Bv9ARM.ch04.html revision 8ec3c085233cedb22b05da36e2773c8f357a7e45
<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.101 2009/10/06 01:14:41 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
<div class="toc"><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570508">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570526">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571028">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571101">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571112">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571148">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571274">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571323">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571474">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571523">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571659">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571806">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571888">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572002">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572200">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer.
</p>
<p>
 For more information about <acronym class="acronym">DNS</acronym>
 <span><strong class="command">NOTIFY</strong></span>, see the description of the
 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
 the description of the zone option <span><strong class="command">also-notify</strong></span> in
 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
 protocol is specified in RFC 1996.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
 zones that it loads.
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages is specified
</p>
<p>
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement.
</p>
<p>
 If the zone's <span><strong class="command">update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span><strong class="command">named</strong></span> at startup.
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
</p>
<p>
 The <span><strong class="command">tkey-gssapi-credential</strong></span> and
 <span><strong class="command">tkey-domain</strong></span> clauses in the
 <span><strong class="command">options</strong></span> statement enable the
 server to negotiate keys that can be matched against those
 in <span><strong class="command">update-policy</strong></span> or
 <span><strong class="command">allow-update</strong></span>.
</p>
<p>
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. Update authorization is based on transaction
 signatures and an explicit server policy.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
</p>
<p>
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.
</p>
<p>
 Changes that result from incoming incremental zone transfers are
 journalled in a similar way.
</p>
<p>
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes — those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
</p>
<p>
 If you have to make changes to a dynamic zone
 manually, the following procedure will work: Disable dynamic updates
 to the zone using
 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will also remove the zone's <code class="filename">.jnl</code> file
 and update the master file. Edit the zone file. Run
 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
</p>
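The freeze, edit, thaw procedure above, written out as an added Python example (not code from the ARM or from BIND). It assumes <code>rndc</code> and <code>named-checkzone</code> are on the PATH and that <code>rndc</code> is already configured; the zone name <code>site1.internal</code> is taken from the split DNS section, and the zone file contents and path in <code>demo()</code> are constructed.

```python
"""Hand-edit a dynamic zone safely: rndc freeze, edit, validate, rndc thaw.
Added example; assumes rndc and named-checkzone are on the PATH."""
import os
import shutil
import subprocess
import tempfile


def run_cmd(argv):
    """Run a command and return its exit status (0 means success)."""
    return subprocess.run(argv).returncode


def edit_dynamic_zone(zone, zone_file, edit, run=run_cmd):
    """Apply edit(zone_file) to a dynamic zone the way the text describes.

    rndc freeze writes the journal into the zone file and removes the .jnl,
    so the file is current before it is touched.  The edited file is then
    checked with named-checkzone; if it does not load, the pre-edit copy is
    put back so that rndc thaw never reloads a broken zone.  thaw always
    runs, because a zone left frozen silently refuses every dynamic update.
    Returns True when the edit was kept.  Note that named-checkzone does not
    verify that the SOA serial was bumped; without that, slaves will not
    transfer the change.
    """
    if run(["rndc", "freeze", zone]) != 0:
        raise RuntimeError(f"rndc freeze {zone} failed; nothing was changed")
    backup = zone_file + ".pre-edit"
    shutil.copy2(zone_file, backup)
    kept = False
    try:
        edit(zone_file)
        if run(["named-checkzone", zone, zone_file]) == 0:
            kept = True
        else:
            shutil.copy2(backup, zone_file)  # roll the bad edit back
    finally:
        os.remove(backup)
        if run(["rndc", "thaw", zone]) != 0:
            raise RuntimeError(f"rndc thaw {zone} failed; run it by hand")
    return kept


def demo(zone_loads=True):
    """Walk through the procedure offline.  A fake runner records the
    commands instead of talking to named; zone_loads=False simulates
    named-checkzone rejecting the edit.  Returns (kept, commands, file text)."""
    commands = []

    def fake_run(argv):
        commands.append(" ".join(argv[:2]))
        failed = argv[0] == "named-checkzone" and not zone_loads
        return 1 if failed else 0

    with tempfile.TemporaryDirectory() as tmp:
        # Constructed zone file standing in for the real site1.internal data.
        path = os.path.join(tmp, "site1.internal.db")
        with open(path, "w") as f:
            f.write("$ORIGIN site1.internal.\n"
                    "@ IN SOA ns1 hostmaster 1 3600 900 604800 300\n")

        def add_host(p):
            with open(p, "a") as f:
                f.write("newhost IN A 172.16.72.9\n")

        kept = edit_dynamic_zone("site1.internal", path, add_host, fake_run)
        with open(path) as f:
            content = f.read()
    return kept, commands, content


if __name__ == "__main__":
    for ok in (True, False):
        kept, commands, _ = demo(ok)
        print(f"checkzone ok={ok}: edit kept={kept}, ran {commands}")
```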
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
</p>
<p>
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span><strong class="command">ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
 of the <span><strong class="command">server</strong></span> statement.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570508"></a>Split DNS</h2></div></div></div>
<p>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
</p>
<p>
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
</p>
<p>
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570526"></a>Example split DNS setup</h3></div></div></div>
<p>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 (<code class="literal">example.com</code>)
 has several corporate sites that have an internal network with
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
</p>
<p>
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
</p>
<p>
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 IP space) and the other set will be on bastion hosts, which are
 hosts that can talk to both sides of its network, in the DMZ.
</p>
<p>
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers in the
 DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
</p>
<p>
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
 hosts.
</p>
<p>
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
<p>
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (`*') records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
</p>
<p>
 Here's an example of a wildcard MX record:
</p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers on
 the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution.
</p>
<p>
 Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.
</p>
<p>
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This could also be enforced via
 filtering on the network.
</p>
<p>
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.</li>
<li>Exchange mail with both internal and external people.</li>
</ul>
<p>
 Hosts on the Internet will be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
</ul>
<p>
 Here is an example configuration for the setup just
 described. Note that this is only configuration information;
 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
</p>
<p>
 Internal DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    forward only;
    // forward to external servers
    forwarders {
        bastion-ips-go-here;
    };
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion
    allow-recursion { internals; };
};

// zone names follow the text above; file paths are placeholders
// sample master zone
zone "site1.example.com" {
    type master;
    file "site1.example.com.db";
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "site2.example.com.db";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {
    type master;
    file "site1.internal.db";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {
    type slave;
    file "site2.internal.db";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington External (bastion host) DNS server config:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonacl internals { 172.16.72.0/24; 192.168.1.0/24; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonacl externals { bastion-ips-go-here; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // sample allow-transfer (no one)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-transfer { none; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // default query access
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-query { any; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // restrict cache access
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-query-cache { internals; externals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // restrict recursion
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-recursion { internals; externals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// sample slave zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-transfer { internals; externals; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews masters { another_bastion_host_maybe; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow-transfer { internals; externals; }
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater In the <code class="filename">resolv.conf</code> (or equivalent) on
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater the bastion host(s):
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updaternameserver 172.16.72.2
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox Usernameserver 172.16.72.3
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updaternameserver 172.16.72.4
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
<acronym class="acronym">BIND</acronym> primarily supports TSIG for server
to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
TSIG can also be useful for dynamic update. A primary
server for a dynamic zone should control access to the dynamic
update service, but IP-based access control is insufficient.
The cryptographic access control provided by TSIG
is far superior. The <span><strong class="command">nsupdate</strong></span>
program supports TSIG via the <code class="option">-k</code> and
<code class="option">-y</code> command line options or inline by use
of the <span><strong class="command">key</strong></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571028"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571045"></a>Automatic Generation</h4></div></div></div>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is the digest
length, here 256 bits.
<strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
Nothing directly uses this file, but the base-64 encoded string
following "<code class="literal">Key:</code>"
can be extracted from the file and used as a shared secret:
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
be used as the shared secret.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571083"></a>Manual Generation</h4></div></div></div>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
the length is a multiple of 4 and only valid characters are used),
so the shared secret can be manually generated.
Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
a similar program to generate base-64 encoded data.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571101"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571112"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> are
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
key host1-host2. {
 algorithm hmac-sha256;
 secret "La/E5CjG9O+os1jq0a2jdA==";
};
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be
non-world readable, or the key directive be added to a non-world
readable file that is included by <code class="filename">named.conf</code>.
At this point, the key is recognized. This means that if the
server receives a message signed by this key, it can verify the
signature. If the signature is successfully verified, the
response is signed by the same key.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571148"></a>Instructing the Server to Use the Key</h3></div></div></div>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
server 10.1.2.3 {
 keys { host1-host2.; };
};
Multiple keys may be present, but only the first is used.
This directive does not contain any secrets, so it may be in a
world-readable
If <span class="emphasis"><em>host1</em></span> sends a message that is a request
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
expect any responses to signed messages to be signed with the same
A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
sign request messages to <span class="emphasis"><em>host1</em></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571274"></a>TSIG Key Based Access Control</h3></div></div></div>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
definitions and
<span><strong class="command">allow-{ query | transfer | update }</strong></span>
This has been extended to allow TSIG keys also. The above key would
be denoted <span><strong class="command">key host1-host2.</strong></span>
An example of an <span><strong class="command">allow-update</strong></span> directive would be:
allow-update { key host1-host2. ;};
This allows dynamic updates to succeed only if the request
was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
the more flexible <span><strong class="command">update-policy</strong></span> statement.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571323"></a>Errors</h3></div></div></div>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
server, a FORMERR (format error) will be returned, since the server will not
understand the record. This is a result of misconfiguration,
since the server must be explicitly configured to send a TSIG
signed message to a specific server.
If a TSIG aware server receives a message signed by an
unknown key, the response will be unsigned with the TSIG
extended error code set to BADKEY. If a TSIG aware server
receives a message with a signature that does not validate, the
response will be unsigned with the TSIG extended error code set
to BADSIG. If a TSIG aware server receives a message with a time
outside of the allowed range, the response will be signed with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully
verified. In any of these cases, the message's rcode (response code) is set to
NOTAUTH (not authenticated).
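What the signing and checking steps of this section look like in code, as an added example that is not part of this manual or of BIND: a request is signed under the key host1-host2. with the secret generated above, and a receiving server works through the BADKEY, BADSIG and BADTIME cases, setting rcode NOTAUTH for each. The DNS query, the unknown key name nobody. and the timestamps are constructed for the demonstration.

```python
"""TSIG request signing (RFC 2845) and the server-side checks behind the BADKEY, BADSIG
and BADTIME outcomes described above. Added example, not BIND's code: it reuses the key
name host1-host2. and the secret La/E5CjG9O+os1jq0a2jdA== from this section; the DNS
query, the second key name and the timestamps are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import struct

RCODE_NOTAUTH = 9                      # rcode set on every TSIG failure
BADSIG, BADKEY, BADTIME = 16, 17, 18   # TSIG extended error codes
ALGORITHM = "hmac-sha256."
FUDGE = 300                            # tolerated clock skew in seconds (BIND's default)

# What the server learned from its named.conf "key" statements: name -> decoded secret.
SERVER_KEYS = {"host1-host2.": base64.b64decode("La/E5CjG9O+os1jq0a2jdA==")}


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [part for part in name.lower().strip(".").split(".") if part]
    return b"".join(bytes([len(part)]) + part.encode() for part in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at msg[off]; a compression pointer ends a name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def digest_input(message, key_name, time_signed, fudge, error=0, other=b""):
    """Bytes the MAC covers: the unsigned message followed by the TSIG variables."""
    return (message + wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
            + wire_name(ALGORITHM) + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def build_query(msg_id, qname, qtype=1):
    """A constructed, minimal DNS query: one question, no other records."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def sign_request(message, key_name, secret, now):
    """Append the TSIG RR (type 250, class ANY, TTL 0) and bump ARCOUNT by one."""
    mac = hmac.new(secret, digest_input(message, key_name, now, FUDGE), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    # RDATA: algorithm, time signed (48 bits), fudge, MAC size, MAC, original ID, error, other len
    rdata = (wire_name(ALGORITHM) + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, FUDGE, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify_request(signed, keys, now):
    """Server-side check; returns (rcode, tsig_error, key_name), (0, 0, name) on success."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):                    # skip every RR except the last
        off = skip_name(signed, off) + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    tsig_start, labels = off, []                         # the TSIG owner name is the key name
    while signed[off] != 0:
        labels.append(signed[off + 1:off + 1 + signed[off]].decode())
        off += 1 + signed[off]
    key_name = ".".join(labels).lower() + "."
    off = skip_name(signed, off + 11)                    # root byte + type/class/TTL/rdlen, then algorithm
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[off:off + 10])
    time_signed, mac = (hi << 32) | lo, signed[off + 10:off + 10 + mac_size]
    # The MAC was computed over the message as it was before the TSIG RR was appended
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    if key_name not in keys:                             # unknown key: unsigned reply, BADKEY
        return RCODE_NOTAUTH, BADKEY, key_name
    expected = hmac.new(keys[key_name], digest_input(unsigned, key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):           # signature does not validate: BADSIG
        return RCODE_NOTAUTH, BADSIG, key_name
    if abs(now - time_signed) > fudge:                   # good MAC, outside the time window: BADTIME
        return RCODE_NOTAUTH, BADTIME, key_name
    return 0, 0, key_name


def demo(now=1_700_000_000):
    """Exercise the success path and the three failure modes; returns their results."""
    secret = SERVER_KEYS["host1-host2."]
    query = build_query(0x1234, "example.com.")
    good = verify_request(sign_request(query, "host1-host2.", secret, now), SERVER_KEYS, now)
    unknown = verify_request(sign_request(query, "nobody.", secret, now), SERVER_KEYS, now)
    tampered = bytearray(sign_request(query, "host1-host2.", secret, now))
    tampered[0] ^= 1                                     # flip a bit in the covered message ID
    badsig = verify_request(bytes(tampered), SERVER_KEYS, now)
    stale = verify_request(sign_request(query, "host1-host2.", secret, now - 3600), SERVER_KEYS, now)
    return good, unknown, badsig, stale
```

demo() returns the four (rcode, TSIG error, key name) results in order: valid request, unknown key, tampered message, and a timestamp older than the fudge window.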
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571474"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
<span><strong class="command">TKEY</strong></span> that specify how the key is generated
or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
these modes, the Diffie-Hellman key exchange. Both hosts are
required to have a Diffie-Hellman KEY record (although this
record is not required to be present in a zone). The
<span><strong class="command">TKEY</strong></span> process must use signed messages,
signed either by TSIG or SIG(0). The result of
<span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
used to delete shared secrets that it had previously
The <span><strong class="command">TKEY</strong></span> process is initiated by a
or server by sending a signed <span><strong class="command">TKEY</strong></span>
(including any appropriate KEYs) to a TKEY-aware server. The
server response, if it indicates success, will contain a
<span><strong class="command">TKEY</strong></span> record and any appropriate keys.
this exchange, both participants have enough information to
determine the shared secret; the exact process depends on the
<span><strong class="command">TKEY</strong></span> mode. When using the
Diffie-Hellman
<span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
and the shared secret is derived by both participants.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571523"></a>SIG(0)</h2></div></div></div>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
granted or denied based on the key name.
When a SIG(0) signed message is received, it will only be
verified if the key is known and trusted by the server; the server
will not attempt to locate and/or validate the key.
SIG(0) signing of multiple-message TCP streams is not
The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
Cryptographic authentication of DNS information is possible
through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
In order to set up a DNSSEC secure zone, there is a series
of steps that must be followed. <acronym class="acronym">BIND</acronym>
with several tools
that are used in this process, which are explained in more detail
below. In all cases, the <code class="option">-h</code> option prints a
full list of parameters. Note that the DNSSEC tools require the
keyset files to be in the working directory or the
directory specified by the <code class="option">-d</code> option, and
that the tools shipped with BIND 9.2.x and earlier are not compatible
with the current ones.
There must also be communication with the administrators of
the parent and/or child zone to transmit keys. A zone's security
status must be indicated by the parent zone for a DNSSEC capable
resolver to trust its data. This is done through the presence
or absence of a <code class="literal">DS</code> record at the
For other servers to trust data in this zone, they must
either be statically configured with this zone's zone key or the
zone key of another zone above this one in the DNS tree.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571659"></a>Generating Keys</h3></div></div></div>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
A secure zone must contain one or more zone keys. The
zone keys will sign all other records in the zone, as well as
the zone keys of any secure delegated zones. Zone keys must
have the same name as the zone, a name type of
<span><strong class="command">ZONE</strong></span>, and must be usable for
authentication.
It is recommended that zone keys use a cryptographic algorithm
designated as "mandatory to implement" by the IETF; currently
the only one is RSASHA1.
The following command will generate a 768-bit RSASHA1 key for
the <code class="filename">child.example</code> zone:
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
Two output files will be produced:
<code class="filename">Kchild.example.+005+12345.key</code> and
<code class="filename">Kchild.example.+005+12345.private</code>
12345 is an example of a key tag). The key filenames contain
the key name (<code class="filename">child.example.</code>),
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
The private key (in the <code class="filename">.private</code>
used to generate signatures, and the public key (in the
<code class="filename">.key</code> file) is used for signature
To generate another key with the same properties (but with
a different key tag), repeat the above command.
The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
to get a key pair from crypto hardware and build the key
files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
The public keys should be inserted into the zone file by
including the <code class="filename">.key</code> files using
<span><strong class="command">$INCLUDE</strong></span> statements.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571806"></a>Signing the Zone</h3></div></div></div>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
Any <code class="filename">keyset</code> files corresponding to
secure subzones should be present. The zone signer will
generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
and <code class="literal">RRSIG</code> records for the zone, as
well as <code class="literal">DS</code> for the child zones if
<code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
is not specified, then DS RRsets for the secure child
zones need to be added manually.
The following command signs the zone, assuming it is in a
file called <code class="filename">zone.child.example</code>. By
default, all zone keys which have an available private key are
used to generate signatures.
<strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
One output file is produced:
<code class="filename">zone.child.example.signed</code>. This
should be referenced by <code class="filename">named.conf</code>
input file for the zone.
<p><span><strong class="command">dnssec-signzone</strong></span>
will also produce keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administrators with the <code class="literal">DNSKEYs</code> (or their
corresponding <code class="literal">DS</code> records) that are the
secure entry point to the zone.
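The key tag in the Kchild.example.+005+12345 file names and the DS records that go into the dsset file are both computed from the DNSKEY RDATA. The following added example (not BIND's own code) implements both as RFC 4034 specifies them; the public key field it uses is constructed for the demonstration and is not a real RSA key.

```python
"""Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) derived from a
DNSKEY: the numbers behind the Kchild.example.+005+12345 file names and the DS records
that dnssec-signzone writes to the dsset file for the parent zone's administrators.

Added example, not BIND's code. The public key bytes are constructed for the
demonstration and are not a usable RSA key; only the RDATA layout is real.
"""
import hashlib
import struct

RSASHA1 = 5             # algorithm number, the "+005+" in the file names
ZONE_KEY = 256          # DNSKEY flags: zone key
ZONE_KEY_SEP = 257      # zone key + secure entry point (the key the parent's DS points at)
# Constructed RSA public key field: exponent length 1, exponent 3, then a 4-byte "modulus".
CONSTRUCTED_PUBLIC_KEY = bytes([1, 3, 0x10, 0x00, 0x20, 0x00])


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [part for part in name.lower().strip(".").split(".") if part]
    return b"".join(bytes([len(part)]) + part.encode() for part in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words and fold in the carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_file_basename(zone, algorithm, tag):
    """dnssec-keygen naming: K<zone>+<algorithm, 3 digits>+<key tag, 5 digits>."""
    zone = zone if zone.endswith(".") else zone + "."
    return f"K{zone}+{algorithm:03d}+{tag:05d}"


def ds_record(zone, rdata, digest_type=2):
    """DS RR text for the parent: digest over owner name + DNSKEY RDATA (1 = SHA-1, 2 = SHA-256)."""
    zone = zone if zone.endswith(".") else zone + "."
    algo = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = algo(wire_name(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def dsset_lines(zone, rdata):
    """Both DS digests for one key, in the layout of a dsset-<zone> file."""
    return [ds_record(zone, rdata, 1), ds_record(zone, rdata, 2)]


def demo():
    """Key file base name and dsset lines for the constructed child.example key."""
    rdata = dnskey_rdata(ZONE_KEY_SEP, RSASHA1, CONSTRUCTED_PUBLIC_KEY)
    tag = key_tag(rdata)
    return key_file_basename("child.example", RSASHA1, tag), dsset_lines("child.example.", rdata)


if __name__ == "__main__":
    basename, ds_lines = demo()
    print(basename + ".key", basename + ".private")
    print("\n".join(ds_lines))
```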
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<div class="titlepage"><div><div><h3 class="title">
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<a name="id2571888"></a>Configuring Servers</h3></div></div></div>
 To enable <span><strong class="command">named</strong></span> to respond appropriately
 to DNS requests from DNSSEC-aware clients,
 <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
 (This is the default setting.)
 To enable <span><strong class="command">named</strong></span> to validate answers from
 other servers, the <span><strong class="command">dnssec-enable</strong></span> and
 <span><strong class="command">dnssec-validation</strong></span> options must both be
 set to yes (the default setting in <acronym class="acronym">BIND</acronym> 9.5
 and later), and at least one trust anchor must be configured
 with a <span><strong class="command">trusted-keys</strong></span> or
 <span><strong class="command">managed-keys</strong></span> statement in

 <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
 for zones that are used to form the first link in the
 cryptographic chain of trust. All keys listed in
 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
 are deemed to exist, and only the listed keys will be used
 to validate the DNSKEY RRset that they are from.
 <span><strong class="command">managed-keys</strong></span> are trusted keys which are
 automatically kept up to date via RFC 5011 trust anchor

 <span><strong class="command">trusted-keys</strong></span> and
 <span><strong class="command">managed-keys</strong></span> are described in more detail
 later in this document.

 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
 9 does not verify signatures on load, so zone keys for
 authoritative zones do not need to be specified in the
 configuration file.

 After DNSSEC gets established, a typical DNSSEC configuration
 will look something like the following. It has one or
 more public keys for the root. This allows answers from
 outside the organization to be validated. It will also
 have several keys for parts of the namespace the organization
 controls. These are here to ensure that <span><strong class="command">named</strong></span>
 is immune to compromises in the DNSSEC components of the security
 of parent zones.
<pre class="programlisting">
managed-keys {
    /* Root Key */
    "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                             aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
                             4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
                             hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
                             5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
                             g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
                             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
                             97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
                             dgxbcDTClU0CRBdiieyLMNzXG3";
};

trusted-keys {
    /* Key for our organization's forward zone */
    example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
                          5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
                          GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
                          4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
                          g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
                          TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
                          F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm";

    /* Key for our reverse zone. */
    2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
                                    xOdNax071L18QqZnQQQAVVr+i
                                    LhGTnNGp3HoWQLUIzKrJVZ3zg
                                    gy3WwNT6kZo6c0tszYqbtvchm
                                    siaOdS0yOI6BgPsw+YZdzlYMa
                                    IJGf4M4dyoKIhzdZyQ2bYQrjy
                                    Q4LB0lC7aOnsMyYKHHYeRvPxj
                                    IQXmdqgOJGq+vsevG06zW+1xg
                                    59VvjSPsZJHeDCUyWYrvPZesZ
                                    DIRvhDD52SKvbheeTJUm6Ehkz";
};

dnssec-enable yes;
dnssec-validation yes;
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 None of the keys listed in this example are valid. In particular,
 the root key is not valid.
 When DNSSEC validation is enabled and properly configured,
 the resolver will reject any answers from signed, secure zones
 which fail to validate, and will return SERVFAIL to the client.
 Responses may fail to validate for any of several reasons,
 including missing, expired, or invalid signatures, a key which
 does not match the DS RRset in the parent zone, or an insecure
 response from a zone which, according to its parent, should have
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 When the validator receives a response from an unsigned zone
 that has a signed parent, it must confirm with the parent
 that the zone was intentionally left unsigned. It does
 this by verifying, via signed and validated NSEC/NSEC3 records,
 that the parent zone contains no DS records for the child.
 If the validator <span class="emphasis"><em>can</em></span> prove that the zone
 is insecure, then the response is accepted. However, if it
 cannot, then it must assume an insecure response to be a
 forgery; it rejects the response and logs an error.
 The logged error reads "insecurity proof failed" and
 "got insecure response; parent indicates it should be secure".
 (Prior to BIND 9.7, the logged error was "not insecure".
 This referred to the zone, not the response.)
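A <span><strong class="command">trusted-keys</strong></span> entry is a copy of a DNSKEY RR, and a validation failure of the "key does not match the DS RRset" kind is ultimately a key-tag mismatch between the DNSKEY and the parent's DS. The following Python is an added example, not code from the BIND manual: it parses a DNSKEY RR in presentation format, refuses keys that are not zone keys with the SEP bit set (flags 257) or whose protocol field is not 3, computes the RFC 4034 Appendix B key tag that a DS record must reference, and renders the trusted-keys statement. The sample DNSKEY, its key material and the function names are constructed for this example and are not a real key.

```python
import base64
import struct

# Constructed sample DNSKEY RR in presentation format; not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def parse_dnskey(rr: str) -> dict:
    """Split 'owner [TTL] [IN] DNSKEY flags protocol algorithm key...' into fields."""
    tokens = rr.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1 : idx + 4])
    key_b64 = "".join(tokens[idx + 4 :])  # base64 key may be split on whitespace
    return {
        "owner": tokens[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "key": base64.b64decode(key_b64, validate=True),
    }


def key_tag(flags: int, protocol: int, algorithm: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b  # even offsets are high bytes
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trusted_keys_statement(rr: str) -> str:
    """Render a named.conf trusted-keys statement for a DNSKEY usable as a trust anchor."""
    k = parse_dnskey(rr)
    if k["protocol"] != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not k["flags"] & 0x0100:
        raise ValueError("not a zone key (ZONE flag bit clear)")
    if not k["flags"] & 0x0001:
        raise ValueError("trust anchors should carry the SEP bit (flags 257)")
    tag = key_tag(k["flags"], k["protocol"], k["algorithm"], k["key"])
    b64 = base64.b64encode(k["key"]).decode()
    return (
        "trusted-keys {\n"
        f"    /* key tag {tag}; the parent's DS record must reference this tag */\n"
        f"    {k['owner']} {k['flags']} {k['protocol']} {k['algorithm']} \"{b64}\";\n"
        "};\n"
    )
```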
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572002"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <acronym class="acronym">BIND</acronym> 9 fully supports all currently
 defined forms of IPv6 name to address and address to name
 lookups. It will also use IPv6 addresses to make queries when
 running on an IPv6 capable system.

 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
 only AAAA records. RFC 3363 deprecated the use of A6 records,
 and client-side support for A6 records was accordingly removed
 from <acronym class="acronym">BIND</acronym> 9.
 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
 load zone files containing A6 records correctly, answer queries
 for A6 records, and accept zone transfer for a zone containing A6

 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
 the traditional "nibble" format used in the
 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
 <span class="emphasis"><em>ip6.int</em></span> domain.
 Older versions of <acronym class="acronym">BIND</acronym> 9
 supported the "binary label" (also known as "bitstring") format,
 but support of binary labels has been completely removed per
 Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
 the binary label format at all any more, and will return an
 error if given.
 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
 name server will not load a zone file containing binary labels.

 For an overview of the format and structure of IPv6 addresses,
 see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572200"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 The IPv6 AAAA record is a parallel to the IPv4 A record,
 and, unlike the deprecated A6 record, specifies the entire
 IPv6 address in a single record. For example,
<pre class="programlisting">
host 3600 IN AAAA 2001:db8::1
</pre>
 Use of IPv4-in-IPv6 mapped addresses is not recommended.
 If a host has an IPv4 address, use an A record, not
 a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572221"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 When looking up an address in nibble format, the address
 components are simply reversed, just as in IPv4, and
 <code class="literal">ip6.arpa.</code> is appended to the
 resulting name.
 For example, the following would provide reverse name lookup for
 a host with address
<pre class="programlisting">
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
</pre>
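The nibble reverse mapping described above, together with the AAAA-versus-mapped-address advice in the previous section, as an added Python example that is not part of the manual: <code class="literal">nibble_name()</code> expands an IPv6 address and reverses its 32 hex digits under <code class="literal">ip6.arpa.</code>, <code class="literal">ptr_record()</code> splits the result into the <code class="literal">$ORIGIN</code> and owner name for a reverse zone delegated at a given prefix length (64 bits reproduces the manual's example), and <code class="literal">address_record()</code> emits an A record instead of a AAAA when handed an IPv4-mapped address. The function names, the PTR target and the 14400/3600 TTLs are assumptions of this example.

```python
import ipaddress

IP6_ARPA = "ip6.arpa."


def nibble_name(addr: str) -> str:
    """Reverse the 32 hex nibbles of the expanded address and append ip6.arpa."""
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + "." + IP6_ARPA


def ptr_record(addr: str, prefix_len: int, target: str, ttl: int = 14400):
    """Return ($ORIGIN line, PTR line) for a reverse zone delegated at prefix_len bits.

    Nibble delegations happen on 4-bit boundaries, so prefix_len must be a
    multiple of 4; the labels inside the prefix form the zone origin and the
    remaining labels form the relative owner name of the PTR record.
    """
    if prefix_len % 4 or not 0 < prefix_len < 128:
        raise ValueError("prefix length must be a multiple of 4 bits below 128")
    labels = nibble_name(addr).split(".")  # 32 nibbles, 'ip6', 'arpa', ''
    host_labels = 32 - prefix_len // 4
    origin = ".".join(labels[host_labels:])  # trailing '' keeps the final dot
    owner = ".".join(labels[:host_labels])
    return f"$ORIGIN {origin}", f"{owner} {ttl} IN PTR {target}"


def address_record(host: str, addr: str, ttl: int = 3600) -> str:
    """Emit AAAA for native IPv6; an IPv4 or IPv4-mapped address becomes an A record."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped is not None:  # ::ffff:a.b.c.d should not be published as AAAA
            return f"{host} {ttl} IN A {ip.ipv4_mapped}"
        return f"{host} {ttl} IN AAAA {ip.compressed}"
    return f"{host} {ttl} IN A {ip}"
```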
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
<td width="40%" align="left" valign="top">Chapter&nbsp;3.&nbsp;Name Server Configuration&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;5.&nbsp;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>