Bv9ARM.ch04.html revision b05bdb520d83f7ecaad708fe305268c3420be01d
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - Copyright (C) 2000-2003 Internet Software Consortium.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - Permission to use, copy, modify, and distribute this software for any
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - purpose with or without fee is hereby granted, provided that the above
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - copyright notice and this permission notice appear in all copies.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan - PERFORMANCE OF THIS SOFTWARE.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<!-- $Id: Bv9ARM.ch04.html,v 1.68 2006/06/08 02:44:04 marka Exp $ -->
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<div class="titlepage"><div><div><h2 class="title">
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2551297">Split DNS</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551816">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551890">Copying the Shared Secret to Both Machines</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551900">Informing the Servers of the Key's Existence</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551940">Instructing the Server to Use the Key</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551997">TSIG Key Based Access Control</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552042">Errors</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552056">TKEY</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552173">SIG(0)</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552310">Generating Keys</a></span></dt>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552448">Signing the Zone</a></span></dt>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552595">Configuring Servers</a></span></dt>
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552669">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt>
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552800">Address Lookups Using AAAA Records</a></span></dt>
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552821">Address to Name Lookups Using Nibble Format</a></span></dt>
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<div class="titlepage"><div><div><h2 class="title" style="clear: both">
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<a name="notify"></a>Notify</h2></div></div></div>
e440587b940248554524993d31d3e3f22997e62bBrian Bailey <span class="acronym">DNS</span> NOTIFY is a mechanism that allows master
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan servers to notify their slave servers of changes to a zone's data. In
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington slave will check to see that its version of the zone is the
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington current version and, if not, initiate a zone transfer.
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan For more information about <span class="acronym">DNS</span>
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan <span><strong class="command">NOTIFY</strong></span>, see the description of the
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan the description of the zone option <span><strong class="command">also-notify</strong></span> in
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan protocol is specified in RFC 1996.
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan As a slave zone can also be a master to other slaves, named,
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan zones that it loads.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<div class="titlepage"><div><div><h2 class="title" style="clear: both">
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington Dynamic Update is a method for adding, replacing or deleting
e440587b940248554524993d31d3e3f22997e62bBrian Bailey records in a master server by sending it a special form of DNS
e440587b940248554524993d31d3e3f22997e62bBrian Bailey messages. The format and meaning of these messages is specified
e440587b940248554524993d31d3e3f22997e62bBrian Bailey in RFC 2136.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Dynamic update is enabled by
e440587b940248554524993d31d3e3f22997e62bBrian Bailey including an <span><strong class="command">allow-update</strong></span> or
e440587b940248554524993d31d3e3f22997e62bBrian Bailey <span><strong class="command">update-policy</strong></span> clause in the
e440587b940248554524993d31d3e3f22997e62bBrian Bailey <span><strong class="command">zone</strong></span> statement.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Updating of secure zones (zones using DNSSEC) follows
e440587b940248554524993d31d3e3f22997e62bBrian Bailey RFC 3007: RRSIG and NSEC records affected by updates are automatically
e440587b940248554524993d31d3e3f22997e62bBrian Bailey regenerated by the server using an online zone key.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Update authorization is based
e440587b940248554524993d31d3e3f22997e62bBrian Bailey on transaction signatures and an explicit server policy.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<div class="titlepage"><div><div><h3 class="title">
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan<a name="journal"></a>The journal file</h3></div></div></div>
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan All changes made to a zone using dynamic update are stored
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan in the zone's journal file. This file is automatically created
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan by the server when the first dynamic update takes place.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan The name of the journal file is formed by appending the extension
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan <code class="filename">.jnl</code> to the name of the
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan corresponding zone
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington file unless specifically overridden. The journal file is in a
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington binary format and should not be edited manually.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan The server will also occasionally write ("dump")
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan the complete contents of the updated zone to its zone file.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan This is not done immediately after
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan each dynamic update, because that would be too slow when a large
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington zone is updated frequently. Instead, the dump is delayed by
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington up to 15 minutes, allowing additional updates to take place.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan When a server is restarted after a shutdown or crash, it will replay
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan the journal file to incorporate into the zone any updates that
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan place after the last zone dump.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan Changes that result from incoming incremental zone transfers are
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan journalled in a similar way.
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan The zone files of dynamic zones cannot normally be edited by
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan hand because they are not guaranteed to contain the most recent
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan dynamic changes — those are only in the journal file.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan The only way to ensure that the zone file of a dynamic zone
5aa7af82b6c32d23d734451732f2c783ae670bc5Dirk Hogan is up to date is to run <span><strong class="command">rndc stop</strong></span>.
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington If you have to make changes to a dynamic zone
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan manually, the following procedure will work: Disable dynamic updates
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan to the zone using
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan This will also remove the zone's <code class="filename">.jnl</code> file
e440587b940248554524993d31d3e3f22997e62bBrian Bailey and update the master file. Edit the zone file. Run
5cc6034ee1b5655af6bbf55572ae268678504633James Phillpotts <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington to reload the changed zone and re-enable dynamic updates.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington The incremental zone transfer (IXFR) protocol is a way for
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington slave servers to transfer only changed data, instead of having to
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan transfer the entire zone. The IXFR protocol is specified in RFC
e440587b940248554524993d31d3e3f22997e62bBrian Bailey 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan When acting as a master, <span class="acronym">BIND</span> 9
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan supports IXFR for those zones
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan where the necessary change history information is available. These
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan include master zones maintained by dynamic update and slave zones
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan whose data was obtained by IXFR. For manually maintained master
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan zones, and for slave zones obtained by performing a full zone
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan transfer (AXFR), IXFR is supported only if the option
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan <span><strong class="command">ixfr-from-differences</strong></span> is set
7eb5b7b1ae76fe978a513824e62ee82c6eb9ad9eDirk Hogan to <strong class="userinput"><code>yes</code></strong>.
f0a2ef8d131738c34c9e72ad7182d5bb47b4ff4eDirk Hogan When acting as a slave, <span class="acronym">BIND</span> 9 will
e440587b940248554524993d31d3e3f22997e62bBrian Bailey attempt to use IXFR unless
e440587b940248554524993d31d3e3f22997e62bBrian Bailey it is explicitly disabled. For more information about disabling
e440587b940248554524993d31d3e3f22997e62bBrian Bailey IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
e440587b940248554524993d31d3e3f22997e62bBrian Bailey of the <span><strong class="command">server</strong></span> statement.
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<div class="titlepage"><div><div><h2 class="title" style="clear: both">
e440587b940248554524993d31d3e3f22997e62bBrian Bailey<a name="id2551297"></a>Split DNS</h2></div></div></div>
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Setting up different views, or visibility, of the DNS space to
e440587b940248554524993d31d3e3f22997e62bBrian Bailey internal and external resolvers is usually referred to as a
e440587b940248554524993d31d3e3f22997e62bBrian Bailey <span class="emphasis"><em>Split DNS</em></span> setup. There are several
e440587b940248554524993d31d3e3f22997e62bBrian Bailey reasons an organization would want to set up its DNS this way.
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington One common reason for setting up a DNS system this way is
b22c2a29f35c5c8bf679b6904dca1d502328d86aPhill Cunnington to hide "internal" DNS information from "external" clients on the
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Internet. There is some debate as to whether or not this is actually
e440587b940248554524993d31d3e3f22997e62bBrian Bailey Internal DNS information leaks out in many ways (via email headers,
e440587b940248554524993d31d3e3f22997e62bBrian Bailey for example) and most savvy "attackers" can find the information
e440587b940248554524993d31d3e3f22997e62bBrian Bailey they need using other means.
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan However, since listing addresses of internal servers that
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan external clients cannot possibly reach can result in
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan connection delays and other annoyances, an organization may
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan choose to use a Split DNS to present a consistant view of itself
883337f300b7ec221922c406e0c4dcee08a89e51Dirk Hogan to the outside world.
except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
zone "site1.example.com" { // sample master zone
zone "site2.example.com" { // sample slave zone
zone "site1.internal" {
zone "site2.internal" {
zone "site1.example.com" { // sample slave zone
zone "site2.example.com" {
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
<strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.