f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<HTML

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><HEAD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TITLE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Advanced Concepts</TITLE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><META

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson"><LINK

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceHREF="Bv9ARM.html"><LINK

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceHREF="Bv9ARM.ch03.html"><LINK

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceHREF="Bv9ARM.ch05.html"></HEAD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><BODY

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TABLE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TR

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TH

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>BIND 9 Administrator Reference Manual</TH

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TR

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TR

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Prev</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Next</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TD

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TR

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TABLE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><HR

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceWIDTH="100%"></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Chapter 4. Advanced Concepts</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DL

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Table of Contents</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.1. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Dynamic Update</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.2. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Incremental Zone Transfers (IXFR)</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.3. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Split DNS</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TSIG</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.5. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.6. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>SIG(0)</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>DNSSEC</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8. <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>IPv6 Support in <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DL

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.1. Dynamic Update</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Dynamic update is the term used for the ability under

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce certain specified conditions to add, modify or delete records or

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce RRsets in the master zone files. Dynamic update is fully described

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in RFC 2136.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Dynamic update is enabled on a zone-by-zone basis, by

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce including an <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>allow-update</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> or

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>update-policy</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> clause in the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>zone</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> statement.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Updating of secure zones (zones using DNSSEC) follows

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce RFC 3007: SIG and NXT records affected by updates are automatically

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce regenerated by the server using an online zone key.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Update authorization is based

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce on transaction signatures and an explicit server policy.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.1.1. The journal file</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>All changes made to a zone using dynamic update are stored in the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone's journal file. This file is automatically created by the

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson server when when the first dynamic update takes place. The name of

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the journal file is formed by appending the

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson extension <TT

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>.jnl</TT

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson> to the

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson name of the corresponding zone file. The journal file is in a

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson binary format and should not be edited manually.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The server will also occasionally write ("dump")

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the complete contents of the updated zone to its zone file.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This is not done immediately after

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson each dynamic update, because that would be too slow when a large

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson zone is updated frequently. Instead, the dump is delayed by 15

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson minutes, allowing additional updates to take place.</P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson><P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>When a server is restarted after a shutdown or crash, it will replay

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson the journal file to incorporate into the zone any updates that took

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson place after the last zone dump.</P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson><P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>Changes that result from incoming incremental zone transfers are also

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson journalled in a similar way.</P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson><P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>The zone files of dynamic zones cannot normally be edited by

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson hand because they are not guaranteed to contain the most recent

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson dynamic changes - those are only in the journal file.

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson The only way to ensure that the zone file of a dynamic zone

21163ca842b7969eade26710b4eae72ab0a99c0cAndreas Gustafsson is up to date is to run <B

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>rndc stop</B

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>.</P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson><P

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>If you have to make changes to a dynamic zone

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson manually, the following procedure will work: Shut down

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson the server using <B

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson>rndc stop</B

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson> (sending a signal

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson or using <B

21163ca842b7969eade26710b4eae72ab0a99c0cAndreas Gustafsson>rndc halt</B

eadfcf9cf79376eaae5e3010882ba4f41a7c9b89Andreas Gustafsson> is <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>not</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sufficient). Wait for the server to exit,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce then <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>remove</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> the zone's

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.jnl</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file, edit the zone file,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and restart the server. Removing the <TT

fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce>.jnl</TT

fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce>

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson file is necessary because the manual edits will not be

fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce present in the journal, rendering it inconsistent with the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce contents of the zone file.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.2. Incremental Zone Transfers (IXFR)</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The incremental zone transfer (IXFR) protocol is a way for

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce slave servers to transfer only changed data, instead of having to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transfer the entire zone. The IXFR protocol is documented in RFC

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 1995. See <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Proposed Standards</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When acting as a master, <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 supports IXFR for those zones

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucewhere the necessary change history information is available. These

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceinclude master zones maintained by dynamic update and slave zones

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucewhose data was obtained by IXFR, but not manually maintained master

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezones nor slave zones obtained by performing a full zone transfer

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce(AXFR).</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>When acting as a slave, <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 will attempt to use IXFR unless

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceit is explicitly disabled. For more information about disabling

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceIXFR, see the description of the <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>request-ixfr</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> clause

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceof the <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>server</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> statement.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.3. Split DNS</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Setting up different views, or visibility, of DNS space to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceinternal and external resolvers is usually referred to as a <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Split

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceDNS</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> setup. There are several reasons an organization

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucewould want to set up its DNS this way.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One common reason for setting up a DNS system this way is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto hide "internal" DNS information from "external" clients on the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceInternet. There is some debate as to whether or not this is actually useful.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceInternal DNS information leaks out in many ways (via email headers,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefor example) and most savvy "attackers" can find the information

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethey need using other means.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Another common reason for setting up a Split DNS system is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto allow internal networks that are behind filters or in RFC 1918

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucespace (reserved IP space, as documented in RFC 1918) to resolve DNS

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceon the Internet. Split DNS can also be used to allow mail from outside

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceback in to the internal network.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Here is an example of a split DNS setup:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Let's say a company named <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Example, Inc.</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> (example.com)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehas several corporate sites that have an internal network with reserved

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceInternet Protocol (IP) space and an external demilitarized zone (DMZ),

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceor "outside" section of a network, that is available to the public.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Example, Inc.</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> wants its internal clients

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto be able to resolve external hostnames and to exchange mail with

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucepeople on the outside. The company also wants its internal resolvers

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto have access to certain internal-only zones that are not available

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceat all outside of the internal network.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In order to accomplish this, the company will set up two sets

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceof nameservers. One set will be on the inside network (in the reserved

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceIP space) and the other set will be on bastion hosts, which are "proxy"

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehosts that can talk to both sides of its network, in the DMZ.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The internal servers will be configured to forward all queries,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceexcept queries for <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceand <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, to the servers in the

56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael SawyerDMZ. These internal servers will have complete sets of information

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefor <TT

56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer>site1.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>,<I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> </I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceand <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To protect the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> domains,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe internal nameservers must be configured to disallow all queries

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto these domains from any external hosts, including the bastion

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehosts.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The external servers, which are on the bastion hosts, will

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe configured to serve the "public" version of the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis could include things such as the host records for public servers

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce(<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>www.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ftp.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>),

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceand mail exchange (MX) records (<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>a.mx.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>b.mx.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>).</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In addition, the public <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceshould have special MX records that contain wildcard (`*') records

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucepointing to the bastion hosts. This is needed because external mail

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceservers do not have any other way of looking up how to deliver mail

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto those internal hosts. With the wildcard records, the mail will

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe delivered to the bastion host, which can then forward it on to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceinternal hosts.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Here's an example of a wildcard MX record:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>* IN MX 10 external1.example.com.</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Now that they accept mail on behalf of anything in the internal

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenetwork, the bastion hosts will need to know how to deliver mail

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto internal hosts. In order for this to work properly, the resolvers on

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe bastion hosts will need to be configured to point to the internal

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameservers for DNS resolution.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Queries for internal hostnames will be answered by the internal

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceservers, and queries for external hostnames will be forwarded back

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceout to the DNS servers on the bastion hosts.</P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>In order for all this to work properly, internal clients will

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafssonneed to be configured to query <I

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>only</I

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson> the internal

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafssonnameservers for DNS queries. This could also be enforced via selective

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefiltering on the network.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If everything has been set properly, <I

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>Example, Inc.</I

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>'s

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafssoninternal clients will now be able to:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><UL

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Look up any hostnames in the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Look up any hostnames in the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1.internal</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<TT

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>site2.internal</TT

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson> domains.</P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><LI

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>Look up any hostnames on the Internet.</P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></LI

56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer><LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Exchange mail with internal AND external people.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></LI

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></UL

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>Hosts on the Internet will be able to:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><UL

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Look up any hostnames in the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><LI

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Exchange mail with anyone in the <TT

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>site1</TT

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce> and

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></LI

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce></UL

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Here is an example configuration for the setup we just

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce described above. Note that this is only configuration information;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for information on how to configure your zone files, see <A

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>Section 3.1</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>Internal DNS server config:</P

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce><PRE

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>&#13;

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luceacl internals { 172.16.72.0/24; 192.168.1.0/24; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl externals { <TT

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>bastion-ips-go-here</TT

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceoptions {

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce ...

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forward only;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { // forward to external servers

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>bastion-ips-go-here</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { none; }; // sample allow-transfer (no one)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; }; // restrict query access

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-recursion { internals; }; // restrict recursion

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site1.example.com" { // sample slave zone

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file "m/site1.example.com";

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { }; // do normal iterative

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce // resolution (do not forward)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; };

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce allow-transfer { internals; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.example.com" {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type slave;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file "s/site2.example.com";

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce masters { 172.16.72.3; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site1.internal" {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce file "m/site1.internal";

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce forwarders { };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; };

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce allow-transfer { internals; }

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.internal" {

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce type slave;

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce file "s/site2.internal";

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce masters { 172.16.72.3; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce forwarders { };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; }

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce};

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>External (bastion host) DNS server config:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;acl internals { 172.16.72.0/24; 192.168.1.0/24; };

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl externals { bastion-ips-go-here; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceoptions {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { none; }; // sample allow-transfer (no one)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; }; // restrict query access

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-recursion { internals; externals; }; // restrict recursion

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site1.example.com" { // sample slave zone

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type master;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file "m/site1.foo.com";

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { any; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; externals; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "site2.example.com" {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce type slave;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file "s/site2.foo.com";

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce masters { another_bastion_host_maybe; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { any; };

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { internals; externals; }

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>resolv.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> (or equivalent) on

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe bastion host(s):</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;search ...

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucenameserver 172.16.72.4

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4. TSIG</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This is a short guide to setting up Transaction SIGnatures

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce(TSIG) based transaction security in <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. It describes changes

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto the configuration file as well as what changes are required for

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucedifferent features, including the process of creating transaction

fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Lucekeys and using transaction signatures with <SPAN

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>BIND</SPAN

fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> primarily supports TSIG for server to server communication.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis includes zone transfer, notify, and recursive query messages.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceResolvers based on newer versions of <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 8 have limited support

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefor TSIG.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TSIG might be most useful for dynamic update. A primary

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server for a dynamic zone should use access control to control

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce updates, but IP-based access control is insufficient. Key-based

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce access control is far superior, see <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Proposed Standards</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>nsupdate</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce program supports TSIG via the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>-k</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>-y</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> command line options.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.1. Generate Shared Keys for Each Pair of Hosts</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A shared secret is generated to be shared between <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host2</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceAn arbitrary key name is chosen: "host1-host2.". The key name must

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe the same on both hosts.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.1.1. Automatic Generation</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command will generate a 128 bit (16 byte) HMAC-MD5

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucekey as described above. Longer keys are better, but shorter keys

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceare easier to read. Note that the maximum key length is 512 bits;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucekeys longer than that will be digested with MD5 to produce a 128

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebit key.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The key is in the file <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Khost1-host2.+157+00000.private</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceNothing directly uses this file, but the base-64 encoded string

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefollowing "<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Key:</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>"

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucecan be extracted from the file and used as a shared secret:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Key: La/E5CjG9O+os1jq0a2jdA==</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The string "<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>La/E5CjG9O+os1jq0a2jdA==</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>" can

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe used as the shared secret.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.1.2. Manual Generation</A

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson></H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The shared secret is simply a random sequence of bits, encoded

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucein base-64. Most ASCII strings are valid base-64 strings (assuming

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe length is a multiple of 4 and only valid characters are used),

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceso the shared secret can be manually generated.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Also, a known string can be run through <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>mmencode</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> or

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucea similar program to generate base-64 encoded data.</P

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.2. Copying the Shared Secret to Both Machines</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This is beyond the scope of DNS. A secure transport mechanism

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceshould be used. This could be secure FTP, ssh, telephone, etc.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.3. Informing the Servers of the Key's Existence</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Imagine <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host 2</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> are

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceboth servers. The following is added to each server's <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>named.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;key host1-host2. {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce algorithm hmac-md5;

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce secret "La/E5CjG9O+os1jq0a2jdA==";

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The algorithm, hmac-md5, is the only one supported by <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThe secret is the one generated above. Since this is a secret, it

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceis recommended that either <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>named.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> be non-world

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucereadable, or the key directive be added to a non-world readable

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefile that is included by <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>named.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>At this point, the key is recognized. This means that if the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceserver receives a message signed by this key, it can verify the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucesignature. If the signature succeeds, the response is signed by

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe same key.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.4. Instructing the Server to Use the Key</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Since keys are shared between two hosts only, the server must

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe told when keys are to be used. The following is added to the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>named.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefor <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

78d65c654251b02c41628914986723cbec93a7a1Andreas Gustafsson>, if the IP address of <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host2</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce10.1.2.3:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;server 10.1.2.3 {

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys { host1-host2. ;};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Multiple keys may be present, but only the first is used.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis directive does not contain any secrets, so it may be in a world-readable

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucefile.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

78d65c654251b02c41628914986723cbec93a7a1Andreas Gustafsson> sends a message that is a request

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto that address, the message will be signed with the specified key. <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> will

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceexpect any responses to signed messages to be signed with the same

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucekey.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A similar statement must be present in <I

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>host2</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>'s

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceconfiguration file (with <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>'s address) for <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host2</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucesign request messages to <I

5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson>host1</I

5f09ce124cad9712a9675f17f83ddc915e734909Andreas Gustafsson>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.5. TSIG Key Based Access Control</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> allows IP addresses and ranges to be specified in ACL

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucedefinitions and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>allow-{ query | transfer | update }</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> directives.

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceThis has been extended to allow TSIG keys also. The above key would

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe denoted <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>key host1-host2.</B

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>An example of an allow-update directive would be:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;allow-update { key host1-host2. ;};

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>This allows dynamic updates to succeed only if the request

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce was signed by a key named

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson "<B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host1-host2.</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>".</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>You may want to read about the more

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce powerful <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>update-policy</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> statement in <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Section 6.2.22.4</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.4.6. Errors</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The processing of TSIG signed messages can result in

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce several errors. If a signed message is sent to a non-TSIG aware

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server, a FORMERR will be returned, since the server will not

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce understand the record. This is a result of misconfiguration,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce since the server must be explicitly configured to send a TSIG

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed message to a specific server.</P

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If a TSIG aware server receives a message signed by an

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce unknown key, the response will be unsigned with the TSIG

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce extended error code set to BADKEY. If a TSIG aware server

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce receives a message with a signature that does not validate, the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce response will be unsigned with the TSIG extended error code set

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to BADSIG. If a TSIG aware server receives a message with a time

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce outside of the allowed range, the response will be signed with

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the TSIG extended error code set to BADTIME, and the time values

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will be adjusted so that the response can be successfully

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified. In any of these cases, the message's rcode is set to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce NOTAUTH.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.5. TKEY</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a mechanism for automatically

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generating a shared secret between two hosts. There are several

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "modes" of <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> that specify how the key is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated or assigned. <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> implements only one of these modes,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the Diffie-Hellman key exchange. Both hosts are required to have

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a Diffie-Hellman KEY record (although this record is not required

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be present in a zone). The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> process

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce must use signed messages, signed either by TSIG or SIG(0). The

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce result of <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is a shared secret that can be

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to sign messages with TSIG. <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> can also

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used to delete shared secrets that it had previously

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generated.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> process is initiated by a client

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or server by sending a signed <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> query

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (including any appropriate KEYs) to a TKEY-aware server. The

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server response, if it indicates success, will contain a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> record and any appropriate keys. After

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce this exchange, both participants have enough information to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce determine the shared secret; the exact process depends on the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode. When using the Diffie-Hellman

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>TKEY</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> mode, Diffie-Hellman keys are exchanged,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and the shared secret is derived by both participants.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.6. SIG(0)</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 partially supports DNSSEC SIG(0) transaction

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures as specified in RFC 2535. SIG(0) uses public/private

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys to authenticate messages. Access control is performed in the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce same manner as TSIG keys; privileges can be granted or denied

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce based on the key name.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When a SIG(0) signed message is received, it will only be

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verified if the key is known and trusted by the server; the server

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will not attempt to locate and/or validate the key.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>SIG(0) signing of multiple-message TCP streams is not

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce supported.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 does not ship with any tools that generate SIG(0)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed messages.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7. DNSSEC</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

027e89d47af308db4b41761ca9f847c026b63ec8Andreas Gustafsson>Cryptographic authentication of DNS information is possible

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson through the DNS Security (<I

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>DNSSEC</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>) extensions,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce defined in RFC 2535. This section describes the creation and use

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of DNSSEC signed zones.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In order to set up a DNSSEC secure zone, there are a series

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of steps which must be followed. <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 ships

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with several tools

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that are used in this process, which are explained in more detail

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce below. In all cases, the "<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>-h</TT

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>" option prints a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce full list of parameters. Note that the DNSSEC tools require the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keyset and signedkey files to be in the working directory, and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that the tools shipped with BIND 9.0.x are not fully compatible

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce with the current ones.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>There must also be communication with the administrators of

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the parent and/or child zone to transmit keys and signatures. A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone's security status must be indicated by the parent zone for a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DNSSEC capable resolver to trust its data.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For other servers to trust data in this zone, they must

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce either be statically configured with this zone's zone key or the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone key of another zone above this one in the DNS tree.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7.1. Generating Keys</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce generate keys.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A secure zone must contain one or more zone keys. The

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys will sign all other records in the zone, as well as

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone keys of any secure delegated zones. Zone keys must

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce have the same name as the zone, a name type of

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ZONE</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, and must be usable for authentication.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce It is recommended that zone keys be mandatory to implement a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce cryptographic algorithm; currently the only key mandatory to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce implement an algorithm is DSA.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command will generate a 768 bit DSA key for

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>child.example</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zone:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Two output files will be produced:

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Kchild.example.+003+12345.key</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Kchild.example.+003+12345.private</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> (where

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 12345 is an example of a key tag). The key file names contain

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the key name (<TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>child.example.</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>), algorithm (3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The private key (in the <TT

56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer>.private</TT

56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer> file) is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures, and the public key (in the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.key</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file) is used for signature

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce verification.</P

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To generate another key with the same properties (but with

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a different key tag), repeat the above command.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The public keys should be inserted into the zone file with

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>$INCLUDE</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> statements, including the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.key</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> files.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7.2. Creating a Keyset</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-makekeyset</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to create a key set from one or more keys.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Once the zone keys have been generated, a key set must be

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce built for transmission to the administrator of the parent zone,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce so that the parent zone can sign the keys with its own zone key

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and correctly indicate the security status of this zone. When

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce building a key set, the list of keys to be included and the TTL

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson of the set must be specified, and the desired signature validity

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce period of the parent's signature may also be specified.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The list of keys to be inserted into the key set may also

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce included non-zone keys present at the top of the zone.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <B

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson>dnssec-makekeyset</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> may also be used at other

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce names in the zone.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command generates a key set containing the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce above key and another key similarly generated, with a TTL of

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 3600 and a signature validity period of 10 days starting from

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce now.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>keyset-child.example.</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. This file should be

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transmitted to the parent to be signed. It includes the keys,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce as well as signatures over the key set generated by the zone

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keys themselves, which are used to prove ownership of the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce private keys and encode the desired validity period.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7.3. Signing the Child's Keyset</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signkey</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sign one child's keyset.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>If the <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>child.example</TT

dcebbac4f62ffa1a8c907095c85c4bea110216ffAndreas Gustafsson> zone has any

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce delegations which are secure, for example,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>grand.child.example</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>child.example</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> administrator should receive

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce keyset files for each secure subzone. These keys must be signed

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce by this zone's zone keys.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command signs the child's key set with the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone keys:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>signedkey-grand.child.example.</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. This file

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be both transmitted back to the child and retained. It

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce includes all keys (the child's keys) from the keyset file and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures generated by this zone's zone keys.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7.4. Signing the Zone</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signzone</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> program is used to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce sign a zone.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Any <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>signedkey</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> files corresponding to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce secure subzones should be present, as well as a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>signedkey</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> file for this zone generated by

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the parent (if there is one). The zone signer will generate

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>NXT</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>SIG</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> records for

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the zone, as well as incorporate the zone key signature from the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce parent and indicate the security status at all delegation

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce points.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The following command signs the zone, assuming it is in a

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file called <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>zone.child.example</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. By

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default, all zone keys which have an available private key are

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to generate signatures.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>dnssec-signzone -o child.example zone.child.example</B

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson></TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>One output file is produced:

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>zone.child.example.signed</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>. This file

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce should be referenced by <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>named.conf</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> as the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce input file for the zone.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.7.5. Configuring Servers</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Unlike in <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 8, data is not verified on load in <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce so zone keys for authoritative zones do not need to be specified

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in the configuration file.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The public key for any security root must be present in

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the configuration file's <B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>trusted-keys</B

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce statement, as described later in this document. </P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8. IPv6 Support in <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 fully supports all currently defined forms of IPv6

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name to address and address to name lookups. It will also use

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce IPv6 addresses to make queries when running on an IPv6 capable

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce system.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For forward lookups, <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 supports both A6 and AAAA

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce records. The use of AAAA records is deprecated, but it is still

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce useful for hosts to have both AAAA and A6 records to maintain

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce backward compatibility with installations where AAAA records are

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce still used. In fact, the stub resolvers currently shipped with

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce most operating system support only AAAA lookups, because following

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A6 chains is much harder than doing A or AAAA lookups.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>For IPv6 reverse lookups, <SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 supports the new

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "bitstring" format used in the <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ip6.arpa</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce domain, as well as the older, deprecated "nibble" format used in

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson the <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ip6.int</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> domain.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>BIND</SPAN

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> 9 includes a new lightweight resolver library and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce resolver daemon which new applications may choose to use to avoid

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce the complexities of A6 chain following and bitstring labels, see <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Chapter 5</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>For an overview of the format and structure of IPv6 addresses,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce see <A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Section A.3.1</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.1. Address Lookups Using AAAA Records</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The AAAA record is a parallel to the IPv4 A record. It

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifies the entire address in a single record. For

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce example,</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example.com.

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Lucehost 3600 IN AAAA 3ffe:8050:201:1860:42::1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>While their use is deprecated, they are useful to support

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce older IPv6 applications. They should not be added where they

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are not absolutely necessary.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.2. Address Lookups Using A6 Records</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The A6 record is more flexible than the AAAA record, and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is therefore more complicated. The A6 record can be used to

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce form a chain of A6 records, each specifying part of the IPv6

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce address. It can also be used to specify the entire record as

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce well. For example, this record supplies the same data as the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce AAAA record in the previous example:</P

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example.com.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehost 3600 IN A6 0 3ffe:8050:201:1860:42::1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.2.1. A6 Chains</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>A6 records are designed to allow network

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce renumbering. This works when an A6 record only specifies the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce part of the address space the domain owner controls. For

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce example, a host may be at a company named "company." It has

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson two ISPs which provide IPv6 address space for it. These two

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson ISPs fully specify the IPv6 prefix they supply.</P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In the company's address space:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example.com.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehost 3600 IN A6 64 0:0:0:0:42::1 company.example1.net.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehost 3600 IN A6 64 0:0:0:0:42::1 company.example2.net.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ISP1 will use:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example1.net.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucecompany 3600 IN A6 0 3ffe:8050:201:1860::

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ISP2 will use:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example2.net.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucecompany 3600 IN A6 0 1234:5678:90ab:fffa::

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce</PRE

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce><P

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>When <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>host.example.com</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is looked up,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the resolver (in the resolver daemon or caching name server)

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will find two partial A6 records, and will use the additional

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce name to find the remainder of the data.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.2.2. A6 Records for DNS Servers</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H3

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When an A6 record specifies the address of a name

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson server, it should use the full address rather than specifying

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a partial address. For example:</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN example.com.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce@ 14400 IN NS ns0

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 14400 IN NS ns1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucens0 14400 IN A6 0 3ffe:8050:201:1860:42::1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucens1 14400 IN A 192.168.42.1

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>It is recommended that IPv4-in-IPv6 mapped addresses not

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used. If a host has an IPv4 address, use an A record, not

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce an A6, with <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>::ffff:192.168.42.1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> as the

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce address.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.3. Address to Name Lookups Using Nibble Format</A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>While the use of nibble format to look up names is

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce deprecated, it is supported for backwards compatiblity with

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson existing IPv6 applications.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>When looking up an address in nibble format, the address

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce components are simply reversed, just as in IPv4, and

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ip6.int.</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> is appended to the resulting name.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce For example, the following would provide reverse name lookup for

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a host with address

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>3ffe:8050:201:1860:42::1</TT

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&#13;$ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.int.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</PRE

c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce></DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><DIV

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><A

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>4.8.4. Address to Name Lookups Using Bitstring Format</A

fcc9f7f86c2fa2ceb8a5c16dc934fea7fa6887f2Andreas Gustafsson></H2

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Bitstring labels can start and end on any bit boundary,

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce rather than on a multiple of 4 bits as in the nibble

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce format. They also use <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ip6.arpa</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> rather than

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ip6.int</I

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>.</P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To replicate the previous example using bitstrings:</P

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><PRE

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson>&#13;$ORIGIN \[x3ffe805002011860/64].ip6.arpa.

f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce\[x0042000000000001/64] 14400 IN PTR host.example.com.

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson</PRE

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson></DIV

b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson><DIV