample master zone
    type master;
    file "site1-zone-file-goes-here";
    forwarders { };                        // do normal iterative
                                           // resolution (do not forward)
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site2.example.com" {                 // sample slave zone
    type slave;
    file "site2-zone-file-goes-here";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "internal-only-zone-1-name-goes-here" { // sample internal-only master zone
    type master;
    file "internal-zone-1-file-goes-here";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "internal-only-zone-2-name-goes-here" { // sample internal-only slave zone
    type slave;
    file "internal-zone-2-file-goes-here";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
External (bastion host) DNS server config:

acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    allow-transfer { none; };                  // sample allow-transfer (no one)
    allow-query { internals; externals; };     // restrict query access
    allow-recursion { internals; externals; }; // restrict recursion
};

zone "site1.example.com" {                     // sample master zone
    type master;
    file "site1-public-zone-file-goes-here";
    allow-query { any; };
    allow-transfer { internals; externals; };
};

zone "site2.example.com" {                     // sample slave zone
    type slave;
    file "site2-public-zone-file-goes-here";
    masters { another_bastion_host_maybe; };
    allow-query { any; };
    allow-transfer { internals; externals; };
};
In the resolver configuration file (or equivalent) on the bastion host(s):

search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
4.5. TSIG

This is a short guide to setting up Transaction SIGnatures (TSIG) based transaction security in BIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction keys and using transaction signatures with BIND.

BIND primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages. Resolvers based on newer versions of BIND 8 have limited support for TSIG.

TSIG might be most useful for dynamic update. A primary server for a dynamic zone should use access control to control updates, but IP-based access control is insufficient. The cryptographic access control provided by TSIG is far superior. The dynamic update client program supports TSIG via its command line options.
4.5.1. Generate Shared Keys for Each Pair of Hosts

A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must be the same on both hosts.
4.5.1.1. Automatic Generation

The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; keys longer than that will be digested with MD5 to produce a 128 bit key.

dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.

The key is written to the file that this command generates. Nothing directly uses this file, but the base-64 encoded string following the key field can be extracted from the file and used as the shared secret.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.1.2. Manual Generation</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The shared secret is simply a random sequence of bits, encoded
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucein base-64. Most ASCII strings are valid base-64 strings (assuming
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe length is a multiple of 4 and only valid characters are used),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceso the shared secret can be manually generated. A string chosen by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehand carries far less entropy than its length suggests, so take the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebits from a good random source and only do the encoding by hand.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Also, a known string can be run through <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucea similar program to generate base-64 encoded data.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.2. Copying the Shared Secret to Both Machines</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This is beyond the scope of DNS. A secure transport mechanism
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceshould be used. This could be secure FTP, ssh, telephone, etc.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.3. Informing the Servers of the Key's Existence</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceboth servers. The following is added to each server's <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> key host1-host2. {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce algorithm hmac-md5;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The algorithm, hmac-md5, is the only one supported by <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThe secret is the one generated above. Since this is a secret, it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceis recommended that either <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> be non-world
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucereadable, or the key directive be added to a non-world readable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefile that is included by <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>At this point, the key is recognized. This means that if the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceserver receives a message signed by this key, it can verify the
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafssonsignature. If the signature is successfully verified, the
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafssonresponse is signed by the same key.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.4. Instructing the Server to Use the Key</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Since keys are shared between two hosts only, the server must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe told when keys are to be used. The following is added to the <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, if the IP address of <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> server 10.1.2.3 {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys { host1-host2. ;};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Multiple keys may be present, but only the first is used.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis directive does not contain any secrets, so it may be in a world-readable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
78d65c654251b02c41628914986723cbec93a7a1Andreas Gustafsson> sends a message that is a request
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto that address, the message will be signed with the specified key. <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceexpect any responses to signed messages to be signed with the same
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A similar statement must be present in <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceconfiguration file (with <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>'s address) for <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
78d65c654251b02c41628914986723cbec93a7a1Andreas Gustafssonsign request messages to <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.5. TSIG Key Based Access Control</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> allows IP addresses and ranges to be specified in ACL
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucedefinitions and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson>allow-{ query | transfer | update }</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis has been extended to allow TSIG keys also. The above key would
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe denoted <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>key host1-host2.</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>An example of an allow-update directive would be:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> allow-update { key host1-host2. ;};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This allows dynamic updates to succeed only if the request
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce was signed by a key named
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1-host2.</B
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>You may want to read about the more
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>update-policy</B
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce> statement in <A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceHREF="Bv9ARM.ch06.html#dynamic_update_policies"
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>Section 6.2.22.4</A
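The procedure in 4.5.1 through 4.5.5 as one script, added here as an example and not part of the BIND 9 distribution: it generates a secret of the requested size (what dnssec-keygen -a hmac-md5 does), checks a hand-made secret for well-formed base-64 and size, and writes out the key, server and allow-update statements each host needs. The key name and the address 10.1.2.3 for host2 come from the text; host1's address 10.1.2.4 and the keys file path /etc/named.tsig.keys are assumptions.

```python
import base64
import secrets

KEY_NAME = "host1-host2."                 # the key name chosen in the text
HOST2 = "10.1.2.3"                        # host2's address, from the text
HOST1 = "10.1.2.4"                        # assumed for host1; the text never gives it


def generate_secret(bits=128):
    """Fresh random secret, base-64 encoded, as `dnssec-keygen -a hmac-md5 -b <bits>` would emit."""
    if bits % 8 or not 8 <= bits <= 512:
        raise ValueError("TSIG key size must be a multiple of 8 and between 8 and 512 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def secret_bits(secret):
    """Size in bits of a (possibly hand-made) secret, or None if it is not well-formed base-64.
    Compare the result against 512: anything longer is hashed down to 128 bits by HMAC."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None
    return len(raw) * 8 or None


def key_statement(name, secret, algorithm="hmac-md5"):
    """The key statement both servers need. It holds the secret, so it belongs in a
    file that only named can read, pulled in with an include from named.conf."""
    return 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


def server_statement(peer, name):
    """The server statement: sign every request sent to `peer` with key `name`, and
    expect its replies to be signed with it. No secret here, so world-readable is fine."""
    return "server %s {\n\tkeys { %s ; };\n};\n" % (peer, name)


def allow_update_statement(name):
    """Zone-level ACL: accept dynamic updates only when signed with key `name`."""
    return "allow-update { key %s ; };" % name


def tsig_config(name, secret, host1, host2, keys_file="/etc/named.tsig.keys"):
    """Per host: (contents of the protected keys file, lines to add to named.conf).
    Each host's server statement names the *other* host's address."""
    shared = key_statement(name, secret)
    include = 'include "%s";\n' % keys_file
    return {host1: (shared, include + server_statement(host2, name)),
            host2: (shared, include + server_statement(host1, name))}


if __name__ == "__main__":
    secret = generate_secret(128)
    for host, (keys, conf) in tsig_config(KEY_NAME, secret, HOST1, HOST2).items():
        print("# %s: keys file (chmod 0640, owned by named)\n%s" % (host, keys))
        print("# %s: named.conf additions\n%s" % (host, conf))
    print(allow_update_statement(KEY_NAME))
```

The split between the two outputs is the point: the key statement is the only piece that carries the secret, so it is the only piece that needs restrictive permissions; the server and allow-update statements reference the key by name and can stay in named.conf.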
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.5.6. Errors</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The processing of TSIG signed messages can result in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce several errors. If a signed message is sent to a non-TSIG aware
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server, a FORMERR will be returned, since the server will not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce understand the record. This is a result of misconfiguration,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce since the server must be explicitly configured to send a TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed message to a specific server.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If a TSIG aware server receives a message signed by an
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce unknown key, the response will be unsigned with the TSIG
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce extended error code set to BADKEY. If a TSIG aware server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce receives a message with a signature that does not validate, the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce response will be unsigned with the TSIG extended error code set
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to BADSIG. If a TSIG aware server receives a message with a time
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce outside of the allowed range, the response will be signed with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the TSIG extended error code set to BADTIME, and the time values
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be adjusted so that the response can be successfully
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified. In any of these cases, the message's rcode is set to
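The decision logic of this section, written out as an added example (not BIND's own code): a client signs a request, the server looks the key up by name, checks the HMAC-MD5 MAC and then the time window, and answers BADKEY or BADSIG unsigned and BADTIME signed, with its own clock in the TSIG Other Data field so the client can still verify that error. The digest layout follows RFC 2845 (message, then key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data; responses also cover the request MAC). The secret, the two minimal DNS messages and the key name are constructed sample data; a real server would strip the TSIG RR off the wire message before digesting it.

```python
import hashlib
import hmac
import struct
import time

ALG = "hmac-md5.sig-alg.reg.int."          # the only TSIG algorithm BIND 9 supported here
NOERROR, NOTAUTH = 0, 9                     # DNS RCODEs
BADSIG, BADKEY, BADTIME = 16, 17, 18        # TSIG extended error codes (RFC 2845)


def wire_name(name):
    """Canonical wire form of a domain name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


# Constructed sample data: a 16-byte secret and two minimal DNS messages
# (12-byte header plus one question for host2.example. A).
SECRET = bytes(range(16))
KEYS = {"host1-host2.": SECRET}             # what the server's key statement declares
REQUEST = bytes.fromhex("123401000001000000000000") + wire_name("host2.example.") + struct.pack(">HH", 1, 1)
RESPONSE = bytes.fromhex("123481800001000000000000") + wire_name("host2.example.") + struct.pack(">HH", 1, 1)


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG variables the MAC covers (RFC 2845 section 3.4.2), in wire order."""
    return (wire_name(keyname) + struct.pack(">HI", 255, 0)       # class ANY, TTL 0
            + wire_name(ALG) + time_signed.to_bytes(6, "big")
            + struct.pack(">HHH", fudge, error, len(other)) + other)


def tsig_mac(secret, message, keyname, time_signed, fudge, error=0, other=b"", request_mac=b""):
    """HMAC-MD5 over [request MAC,] message, TSIG variables."""
    data = (struct.pack(">H", len(request_mac)) + request_mac) if request_mac else b""
    data += message + tsig_variables(keyname, time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.md5).digest()


def sign_request(secret, message, keyname, now, fudge=300):
    """Client side: the TSIG fields that travel with the request."""
    return {"keyname": keyname, "time_signed": now, "fudge": fudge, "error": 0, "other": b"",
            "mac": tsig_mac(secret, message, keyname, now, fudge)}


def verify_request(keys, message, tsig, now):
    """Server side. Returns (rcode, tsig_error, sign_the_response). Unknown key and bad
    signature get an unsigned NOTAUTH; a time outside the fudge window gets a signed one."""
    secret = keys.get(tsig["keyname"].lower())
    if secret is None:
        return NOTAUTH, BADKEY, False
    expected = tsig_mac(secret, message, tsig["keyname"], tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return NOTAUTH, BADSIG, False
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return NOTAUTH, BADTIME, True
    return NOERROR, 0, True


def sign_response(secret, response, request_tsig, now, tsig_error=0):
    """Server side. The response MAC also covers the request MAC. For BADTIME the
    client's Time Signed is kept and the server's clock goes in Other Data, so the
    client can verify the error without tripping over BADTIME itself."""
    other = now.to_bytes(6, "big") if tsig_error == BADTIME else b""
    mac = tsig_mac(secret, response, request_tsig["keyname"], request_tsig["time_signed"],
                   request_tsig["fudge"], tsig_error, other, request_mac=request_tsig["mac"])
    return {"keyname": request_tsig["keyname"], "time_signed": request_tsig["time_signed"],
            "fudge": request_tsig["fudge"], "error": tsig_error, "other": other, "mac": mac}


def verify_response(secret, response, tsig, request_mac):
    """Client side: accept only a response signed over the MAC we actually sent."""
    expected = tsig_mac(secret, response, tsig["keyname"], tsig["time_signed"], tsig["fudge"],
                        tsig["error"], tsig["other"], request_mac=request_mac)
    return hmac.compare_digest(expected, tsig["mac"])


if __name__ == "__main__":
    now = int(time.time())
    req = sign_request(SECRET, REQUEST, "host1-host2.", now)
    print("in time:", verify_request(KEYS, REQUEST, req, now + 5))
    print("an hour late:", verify_request(KEYS, REQUEST, req, now + 3600))
    print("unknown key:", verify_request({}, REQUEST, req, now))
```

Binding the response to the request MAC is what stops a captured signed answer from being replayed against a later query; the fudge window (300 seconds here, BIND's default at the time) is what bounds replay of the request itself, which is why clock skew between the two hosts shows up as BADTIME rather than as a silent failure.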
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a mechanism for automatically
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generating a shared secret between two hosts. There are several
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "modes" of <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> that specify how the key is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated or assigned. <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson implements only one of these modes,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the Diffie-Hellman key exchange. Both hosts are required to have
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a Diffie-Hellman KEY record (although this record is not required
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be present in a zone). The <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce must use signed messages, signed either by TSIG or SIG(0). The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce result of <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a shared secret that can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to sign messages with TSIG. <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used to delete shared secrets that it had previously
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> process is initiated by a client
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or server by sending a signed <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (including any appropriate KEYs) to a TKEY-aware server. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server response, if it indicates success, will contain a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> record and any appropriate keys. After
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce this exchange, both participants have enough information to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce determine the shared secret; the exact process depends on the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode. When using the Diffie-Hellman
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode, Diffie-Hellman keys are exchanged,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and the shared secret is derived by both participants.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.7. SIG(0)</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 partially supports DNSSEC SIG(0) transaction
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures as specified in RFC 2535. SIG(0) uses public/private
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys to authenticate messages. Access control is performed in the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce same manner as TSIG keys; privileges can be granted or denied
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce based on the key name.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When a SIG(0) signed message is received, it will only be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified if the key is known and trusted by the server; the server
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will not attempt to locate and/or validate the key.</P
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>SIG(0) signing of multiple-message TCP streams is not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 does not ship with any tools that generate SIG(0)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed messages.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceNAME="DNSSEC"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8. DNSSEC</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Cryptographic authentication of DNS information is possible
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce through the DNS Security (<I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>) extensions,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce defined in RFC 2535. This section describes the creation and use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of DNSSEC signed zones.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In order to set up a DNSSEC secure zone, there are a series
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of steps which must be followed. <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson with several tools
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that are used in this process, which are explained in more detail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce below. In all cases, the "<TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="option"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>" option prints a
027e89d47af308db4b41761ca9f847c026b63ec8Andreas Gustafsson full list of parameters. Note that the DNSSEC tools require the
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson keyset and signedkey files to be in the working directory, and
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson that the tools shipped with BIND 9.0.x are not fully compatible
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson with the current ones.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>There must also be communication with the administrators of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the parent and/or child zone to transmit keys and signatures. A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone's security status must be indicated by the parent zone for a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DNSSEC capable resolver to trust its data.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For other servers to trust data in this zone, they must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce either be statically configured with this zone's zone key or the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone key of another zone above this one in the DNS tree.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.1. Generating Keys</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generate keys.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A secure zone must contain one or more zone keys. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys will sign all other records in the zone, as well as
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone keys of any secure delegated zones. Zone keys must
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce have the same name as the zone, a name type of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, and must be usable for authentication.
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson It is recommended that zone keys use a cryptographic algorithm
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson designated as "mandatory to implement" by the IETF; currently
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson these are RSASHA1 and DSA.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command will generate a 768 bit DSA key for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Two output files will be produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 12345 is an example of a key tag). The key file names contain
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the key name (<TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>), algorithm (3
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The private key (in the <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.private</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures, and the public key (in the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file) is used for signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verification.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To generate another key with the same properties (but with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a different key tag), repeat the above command.</P
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>The public keys should be inserted into the zone file by
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson including the <TT
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas GustafssonCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
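The key tag in the file name is computed from the public key itself, so it can be checked. This added example (not one of the BIND tools) parses the KEY record that dnssec-keygen writes to the .key file, computes the tag with the RFC 2535 appendix C algorithm (with the RSAMD5 special case), and confirms that a K<name>+<alg>+<tag> file name matches its contents. The sample record is constructed: a 4-byte blob stands in for real DSA key material, and the resulting tag is whatever the arithmetic gives, not the 12345 used as a placeholder in the text.

```python
import base64
import struct


def key_tag(rdata, algorithm):
    """Key tag of a KEY/DNSKEY RDATA (RFC 2535 appendix C): the number in the file
    name and in the SIG records that reference the key. It is not a checksum;
    two keys can share a tag, which is why repeating the keygen command is fine."""
    if algorithm == 1:                      # RSAMD5: 16 bits out of the low 24 bits of the modulus
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):           # sum of big-endian 16-bit words, odd trailing byte padded
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_line(line):
    """Parse the record dnssec-keygen writes to the .key file:
    `name [ttl] [class] KEY flags protocol algorithm base64...`
    Returns (owner name, algorithm number, RDATA bytes)."""
    fields = line.split()
    i = fields.index("KEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], algorithm, struct.pack(">HBB", flags, protocol, algorithm) + public_key


def key_file_basename(name, algorithm, tag):
    """K<name>+<alg>+<tag>, the stem shared by the .key and .private files."""
    return "K%s+%03d+%05d" % (name, algorithm, tag)


def check_key_file(basename, line):
    """True if a key file's name agrees with the tag computed from its contents, so a
    renamed or mismatched file is caught before it is handed to the signing tools."""
    name, algorithm, rdata = parse_key_line(line)
    return basename == key_file_basename(name, algorithm, key_tag(rdata, algorithm))


if __name__ == "__main__":
    sample = "child.example. IN KEY 256 3 3 AQIDBA=="     # constructed; not a real DSA key
    name, algorithm, rdata = parse_key_line(sample)
    print(key_file_basename(name, algorithm, key_tag(rdata, algorithm)))
    print(check_key_file("Kchild.example.+003+12345", sample))
```

Flags 256 are the zone-key bit, protocol 3 is DNSSEC and algorithm 3 is DSA, matching the command in the text; the same three fields are what the signing tools use to find a key file from a SIG record, so a tag mismatch is the first thing to look for when dnssec-signzone cannot find a key it was told about.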
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.2. Creating a Keyset</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-makekeyset</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to create a key set from one or more keys.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Once the zone keys have been generated, a key set must be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce built for transmission to the administrator of the parent zone,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce so that the parent zone can sign the keys with its own zone key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and correctly indicate the security status of this zone. When
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce building a key set, the list of keys to be included and the TTL
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of the set must be specified, and the desired signature validity
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce period of the parent's signature may also be specified.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The list of keys to be inserted into the key set may also
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce include non-zone keys present at the top of the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-makekeyset</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> may also be used at other
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce names in the zone.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command generates a key set containing the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce above key and another key similarly generated, with a TTL of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 3600 and a signature validity period of 10 days starting from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. This file should be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transmitted to the parent to be signed. It includes the keys,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce as well as signatures over the key set generated by the zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys themselves, which are used to prove ownership of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce private keys and encode the desired validity period.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.3. Signing the Child's Keyset</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signkey</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sign one child's keyset.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zone has any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce delegations which are secure, for example,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> administrator should receive
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keyset files for each secure subzone. These keys must be signed
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by this zone's zone keys.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command signs the child's key set with the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be both transmitted back to the child and retained. It
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce includes all keys (the child's keys) from the keyset file and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures generated by this zone's zone keys.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.4. Signing the Zone</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signzone</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sign a zone.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>signedkey</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> files corresponding to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce secure subzones should be present, as well as a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>signedkey</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file for this zone generated by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the parent (if there is one). The zone signer will generate
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> records for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone, as well as incorporate the zone key signature from the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce parent and indicate the security status at all delegation
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command signs the zone, assuming it is in a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file called <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default, all zone keys which have an available private key are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="userinput"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signzone -o child.example zone.child.example</B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be referenced by <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce input file for the zone.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.8.5. Configuring Servers</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson> 9 does not verify signatures on load,
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonso zone keys for authoritative zones do not need to be specified
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonin the configuration file.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The public key for any security root must be present in
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonthe configuration file's <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>trusted-keys</B
ff5760e233f6ab75e33783b6dd48f961ce04d933Andreas Gustafssonstatement, as described later in this document. </P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect1"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9. IPv6 Support in <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 fully supports all currently defined forms of IPv6
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name to address and address to name lookups. It will also use
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce IPv6 addresses to make queries when running on an IPv6 capable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For forward lookups, <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 supports both A6 and AAAA
ea91cb523112b44b4d2799ac7eb5e878721f2a59Eric Luce records. The use of AAAA records is deprecated, but it is still
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce useful for hosts to have both AAAA and A6 records to maintain
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce backward compatibility with installations where AAAA records are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce still used. In fact, the stub resolvers currently shipped with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce most operating systems support only AAAA lookups, because following
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A6 chains is much harder than doing A or AAAA lookups.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For IPv6 reverse lookups, <SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 supports the new
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson "binary label" (also known as "bitstring")
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson format used in the <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce domain, as well as the older, deprecated "nibble" format used in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 includes a new lightweight resolver library and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce resolver daemon which new applications may choose to use to avoid
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson the complexities of A6 chain following and binary labels, see <A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Chapter 5</A
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>. Alternatively, applications can link with a stub
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson resolver that supports A and AAAA records only and rely on the server to
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson synthesize AAAA records from A6 chains (<A
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>Section 6.2.14.13</A
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson>For an overview of the format and structure of IPv6 addresses,
035cd7b5bd983b3845da08680ac311c754809403Andreas GustafssonHREF="Bv9ARM.ch09.html#ipv6addresses"
035cd7b5bd983b3845da08680ac311c754809403Andreas Gustafsson>Section A.3.1</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.1. Address Lookups Using AAAA Records</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The AAAA record is a parallel to the IPv4 A record. It
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifies the entire address in a single record. For
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonhost 3600 IN AAAA 3ffe:8050:201:1860:42::1
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>While their use is deprecated, they are useful to support
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce older IPv6 applications. They should not be added where they
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are not absolutely necessary.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.2. Address Lookups Using A6 Records</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The A6 record is more flexible than the AAAA record, and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is therefore more complicated. The A6 record can be used to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce form a chain of A6 records, each specifying part of the IPv6
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce address. It can also be used to specify the entire address in a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce single record. For example, this record supplies the same data as the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce AAAA record in the previous example:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonhost 3600 IN A6 0 3ffe:8050:201:1860:42::1
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.2.1. A6 Chains</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A6 records are designed to allow network
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce renumbering. This works when an A6 record only specifies the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce part of the address space the domain owner controls. For
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce example, a host may be at a company named "company." It has
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce two ISPs which provide IPv6 address space for it. These two
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ISPs fully specify the IPv6 prefix they supply.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In the company's address space:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonhost 3600 IN A6 64 0:0:0:0:42::1 company.example1.net.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonhost 3600 IN A6 64 0:0:0:0:42::1 company.example2.net.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ISP1 will use:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssoncompany 3600 IN A6 0 3ffe:8050:201:1860::
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ISP2 will use:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssoncompany 3600 IN A6 0 1234:5678:90ab:fffa::
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is looked up,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the resolver (in the resolver daemon or caching name server)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will find two partial A6 records, and will use the additional
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name to find the remainder of the data.</P
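The chain following described above, worked through in code for both the two-ISP chain in this section and the three-level chain in section 4.9.5. This is an added example, not code from the ARM or from BIND. The record sets are constructed to mirror the zone listings; the owner names for the ISP-side `company` records (company.example1.net. and so on) are taken from the prefix names in the host records; the MAX_DEPTH and MAX_RECORDS limits and the looping attacker.example records are editor's additions, not anything the ARM specifies. A6 records and this chain following were later moved to Experimental by RFC 3363 and A6 to Historic by RFC 6563, and AAAA is the current standard, so this is for understanding legacy data rather than for deployment.

```python
"""A6 chain assembly (RFC 2874) as a resolver would perform it.

Each A6 record carries a prefix length P, the low 128-P bits of the
address, and, when P > 0, the name whose own A6 records supply the
high P bits.  A name with several A6 records yields several addresses.
"""
import ipaddress

MASK128 = (1 << 128) - 1

# Constructed records mirroring ARM sections 4.9.2.1 and 4.9.5; not real zones.
# owner -> list of (prefix_len, address_suffix, prefix_name or None)
A6_RECORDS = {
    "host.company.example.": [
        (64, "0:0:0:0:42::1", "company.example1.net."),
        (64, "0:0:0:0:42::1", "company.example2.net."),
    ],
    "company.example1.net.": [(0, "3ffe:8050:201:1860::", None)],
    "company.example2.net.": [(0, "1234:5678:90ab:fffa::", None)],
    "host.example.com.": [
        (64, "::1234:5678:1212:5675", "cust1.example.net."),
        (64, "::1234:5678:1212:5675", "subnet5.example2.net."),
    ],
    "cust1.example.net.": [(48, "0:0:0:dddd::", "ipv6net.example.net.")],
    "ipv6net.example.net.": [(0, "aa:bb:cccc::", None)],
    "subnet5.example2.net.": [(48, "0:0:0:1::", "ipv6net2.example2.net.")],
    "ipv6net2.example2.net.": [(0, "6666:5555:4::", None)],
}

# Constructed hostile data (editor's addition): two partial records that
# point at each other, so naive chain following never terminates.
LOOP_RECORDS = {
    "a.attacker.example.": [(64, "::1", "b.attacker.example.")],
    "b.attacker.example.": [(64, "::1", "a.attacker.example.")],
}

MAX_DEPTH = 8     # longest chain we are willing to follow (editor's choice)
MAX_RECORDS = 32  # total A6 records fetched for one lookup (editor's choice)


class A6ChainError(ValueError):
    """Raised when a chain loops, is too deep, or fans out too widely."""


def _resolve(name, records, depth, seen, budget):
    if depth > MAX_DEPTH:
        raise A6ChainError(f"chain deeper than {MAX_DEPTH} at {name}")
    if name in seen:
        raise A6ChainError(f"A6 chain loops at {name}")
    rrset = records.get(name, [])
    budget[0] -= len(rrset)
    if budget[0] < 0:
        raise A6ChainError(f"more than {MAX_RECORDS} A6 records for one lookup")
    out = set()
    for plen, suffix, pname in rrset:
        low_mask = (1 << (128 - plen)) - 1
        low = int(ipaddress.IPv6Address(suffix)) & low_mask
        if plen == 0:               # complete address, end of this chain
            out.add(low)
            continue
        # Every address the prefix name resolves to supplies the high P bits.
        for prefix in _resolve(pname, records, depth + 1, seen | {name}, budget):
            out.add((prefix & ~low_mask & MASK128) | low)
    return out


def resolve_a6(name, records=A6_RECORDS):
    """Return every complete address for name, as compressed strings."""
    ints = _resolve(name, records, 0, frozenset(), [MAX_RECORDS])
    return sorted(str(ipaddress.IPv6Address(v)) for v in ints)


def resolve_a6_safe(name, records=A6_RECORDS):
    """Like resolve_a6, but return ([], reason) instead of raising."""
    try:
        return resolve_a6(name, records), None
    except A6ChainError as exc:
        return [], str(exc)


if __name__ == "__main__":
    for owner in ("host.company.example.", "host.example.com."):
        print(owner, resolve_a6(owner))
    print("loop:", resolve_a6_safe("a.attacker.example.", LOOP_RECORDS))
```

The depth and record budget are the point of the exercise: every partial A6 record multiplies the work, two records at each of several levels fan out into many prefix lookups, and data under an attacker's control can make the chain loop, so a resolver following A6 chains has to bound both depth and total records fetched before returning any answer.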
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect3"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.2.2. A6 Records for DNS Servers</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When an A6 record specifies the address of a name
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server, it should use the full address rather than specifying
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a partial address. For example:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson@ 14400 IN NS ns0
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson 14400 IN NS ns1
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonns0 14400 IN A6 0 3ffe:8050:201:1860:42::1
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonns1 14400 IN A 192.168.42.1
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>It is recommended that IPv4-in-IPv6 mapped addresses not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used. If a host has an IPv4 address, use an A record, not
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce an A6, with <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>::ffff:192.168.42.1</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.3. Address to Name Lookups Using Nibble Format</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>While the use of nibble format to look up names is
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson deprecated, it is supported for backwards compatibility with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce existing IPv6 applications.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When looking up an address in nibble format, the address
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce components are simply reversed, just as in IPv4, and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is appended to the resulting name.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For example, the following would provide reverse name lookup for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a host with address
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>3ffe:8050:201:1860:42::1</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.int.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.4. Address to Name Lookups Using Binary Label Format</A
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>Binary labels can start and end on any bit boundary,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce rather than on a multiple of 4 bits as in the nibble
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce format. They also use <I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> rather than
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>To replicate the previous example using binary labels:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson\[x0042000000000001/64] 14400 IN PTR host.example.com.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="sect2"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>4.9.5. Using DNAME for Delegation of IPv6 Reverse Addresses</A
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>In IPv6, the same host may have many addresses from many
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce network providers. Since the trailing portion of the address
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce usually remains constant, <B
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="command"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce reduce the number of zone files used for reverse mapping that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce need to be maintained.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For example, consider a host which has two providers
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce therefore two IPv6 addresses. Since the host chooses its own 64
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce bit host address portion, the provider address is the only part
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that changes:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonhost IN A6 64 ::1234:5678:1212:5675 cust1.example.net.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson IN A6 64 ::1234:5678:1212:5675 subnet5.example2.net.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssoncust1 IN A6 48 0:0:0:dddd:: ipv6net.example.net.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonipv6net IN A6 0 aa:bb:cccc::
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonsubnet5 IN A6 48 0:0:0:1:: ipv6net2.example2.net.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafssonipv6net2 IN A6 0 6666:5555:4::
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This sets up forward lookups. To handle the reverse lookups,
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafssonthe provider <TT
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucewould have:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson\[xdddd/16] IN DNAME ipv6-rev.example.com.
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> would have:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson\[x0001/16] IN DNAME ipv6-rev.example.com.
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas GustafssonCLASS="literal"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce needs only one zone file to handle both of these reverse
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce mappings:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="programlisting"
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson\[x1234567812125675/64] IN PTR host.example.com.
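An added example, not part of the ARM or of BIND, that generates the reverse-mapping names used in sections 4.9.3, 4.9.4 and 4.9.5: the nibble name split at a /64 into the $ORIGIN and owner of the zone-file listing, RFC 2673 binary labels such as \[x0042000000000001/64], and the DNAME rewrite that sends both providers' reverse trees to the one PTR zone. The provider zone apexes (\[x00aa00bbcccc/48].ip6.arpa. and \[x666655550004/48].ip6.arpa.) and ipv6-rev.example.com. as the $ORIGIN of the final PTR record are assumptions, since the ARM shows only the records inside those zones. Binary labels and ip6.int were later deprecated (RFC 3363 and RFC 4159); nibble format under ip6.arpa is what current resolvers use.

```python
"""Reverse-mapping names for IPv6 in nibble and binary-label format,
plus the DNAME rewrite that lets one PTR zone serve several prefixes.
"""
import ipaddress


def _hex32(addr: str) -> str:
    """The 32 hex digits of the fully expanded address."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def nibble_reverse_name(addr: str, suffix: str = "ip6.int.") -> str:
    """Nibble format: each hex digit is a label, in reverse order.
    The ARM uses ip6.int.; RFC 4159 later moved this to ip6.arpa."""
    return ".".join(reversed(_hex32(addr))) + "." + suffix


def nibble_zone_split(addr: str, prefix_len: int, suffix: str = "ip6.int."):
    """Split the nibble name at a prefix boundary into ($ORIGIN, owner),
    as the ARM's zone-file listing does for a /64."""
    if prefix_len % 4:
        raise ValueError("nibble format can only delegate on 4-bit boundaries")
    digits = _hex32(addr)
    n = prefix_len // 4
    origin = ".".join(reversed(digits[:n])) + "." + suffix
    owner = ".".join(reversed(digits[n:]))
    return origin, owner


def bitstring_label(addr: str, start: int, length: int) -> str:
    """RFC 2673 binary label for address bits [start, start+length).
    Bits 64..127 of 3ffe:8050:201:1860:42::1 give \\[x0042000000000001/64].
    Unlike nibble format, start and length may be any bit count."""
    bits = format(int(ipaddress.IPv6Address(addr)), "0128b")[start:start + length]
    padded = bits + "0" * (-length % 4)   # RFC 2673 pads the last hex digit with 0 bits
    return "\\[x%0*x/%d]" % (len(padded) // 4, int(padded, 2), length)


def bitstring_reverse_name(addr: str, cuts, suffix: str = "ip6.arpa.") -> str:
    """Reverse name with one binary label per delegation segment.
    cuts=(48, 64) yields labels for bits 64..127, 48..63 and 0..47."""
    bounds = [0, *cuts, 128]
    labels = [bitstring_label(addr, lo, hi - lo) for lo, hi in zip(bounds, bounds[1:])]
    return ".".join(reversed(labels)) + "." + suffix


def dname_rewrite(qname: str, dname_owner: str, target: str) -> str:
    """Apply a DNAME: a name strictly below dname_owner has that suffix
    replaced by target; the owner itself and unrelated names are untouched."""
    if qname == dname_owner or not qname.endswith("." + dname_owner):
        return qname
    return qname[: -len(dname_owner)] + target


# Assumed names (not in the ARM): the providers' /48 reverse zones live
# directly under ip6.arpa., and the shared PTR zone is ipv6-rev.example.com.
PTR_ZONE = "ipv6-rev.example.com."


def reverse_query_after_dname(addr: str) -> str:
    """Build the PTR query name for addr in the provider's tree and apply
    the provider's DNAME at the /48+16 boundary, as in ARM section 4.9.5."""
    qname = bitstring_reverse_name(addr, (48, 64))
    zone_apex = bitstring_label(addr, 0, 48) + ".ip6.arpa."       # assumed apex
    dname_owner = bitstring_label(addr, 48, 16) + "." + zone_apex  # \[xdddd/16] etc.
    return dname_rewrite(qname, dname_owner, PTR_ZONE)


if __name__ == "__main__":
    print(nibble_zone_split("3ffe:8050:201:1860:42::1", 64))
    for a in ("aa:bb:cccc:dddd:1234:5678:1212:5675", "6666:5555:4:1:1234:5678:1212:5675"):
        print(bitstring_reverse_name(a, (48, 64)), "->", reverse_query_after_dname(a))
```

Both provider addresses rewrite to the same name, \[x1234567812125675/64].ipv6-rev.example.com., which is exactly the owner of the single PTR record above once $ORIGIN is ipv6-rev.example.com.; that is why only one reverse zone file has to be maintained. The nibble split shows the cost of the older format: delegation is only possible on 4-bit boundaries, whereas a binary label can cut at the exact prefix length a provider assigned.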
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="NAVFOOTER"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCELLPADDING="0"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCELLSPACING="0"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="center"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="right"
727f5b8846457a33d06f515a10a7e1aa849ddf18Andreas Gustafsson>Name Server Configuration</TD
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="center"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="right"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="acronym"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 Lightweight Resolver</TD