Bv9ARM.ch04.html revision d6fa26d0adaec6c910115be34fe7a5a5f402c14f
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<table width="100%" summary="Navigation header">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h1 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h1></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="notify"></a>Notify</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews servers to notify their slave servers of changes to a zone's data. In
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews slave will check to see that its version of the zone is the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews current version and, if not, initiate a zone transfer.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For more information about <acronym class="acronym">DNS</acronym>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>NOTIFY</strong></span>, see the description of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the description of the zone option <span class="command"><strong>also-notify</strong></span> in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews protocol is specified in RFC 1996.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zones that it loads.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Dynamic Update is a method for adding, replacing or deleting
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews records in a master server by sending it a special form of DNS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews messages. The format and meaning of these messages is specified
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in RFC 2136.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Dynamic update is enabled by including an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews clause in the <span class="command"><strong>zone</strong></span> statement.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If the zone's <span class="command"><strong>update-policy</strong></span> is set to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>local</code></strong>, updates to the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be permitted for the key <code class="varname">local-ddns</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which will be generated by <span class="command"><strong>named</strong></span> at startup.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Dynamic updates using Kerberos signed requests can be made
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews using the TKEY/GSS protocol by setting either the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Kerberos signed requests will be matched against the update
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews policies for the zone, using the Kerberos principal as the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signer for the request.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Updating of secure zones (zones using DNSSEC) follows RFC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 3007: RRSIG, NSEC and NSEC3 records affected by updates are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews automatically regenerated by the server using an online
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone key. Update authorization is based on transaction
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signatures and an explicit server policy.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="journal"></a>The journal file</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews All changes made to a zone using dynamic update are stored
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the zone's journal file. This file is automatically created
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by the server when the first dynamic update takes place.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The name of the journal file is formed by appending the extension
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">.jnl</code> to the name of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews corresponding zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews file unless specifically overridden. The journal file is in a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews binary format and should not be edited manually.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The server will also occasionally write ("dump")
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the complete contents of the updated zone to its zone file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is not done immediately after
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews each dynamic update, because that would be too slow when a large
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone is updated frequently. Instead, the dump is delayed by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews up to 15 minutes, allowing additional updates to take place.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews During the dump process, transient files will be created
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the extensions <code class="filename">.jnw</code> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">.jbk</code>; under ordinary circumstances, these
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be removed when the dump is complete, and can be safely
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When a server is restarted after a shutdown or crash, it will replay
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the journal file to incorporate into the zone any updates that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews place after the last zone dump.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Changes that result from incoming incremental zone transfers are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews journalled in a similar way.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The zone files of dynamic zones cannot normally be edited by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews hand because they are not guaranteed to contain the most recent
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dynamic changes — those are only in the journal file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The only way to ensure that the zone file of a dynamic zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If you have to make changes to a dynamic zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews manually, the following procedure will work:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Disable dynamic updates to the zone using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This will update the zone's master file with the changes
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews stored in its <code class="filename">.jnl</code> file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Edit the zone file. Run
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to reload the changed zone and re-enable dynamic updates.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will update the zone file with changes from the journal file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews without stopping dynamic updates; this may be useful for viewing
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the current zone state. To remove the <code class="filename">.jnl</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews file after updating the zone file, use
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc sync -clean</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The incremental zone transfer (IXFR) protocol is a way for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews slave servers to transfer only changed data, instead of having to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews transfer the entire zone. The IXFR protocol is specified in RFC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When acting as a master, <acronym class="acronym">BIND</acronym> 9
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews supports IXFR for those zones
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews where the necessary change history information is available. These
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews include master zones maintained by dynamic update and slave zones
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews whose data was obtained by IXFR. For manually maintained master
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zones, and for slave zones obtained by performing a full zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews transfer (AXFR), IXFR is supported only if the option
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>ixfr-from-differences</strong></span> is set
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to <strong class="userinput"><code>yes</code></strong>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews attempt to use IXFR unless
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it is explicitly disabled. For more information about disabling
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the <span class="command"><strong>server</strong></span> statement.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="split_dns"></a>Split DNS</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Setting up different views, or visibility, of the DNS space to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews internal and external resolvers is usually referred to as a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="emphasis"><em>Split DNS</em></span> setup. There are several
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews reasons an organization would want to set up its DNS this way.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews One common reason for setting up a DNS system this way is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to hide "internal" DNS information from "external" clients on the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Internet. There is some debate as to whether or not this is actually
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Internal DNS information leaks out in many ways (via email headers,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for example) and most savvy "attackers" can find the information
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews they need using other means.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews However, since listing addresses of internal servers that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews external clients cannot possibly reach can result in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews connection delays and other annoyances, an organization may
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews choose to use a Split DNS to present a consistent view of itself
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to the outside world.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Another common reason for setting up a Split DNS system is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to allow internal networks that are behind filters or in RFC 1918
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews space (reserved IP space, as documented in RFC 1918) to resolve DNS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews on the Internet. Split DNS can also be used to allow mail from outside
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews back in to the internal network.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews has several corporate sites that have an internal network with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Internet Protocol (IP) space and an external demilitarized zone (DMZ),
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or "outside" section of a network, that is available to the public.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to be able to resolve external hostnames and to exchange mail with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews people on the outside. The company also wants its internal resolvers
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to have access to certain internal-only zones that are not available
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews at all outside of the internal network.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In order to accomplish this, the company will set up two sets
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of name servers. One set will be on the inside network (in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews IP space) and the other set will be on bastion hosts, which are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews hosts that can talk to both sides of its network, in the DMZ.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The internal servers will be configured to forward all queries,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <code class="filename">site2.example.com</code>, to the servers
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DMZ. These internal servers will have complete sets of information
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <code class="filename">site2.internal</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the internal name servers must be configured to disallow all queries
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to these domains from any external hosts, including the bastion
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The external servers, which are on the bastion hosts, will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This could include things such as the host records for public servers
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews should have special MX records that contain wildcard (`*') records
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews pointing to the bastion hosts. This is needed because external mail
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews servers do not have any other way of looking up how to deliver mail
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to those internal hosts. With the wildcard records, the mail will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be delivered to the bastion host, which can then forward it on to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews internal hosts.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Here's an example of a wildcard MX record:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Now that they accept mail on behalf of anything in the internal
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews network, the bastion hosts will need to know how to deliver mail
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to internal hosts. In order for this to work properly, the resolvers
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the bastion hosts will need to be configured to point to the internal
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews name servers for DNS resolution.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Queries for internal hostnames will be answered by the internal
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews servers, and queries for external hostnames will be forwarded back
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews out to the DNS servers on the bastion hosts.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In order for all this to work properly, internal clients will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews need to be configured to query <span class="emphasis"><em>only</em></span> the internal
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews name servers for DNS queries. This could also be enforced via
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews filtering on the network.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews internal clients will now be able to:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Look up any hostnames in the <code class="literal">site1</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">site2.example.com</code> zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Look up any hostnames in the <code class="literal">site1.internal</code> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">site2.internal</code> domains.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<li class="listitem">Look up any hostnames on the Internet.</li>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<li class="listitem">Exchange mail with both internal and external people.</li>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Hosts on the Internet will be able to:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Look up any hostnames in the <code class="literal">site1</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">site2.example.com</code> zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Exchange mail with anyone in the <code class="literal">site1</code> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">site2.example.com</code> zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Here is an example configuration for the setup we just
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews described above. Note that this is only configuration information;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Internal DNS server config:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsacl internals { 172.16.72.0/24; 192.168.1.0/24; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsacl externals { <code class="varname">bastion-ips-go-here</code>; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forward only;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // forward to external servers
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forwarders {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="varname">bastion-ips-go-here</code>;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // sample allow-transfer (no one)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { none; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // restrict query access
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // restrict recursion
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-recursion { internals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews// sample master zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type master;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // do normal iterative resolution (do not forward)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forwarders { };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews// sample slave zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews masters { 172.16.72.3; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forwarders { };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type master;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forwarders { };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { internals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; }
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews masters { 172.16.72.3; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forwarders { };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { internals };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; }
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews External (bastion host) DNS server config:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsacl internals { 172.16.72.0/24; 192.168.1.0/24; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsacl externals { bastion-ips-go-here; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // sample allow-transfer (no one)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { none; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // default query access
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query { any; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // restrict cache access
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query-cache { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews // restrict recursion
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-recursion { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews// sample slave zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type master;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; externals; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews masters { another_bastion_host_maybe; };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer { internals; externals; }
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In the <code class="filename">resolv.conf</code> (or equivalent) on
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the bastion host(s):
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsnameserver 172.16.72.2
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsnameserver 172.16.72.3
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsnameserver 172.16.72.4
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews messages, originally specified in RFC 2845. It allows DNS messages
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to be cryptographically signed using a shared secret. TSIG can
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be used in any DNS transaction, as a way to restrict access to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews certain server functions (e.g., recursive queries) to authorized
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews clients when IP-based access control is insufficient or needs to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be overridden, or as a way to ensure message authenticity when it
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is critical to the integrity of the server, such as with dynamic
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews UPDATE messages or zone transfers from a master to a slave server.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews It describes the configuration syntax and the process of creating
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews communication, and some of the tools included with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <acronym class="acronym">BIND</acronym> support it for sending messages to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span>:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">-k</code>, <code class="option">-l</code> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">-y</code> command line options, or via
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the <span class="command"><strong>key</strong></span> command when running
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews interactively.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">-k</code> and <code class="option">-y</code> command
f03747965c663e5d21af52dd111460efea9e8dd7Francis Dupont line options.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews command; the output of the command is a <span class="command"><strong>key</strong></span> directive
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews suitable for inclusion in <code class="filename">named.conf</code>. The
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews key name, algorithm and size can be specified by command line parameters;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Any string which is a valid DNS name can be used as a key name.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For example, a key to be shared between servers called
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be called "host1-host2.", and this key could be generated using:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews $ tsig-keygen host1-host2. > host1-host2.key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This key may then be copied to both hosts. The key name and secret
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews must be identical on both hosts.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Note: copying a shared secret from one server to another is beyond
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the scope of the DNS. A secure transport mechanism should be used:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews secure FTP, SSL, ssh, telephone, encrypted email, etc.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>tsig-keygen</strong></span> can also be run as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews additional configuration text for setting up dynamic DNS in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span>. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for details.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For a key shared between servers called
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the following could be added to each server's
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewskey "host1-host2." {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews algorithm hmac-sha256;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (This is the same key generated above using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>tsig-keygen</strong></span>.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Since this text contains a secret, it
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is recommended that either <code class="filename">named.conf</code> not be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews world-readable, or that the <span class="command"><strong>key</strong></span> directive
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be stored in a file which is not world-readable, and which is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews included in <code class="filename">named.conf</code> via the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>include</strong></span> directive.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Once a key has been added to <code class="filename">named.conf</code> and the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server has been restarted or reconfigured, the server can recognize
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the key. If the server receives a message signed by the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews key, it will be able to verify the signature. If the signature
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is valid, the response will be signed using the same key.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TSIG keys that are known to a server can be listed using the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews command <span class="command"><strong>rndc tsig-list</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A server sending a request to another server must be told whether
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to use a key, and if so, which key to use.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For example, a key may be specified for each server in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>masters</strong></span> statement in the definition of a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews slave zone; in this case, all SOA QUERY messages, NOTIFY
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews messages, and zone transfer requests (AXFR or IXFR) will be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signed using the specified key. Keys may also be specified
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the <span class="command"><strong>also-notify</strong></span> statement of a master
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or slave zone, causing NOTIFY messages to be signed using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the specified key.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Keys can also be specified in a <span class="command"><strong>server</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signed using the <span class="command"><strong>host1-host2.</strong></span> key:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsserver 10.1.2.3 {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews keys { host1-host2. ;};
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement, but only the first one is used. As this directive does
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews not contain secrets, it can be used in a world-readable file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews would <span class="emphasis"><em>not</em></span> be signed, unless a similar
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Whenever any server sends a TSIG-signed DNS request, it will expect
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the response to be signed with the same key. If a response is not
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signed, or if the signature is not valid, the response will be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TSIG keys may be specified in ACL definitions and ACL directives
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <span class="command"><strong>allow-update</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The above key would be denoted in an ACL element as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>key host1-host2.</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews An example of an <span class="command"><strong>allow-update</strong></span> directive using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsallow-update { !{ !localnets; any; }; key host1-host2. ;};
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This allows dynamic updates to succeed only if the UPDATE
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews request comes from an address in <span class="command"><strong>localnets</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="emphasis"><em>and</em></span> if it is signed using the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>host1-host2.</strong></span> key.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the more flexible <span class="command"><strong>update-policy</strong></span> statement.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Processing of TSIG-signed messages can result in several errors:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If a TSIG-aware server receives a message signed by an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews unknown key, the response will be unsigned, with the TSIG
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews extended error code set to BADKEY.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If a TSIG-aware server receives a message from a known key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews but with an invalid signature, the response will be unsigned,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the TSIG extended error code set to BADSIG.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If a TSIG-aware server receives a message with a time
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews outside of the allowed range, the response will be signed, with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the TSIG extended error code set to BADTIME, and the time values
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be adjusted so that the response can be successfully
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In all of the above cases, the server will return a response code
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of NOTAUTH (not authenticated).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TKEY (Transaction KEY) is a mechanism for automatically negotiating
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a shared secret between two hosts, originally specified in RFC 2930.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews There are several TKEY "modes" that specify how a key is to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews one of these modes: Diffie-Hellman key exchange. Both hosts are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews required to have a KEY record with algorithm DH (though this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record is not required to be present in a zone).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The TKEY process is initiated by a client or server by sending
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a query of type TKEY to a TKEY-aware server. The query must include
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews an appropriate KEY record in the additional section, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews must be signed using either TSIG or SIG(0) with a previously
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews established key. The server's response, if successful, will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews contain a TKEY record in its answer section. After this transaction,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews both participants will have enough information to calculate a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews shared secret using Diffie-Hellman key exchange. The shared secret
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews can then be used by to sign subsequent transactions between the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews two servers.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TSIG keys known by the server, including TKEY-negotiated keys, can
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TKEY-negotiated keys can be deleted from a server using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the TKEY protocol itself, by sending an authenticated TKEY query
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews specifying the "key deletion" mode.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="sig0"></a>SIG(0)</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews transaction signatures as specified in RFC 2535 and RFC 2931.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SIG(0) uses public/private keys to authenticate messages. Access control
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is performed in the same manner as TSIG keys; privileges can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews granted or denied in ACL directives based on the key name.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When a SIG(0) signed message is received, it will only be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews verified if the key is known and trusted by the server. The
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server will not attempt to recursively fetch or validate the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SIG(0) signing of multiple-message TCP streams is not supported.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Cryptographic authentication of DNS information is possible
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews defined in RFC 4033, RFC 4034, and RFC 4035.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This section describes the creation and use of DNSSEC signed zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In order to set up a DNSSEC secure zone, there are a series
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of steps which must be followed. <acronym class="acronym">BIND</acronym>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with several tools
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that are used in this process, which are explained in more detail
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews below. In all cases, the <code class="option">-h</code> option prints a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews full list of parameters. Note that the DNSSEC tools require the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews keyset files to be in the working directory or the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews directory specified by the <code class="option">-d</code> option, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that the tools shipped with BIND 9.2.x and earlier are not compatible
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the current ones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews There must also be communication with the administrators of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the parent and/or child zone to transmit keys. A zone's security
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews status must be indicated by the parent zone for a DNSSEC capable
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resolver to trust its data. This is done through the presence
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or absence of a <code class="literal">DS</code> record at the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For other servers to trust data in this zone, they must
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews either be statically configured with this zone's zone key or the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone key of another zone above this one in the DNS tree.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generate keys.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A secure zone must contain one or more zone keys. The
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone keys will sign all other records in the zone, as well as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone keys of any secure delegated zones. Zone keys must
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews have the same name as the zone, a name type of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>ZONE</strong></span>, and must be usable for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews authentication.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews It is recommended that zone keys use a cryptographic algorithm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews designated as "mandatory to implement" by the IETF; currently
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the only one is RSASHA1.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The following command will generate a 768-bit RSASHA1 key for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the <code class="filename">child.example</code> zone:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Two output files will be produced:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">Kchild.example.+005+12345.key</code> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">Kchild.example.+005+12345.private</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 12345 is an example of a key tag). The key filenames contain
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the key name (<code class="filename">child.example.</code>),
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews algorithm (3
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The private key (in the <code class="filename">.private</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews used to generate signatures, and the public key (in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">.key</code> file) is used for signature
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews verification.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To generate another key with the same properties (but with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a different key tag), repeat the above command.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to get a key pair from a crypto hardware and build the key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The public keys should be inserted into the zone file by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews including the <code class="filename">.key</code> files using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>$INCLUDE</strong></span> statements.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span class="command"><strong>dnssec-signzone</strong></span> program is used
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to sign a zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Any <code class="filename">keyset</code> files corresponding to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews secure subzones should be present. The zone signer will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <code class="literal">RRSIG</code> records for the zone, as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews well as <code class="literal">DS</code> for the child zones if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is not specified, then DS RRsets for the secure child
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zones need to be added manually.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The following command signs the zone, assuming it is in a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews file called <code class="filename">zone.child.example</code>. By
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews default, all zone keys which have an available private key are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews used to generate signatures.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews One output file is produced:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">zone.child.example.signed</code>. This
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews should be referenced by <code class="filename">named.conf</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews input file for the zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p><span class="command"><strong>dnssec-signzone</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will also produce a keyset and dsset files and optionally a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dlvset file. These are used to provide the parent zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews administrators with the <code class="literal">DNSKEYs</code> (or their
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews corresponding <code class="literal">DS</code> records) that are the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews secure entry point to the zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To enable <span class="command"><strong>named</strong></span> to respond appropriately
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to DNS requests from DNSSEC aware clients,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (This is the default setting.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To enable <span class="command"><strong>named</strong></span> to validate answers from
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews must be set to <strong class="userinput"><code>yes</code></strong>, and the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-validation</strong></span> options must be set to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If <span class="command"><strong>dnssec-validation</strong></span> is set to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>auto</code></strong>, then a default
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews trust anchor for the DNS root zone will be used.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If it is set to <strong class="userinput"><code>yes</code></strong>, however,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews then at least one trust anchor must be configured
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with a <span class="command"><strong>trusted-keys</strong></span> or
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>managed-keys</strong></span> statement in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">named.conf</code>, or DNSSEC validation
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will not occur. The default setting is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>yes</code></strong>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for zones that are used to form the first link in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic chain of trust. All keys listed in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews are deemed to exist and only the listed keys will be used
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to validated the DNSKEY RRset that they are from.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews automatically kept up to date via RFC 5011 trust anchor
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews maintenance.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>trusted-keys</strong></span> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>managed-keys</strong></span> are described in more detail
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews later in this document.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 9 does not verify signatures on load, so zone keys for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews authoritative zones do not need to be specified in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews After DNSSEC gets established, a typical DNSSEC configuration
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will look something like the following. It has one or
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews more public keys for the root. This allows answers from
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews outside the organization to be validated. It will also
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews have several keys for parts of the namespace the organization
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews controls. These are here to ensure that <span class="command"><strong>named</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is immune to compromises in the DNSSEC components of the security
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of parent zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsmanaged-keys {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews /* Root Key */
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dgxbcDTClU0CRBdiieyLMNzXG3";
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewstrusted-keys {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews /* Key for our organization's forward zone */
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews /* Key for our reverse zone. */
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews xOdNax071L18QqZnQQQAVVr+i
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews LhGTnNGp3HoWQLUIzKrJVZ3zg
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews gy3WwNT6kZo6c0tszYqbtvchm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews siaOdS0yOI6BgPsw+YZdzlYMa
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews IJGf4M4dyoKIhzdZyQ2bYQrjy
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Q4LB0lC7aOnsMyYKHHYeRvPxj
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews IQXmdqgOJGq+vsevG06zW+1xg
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 59VvjSPsZJHeDCUyWYrvPZesZ
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DIRvhDD52SKvbheeTJUm6Ehkz
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dnssec-enable yes;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dnssec-validation yes;
1bb2f53b9f74a8ca9812cbe9243ef41190b4da14Evan Hunt<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews None of the keys listed in this example are valid. In particular,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the root key is not valid.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When DNSSEC validation is enabled and properly configured,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the resolver will reject any answers from signed, secure zones
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which fail to validate, and will return SERVFAIL to the client.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Responses may fail to validate for any of several reasons,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews including missing, expired, or invalid signatures, a key which
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews does not match the DS RRset in the parent zone, or an insecure
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews response from a zone which, according to its parent, should have
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews been secure.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When the validator receives a response from an unsigned zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that has a signed parent, it must confirm with the parent
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that the zone was intentionally left unsigned. It does
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this by verifying, via signed and validated NSEC/NSEC3 records,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that the parent zone contains no DS records for the child.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If the validator <span class="emphasis"><em>can</em></span> prove that the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is insecure, then the response is accepted. However, if it
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cannot, then it must assume an insecure response to be a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forgery; it rejects the response and logs an error.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The logged error reads "insecurity proof failed" and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "got insecure response; parent indicates it should be secure".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Prior to BIND 9.7, the logged error was "not insecure".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This referred to the zone, not the response.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>As of BIND 9.7.0 it is possible to change a dynamic zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews from insecure to signed and back again. A secure zone can use
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews either NSEC or NSEC3 chains.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Changing a zone from insecure to secure can be done in two
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ways: using a dynamic DNS update, or the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>For either method, you need to configure
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> so that it can see the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">K*</code> files which contain the public and private
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews parts of the keys that will be used to sign the zone. These files
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will have been generated by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the key-directory, as specified in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type master;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews update-policy local;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>If one KSK and one ZSK DNSKEY key have been generated, this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration will cause all records in the zone to be signed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the ZSK, and the DNSKEY RRset to be signed with the KSK as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews well. An NSEC chain will be generated as part of the initial
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signing process.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > ttl 3600
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>While the update request will complete almost immediately,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone will not be completely signed until
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> has had time to walk the zone and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generate the NSEC and RRSIG records. The NSEC record at the apex
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be added last, to signal that there is a complete NSEC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>If you wish to sign using NSEC3 instead of NSEC, you should
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews add an NSEC3PARAM record to the initial update request. If you
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews wish the NSEC3 chain to have the OPTOUT bit set, set it in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews flags field of the NSEC3PARAM record.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > ttl 3600
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews > update add example.net NSEC3PARAM 1 1 100 1234567890
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Again, this update request will complete almost
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews immediately; however, the record won't show up until
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> has had a chance to build/remove the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews relevant chain. A private type record will be created to record
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the state of the operation (see below for more details), and will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be removed once the operation completes.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>While the initial signing and NSEC/NSEC3 chain generation
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is happening, other updates are possible as well.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To enable automatic signing, add the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec allow</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> can search the key directory for keys
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews matching the zone, insert them into the zone, and use them to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews sign the zone. It will do so only when it receives an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc sign <zonename></strong></span>.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews functionality, but will also automatically adjust the zone's
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSKEY records on schedule according to the keys' timing metadata.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> will periodically search the key directory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for keys matching the zone, and if the keys' metadata indicates
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that any change should be made the zone, such as adding, removing,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or revoking a key, then that action will be carried out. By default,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the key directory is checked for changes every 60 minutes; this period
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> to check for key updates immediately.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If keys are present in the key directory the first time the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is loaded, the zone will be signed immediately, without waiting for an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews command. (Those commands can still be used when there are unscheduled
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews key changes, however.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When new keys are added to a zone, the TTL is set to match that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews then the TTL will be set to the TTL specified when the key was
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews any, or to the SOA TTL.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If you wish the zone to be signed using NSEC3 instead of NSEC,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews submit an NSEC3PARAM record via dynamic update prior to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews scheduled publication and activation of the keys. If you wish the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews NSEC3 chain to have the OPTOUT bit set, set it in the flags field
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone immediately, but it will be stored for later reference. When
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record will appear in the zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configured to allow dynamic updates, by adding an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>allow-update</strong></span> or
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>update-policy</strong></span> statement to the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration. If this has not been done, the configuration will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>The state of the signing process is signaled by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews private-type records (with a default type value of 65534). When
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signing is complete, these records will have a nonzero value for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the final octet (for those records which have a nonzero initial
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>The private type record format: If the first octet is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews non-zero then the record indicates that the zone needs to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signed with the key matching the record, or that all signatures
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that match the record should be removed.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��algorithm�(octet�1)<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��key�id�in�network�order�(octet�2�and�3)<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��removal�flag�(octet�4)<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��complete�flag�(octet�5)<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Only records flagged as "complete" can be removed via
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dynamic update. Attempts to remove other private type records
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be silently ignored.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>If the first octet is zero (this is a reserved algorithm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews number that should never appear in a DNSKEY record) then the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record indicates changes to the NSEC3 chains are in progress. The
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews rest of the record contains an NSEC3PARAM record. The flag field
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews tells what operation to perform based on the flag bits.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��0x01�OPTOUT<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��0x80�CREATE<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��0x40�REMOVE<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews��0x20�NONSEC<br>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>As with insecure-to-secure conversions, rolling DNSSEC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews keys can be done in two ways: using a dynamic DNS update, or the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p> To perform key rollovers via dynamic update, you need to add
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the <code class="filename">K*</code> files for the new keys so that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> can find them. You can then add the new
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSKEY RRs via dynamic update.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> will then cause the zone to be signed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the new keys. When the signing is complete the private type
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews records will be updated so that the last octet is non
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>If this is for a KSK you need to inform the parent and any
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews trust anchor repositories of the new KSK.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>You should then wait for the maximum TTL in the zone before
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews removing the old DNSKEY. If it is a KSK that is being updated,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews you also need to wait for the DS RRset in the parent to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews updated and its TTL to expire. This ensures that all clients will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be able to verify at least one signature when you remove the old
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>The old DNSKEY can be removed via UPDATE. Take care to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews specify the correct key.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> will clean out any signatures generated
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by the old key after the update completes.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>When a new key reaches its activation date (as set by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews automatically carry out the key rollover. If the key's algorithm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews has not previously been used to sign the zone, then the zone will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be fully signed as quickly as possible. However, if the new key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is replacing an existing key of the same algorithm, then the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone will be re-signed incrementally, with signatures from the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews old key being replaced with signatures from the new key as their
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signature validity periods expire. By default, this rollover
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews completes in 30 days, after which it will be safe to remove the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews old key from the DNSKEY RRset.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Add the new NSEC3PARAM record via dynamic update. When the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews new NSEC3 chain has been generated, the NSEC3PARAM flag field
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be zero. At this point you can remove the old NSEC3PARAM
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record. The old chain will be removed after the update request
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews completes.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To do this, you just need to add an NSEC3PARAM record. When
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the conversion is complete, the NSEC chain will have been removed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and the NSEC3PARAM record will have a zero flag field. The NSEC3
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews chain will be generated before the NSEC chain is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews destroyed.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews remove all NSEC3PARAM records with a zero flag
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews field. The NSEC chain will be generated before the NSEC3 chain is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews removed.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To convert a signed zone to unsigned using dynamic DNS,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews delete all the DNSKEY records from the zone apex using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and associated NSEC3PARAM records will be removed automatically.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This will take place after the update request completes.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p> This requires the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>yes</code></strong> in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone statement is used, it should be removed or changed to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will periodically re-sign RRsets which have not been re-signed as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a result of some update action. The signature lifetimes will be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews adjusted so as to spread the re-sign load over time rather than
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews all at once.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews where all the NSEC3 records in the zone have the same OPTOUT
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews records in the chain have mixed OPTOUT state.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews state of an individual NSEC3 record, the entire chain needs to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews changed if the OPTOUT state of an individual NSEC3 needs to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews changed.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews anchor management. Using this feature allows
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span> to keep track of changes to critical
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSSEC keys without any need for the operator to make changes to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration files.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To configure a validating resolver to use RFC 5011 to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews maintain a trust anchor, configure the trust anchor using a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>managed-keys</strong></span> statement. Information about
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this can be found in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To set up an authoritative zone for RFC 5011 trust anchor
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews maintenance, generate two (or more) key signing keys (KSKs) for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone. Sign the zone with one of them; this is the "active"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews KSK. All KSKs which do not sign the zone are "stand-by"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Any validating resolver which is configured to use the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews active KSK as an RFC 5011-managed trust anchor will take note
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the stand-by KSKs in the zone's DNSKEY RRset, and store them
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for future reference. The resolver will recheck the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews periodically, and after 30 days, if the new key is still there,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews then the key will be accepted by the resolver as a valid trust
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews anchor for the zone. Any time after this 30-day acceptance
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews timer has completed, the active KSK can be revoked, and the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone can be "rolled over" to the newly accepted key.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>The easiest way to place a stand-by key in a zone is to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews use the "smart signing" features of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keygen</strong></span> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews date in the past, but an activation date which is unset or in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the future, "
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record in the zone, but will not sign with it:</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>To revoke a key, the new command
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews REVOKED bit to the key flags and re-generates the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">K*.private</code> files.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>After revoking the active key, the zone must be signed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with both the revoked KSK and the new active KSK. (Smart
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews signing takes care of this automatically.)</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Once a key has been revoked and used to sign the DNSKEY
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews RRset in which it appears, that key will never again be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews accepted as a valid trust anchor by the resolver. However,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews validation can proceed using the new active key (which had been
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews accepted by the resolver when it was a stand-by key).</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>See RFC 5011 for more details on key rollover
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews scenarios.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>When a key has been revoked, its key ID changes,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews increasing by 128, and wrapping around at 65535. So, for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<code class="filename">Kexample.com.+005+10128</code>".</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>If two keys have IDs exactly 128 apart, and one is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews revoked, then the two key IDs will collide, causing several
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews problems. To prevent this,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews another key is present which may collide. This checking will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews only occur if the new keys are written to the same directory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which holds all other keys in use for that zone.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>Older versions of BIND 9 did not have this precaution.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Exercise caution if using key revocation on keys that were
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generated by previous releases, or if using keys stored in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews multiple directories or on multiple machines.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>It is expected that a future release of BIND 9 will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews address this problem in a different way, by storing revoked
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews keys with their original unrevoked key IDs.</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PKCS#11 (Public Key Cryptography Standard #11) defines a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews platform-independent API for the control of hardware security
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews modules (HSMs) and other cryptographic support devices.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews BIND 9 is known to work with three HSMs: The AEP Keyper, which has
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews been tested with Debian Linux, Solaris x86 and Windows Server 2003;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic acceleration board, tested with Solaris x86. In
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews addition, BIND can be used with all current versions of SoftHSM,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a software-based HSM simulator library produced by the OpenDNSSEC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PKCS#11 makes use of a "provider library": a dynamically loadable
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews library which provides a low-level PKCS#11 interface to drive the HSM
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews hardware. The PKCS#11 provider library comes from the HSM vendor, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it is specific to the HSM to be controlled.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews There are two available mechanisms for PKCS#11 support in BIND 9:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL-based PKCS#11 and native PKCS#11. When using the first
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews mechanism, BIND uses a modified version of OpenSSL, which loads
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the provider library and operates the HSM indirectly; any
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic operations not supported by the HSM can be carried
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews out by OpenSSL instead. The second mechanism enables BIND to bypass
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL completely; BIND loads the provider library itself, and uses
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the PKCS#11 API to drive the HSM directly.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.6"></a>Prerequisites</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews See the documentation provided by your HSM vendor for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews information about installing, initializing, testing and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews troubleshooting the HSM.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.7"></a>Native PKCS#11</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Native PKCS#11 mode will only work with an HSM capable of carrying
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews need. The HSM's provider library must have a complete implementation
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the PKCS#11 API, so that all these functions are accessible. As of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this writing, only the Thales nShield HSM and SoftHSMv2 can be used
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Note: Eventually, when more HSMs become capable of supporting
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be deprecated.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To build BIND with native PKCS#11, configure as follows:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd bind9</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/configure --enable-native-pkcs11 \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This will cause all BIND tools, including <span class="command"><strong>named</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews tools, to use the PKCS#11 provider library specified in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>provider-library-path</code></em> for cryptography.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (The provider library path can be overridden using the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">-E</code> in <span class="command"><strong>named</strong></span> and the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the <span class="command"><strong>pkcs11-*</strong></span> tools.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.7.6"></a>Building SoftHSMv2</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SoftHSMv2, the latest development version of SoftHSM, is available
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="link" href="https://github.com/opendnssec/SoftHSMv2" target="_top">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews It is a software library developed by the OpenDNSSEC project
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (<a class="link" href="http://www.opendnssec.org" target="_top">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which provides a PKCS#11 interface to a virtual HSM, implemented in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the form of a SQLite3 database on the local filesystem. It provides
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews less security than a true HSM, but it allows you to experiment with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews native PKCS#11 when an HSM is not available. SoftHSMv2 can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configured to use either OpenSSL or the Botan library to perform
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic functions, but when using it for native PKCS#11 in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews BIND, OpenSSL is required.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews By default, the SoftHSMv2 configuration file is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>prefix</code></em> is configured at compile time).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This location can be overridden by the SOFTHSM2_CONF environment
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews variable. The SoftHSMv2 cryptographic store must be installed and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews initialized before using it with BIND.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> make </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> make install </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8"></a>OpenSSL-based PKCS#11</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL-based PKCS#11 mode uses a modified version of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL library; stock OpenSSL does not fully support PKCS#11.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ISC provides a patch to OpenSSL to correct this. This patch is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews based on work originally done by the OpenSolaris project; it has been
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews modified by ISC to provide new features such as PIN management and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews key-by-reference.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews There are two "flavors" of PKCS#11 support provided by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the patched OpenSSL, one of which must be chosen at
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration time. The correct choice depends on the HSM
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Use 'crypto-accelerator' with HSMs that have hardware
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic acceleration features, such as the SCA 6000
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews board. This causes OpenSSL to run all supported
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews cryptographic operations in the HSM.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Use 'sign-only' with HSMs that are designed to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews function primarily as secure key storage devices, but lack
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews hardware acceleration. These devices are highly secure, but
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews are not necessarily any faster at cryptography than the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews system CPU — often, they are slower. It is therefore
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews most efficient to use them only for those cryptographic
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews functions that require access to the secured private key,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews such as zone signing, and to use the system CPU for all
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews other computationally-intensive operations. The AEP Keyper
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is an example of such a device.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The modified OpenSSL code is included in the BIND 9 release,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the form of a context diff against the latest versions of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews there are separate diffs for each version. In the examples to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews follow, we use OpenSSL 0.9.8, but the same methods work with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL 1.0.0 through 1.0.2.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The OpenSSL patches as of this writing (January 2016)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ISC will provide updated patches as new versions of OpenSSL
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews are released. The version number in the following examples
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is expected to change.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Before building BIND 9 with PKCS#11 support, it will be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews necessary to build OpenSSL with the patch in place, and configure
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it with the path to your HSM's PKCS#11 provider library.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.8"></a>Patching OpenSSL</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews < bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The patch file may not be compatible with the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "patch" utility on all operating systems. You may need to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews install GNU patch.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When building OpenSSL, place it in a non-standard
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews location so that it does not interfere with OpenSSL libraries
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews elsewhere on the system. In the following examples, we choose
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to install into "/opt/pkcs11/usr". We will use this location
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews when we configure BIND 9.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Later, when building BIND 9, the location of the custom-built
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL library will need to be specified via configure.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.9"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The AEP Keyper is a highly secure key storage device,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews but does not provide hardware cryptographic acceleration. It
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews can carry out cryptographic operations, but it is probably
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews slower than your system's CPU. Therefore, we choose the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 'sign-only' flavor when building OpenSSL.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The Keyper-specific PKCS#11 provider library is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews delivered with the Keyper software. In this example, we place
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The Keyper library requires threads, so we
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews must specify -pthread.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --pk11-flavor=sign-only \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews After configuring, run "<span class="command"><strong>make</strong></span>"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews test</strong></span>" fails with "pthread_atfork() not found", you forgot to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews add the -pthread above.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.10"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The SCA-6000 PKCS#11 provider is installed as a system
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews library, libpkcs11. It is a true crypto accelerator, up to 4
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews times faster than any CPU, so the flavor shall be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 'crypto-accelerator'.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In this example, we are building on Solaris x86 on an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews AMD64 system.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/Configure solaris64-x86_64-cc \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --pk11-flavor=crypto-accelerator \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews After configuring, run
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>make</strong></span> and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>make test</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.11"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SoftHSM (version 1) is a software library developed by the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenDNSSEC project
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (<a class="link" href="http://www.opendnssec.org" target="_top">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which provides a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PKCS#11 interface to a virtual HSM, implemented in the form of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a SQLite3 database on the local filesystem. SoftHSM uses
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the Botan library to perform cryptographic functions. Though
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews less secure than a true HSM, it can allow you to experiment
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with PKCS#11 when an HSM is not available.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The SoftHSM cryptographic store must be installed and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews initialized before using it with OpenSSL, and the SOFTHSM_CONF
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews environment variable must always point to the SoftHSM configuration
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> make </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> make install </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SoftHSM can perform all cryptographic operations, but
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews since it only uses your system CPU, there is no advantage to using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it for anything but signing. Therefore, we choose the 'sign-only'
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews flavor when building OpenSSL.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --pk11-flavor=sign-only \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews After configuring, run "<span class="command"><strong>make</strong></span>"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and "<span class="command"><strong>make test</strong></span>".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Once you have built OpenSSL, run
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that PKCS#11 support was compiled in correctly. The output
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews should be one of the following lines, depending on the flavor
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (pkcs11) PKCS #11 engine support (sign only)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (pkcs11) PKCS #11 engine support (crypto accelerator)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews attempt to initialize the PKCS#11 engine. If it is able to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews do so successfully, it will report
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If the output is correct, run
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>make install</strong></span>" which will install the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To link with the PKCS#11 provider, threads must be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews enabled in the BIND 9 build.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/configure --enable-threads \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To link with the PKCS#11 provider, threads must be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews enabled in the BIND 9 build.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/configure CC="cc -xarch=amd64" --enable-threads \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If configure complains about OpenSSL not working, you
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews may have a 32/64-bit architecture mismatch. Or, you may have
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews incorrectly specified the path to OpenSSL (it should be the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews same as the --prefix argument to the OpenSSL
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.8.20"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>/configure --enable-threads \
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews After configuring, run
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>make</strong></span>",
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>make test</strong></span>" and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "<span class="command"><strong>make install</strong></span>".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Note: If "make test" fails in the "pkcs11" system test, you may
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews have forgotten to set the SOFTHSM_CONF environment variable.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews BIND 9 includes a minimal set of tools to operate the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews HSM, including
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews within the HSM,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-list</strong></span> to list objects currently
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-tokens</strong></span> to list available tokens.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In UNIX/Linux builds, these tools are built only if BIND
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 9 is configured with the --with-pkcs11 option. (Note: If
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews --with-pkcs11 is set to "yes", rather than to the path of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PKCS#11 provider, then the tools will be built but the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews provider will be left undefined. Use the -m option or the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PKCS11_PROVIDER environment variable to specify the path to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.10"></a>Using the HSM</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For OpenSSL-based PKCS#11, we must first set up the runtime
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews environment so the OpenSSL and PKCS#11 libraries can be loaded:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This causes <span class="command"><strong>named</strong></span> and other binaries to load
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews rather than from the default location. This step is not necessary
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews when using native PKCS#11.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Some HSMs require other environment variables to be set.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For example, when operating an AEP Keyper, it is necessary to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews specify the location of the "machine" file, which stores
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews information about the Keyper for use by the provider
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews library. If the machine file is in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Such environment variables must be set whenever running
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews any tool that uses the HSM, including
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-keygen</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-list</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>pkcs11-destroy</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keyfromlabel</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-signzone</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-keygen</strong></span>, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews We can now create and use keys in the HSM. In this case,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews we will create a 2048 bit key and give it the label
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "sample-ksk":
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>pkcs11-list</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsobject[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsobject[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Before using this key to sign a zone, we must create a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews does this. In this case, we will be using the HSM key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "sample-ksk" as the key-signing key for "example.net":
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The resulting K*.key and K*.private files can now be used
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to sign the zone. Unlike normal K* files, which contain both
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews public and private key data, these files will contain only the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews public key data, plus an identifier for the private key which
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews remains stored within the HSM. Signing with the private key takes
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews place inside the HSM.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If you wish to generate a second key in the HSM for use
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews as a zone-signing key, follow the same procedure above, using a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews different keylabel, a smaller key size, and omitting "-f KSK"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews from the dnssec-keyfromlabel arguments:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews string which identifies the key. With native PKCS#11, the label is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a PKCS#11 URI string which may include other details about the key
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and the HSM, including its PIN. See
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Alternatively, you may prefer to generate a conventional
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews on-disk key, using dnssec-keygen:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This provides less security than an HSM key, but since
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews HSMs can be slow or cumbersome to use for security reasons, it
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews may be more efficient to reserve HSM keys for use in the less
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews frequent key-signing operation. The zone-signing key can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews rolled more frequently, if you wish, to compensate for a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews reduction in key security. (Note: When using native PKCS#11,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews there is no speed advantage to using on-disk keys, as cryptographic
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews operations will be done by the HSM regardless.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Now you can sign the zone. (Note: If not using the -S
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews option to <span class="command"><strong>dnssec-signzone</strong></span>, it will be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews necessary to add the contents of both <code class="filename">K*.key</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews files to the zone master file before signing it.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark AndrewsVerifying the zone using the following algorithms:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark AndrewsNSEC3RSASHA1.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark AndrewsZone signing complete:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark AndrewsAlgorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.11"></a>Specifying the engine on the command line</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When using OpenSSL-based PKCS#11, the "engine" to be used by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews OpenSSL can be specified in <span class="command"><strong>named</strong></span> and all of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the BIND <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <engine>" command line option. If BIND 9 is built with
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the --with-pkcs11 option, this option defaults to "pkcs11".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Specifying the engine will generally not be necessary unless
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for some reason you wish to use a different OpenSSL
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If you wish to disable use of the "pkcs11" engine —
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for troubleshooting purposes, or because the HSM is unavailable
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews — set the engine to the empty string. For example:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews without the --with-pkcs11 option.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When built with native PKCS#11 mode, the "engine" option has a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews different meaning: it specifies the path to the PKCS#11 provider
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews library. This may be useful when testing a new provider library.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.12.12"></a>Running named with automatic zone re-signing</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If you want <span class="command"><strong>named</strong></span> to dynamically re-sign zones
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews using HSM keys, and/or to to sign new records inserted via nsupdate,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this is accomplished by placing the PIN into the openssl.cnf file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (in the above examples,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The location of the openssl.cnf file can be overridden by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews setting the OPENSSL_CONF environment variable before running
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>named</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews openssl_conf = openssl_def
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [ openssl_def ]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews engines = engine_section
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [ engine_section ]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews pkcs11 = pkcs11_section
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [ pkcs11_section ]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This will also allow the dnssec-* tools to access the HSM
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews without PIN entry. (The pkcs11-* tools access the HSM directly,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews not via OpenSSL, so a PIN will still be required to use
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In native PKCS#11 mode, the PIN can be provided in a file specified
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews as an attribute of the key's label. For example, if a key had the label
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews then the PIN would be read from the file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Placing the HSM's PIN in a text file in this manner may reduce the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews security advantage of using an HSM. Be sure this is what you want to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews do before configuring the system in this way.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone data to be retrieved directly from an external database. There is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews no required format or schema. DLZ drivers exist for several different
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews database backends including PostgreSQL, MySQL, and LDAP and can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews written for any other.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews binary and were turned on via a configure option at compile time (for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Currently, the drivers provided in the BIND 9 tarball in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">contrib/dlz/drivers</code> are still linked this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In BIND 9.8 and higher, it is possible to link some DLZ modules
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews generic wrapper around a shared object implementing the DLZ API. The
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews are no longer necessary when using these dynamically linkable drivers,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews but are still needed for the older drivers in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">contrib/dlz/drivers</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews conversion, and the lack of any internal caching, places significant
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews limits on the query performance of DLZ modules. Consequently, DLZ is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews not recommended for use on high-volume servers. However, it can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews used in a hidden master configuration, with slaves retrieving zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews updates via AXFR. (Note, however, that DLZ has no built-in support for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNS notify; slaves are not automatically informed of changes to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zones in the database.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.13.6"></a>Configuring DLZ</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A DLZ database is configured with a <span class="command"><strong>dlz</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in <code class="filename">named.conf</code>:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dlz example {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews database "dlopen driver.so <code class="option">args</code>";
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This specifies a DLZ module to search when answering queries; the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews module is implemented in <code class="filename">driver.so</code> and is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews loaded at runtime by the dlopen DLZ driver. Multiple
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dlz</strong></span> statements can be specified; when
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews answering a query, all DLZ modules with <code class="option">search</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews set to <code class="literal">yes</code> will be queried to find out if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews they contain an answer for the query name; the best available
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews answer will be returned to the client.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="option">search</code> option in the above example can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews omitted, because <code class="literal">yes</code> is the default value.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If <code class="option">search</code> is set to <code class="literal">no</code>, then
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews match when a query is received. Instead, zones in this DLZ must be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews separately specified in a zone statement. This allows you to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configure a zone normally using standard zone option semantics,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews but specify a different database back-end for storage of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone's data. For example, to implement NXDOMAIN redirection using
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a DLZ module for back-end storage of redirection rules:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews database "dlopen driver.so <code class="option">args</code>";
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type redirect;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.13.7"></a>Sample DLZ Driver</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For guidance in implementation of DLZ modules, the directory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">contrib/dlz/example</code> contains a basic
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dynamically-linkable DLZ module--i.e., one which can be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews loaded at runtime by the "dlopen" DLZ driver.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The example sets up a single zone, whose name is passed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to the module as an argument in the <span class="command"><strong>dlz</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In the above example, the module is configured to create a zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "example.nil", which can answer queries and AXFR requests, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews accept DDNS updates. At runtime, prior to any updates, the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews contains an SOA, NS, and a single A record at the apex:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 123 900 600 86400 3600
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example.nil. 1800 IN A 10.53.0.1
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The sample driver is capable of retrieving information about the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews querying client, and altering its response on the basis of this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews information. To demonstrate this feature, the example driver
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews responds to queries for "source-addr.<code class="option">zonename</code>>/TXT"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with the source address of the query. Note, however, that this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record will *not* be included in AXFR or ANY responses. Normally,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this feature would be used to alter responses in some other fashion,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews e.g., by providing different address records for a particular name
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews depending on the network from which the query arrived.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Documentation of the DLZ module API can be found in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">contrib/dlz/example/README</code>. This directory also
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews contains the header file <code class="filename">dlz_minimal.h</code>, which
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews defines the API and should be included by any dynamically-linkable
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="dyndb-info"></a>DynDB (Dynamic Database)</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DynDB is an extension to BIND 9 which, like DLZ
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews retrieved from an external database. Unlike DLZ, a DynDB module
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews provides a full-featured BIND zone database interface. Where
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DLZ translates DNS queries into real-time database lookups,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resulting in relatively poor query performance, and is unable
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to handle DNSSEC-signed data due to its limited API, a DynDB
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews module can pre-load an in-memory database from the external
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews data source, providing the same performance and functionality
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews as zones served natively by BIND.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A DynDB module supporting LDAP has been created by Red Hat
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and is available from
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A sample DynDB module for testing and developer guidance
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is included with the BIND source code, in the directory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">bin/tests/system/dyndb/driver</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.14.5"></a>Configuring DynDB</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A DynDB database is configured with a <span class="command"><strong>dyndb</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in <code class="filename">named.conf</code>:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dyndb example "driver.so" {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>parameters</code></em>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The file <code class="filename">driver.so</code> is a DynDB module which
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews implements the full DNS database API. Multiple
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>dyndb</strong></span> statements can be specified, to load
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews different drivers or multiple instances of the same driver.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Zones provided by a DynDB module are added to the view's zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews table, and are treated as normal authoritative zones when BIND
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews is responding to queries. Zone configuration is handled internally
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by the DynDB module.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <em class="replaceable"><code>parameters</code></em> are passed as an opaque
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews string to the DynDB module's initialization routine. Configuration
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews syntax will differ depending on the driver.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.14.6"></a>Sample DynDB Module</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews For guidance in implementation of DynDB modules, the directory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">bin/tests/system/dyndb/driver</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews contains a basic DynDB module.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The example sets up two zones, whose names are passed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to the module as arguments in the <span class="command"><strong>dyndb</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews dyndb sample "sample.so" { example.nil. arpa. };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In the above example, the module is configured to create a zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews "example.nil", which can answer queries and AXFR requests, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews accept DDNS updates. At runtime, prior to any updates, the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews contains an SOA, NS, and a single A record at the apex:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example.nil. 86400 IN SOA example.nil. example.nil. (
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews 0 28800 7200 604800 86400
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example.nil. 86400 IN A 127.0.0.1
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When the zone is updated dynamically, the DynDB module will determine
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews whether the updated RR is an address (i.e., type A or AAAA) and if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews so, it will automatically update the corresponding PTR record in a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews reverse zone. (Updates are not stored permanently; all updates are
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lost when the server is restarted.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="catz-info"></a>Catalog Zones</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A "catalog zone" is a special DNS zone that contains a list of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews other zones to be served, along with their configuration parameters.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Zones listed in a catalog zone are called "member zones".
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When a catalog zone is loaded or transferred to a slave server
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which supports this functionality, the slave server will create
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the member zones automatically. When the catalog zone is updated
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (for example, to add or delete member zones, or change
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews their configuration parameters) those changes are immediately put
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews into effect. Because the catalog zone is a normal DNS zone, these
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews configuration changes can be propagated using the standard AXFR/IXFR
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone transfer mechanism.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Catalog zones' format and behavior are specified as an internet draft
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for interoperability among DNS implementations. As of this release, the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews latest revision of the DNS catalog zones draft can be found here:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.15.4"></a>Principle of Operation</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Normally, if a zone is to be served by a slave server, the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">named.conf</code> file on the server must list the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone, or the zone must be added using <span class="command"><strong>rndc addzone</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In environments with a large number of slave servers and/or where
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zones being served are changing frequently, the overhead involved
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in maintaining consistent zone configuration on all the slave
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews servers can be significant.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A catalog zone is a way to ease this administrative burden. It is a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNS zone that lists member zones that should be served by slave servers.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When a slave server receives an update to the catalog zone, it adds,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews removes, or reconfigures member zones based on the data received.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To use a catalog zone, it must first be set up as a normal zone on
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the master and the on slave servers that will be configured to use
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it. It must also be added to a <code class="option">catalog-zones</code> list
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the <code class="option">options</code> or <code class="option">view</code> statement
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in <code class="filename">named.conf</code>. (This is comparable to the way
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a policy zone is configured as a normal zone and also listed in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews a <code class="option">response-policy</code> statement.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews To use the catalog zone feature to serve a new member zone:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Set up the the member zone to be served on the master as normal.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This could be done by editing <code class="filename">named.conf</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or by running <span class="command"><strong>rndc addzone</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Add an entry to the catalog zone for the new member zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This could be done by editing the catalog zone's master file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and running <span class="command"><strong>rndc reload</strong></span>, or by updating
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the zone using <span class="command"><strong>nsupdate</strong></span>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The change to the catalog zone will be propagated from the master to all
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews slaves using the normal AXFR/IXFR mechanism. When the slave receives the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews update to the catalog zone, it will detect the entry for the new member
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone, create an instance of of that zone on the slave server, and point
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that instance to the <code class="option">masters</code> specified in the catalog
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone data. The newly created member zone is a normal slave zone, so
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews BIND will immediately initiate a transfer of zone contents from the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews master. Once complete, the slave will start serving the member zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Removing a member zone from a slave server requires nothing more than
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews deleting the member zone's entry in the catalog zone. The change to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews catalog cone is propagated to the slave server using the normal AXFR/IXFR
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews transfer mechanism. The slave server, on processing the update, will
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews notice that the member zone has been removed. It will stop serving the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone and remove it from its list of configured zones. (Removing the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews member zone from the master server has to be done in the normal way,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews by editing the configuration file or running
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span class="command"><strong>rndc delzone</strong></span>.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.15.5"></a>Configuring Catalog Zones</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Catalog zones are configured with a <span class="command"><strong>catalog-zones</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in the <code class="literal">options</code> or <code class="literal">view</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews section of <code class="filename">named.conf</code>. For example,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewscatalog-zones {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews default-masters { 10.53.0.1; }
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in-memory no
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone-directory "catzones"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews min-update-interval 10;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This statement specifies that the zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="literal">catalog.example</code> is a catalog zone. This zone must be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews properly configured in the same view. In most configurations, it would
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews be a slave zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The options following the zone name are not required, and may be
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews specified in any order:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="option">default-masters</code> option defines the default masters
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews for member zones listed in a catalog zone. This can be overridden by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews options within a catalog zone. If no such options are included, then
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews member zones will transfer their contents from the servers listed in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews this option.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="option">in-memory</code> option, if set to <code class="literal">yes</code>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews causes member zones to be stored only in memory. This is functionally
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews equivalent to configuring a slave zone without a <code class="option">file</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews option. The default is <code class="literal">no</code>; member zones' content
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will be stored locally in a file whose name is automatically generated
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews from the view name, catalog zone name, and member zone name.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="option">zone-directory</code> option causes local copies of
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews member zones' master files (if <code class="option">in-memory</code> is not set
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to <code class="literal">yes</code>) to be stored in the specified directory.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The default is to store zone files in the server's working directory.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A non-absolute pathname in <code class="option">zone-directory</code> is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews assumed to be relative to the working directory.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="option">min-update-interval</code> option sets the minimum
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews interval between processing of updates to catalog zones, in seconds.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If an update to a catalog zone (for example, via IXFR) happens less
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews than <code class="option">min-update-interval</code> seconds after the most
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews recent update, then the changes will not be carried out until this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews interval has elapsed. The default is <code class="literal">5</code> seconds.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Catalog zones are defined on a per-view basis. Configuring a non-empty
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">catalog-zones</code> statement in a view will automatically
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews turn on <code class="option">allow-new-zones</code> for that view. (Note: this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews means <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews will also work in any view that supports catalog zones.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id-1.5.15.6"></a>Catalog Zone format</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A catalog zone is a regular DNS zone; therefore, it has to have a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews single <code class="literal">SOA</code> and at least one <code class="literal">NS</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A record stating the version of the catalog zone format is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews also required. If the version number listed is not supported by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the server, then a catalog zone may not be used by that server.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewscatalog.example. IN SOA . . 2016022901 900 600 86400 1
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewscatalog.example. IN NS nsexample.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Note that this record must have the domain name
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews version.<em class="replaceable"><code>catalog-zone-name</code></em>. This illustrates
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews how the meaning of data stored in a catalog zone is indicated by the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the domain name label immediately before the catalog zone domain.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Catalog zone options can be set either globally for the whole catalog
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone or for a single member zone. Global options override the settings
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in the configuration file and member zone options override global
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Global options are set at the apex of the catalog zone, e.g.:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews masters.catalog.example. IN AAAA 2001:db8::1
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>BIND currently supports the following options:</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>A simple <code class="option">masters</code> definition:</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This option defines a master server for the member zones - it
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews can be either an A or AAAA record. If multiple masters are set the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews order in which they are used is random.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p>A <code class="option">masters</code> with a TSIG key defined:</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews label.masters.catalog.example. IN TXT "tsig_key_name"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This option defines a master server for the member zone with a TSIG
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews key set. The TSIG key must be configured in the configuration file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">label</code> can be any valid DNS label.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="option">allow-transfer</code> ACLs:</p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-query.catalog.example. IN APL 1:10.0.0.1/24
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allow-transfer.catalog.example. IN APL !1:10.0.0.1/32 1:10.0.0.0/24
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews These options are the equivalents of <code class="option">allow-query</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews and <code class="option">allow-transfer</code> in a zone declaration in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">named.conf</code> configuration file. The ACL is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews processed in order - if there's no match to any rule the default
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews policy is to deny access. For the syntax of the APL RR see RFC
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A member zone is added by including a <code class="literal">PTR</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resource record in the <code class="literal">zones</code> sub-domain of the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews catalog zone. The record label is a <code class="literal">SHA-1</code> hash
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the member zone name in wire format. The target of the PTR
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews record is the member zone name. For example, to add the member
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone <code class="literal">domain.example</code>:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN PTR domain.example.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The hash is necessary to identify options for a specific member
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews zone. The member zone-specific options are defined the same way as
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews global options, but in the member zone subdomain:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsmasters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A 192.0.2.2
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewslabel.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewslabel.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT "tsig_key"
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsallow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews As would be expected, options defined for a specific zone override
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the global options defined in the catalog zone. These in turn override
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the global options defined in the <code class="literal">catalog-zones</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in the configuration file.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (Note that none of the global records an option will be inherited if
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews any records are defined for that option for the specific zone. For
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews example, if the zone had a <code class="literal">masters</code> record of type
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A but not AAAA, then it would <span class="emphasis"><em>not</em></span> inherit the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews type AAAA record from the global option.)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <acronym class="acronym">BIND</acronym> 9 fully supports all currently
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews defined forms of IPv6 name to address and address to name
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lookups. It will also use IPv6 addresses to make queries when
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews running on an IPv6 capable system.
see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.