Bv9ARM.ch04.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - purpose with or without fee is hereby granted, provided that the above
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox User - copyright notice and this permission notice appear in all copies.
1f4c645185bd8fc70048e0a69eee46193a284e5cTinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews - PERFORMANCE OF THIS SOFTWARE.
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<table width="100%" summary="Navigation header">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<div class="titlepage"><div><div><h1 class="title">
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h1></div></div></div>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.5">Split DNS</a></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.5.5">Example split DNS setup</a></span></dt></dl></dd>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Copying the Shared Secret to Both Machines</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Informing the Servers of the Key's Existence</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">Instructing the Server to Use the Key</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">TSIG Key Based Access Control</a></span></dt>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.10">Errors</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7">TKEY</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.8">SIG(0)</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.6">Generating Keys</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.7">Signing the Zone</a></span></dt>
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9.8">Configuring Servers</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
95637507c3d47481fbf0a8a8c750a57f944f677fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Address Lookups Using AAAA Records</a></span></dt>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.7">Address to Name Lookups Using Nibble Format</a></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<a name="notify"></a>Notify</h2></div></div></div>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson servers to notify their slave servers of changes to a zone's data. In
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews slave will check to see that its version of the zone is the
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User current version and, if not, initiate a zone transfer.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews For more information about <acronym class="acronym">DNS</acronym>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <span class="command"><strong>NOTIFY</strong></span>, see the description of the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User the description of the zone option <span class="command"><strong>also-notify</strong></span> in
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
fd972434c29fc1169d66594e4cc7697d33036c2bTinderbox User protocol is specified in RFC 1996.
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews zones that it loads.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Dynamic Update is a method for adding, replacing or deleting
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews records in a master server by sending it a special form of DNS
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews messages. The format and meaning of these messages is specified
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews in RFC 2136.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User Dynamic update is enabled by including an
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews clause in the <span class="command"><strong>zone</strong></span> statement.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews If the zone's <span class="command"><strong>update-policy</strong></span> is set to
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews <strong class="userinput"><code>local</code></strong>, updates to the zone
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User will be permitted for the key <code class="varname">local-ddns</code>,
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User which will be generated by <span class="command"><strong>named</strong></span> at startup.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Dynamic updates using Kerberos signed requests can be made
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews using the TKEY/GSS protocol by setting either the
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Kerberos signed requests will be matched against the update
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User policies for the zone, using the Kerberos principal as the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews signer for the request.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Updating of secure zones (zones using DNSSEC) follows RFC
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews 3007: RRSIG, NSEC and NSEC3 records affected by updates are
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User automatically regenerated by the server using an online
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews zone key. Update authorization is based on transaction
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User signatures and an explicit server policy.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<a name="journal"></a>The journal file</h3></div></div></div>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User All changes made to a zone using dynamic update are stored
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson in the zone's journal file. This file is automatically created
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User by the server when the first dynamic update takes place.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The name of the journal file is formed by appending the extension
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <code class="filename">.jnl</code> to the name of the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews corresponding zone
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User file unless specifically overridden. The journal file is in a
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater binary format and should not be edited manually.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User The server will also occasionally write ("dump")
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the complete contents of the updated zone to its zone file.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User This is not done immediately after
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater each dynamic update, because that would be too slow when a large
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User zone is updated frequently. Instead, the dump is delayed by
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews up to 15 minutes, allowing additional updates to take place.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User During the dump process, transient files will be created
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews with the extensions <code class="filename">.jnw</code> and
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <code class="filename">.jbk</code>; under ordinary circumstances, these
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson will be removed when the dump is complete, and can be safely
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews When a server is restarted after a shutdown or crash, it will replay
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User the journal file to incorporate into the zone any updates that
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User place after the last zone dump.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Changes that result from incoming incremental zone transfers are
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews journalled in a similar way.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The zone files of dynamic zones cannot normally be edited by
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User hand because they are not guaranteed to contain the most recent
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User dynamic changes — those are only in the journal file.
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User The only way to ensure that the zone file of a dynamic zone
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User If you have to make changes to a dynamic zone
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater manually, the following procedure will work:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Disable dynamic updates to the zone using
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews This will update the zone's master file with the changes
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User stored in its <code class="filename">.jnl</code> file.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews Edit the zone file. Run
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews to reload the changed zone and re-enable dynamic updates.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will update the zone file with changes from the journal file
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater without stopping dynamic updates; this may be useful for viewing
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User the current zone state. To remove the <code class="filename">.jnl</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater file after updating the zone file, use
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>rndc sync -clean</strong></span>.
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The incremental zone transfer (IXFR) protocol is a way for
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater slave servers to transfer only changed data, instead of having to
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater transfer the entire zone. The IXFR protocol is specified in RFC
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User When acting as a master, <acronym class="acronym">BIND</acronym> 9
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews supports IXFR for those zones
c2abd6efeb9affa70aabb63da2acb23e135cf7f2Mark Andrews where the necessary change history information is available. These
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User include master zones maintained by dynamic update and slave zones
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User whose data was obtained by IXFR. For manually maintained master
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews zones, and for slave zones obtained by performing a full zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater transfer (AXFR), IXFR is supported only if the option
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span class="command"><strong>ixfr-from-differences</strong></span> is set
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User to <strong class="userinput"><code>yes</code></strong>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User attempt to use IXFR unless
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User it is explicitly disabled. For more information about disabling
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater of the <span class="command"><strong>server</strong></span> statement.
bf5e2127e92e52cbf661e77dd6a76e5aef43542fTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a name="id-1.5.5"></a>Split DNS</h2></div></div></div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Setting up different views, or visibility, of the DNS space to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater internal and external resolvers is usually referred to as a
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <span class="emphasis"><em>Split DNS</em></span> setup. There are several
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User reasons an organization would want to set up its DNS this way.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews One common reason for setting up a DNS system this way is
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User to hide "internal" DNS information from "external" clients on the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User Internet. There is some debate as to whether or not this is actually
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater Internal DNS information leaks out in many ways (via email headers,
6025cbbe8408f4b09d53d5ec1e95cb6da97e0a8dTinderbox User for example) and most savvy "attackers" can find the information
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews they need using other means.
757ff043760e4743dda1a10e7d58349275934902Tinderbox User However, since listing addresses of internal servers that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater external clients cannot possibly reach can result in
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater connection delays and other annoyances, an organization may
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews choose to use a Split DNS to present a consistent view of itself
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson to the outside world.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Another common reason for setting up a Split DNS system is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews to allow internal networks that are behind filters or in RFC 1918
757ff043760e4743dda1a10e7d58349275934902Tinderbox User space (reserved IP space, as documented in RFC 1918) to resolve DNS
757ff043760e4743dda1a10e7d58349275934902Tinderbox User on the Internet. Split DNS can also be used to allow mail from outside
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User back in to the internal network.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<div class="titlepage"><div><div><h3 class="title">
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews<a name="id-1.5.5.5"></a>Example split DNS setup</h3></div></div></div>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User has several corporate sites that have an internal network with
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Internet Protocol (IP) space and an external demilitarized zone (DMZ),
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews or "outside" section of a network, that is available to the public.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews to be able to resolve external hostnames and to exchange mail with
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews people on the outside. The company also wants its internal resolvers
39cad8fb7d7ff3436bb24ce761354afcb80d295aMark Andrews to have access to certain internal-only zones that are not available
39cad8fb7d7ff3436bb24ce761354afcb80d295aMark Andrews at all outside of the internal network.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews In order to accomplish this, the company will set up two sets
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews of name servers. One set will be on the inside network (in the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews IP space) and the other set will be on bastion hosts, which are
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews hosts that can talk to both sides of its network, in the DMZ.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews The internal servers will be configured to forward all queries,
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews and <code class="filename">site2.example.com</code>, to the servers
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews DMZ. These internal servers will have complete sets of information
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews and <code class="filename">site2.internal</code>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews the internal name servers must be configured to disallow all queries
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews to these domains from any external hosts, including the bastion
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews The external servers, which are on the bastion hosts, will
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews This could include things such as the host records for public servers
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews should have special MX records that contain wildcard (`*') records
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews pointing to the bastion hosts. This is needed because external mail
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews servers do not have any other way of looking up how to deliver mail
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews to those internal hosts. With the wildcard records, the mail will
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews be delivered to the bastion host, which can then forward it on to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews internal hosts.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews Here's an example of a wildcard MX record:
c5a97a549c89d562e999d4f906b882c5a2a474e1Tinderbox User<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews Now that they accept mail on behalf of anything in the internal
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews network, the bastion hosts will need to know how to deliver mail
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User to internal hosts. In order for this to work properly, the resolvers
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User the bastion hosts will need to be configured to point to the internal
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User name servers for DNS resolution.
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater Queries for internal hostnames will be answered by the internal
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews servers, and queries for external hostnames will be forwarded back
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User out to the DNS servers on the bastion hosts.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User In order for all this to work properly, internal clients will
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews need to be configured to query <span class="emphasis"><em>only</em></span> the internal
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User name servers for DNS queries. This could also be enforced via
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater filtering on the network.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews internal clients will now be able to:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Look up any hostnames in the <code class="literal">site1</code>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="literal">site2.example.com</code> zones.
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User Look up any hostnames in the <code class="literal">site1.internal</code> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="literal">site2.internal</code> domains.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem">Look up any hostnames on the Internet.</li>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews<li class="listitem">Exchange mail with both internal and external people.</li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Hosts on the Internet will be able to:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Look up any hostnames in the <code class="literal">site1</code>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="literal">site2.example.com</code> zones.
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews Exchange mail with anyone in the <code class="literal">site1</code> and
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews <code class="literal">site2.example.com</code> zones.
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox User Here is an example configuration for the setup we just
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox User described above. Note that this is only configuration information;
d6317350b1180aa4517f2e8a92fa8fbcbf904ad8Automatic Updater for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Internal DNS server config:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonacl internals { 172.16.72.0/24; 192.168.1.0/24; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonacl externals { <code class="varname">bastion-ips-go-here</code>; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington forward only;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // forward to external servers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="varname">bastion-ips-go-here</code>;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // sample allow-transfer (no one)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-transfer { none; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // restrict query access
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-query { internals; externals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // restrict recursion
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-recursion { internals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// sample master zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // do normal iterative resolution (do not forward)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington forwarders { };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-query { internals; externals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-transfer { internals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// sample slave zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington masters { 172.16.72.3; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington forwarders { };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-query { internals; externals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allow-transfer { internals; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington forwarders { };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow-query { internals; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow-transfer { internals; }
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User masters { 172.16.72.3; };
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater forwarders { };
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater allow-query { internals };
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater allow-transfer { internals; }
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User External (bastion host) DNS server config:
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updateracl internals { 172.16.72.0/24; 192.168.1.0/24; };
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updateracl externals { bastion-ips-go-here; };
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User // sample allow-transfer (no one)
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User allow-transfer { none; };
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User // default query access
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User allow-query { any; };
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User // restrict cache access
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User allow-query-cache { internals; externals; };
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User // restrict recursion
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User allow-recursion { internals; externals; };
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews// sample slave zone
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User allow-transfer { internals; externals; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews masters { another_bastion_host_maybe; };
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow-transfer { internals; externals; }
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater In the <code class="filename">resolv.conf</code> (or equivalent) on
febbdb34a7f7759922e239655e7429d78d3a8d26Tinderbox User the bastion host(s):
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsnameserver 172.16.72.2
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsnameserver 172.16.72.3
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsnameserver 172.16.72.4
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<a name="tsig"></a>TSIG</h2></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is a short guide to setting up Transaction SIGnatures
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to the configuration file as well as what changes are required for
e8c42d50cdaf3a3b841074d8bf72b40ffbae2a4bTinderbox User different features, including the process of creating transaction
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to server communication.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This includes zone transfer, notify, and recursive query messages.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington TSIG can also be useful for dynamic update. A primary
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server for a dynamic zone should control access to the dynamic
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington update service, but IP-based access control is insufficient.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The cryptographic access control provided by TSIG
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is far superior. The <span class="command"><strong>nsupdate</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington program supports TSIG via the <code class="option">-k</code> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="option">-y</code> command line options or inline by use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of the <span class="command"><strong>key</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id-1.5.6.5"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington An arbitrary key name is chosen: "host1-host2.". The key name must
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be the same on both hosts.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h4 class="title">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="id-1.5.6.5.3"></a>Automatic Generation</h4></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The following command will generate a 128-bit (16 byte) HMAC-SHA256
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews key as described above. Longer keys are better, but shorter keys
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater are easier to read. Note that the maximum key length is the digest
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews length, here 256 bits.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Nothing directly uses this file, but the base-64 encoded string
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater following "<code class="literal">Key:</code>"
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater can be extracted from the file and used as a shared secret:
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews be used as the shared secret.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h4 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id-1.5.6.5.4"></a>Manual Generation</h4></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The shared secret is simply a random sequence of bits, encoded
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in base-64. Most ASCII strings are valid base-64 strings (assuming
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews the length is a multiple of 4 and only valid characters are used),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington so the shared secret can be manually generated.
409ba95e573b40cf36acf97dd62ee7e9c7775851Tinderbox User Also, a known string can be run through <span class="command"><strong>mmencode</strong></span> or
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews a similar program to generate base-64 encoded data.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id-1.5.6.6"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This is beyond the scope of DNS. A secure transport mechanism
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews should be used. This could be secure FTP, ssh, telephone, etc.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id-1.5.6.7"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington both servers. The following is added to each server's <code class="filename">named.conf</code> file:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonkey host1-host2. {
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington algorithm hmac-sha256;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The secret is the one generated above. Since this is a secret, it
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is recommended that either <code class="filename">named.conf</code> be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater non-world readable, or the key directive be added to a non-world
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater readable file that is included by <code class="filename">named.conf</code>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews At this point, the key is recognized. This means that if the
0e91f17da8a29086876a88962e0a3482094b6057Evan Hunt server receives a message signed by this key, it can verify the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews signature. If the signature is successfully verified, the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews response is signed by the same key.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<div class="titlepage"><div><div><h3 class="title">
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<a name="id-1.5.6.8"></a>Instructing the Server to Use the Key</h3></div></div></div>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Since keys are shared between two hosts only, the server must
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
42bee07ebb8152a6ec2f87f4790d87368c24704cAutomatic Updaterserver 10.1.2.3 {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater keys { host1-host2. ;};
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Multiple keys may be present, but only the first is used.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This directive does not contain any secrets, so it may be in a
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews world-readable
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews If <span class="emphasis"><em>host1</em></span> sends a message that is a request
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews expect any responses to signed messages to be signed with the same
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington sign request messages to <span class="emphasis"><em>host1</em></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id-1.5.6.9"></a>TSIG Key Based Access Control</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews to be specified in ACL
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews definitions and
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>allow-{ query | transfer | update }</strong></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This has been extended to allow TSIG keys also. The above key would
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews be denoted <span class="command"><strong>key host1-host2.</strong></span>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User An example of an <span class="command"><strong>allow-update</strong></span> directive would be:
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrewsallow-update { key host1-host2. ;};
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This allows dynamic updates to succeed only if the request
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews was signed by a key named "<span class="command"><strong>host1-host2.</strong></span>".
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the more flexible <span class="command"><strong>update-policy</strong></span> statement.
859148b72a22e4221c3e918d15c7fdd5e78b6d8dTinderbox User<div class="titlepage"><div><div><h3 class="title">
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<a name="id-1.5.6.10"></a>Errors</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The processing of TSIG signed messages can result in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews several errors. If a signed message is sent to a non-TSIG aware
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews server, a FORMERR (format error) will be returned, since the server will not
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews understand the record. This is a result of misconfiguration,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews since the server must be explicitly configured to send a TSIG
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews signed message to a specific server.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If a TSIG aware server receives a message signed by an
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User unknown key, the response will be unsigned with the TSIG
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User extended error code set to BADKEY. If a TSIG aware server
cc5a9ce75af9870f2cb9e2bf00548c2f7e6398d6Automatic Updater receives a message with a signature that does not validate, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater response will be unsigned with the TSIG extended error code set
ec8755f605d7dcb2de1076040e77bc2d7ec33b4aTinderbox User to BADSIG. If a TSIG aware server receives a message with a time
3040b455151b1e1173193933664b2891b6159f24Mark Andrews outside of the allowed range, the response will be signed with
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews the TSIG extended error code set to BADTIME, and the time values
f33f2b8afe60de897c53cdcb17911f10b552699fTinderbox User will be adjusted so that the response can be successfully
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater verified. In any of these cases, the message's rcode (response code) is set to
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater NOTAUTH (not authenticated).
f33f2b8afe60de897c53cdcb17911f10b552699fTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<a name="id-1.5.7"></a>TKEY</h2></div></div></div>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<p><span class="command"><strong>TKEY</strong></span>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews is a mechanism for automatically generating a shared secret
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews between two hosts. There are several "modes" of
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews <span class="command"><strong>TKEY</strong></span> that specify how the key is generated
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews these modes, the Diffie-Hellman key exchange. Both hosts are
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews required to have a Diffie-Hellman KEY record (although this
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews record is not required to be present in a zone). The
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews <span class="command"><strong>TKEY</strong></span> process must use signed messages,
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews signed either by TSIG or SIG(0). The result of
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User <span class="command"><strong>TKEY</strong></span> is a shared secret that can be used to
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User sign messages with TSIG. <span class="command"><strong>TKEY</strong></span> can also be
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User used to delete shared secrets that it had previously
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater The <span class="command"><strong>TKEY</strong></span> process is initiated by a
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater or server by sending a signed <span class="command"><strong>TKEY</strong></span>
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User (including any appropriate KEYs) to a TKEY-aware server. The
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User server response, if it indicates success, will contain a
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>TKEY</strong></span> record and any appropriate keys.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater this exchange, both participants have enough information to
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater determine the shared secret; the exact process depends on the
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <span class="command"><strong>TKEY</strong></span> mode. When using the
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater Diffie-Hellman
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <span class="command"><strong>TKEY</strong></span> mode, Diffie-Hellman keys are
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater and the shared secret is derived by both participants.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<a name="id-1.5.8"></a>SIG(0)</h2></div></div></div>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater transaction signatures as specified in RFC 2535 and RFC 2931.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater uses public/private keys to authenticate messages. Access control
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater is performed in the same manner as TSIG keys; privileges can be
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater granted or denied based on the key name.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater When a SIG(0) signed message is received, it will only be
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater verified if the key is known and trusted by the server; the server
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater will not attempt to locate and/or validate the key.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater SIG(0) signing of multiple-message TCP streams is not
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater Cryptographic authentication of DNS information is possible
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User defined in RFC 4033, RFC 4034, and RFC 4035.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater This section describes the creation and use of DNSSEC signed zones.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User In order to set up a DNSSEC secure zone, there are a series
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User of steps which must be followed. <acronym class="acronym">BIND</acronym>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews with several tools
3040b455151b1e1173193933664b2891b6159f24Mark Andrews that are used in this process, which are explained in more detail
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User below. In all cases, the <code class="option">-h</code> option prints a
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater full list of parameters. Note that the DNSSEC tools require the
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews keyset files to be in the working directory or the
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews directory specified by the <code class="option">-d</code> option, and
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews that the tools shipped with BIND 9.2.x and earlier are not compatible
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews with the current ones.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater There must also be communication with the administrators of
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater the parent and/or child zone to transmit keys. A zone's security
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater status must be indicated by the parent zone for a DNSSEC capable
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater resolver to trust its data. This is done through the presence
3040b455151b1e1173193933664b2891b6159f24Mark Andrews or absence of a <code class="literal">DS</code> record at the
40072ce70bc4125329addb4aaa56d18a1230bc17Automatic Updater For other servers to trust data in this zone, they must
60d5d17479b47c03b9c7c86f54269718103750b8Automatic Updater either be statically configured with this zone's zone key or the
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater zone key of another zone above this one in the DNS tree.
60d5d17479b47c03b9c7c86f54269718103750b8Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<a name="id-1.5.9.6"></a>Generating Keys</h3></div></div></div>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater generate keys.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater A secure zone must contain one or more zone keys. The
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater zone keys will sign all other records in the zone, as well as
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater the zone keys of any secure delegated zones. Zone keys must
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater have the same name as the zone, a name type of
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater <span class="command"><strong>ZONE</strong></span>, and must be usable for
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater authentication.
19dbf2e20df03f2b81ed1f347e27718084374059Automatic Updater It is recommended that zone keys use a cryptographic algorithm
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater designated as "mandatory to implement" by the IETF; currently
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater the only one is RSASHA1.
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater The following command will generate a 768-bit RSASHA1 key for
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater the <code class="filename">child.example</code> zone:
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Two output files will be produced:
7dd02af3c9350553e1d52d980a7812425b3f1295Automatic Updater <code class="filename">Kchild.example.+005+12345.key</code> and
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="filename">Kchild.example.+005+12345.private</code>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington 12345 is an example of a key tag). The key filenames contain
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington the key name (<code class="filename">child.example.</code>),
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews algorithm (3
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User The private key (in the <code class="filename">.private</code>
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User used to generate signatures, and the public key (in the
bec9d04b657e1582d2531bdc02503bebde2aa978Tinderbox User <code class="filename">.key</code> file) is used for signature
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User verification.
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User To generate another key with the same properties (but with
f45f40ec2814a5ff1ed443c968772a1b2e25c462Mark Andrews a different key tag), repeat the above command.
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
2bd56b2684882faf74a2b29cb0914e6671d8005bTinderbox User to get a key pair from a crypto hardware and build the key
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews The public keys should be inserted into the zone file by
a8677ecad546c955406b341eb8344ed06768b11eTinderbox User including the <code class="filename">.key</code> files using
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews <span class="command"><strong>$INCLUDE</strong></span> statements.
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<div class="titlepage"><div><div><h3 class="title">
789875a1bd6d50c00d3bd883cad17ead1d3c21cdMark Andrews<a name="id-1.5.9.7"></a>Signing the Zone</h3></div></div></div>
789875a1bd6d50c00d3bd883cad17ead1d3c21cdMark Andrews The <span class="command"><strong>dnssec-signzone</strong></span> program is used
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews to sign a zone.
7e8129652903780873ba91f379f9ffca1f59773cMark Andrews Any <code class="filename">keyset</code> files corresponding to
7e8129652903780873ba91f379f9ffca1f59773cMark Andrews secure subzones should be present. The zone signer will
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews and <code class="literal">RRSIG</code> records for the zone, as
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews well as <code class="literal">DS</code> for the child zones if
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews is not specified, then DS RRsets for the secure child
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews zones need to be added manually.
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User The following command signs the zone, assuming it is in a
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews file called <code class="filename">zone.child.example</code>. By
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User default, all zone keys which have an available private key are
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt used to generate signatures.
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt One output file is produced:
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt <code class="filename">zone.child.example.signed</code>. This
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User should be referenced by <code class="filename">named.conf</code>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt input file for the zone.
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<p><span class="command"><strong>dnssec-signzone</strong></span>
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews will also produce a keyset and dsset files and optionally a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater dlvset file. These are used to provide the parent zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater administrators with the <code class="literal">DNSKEYs</code> (or their
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater corresponding <code class="literal">DS</code> records) that are the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater secure entry point to the zone.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<a name="id-1.5.9.8"></a>Configuring Servers</h3></div></div></div>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater To enable <span class="command"><strong>named</strong></span> to respond appropriately
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to DNS requests from DNSSEC aware clients,
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews (This is the default setting.)
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews To enable <span class="command"><strong>named</strong></span> to validate answers from
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews must be set to <strong class="userinput"><code>yes</code></strong>, and the
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <span class="command"><strong>dnssec-validation</strong></span> options must be set to
be0d1ec971748020cb0382e02b4642b493ea1e7bTinderbox User <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
5b56652059e2c22185a0b2bb1f5e58eb89a44426Tinderbox User If <span class="command"><strong>dnssec-validation</strong></span> is set to
be0d1ec971748020cb0382e02b4642b493ea1e7bTinderbox User <strong class="userinput"><code>auto</code></strong>, then a default
ff62ab3c2e6274f19190ded15548c723d38bbbe3Automatic Updater trust anchor for the DNS root zone will be used.
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User If it is set to <strong class="userinput"><code>yes</code></strong>, however,
e20309353e6246485c521278131d3fced73d7957Tinderbox User then at least one trust anchor must be configured
e20309353e6246485c521278131d3fced73d7957Tinderbox User with a <span class="command"><strong>trusted-keys</strong></span> or
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User <span class="command"><strong>managed-keys</strong></span> statement in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <code class="filename">named.conf</code>, or DNSSEC validation
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User will not occur. The default setting is
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User <strong class="userinput"><code>yes</code></strong>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews for zones that are used to form the first link in the
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews cryptographic chain of trust. All keys listed in
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews are deemed to exist and only the listed keys will be used
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews to validated the DNSKEY RRset that they are from.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews automatically kept up to date via RFC 5011 trust anchor
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews maintenance.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews <span class="command"><strong>trusted-keys</strong></span> and
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews <span class="command"><strong>managed-keys</strong></span> are described in more detail
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews later in this document.
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews 9 does not verify signatures on load, so zone keys for
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews authoritative zones do not need to be specified in the
95c3a5e116c1da135f669c3f15398172fac6279dMark Andrews configuration file.
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt After DNSSEC gets established, a typical DNSSEC configuration
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User will look something like the following. It has one or
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User more public keys for the root. This allows answers from
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User outside the organization to be validated. It will also
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User have several keys for parts of the namespace the organization
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User controls. These are here to ensure that <span class="command"><strong>named</strong></span>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User is immune to compromises in the DNSSEC components of the security
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User of parent zones.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater /* Root Key */
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater dgxbcDTClU0CRBdiieyLMNzXG3";
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater /* Key for our organization's forward zone */
3040b455151b1e1173193933664b2891b6159f24Mark Andrews example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
3040b455151b1e1173193933664b2891b6159f24Mark Andrews TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User /* Key for our reverse zone. */
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
9fa39c73fc1d8bc44fdbbb79a1d26b837e7dd555Mark Andrews xOdNax071L18QqZnQQQAVVr+i
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater LhGTnNGp3HoWQLUIzKrJVZ3zg
3040b455151b1e1173193933664b2891b6159f24Mark Andrews gy3WwNT6kZo6c0tszYqbtvchm
3040b455151b1e1173193933664b2891b6159f24Mark Andrews siaOdS0yOI6BgPsw+YZdzlYMa
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User IJGf4M4dyoKIhzdZyQ2bYQrjy
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Q4LB0lC7aOnsMyYKHHYeRvPxj
1959fd489a8832e4e3d311670f64ae18e5d08156Automatic Updater IQXmdqgOJGq+vsevG06zW+1xg
3040b455151b1e1173193933664b2891b6159f24Mark Andrews 59VvjSPsZJHeDCUyWYrvPZesZ
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User DIRvhDD52SKvbheeTJUm6Ehkz
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews dnssec-enable yes;
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews dnssec-validation yes;
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
560d6da48f066000541dd43f5d407644dee12bebTinderbox User None of the keys listed in this example are valid. In particular,
7addb3e8b5cf6e0c4df0e3cb8135aa71269f0261Tinderbox User the root key is not valid.
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User When DNSSEC validation is enabled and properly configured,
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater the resolver will reject any answers from signed, secure zones
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User which fail to validate, and will return SERVFAIL to the client.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Responses may fail to validate for any of several reasons,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews including missing, expired, or invalid signatures, a key which
90b25b84f037ec923efaee84d2c0dc599293d04eTinderbox User does not match the DS RRset in the parent zone, or an insecure
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User response from a zone which, according to its parent, should have
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User When the validator receives a response from an unsigned zone
3040b455151b1e1173193933664b2891b6159f24Mark Andrews that has a signed parent, it must confirm with the parent
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater that the zone was intentionally left unsigned. It does
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater this by verifying, via signed and validated NSEC/NSEC3 records,
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater that the parent zone contains no DS records for the child.
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater If the validator <span class="emphasis"><em>can</em></span> prove that the zone
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User is insecure, then the response is accepted. However, if it
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User cannot, then it must assume an insecure response to be a
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User forgery; it rejects the response and logs an error.
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater The logged error reads "insecurity proof failed" and
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater "got insecure response; parent indicates it should be secure".
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater (Prior to BIND 9.7, the logged error was "not insecure".
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User This referred to the zone, not the response.)
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
536da846f6cc03ad8abbb8bb9d5d8a6f607b8c33Mark Andrews<p>As of BIND 9.7.0 it is possible to change a dynamic zone
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater from insecure to signed and back again. A secure zone can use
3040b455151b1e1173193933664b2891b6159f24Mark Andrews either NSEC or NSEC3 chains.</p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<div class="section"><div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
e20309353e6246485c521278131d3fced73d7957Tinderbox User<p>Changing a zone from insecure to secure can be done in two
3040b455151b1e1173193933664b2891b6159f24Mark Andrews ways: using a dynamic DNS update, or the
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater<p>For either method, you need to configure
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <span class="command"><strong>named</strong></span> so that it can see the
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <code class="filename">K*</code> files which contain the public and private
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater parts of the keys that will be used to sign the zone. These files
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will have been generated by
7fdbd6fc9df8728852ccaecb2d66241ab96a4084Tinderbox User <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
50fa300826799727204b93cbe63bebc341c5eadeTinderbox User in the key-directory, as specified in
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater <code class="filename">named.conf</code>:</p>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews type master;
e171a4137c6ba348957e61b7c4c3541493c0da02Automatic Updater update-policy local;
19ad308d84cbf446a144e5a91f2032389a9d65c1Tinderbox User<p>If one KSK and one ZSK DNSKEY key have been generated, this
19ad308d84cbf446a144e5a91f2032389a9d65c1Tinderbox User configuration will cause all records in the zone to be signed
b3386fba31414344f38f0c30849c056dceb22dceTinderbox User with the ZSK, and the DNSKEY RRset to be signed with the KSK as
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater well. An NSEC chain will be generated as part of the initial
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater signing process.</p>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<div class="section"><div class="titlepage"><div><div><h3 class="title">
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>To insert the keys via dynamic update:</p>
7fdbd6fc9df8728852ccaecb2d66241ab96a4084Tinderbox User > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
6671e343b8c7e44ac10a7900fde59555fbc71571Automatic Updater > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<p>While the update request will complete almost immediately,
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater the zone will not be completely signed until
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <span class="command"><strong>named</strong></span> has had time to walk the zone and
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater generate the NSEC and RRSIG records. The NSEC record at the apex
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater will be added last, to signal that there is a complete NSEC
99c231a3bd27893583204cd0a3e3103dc78dbc28Tinderbox User<p>If you wish to sign using NSEC3 instead of NSEC, you should
4104e236f71eb5108fcfda6711878a97f6f4a8e7Automatic Updater add an NSEC3PARAM record to the initial update request. If you
4104e236f71eb5108fcfda6711878a97f6f4a8e7Automatic Updater wish the NSEC3 chain to have the OPTOUT bit set, set it in the
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater flags field of the NSEC3PARAM record.</p>
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews > update add example.net NSEC3PARAM 1 1 100 1234567890
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater<p>Again, this update request will complete almost
664917bedafa65dee4349c84324a31731aa1e228Francis Dupont immediately; however, the record won't show up until
c53a6f37deaa396660adb6a4ca600c4a58adfd3fAutomatic Updater <span class="command"><strong>named</strong></span> has had a chance to build/remove the
af9cf290cea6ada6ce27b51c724ab77ad5d73fa0Tinderbox User relevant chain. A private type record will be created to record
7fdbd6fc9df8728852ccaecb2d66241ab96a4084Tinderbox User the state of the operation (see below for more details), and will
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User be removed once the operation completes.</p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<p>While the initial signing and NSEC/NSEC3 chain generation
50fa300826799727204b93cbe63bebc341c5eadeTinderbox User is happening, other updates are possible as well.</p>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<div class="section"><div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
e20309353e6246485c521278131d3fced73d7957Tinderbox User<p>To enable automatic signing, add the
e20309353e6246485c521278131d3fced73d7957Tinderbox User <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
39cad8fb7d7ff3436bb24ce761354afcb80d295aMark Andrews <span class="command"><strong>auto-dnssec allow</strong></span>,
39cad8fb7d7ff3436bb24ce761354afcb80d295aMark Andrews <span class="command"><strong>named</strong></span> can search the key directory for keys
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews matching the zone, insert them into the zone, and use them to
3040b455151b1e1173193933664b2891b6159f24Mark Andrews sign the zone. It will do so only when it receives an
9d80d23172c30fd63e5046a7e69b8445e564ff31Automatic Updater <span class="command"><strong>rndc sign <zonename></strong></span>.</p>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews functionality, but will also automatically adjust the zone's
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews DNSKEY records on schedule according to the keys' timing metadata.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span class="command"><strong>named</strong></span> will periodically search the key directory
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews for keys matching the zone, and if the keys' metadata indicates
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews that any change should be made the zone, such as adding, removing,
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews or revoking a key, then that action will be carried out. By default,
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews the key directory is checked for changes every 60 minutes; this period
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span class="command"><strong>named</strong></span> to check for key updates immediately.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews If keys are present in the key directory the first time the zone
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews is loaded, the zone will be signed immediately, without waiting for an
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User command. (Those commands can still be used when there are unscheduled
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User key changes, however.)
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User When new keys are added to a zone, the TTL is set to match that
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews then the TTL will be set to the TTL specified when the key was
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User any, or to the SOA TTL.
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User If you wish the zone to be signed using NSEC3 instead of NSEC,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews submit an NSEC3PARAM record via dynamic update prior to the
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User scheduled publication and activation of the keys. If you wish the
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User NSEC3 chain to have the OPTOUT bit set, set it in the flags field
3040b455151b1e1173193933664b2891b6159f24Mark Andrews of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User the zone immediately, but it will be stored for later reference. When
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
3040b455151b1e1173193933664b2891b6159f24Mark Andrews record will appear in the zone.
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews configured to allow dynamic updates, by adding an
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews <span class="command"><strong>allow-update</strong></span> or
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews <span class="command"><strong>update-policy</strong></span> statement to the zone
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews configuration. If this has not been done, the configuration will
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div></div>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<p>The state of the signing process is signaled by
3040b455151b1e1173193933664b2891b6159f24Mark Andrews private-type records (with a default type value of 65534). When
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews signing is complete, these records will have a nonzero value for
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews the final octet (for those records which have a nonzero initial
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews<p>The private type record format: If the first octet is
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews non-zero then the record indicates that the zone needs to be
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews signed with the key matching the record, or that all signatures
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews that match the record should be removed.</p>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews��algorithm�(octet�1)<br>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews��key�id�in�network�order�(octet�2�and�3)<br>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews��removal�flag�(octet�4)<br>
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User��complete�flag�(octet�5)<br>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<p>Only records flagged as "complete" can be removed via
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater dynamic update. Attempts to remove other private type records
f09f1bf18e3ad40a0e8a6cc3dabf1c11f04992cbMark Andrews will be silently ignored.</p>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater<p>If the first octet is zero (this is a reserved algorithm
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews number that should never appear in a DNSKEY record) then the
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User record indicates changes to the NSEC3 chains are in progress. The
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User rest of the record contains an NSEC3PARAM record. The flag field
8c9c79e5fea0cb698026a74821695907c8312a46Mark Andrews tells what operation to perform based on the flag bits.</p>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater��0x01�OPTOUT<br>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews��0x80�CREATE<br>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater��0x40�REMOVE<br>
f09f1bf18e3ad40a0e8a6cc3dabf1c11f04992cbMark Andrews��0x20�NONSEC<br>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater<div class="section"><div class="titlepage"><div><div><h3 class="title">
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
6025cbbe8408f4b09d53d5ec1e95cb6da97e0a8dTinderbox User<p>As with insecure-to-secure conversions, rolling DNSSEC
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews keys can be done in two ways: using a dynamic DNS update, or the
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews<p> To perform key rollovers via dynamic update, you need to add
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews the <code class="filename">K*</code> files for the new keys so that
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>named</strong></span> can find them. You can then add the new
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington DNSKEY RRs via dynamic update.
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User <span class="command"><strong>named</strong></span> will then cause the zone to be signed
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater with the new keys. When the signing is complete the private type
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington records will be updated so that the last octet is non
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>If this is for a KSK you need to inform the parent and any
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater trust anchor repositories of the new KSK.</p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>You should then wait for the maximum TTL in the zone before
166c467a9414778bdd0f2a1e4a32220843c0fde3Tinderbox User removing the old DNSKEY. If it is a KSK that is being updated,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater you also need to wait for the DS RRset in the parent to be
e007e3e5b0316c6c05698a71101885743aca22bdAutomatic Updater updated and its TTL to expire. This ensures that all clients will
e007e3e5b0316c6c05698a71101885743aca22bdAutomatic Updater be able to verify at least one signature when you remove the old
7fdbd6fc9df8728852ccaecb2d66241ab96a4084Tinderbox User<p>The old DNSKEY can be removed via UPDATE. Take care to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews specify the correct key.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <span class="command"><strong>named</strong></span> will clean out any signatures generated
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User by the old key after the update completes.</p>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<p>When a new key reaches its activation date (as set by
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews automatically carry out the key rollover. If the key's algorithm
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews has not previously been used to sign the zone, then the zone will
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews be fully signed as quickly as possible. However, if the new key
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews is replacing an existing key of the same algorithm, then the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews zone will be re-signed incrementally, with signatures from the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews old key being replaced with signatures from the new key as their
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews signature validity periods expire. By default, this rollover
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews completes in 30 days, after which it will be safe to remove the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews old key from the DNSKEY RRset.</p>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<p>Add the new NSEC3PARAM record via dynamic update. When the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews new NSEC3 chain has been generated, the NSEC3PARAM flag field
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews will be zero. At this point you can remove the old NSEC3PARAM
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews record. The old chain will be removed after the update request
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews completes.</p>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<p>To do this, you just need to add an NSEC3PARAM record. When
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews the conversion is complete, the NSEC chain will have been removed
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews and the NSEC3PARAM record will have a zero flag field. The NSEC3
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews chain will be generated before the NSEC chain is
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User destroyed.</p>
7019b0441a234153dde155622c405960b0d35946Tinderbox User<div class="section"><div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews remove all NSEC3PARAM records with a zero flag
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews field. The NSEC chain will be generated before the NSEC3 chain is
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews removed.</p>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div></div>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<p>To convert a signed zone to unsigned using dynamic DNS,
95de440e8d2b07bb130505b4146059e5734e2eeaTinderbox User delete all the DNSKEY records from the zone apex using
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User and associated NSEC3PARAM records will be removed automatically.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User This will take place after the update request completes.</p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p> This requires the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <strong class="userinput"><code>yes</code></strong> in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">named.conf</code>.</p>
bbf7c3fd96ae5e02cb84743c581862e35327032aAutomatic Updater<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater zone statement is used, it should be removed or changed to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<div class="section"><div class="titlepage"><div><div><h3 class="title">
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User<a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews will periodically re-sign RRsets which have not been re-signed as
3040b455151b1e1173193933664b2891b6159f24Mark Andrews a result of some update action. The signature lifetimes will be
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater adjusted so as to spread the re-sign load over time rather than
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater all at once.</p>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<div class="section"><div class="titlepage"><div><div><h3 class="title">
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater<a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
e80c7005e3d59dfeb04dad186d36f3c15622954cTinderbox User where all the NSEC3 records in the zone have the same OPTOUT
bec9d04b657e1582d2531bdc02503bebde2aa978Tinderbox User <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
0e91f17da8a29086876a88962e0a3482094b6057Evan Hunt records in the chain have mixed OPTOUT state.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater state of an individual NSEC3 record, the entire chain needs to be
99c231a3bd27893583204cd0a3e3103dc78dbc28Tinderbox User changed if the OPTOUT state of an individual NSEC3 needs to be
3040b455151b1e1173193933664b2891b6159f24Mark Andrews changed.</p>
08d53af7d51409036462fa80fb1bde7a8c2ac123Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
08d53af7d51409036462fa80fb1bde7a8c2ac123Automatic Updater<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
ec7751119a08c6a7250f3187beed69a8b836d349Tinderbox User anchor management. Using this feature allows
6fd5f289d8455283fad33d1051e6fbaa3bec43d5Tinderbox User <span class="command"><strong>named</strong></span> to keep track of changes to critical
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews DNSSEC keys without any need for the operator to make changes to
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater configuration files.</p>
07d9d0dbcc0c79deb3c34f4a8af05ac68a6800e4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
07d9d0dbcc0c79deb3c34f4a8af05ac68a6800e4Mark Andrews<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
a66012b52c20200f118781463db4e4ee44454298Automatic Updater<p>To configure a validating resolver to use RFC 5011 to
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt maintain a trust anchor, configure the trust anchor using a
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span class="command"><strong>managed-keys</strong></span> statement. Information about
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews this can be found in
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater<a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater<p>To set up an authoritative zone for RFC 5011 trust anchor
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User maintenance, generate two (or more) key signing keys (KSKs) for
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater the zone. Sign the zone with one of them; this is the "active"
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater KSK. All KSKs which do not sign the zone are "stand-by"
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<p>Any validating resolver which is configured to use the
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User active KSK as an RFC 5011-managed trust anchor will take note
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User of the stand-by KSKs in the zone's DNSKEY RRset, and store them
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User for future reference. The resolver will recheck the zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington periodically, and after 30 days, if the new key is still there,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington then the key will be accepted by the resolver as a valid trust
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington anchor for the zone. Any time after this 30-day acceptance
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington timer has completed, the active KSK can be revoked, and the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zone can be "rolled over" to the newly accepted key.</p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>The easiest way to place a stand-by key in a zone is to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater use the "smart signing" features of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>dnssec-keygen</strong></span> and
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
c2abd6efeb9affa70aabb63da2acb23e135cf7f2Mark Andrews date in the past, but an activation date which is unset or in
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User the future, "
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User record in the zone, but will not sign with it:</p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User<p>To revoke a key, the new command
c2abd6efeb9affa70aabb63da2acb23e135cf7f2Mark Andrews <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews REVOKED bit to the key flags and re-generates the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">K*.private</code> files.</p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<p>After revoking the active key, the zone must be signed
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews with both the revoked KSK and the new active KSK. (Smart
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater signing takes care of this automatically.)</p>
e062b72f783cdb436a1a57a630bdff471dbb3038Mark Andrews<p>Once a key has been revoked and used to sign the DNSKEY
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater RRset in which it appears, that key will never again be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater accepted as a valid trust anchor by the resolver. However,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater validation can proceed using the new active key (which had been
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater accepted by the resolver when it was a stand-by key).</p>
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater<p>See RFC 5011 for more details on key rollover
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater scenarios.</p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<p>When a key has been revoked, its key ID changes,
85b52a5959291f5014442814488ccb267cdea369Tinderbox User increasing by 128, and wrapping around at 65535. So, for
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews "<code class="filename">Kexample.com.+005+10128</code>".</p>
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews<p>If two keys have IDs exactly 128 apart, and one is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater revoked, then the two key IDs will collide, causing several
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater problems. To prevent this,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater another key is present which may collide. This checking will
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater only occur if the new keys are written to the same directory
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater which holds all other keys in use for that zone.</p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<p>Older versions of BIND 9 did not have this precaution.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Exercise caution if using key revocation on keys that were
3040b455151b1e1173193933664b2891b6159f24Mark Andrews generated by previous releases, or if using keys stored in
7fdbd6fc9df8728852ccaecb2d66241ab96a4084Tinderbox User multiple directories or on multiple machines.</p>
52cfbde0bd391cfb37e3c1a1b460c16ba6bf1a73Automatic Updater<p>It is expected that a future release of BIND 9 will
4fda24d843edac463c98785ec0c850d912592dc1Tinderbox User address this problem in a different way, by storing revoked
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User keys with their original unrevoked key IDs.</p>
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater PKCS#11 (Public Key Cryptography Standard #11) defines a
3040b455151b1e1173193933664b2891b6159f24Mark Andrews platform-independent API for the control of hardware security
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater modules (HSMs) and other cryptographic support devices.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews BIND 9 is known to work with three HSMs: The AEP Keyper, which has
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User been tested with Debian Linux, Solaris x86 and Windows Server 2003;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater cryptographic acceleration board, tested with Solaris x86. In
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater addition, BIND can be used with all current versions of SoftHSM,
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater a software-based HSM simulator library produced by the OpenDNSSEC
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater PKCS#11 makes use of a "provider library": a dynamically loadable
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User library which provides a low-level PKCS#11 interface to drive the HSM
dcff0bfce2963a14e5af5774fd8901a42f18c720Tinderbox User hardware. The PKCS#11 provider library comes from the HSM vendor, and
3040b455151b1e1173193933664b2891b6159f24Mark Andrews it is specific to the HSM to be controlled.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews There are two available mechanisms for PKCS#11 support in BIND 9:
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater OpenSSL-based PKCS#11 and native PKCS#11. When using the first
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater mechanism, BIND uses a modified version of OpenSSL, which loads
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews the provider library and operates the HSM indirectly; any
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews cryptographic operations not supported by the HSM can be carried
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews out by OpenSSL instead. The second mechanism enables BIND to bypass
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater OpenSSL completely; BIND loads the provider library itself, and uses
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater the PKCS#11 API to drive the HSM directly.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<div class="titlepage"><div><div><h3 class="title">
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt<a name="id-1.5.12.6"></a>Prerequisites</h3></div></div></div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews See the documentation provided by your HSM vendor for
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User information about installing, initializing, testing and
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews troubleshooting the HSM.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<div class="titlepage"><div><div><h3 class="title">
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater<a name="id-1.5.12.7"></a>Native PKCS#11</h3></div></div></div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Native PKCS#11 mode will only work with an HSM capable of carrying
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater need. The HSM's provider library must have a complete implementation
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater of the PKCS#11 API, so that all these functions are accessible. As of
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater this writing, only the Thales nShield HSM and SoftHSMv2 can be used
3040b455151b1e1173193933664b2891b6159f24Mark Andrews in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater (Note: Eventually, when more HSMs become capable of supporting
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater be deprecated.)
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User To build BIND with native PKCS#11, configure as follows:
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater$ <strong class="userinput"><code>cd bind9</code></strong>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews$ <strong class="userinput"><code>/configure --enable-native-pkcs11 \
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews This will cause all BIND tools, including <span class="command"><strong>named</strong></span>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews tools, to use the PKCS#11 provider library specified in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <em class="replaceable"><code>provider-library-path</code></em> for cryptography.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews (The provider library path can be overridden using the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <code class="option">-E</code> in <span class="command"><strong>named</strong></span> and the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews the <span class="command"><strong>pkcs11-*</strong></span> tools.)
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<div class="titlepage"><div><div><h4 class="title">
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<a name="id-1.5.12.7.6"></a>Building SoftHSMv2</h4></div></div></div>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater SoftHSMv2, the latest development version of SoftHSM, is available
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <a class="link" href="https://github.com/opendnssec/SoftHSMv2" target="_top">
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater It is a software library developed by the OpenDNSSEC project
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater (<a class="link" href="http://www.opendnssec.org" target="_top">
560d6da48f066000541dd43f5d407644dee12bebTinderbox User which provides a PKCS#11 interface to a virtual HSM, implemented in
560d6da48f066000541dd43f5d407644dee12bebTinderbox User the form of a SQLite3 database on the local filesystem. It provides
9bc394fffdd50f6e47614b2d317da7274122366fTinderbox User less security than a true HSM, but it allows you to experiment with
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt native PKCS#11 when an HSM is not available. SoftHSMv2 can be
3040b455151b1e1173193933664b2891b6159f24Mark Andrews configured to use either OpenSSL or the Botan library to perform
560d6da48f066000541dd43f5d407644dee12bebTinderbox User cryptographic functions, but when using it for native PKCS#11 in
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews BIND, OpenSSL is required.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater By default, the SoftHSMv2 configuration file is
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <em class="replaceable"><code>prefix</code></em> is configured at compile time).
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater This location can be overridden by the SOFTHSM2_CONF environment
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater variable. The SoftHSMv2 cryptographic store must be installed and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater initialized before using it with BIND.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code> make </code></strong>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code> make install </code></strong>
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<div class="titlepage"><div><div><h3 class="title">
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<a name="id-1.5.12.8"></a>OpenSSL-based PKCS#11</h3></div></div></div>
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater OpenSSL-based PKCS#11 mode uses a modified version of the
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User OpenSSL library; stock OpenSSL does not fully support PKCS#11.
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User ISC provides a patch to OpenSSL to correct this. This patch is
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater based on work originally done by the OpenSolaris project; it has been
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater modified by ISC to provide new features such as PIN management and
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User key-by-reference.
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User There are two "flavors" of PKCS#11 support provided by
3040b455151b1e1173193933664b2891b6159f24Mark Andrews the patched OpenSSL, one of which must be chosen at
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater configuration time. The correct choice depends on the HSM
4d813066e967a36c407ee641155ada0c614d4dc6Automatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User Use 'crypto-accelerator' with HSMs that have hardware
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User cryptographic acceleration features, such as the SCA 6000
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater board. This causes OpenSSL to run all supported
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater cryptographic operations in the HSM.
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User Use 'sign-only' with HSMs that are designed to
3040b455151b1e1173193933664b2891b6159f24Mark Andrews function primarily as secure key storage devices, but lack
d98b4b724343547314bde32a54966c8f124a5f03Mark Andrews hardware acceleration. These devices are highly secure, but
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User are not necessarily any faster at cryptography than the
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User system CPU — often, they are slower. It is therefore
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User most efficient to use them only for those cryptographic
6ce070d74c160218ee6c864e75235a4f535320c3Tinderbox User functions that require access to the secured private key,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews such as zone signing, and to use the system CPU for all
6ce070d74c160218ee6c864e75235a4f535320c3Tinderbox User other computationally-intensive operations. The AEP Keyper
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User is an example of such a device.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews The modified OpenSSL code is included in the BIND 9 release,
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews in the form of a context diff against the latest versions of
e8e87ede5c36b95806c77bcd34894ad9c4b39a78Tinderbox User OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are
e8e87ede5c36b95806c77bcd34894ad9c4b39a78Tinderbox User separate diffs for each version. In the examples to follow,
e8e87ede5c36b95806c77bcd34894ad9c4b39a78Tinderbox User we use OpenSSL 0.9.8, but the same methods work with OpenSSL
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews 1.0.0 and 1.0.1.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews The latest OpenSSL versions as of this writing (January 2015)
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews are 0.9.8zc, 1.0.0o, and 1.0.1j.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews ISC will provide updated patches as new versions of OpenSSL
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews are released. The version number in the following examples
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews is expected to change.
eac5382be368b43df62e4ac32075131fb4997f03Tinderbox User Before building BIND 9 with PKCS#11 support, it will be
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews necessary to build OpenSSL with the patch in place, and configure
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews it with the path to your HSM's PKCS#11 provider library.
536da846f6cc03ad8abbb8bb9d5d8a6f607b8c33Mark Andrews<div class="titlepage"><div><div><h4 class="title">
536da846f6cc03ad8abbb8bb9d5d8a6f607b8c33Mark Andrews<a name="id-1.5.12.8.8"></a>Patching OpenSSL</h4></div></div></div>
ac5ed748602c890d596bed07b0b23b8b5f42b2f6Mark Andrews$ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews < bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
d98b4b724343547314bde32a54966c8f124a5f03Mark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
015f044f7f916eb18d053f2e5dcbee481425bc66Mark Andrews Note that the patch file may not be compatible with the
e7d35dad55e8deae14f29aabfb20d540b4b6ab3dMark Andrews "patch" utility on all operating systems. You may need to
015f044f7f916eb18d053f2e5dcbee481425bc66Mark Andrews install GNU patch.
bec9d04b657e1582d2531bdc02503bebde2aa978Tinderbox User When building OpenSSL, place it in a non-standard
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews location so that it does not interfere with OpenSSL libraries
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews elsewhere on the system. In the following examples, we choose
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews to install into "/opt/pkcs11/usr". We will use this location
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews when we configure BIND 9.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews Later, when building BIND 9, the location of the custom-built
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews OpenSSL library will need to be specified via configure.
ec8755f605d7dcb2de1076040e77bc2d7ec33b4aTinderbox User<div class="titlepage"><div><div><h4 class="title">
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<a name="id-1.5.12.8.9"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews The AEP Keyper is a highly secure key storage device,
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews but does not provide hardware cryptographic acceleration. It
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews can carry out cryptographic operations, but it is probably
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews slower than your system's CPU. Therefore, we choose the
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews 'sign-only' flavor when building OpenSSL.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews The Keyper-specific PKCS#11 provider library is
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews delivered with the Keyper software. In this example, we place
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews This library is only available for Linux as a 32-bit
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews binary. If we are compiling on a 64-bit Linux system, it is
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews necessary to force a 32-bit build, by specifying -m32 in the
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews build options.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Finally, the Keyper library requires threads, so we
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews must specify -pthread.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater$ <strong class="userinput"><code>/Configure linux-generic32 -m32 -pthread \
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User --pk11-flavor=sign-only \
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews After configuring, run "<span class="command"><strong>make</strong></span>"
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews test</strong></span>" fails with "pthread_atfork() not found", you forgot to
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews add the -pthread above.
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews<div class="titlepage"><div><div><h4 class="title">
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<a name="id-1.5.12.8.10"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews The SCA-6000 PKCS#11 provider is installed as a system
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews library, libpkcs11. It is a true crypto accelerator, up to 4
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews times faster than any CPU, so the flavor shall be
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews 'crypto-accelerator'.
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews In this example, we are building on Solaris x86 on an
3040b455151b1e1173193933664b2891b6159f24Mark Andrews AMD64 system.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews$ <strong class="userinput"><code>/Configure solaris64-x86_64-cc \
d46a3a2f7c1032c947b7bfde6e08010442645139Tinderbox User --pk11-flavor=crypto-accelerator \
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews After configuring, run
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <span class="command"><strong>make</strong></span> and
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <span class="command"><strong>make test</strong></span>.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<div class="titlepage"><div><div><h4 class="title">
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<a name="id-1.5.12.8.11"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews SoftHSM (version 1) is a software library developed by the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews OpenDNSSEC project
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User (<a class="link" href="http://www.opendnssec.org" target="_top">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater which provides a
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User PKCS#11 interface to a virtual HSM, implemented in the form of
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User a SQLite3 database on the local filesystem. SoftHSM uses
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User the Botan library to perform cryptographic functions. Though
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User less secure than a true HSM, it can allow you to experiment
9c2cf9e2017e6dd196e3b866808f32c6206eeedcMark Andrews with PKCS#11 when an HSM is not available.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews The SoftHSM cryptographic store must be installed and
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater initialized before using it with OpenSSL, and the SOFTHSM_CONF
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater environment variable must always point to the SoftHSM configuration
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> make </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> make install </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater SoftHSM can perform all cryptographic operations, but
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater since it only uses your system CPU, there is no advantage to using
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews it for anything but signing. Therefore, we choose the 'sign-only'
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater flavor when building OpenSSL.
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
3040b455151b1e1173193933664b2891b6159f24Mark Andrews --pk11-flavor=sign-only \
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater After configuring, run "<span class="command"><strong>make</strong></span>"
3040b455151b1e1173193933664b2891b6159f24Mark Andrews and "<span class="command"><strong>make test</strong></span>".
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews Once you have built OpenSSL, run
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User that PKCS#11 support was compiled in correctly. The output
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User should be one of the following lines, depending on the flavor
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User (pkcs11) PKCS #11 engine support (sign only)
3040b455151b1e1173193933664b2891b6159f24Mark Andrews (pkcs11) PKCS #11 engine support (crypto accelerator)
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater attempt to initialize the PKCS#11 engine. If it is able to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater do so successfully, it will report
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If the output is correct, run
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User "<span class="command"><strong>make install</strong></span>" which will install the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater To link with the PKCS#11 provider, threads must be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater enabled in the BIND 9 build.
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews The PKCS#11 library for the AEP Keyper is currently
3040b455151b1e1173193933664b2891b6159f24Mark Andrews only available as a 32-bit binary. If we are building on a
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews 64-bit host, we must force a 32-bit build by adding "-m32" to
95de440e8d2b07bb130505b4146059e5734e2eeaTinderbox User the CC options on the "configure" command line.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews$ <strong class="userinput"><code>/configure CC="gcc -m32" --enable-threads \
3040b455151b1e1173193933664b2891b6159f24Mark Andrews --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<div class="titlepage"><div><div><h4 class="title">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater To link with the PKCS#11 provider, threads must be
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User enabled in the BIND 9 build.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
879391501ee0ffba072433120bf1baa4087f8899Automatic Updater$ <strong class="userinput"><code>/configure CC="cc -xarch=amd64" --enable-threads \
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt If configure complains about OpenSSL not working, you
3040b455151b1e1173193933664b2891b6159f24Mark Andrews may have a 32/64-bit architecture mismatch. Or, you may have
3040b455151b1e1173193933664b2891b6159f24Mark Andrews incorrectly specified the path to OpenSSL (it should be the
c5f7f6aa6c51d35353a9485b32abbabfe8358b4eMark Andrews same as the --prefix argument to the OpenSSL
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.12.8.20"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater$ <strong class="userinput"><code>cd /bind9</code></strong>
3f68e9c0e5a6ce475d15eef04bfed9b08a22afa9Tinderbox User$ <strong class="userinput"><code>/configure --enable-threads \
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews After configuring, run
3040b455151b1e1173193933664b2891b6159f24Mark Andrews "<span class="command"><strong>make</strong></span>",
c5f7f6aa6c51d35353a9485b32abbabfe8358b4eMark Andrews "<span class="command"><strong>make test</strong></span>" and
c5f7f6aa6c51d35353a9485b32abbabfe8358b4eMark Andrews "<span class="command"><strong>make install</strong></span>".
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington (Note: If "make test" fails in the "pkcs11" system test, you may
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington have forgotten to set the SOFTHSM_CONF environment variable.)
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
63654fea53d6a58a65112234bc8d0c322e0c81b5Automatic Updater BIND 9 includes a minimal set of tools to operate the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews HSM, including
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
64d59a0480180940d855a3431ac5ff617b53e997Tinderbox User within the HSM,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>pkcs11-list</strong></span> to list objects currently
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>pkcs11-tokens</strong></span> to list available tokens.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater In UNIX/Linux builds, these tools are built only if BIND
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater 9 is configured with the --with-pkcs11 option. (Note: If
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User --with-pkcs11 is set to "yes", rather than to the path of the
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews PKCS#11 provider, then the tools will be built but the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews provider will be left undefined. Use the -m option or the
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt PKCS11_PROVIDER environment variable to specify the path to the
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.12.10"></a>Using the HSM</h3></div></div></div>
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User For OpenSSL-based PKCS#11, we must first set up the runtime
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews environment so the OpenSSL and PKCS#11 libraries can be loaded:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User This causes <span class="command"><strong>named</strong></span> and other binaries to load
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater rather than from the default location. This step is not necessary
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User when using native PKCS#11.
80f05de86cd3cd8e4a4215c4501643891b942dafTinderbox User Some HSMs require other environment variables to be set.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User For example, when operating an AEP Keyper, it is necessary to
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews specify the location of the "machine" file, which stores
3040b455151b1e1173193933664b2891b6159f24Mark Andrews information about the Keyper for use by the provider
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews library. If the machine file is in
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews Such environment variables must be set whenever running
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews any tool that uses the HSM, including
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews <span class="command"><strong>pkcs11-keygen</strong></span>,
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews <span class="command"><strong>pkcs11-list</strong></span>,
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews <span class="command"><strong>pkcs11-destroy</strong></span>,
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews <span class="command"><strong>dnssec-keyfromlabel</strong></span>,
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews <span class="command"><strong>dnssec-signzone</strong></span>,
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt <span class="command"><strong>dnssec-keygen</strong></span>, and
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span class="command"><strong>named</strong></span>.
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater We can now create and use keys in the HSM. In this case,
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater we will create a 2048 bit key and give it the label
9563f388c8ca1bb9ebb04db54e122815b0008c8aTinderbox User$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater$ <strong class="userinput"><code>pkcs11-list</code></strong>
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox Userobject[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox Userobject[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
9563f388c8ca1bb9ebb04db54e122815b0008c8aTinderbox User Before using this key to sign a zone, we must create a
9563f388c8ca1bb9ebb04db54e122815b0008c8aTinderbox User pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews does this. In this case, we will be using the HSM key
9e898948ed76bf5f175bf178866c90c449843c3eTinderbox User "sample-ksk" as the key-signing key for "example.net":
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The resulting K*.key and K*.private files can now be used
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater to sign the zone. Unlike normal K* files, which contain both
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater public and private key data, these files will contain only the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User public key data, plus an identifier for the private key which
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User remains stored within the HSM. Signing with the private key takes
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User place inside the HSM.
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User If you wish to generate a second key in the HSM for use
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User as a zone-signing key, follow the same procedure above, using a
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User different keylabel, a smaller key size, and omitting "-f KSK"
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User from the dnssec-keyfromlabel arguments:
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater string which identifies the key. With native PKCS#11, the label is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater a PKCS#11 URI string which may include other details about the key
3040b455151b1e1173193933664b2891b6159f24Mark Andrews and the HSM, including its PIN. See
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
64f2afc2c63a59461d11b581a208efdbeec124adTinderbox User$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Alternatively, you may prefer to generate a conventional
64f2afc2c63a59461d11b581a208efdbeec124adTinderbox User on-disk key, using dnssec-keygen:
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This provides less security than an HSM key, but since
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews HSMs can be slow or cumbersome to use for security reasons, it
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews may be more efficient to reserve HSM keys for use in the less
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews frequent key-signing operation. The zone-signing key can be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews rolled more frequently, if you wish, to compensate for a
859148b72a22e4221c3e918d15c7fdd5e78b6d8dTinderbox User reduction in key security. (Note: When using native PKCS#11,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews there is no speed advantage to using on-disk keys, as cryptographic
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews operations will be done by the HSM regardless.)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Now you can sign the zone. (Note: If not using the -S
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews option to <span class="command"><strong>dnssec-signzone</strong></span>, it will be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews necessary to add the contents of both <code class="filename">K*.key</code>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews files to the zone master file before signing it.)
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic UpdaterVerifying the zone using the following algorithms:
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox UserZone signing complete:
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox UserAlgorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater<a name="id-1.5.12.11"></a>Specifying the engine on the command line</h3></div></div></div>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User When using OpenSSL-based PKCS#11, the "engine" to be used by
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User OpenSSL can be specified in <span class="command"><strong>named</strong></span> and all of
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User the BIND <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <engine>" command line option. If BIND 9 is built with
de73ef7ecdb9e009155993a6fa8dee5cd1bde319Mark Andrews the --with-pkcs11 option, this option defaults to "pkcs11".
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater Specifying the engine will generally not be necessary unless
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater for some reason you wish to use a different OpenSSL
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If you wish to disable use of the "pkcs11" engine —
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User for troubleshooting purposes, or because the HSM is unavailable
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater — set the engine to the empty string. For example:
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User without the --with-pkcs11 option.
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater When built with native PKCS#11 mode, the "engine" option has a
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews different meaning: it specifies the path to the PKCS#11 provider
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews library. This may be useful when testing a new provider library.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="id-1.5.12.12"></a>Running named with automatic zone re-signing</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews If you want <span class="command"><strong>named</strong></span> to dynamically re-sign zones
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews using HSM keys, and/or to to sign new records inserted via nsupdate,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews this is accomplished by placing the PIN into the openssl.cnf file
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (in the above examples,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The location of the openssl.cnf file can be overridden by
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews setting the OPENSSL_CONF environment variable before running
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>named</strong></span>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews openssl_conf = openssl_def
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews [ openssl_def ]
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews engines = engine_section
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews [ engine_section ]
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews pkcs11 = pkcs11_section
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews [ pkcs11_section ]
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This will also allow the dnssec-* tools to access the HSM
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews without PIN entry. (The pkcs11-* tools access the HSM directly,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews not via OpenSSL, so a PIN will still be required to use
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews In native PKCS#11 mode, the PIN can be provided in a file specified
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews as an attribute of the key's label. For example, if a key had the label
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews then the PIN would be read from the file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Placing the HSM's PIN in a text file in this manner may reduce the
757ff043760e4743dda1a10e7d58349275934902Tinderbox User security advantage of using an HSM. Be sure this is what you want to
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User do before configuring the system in this way.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0accdb26ead1fe520a9820b52efbea64bdf564e3Tinderbox User<a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews zone data to be retrieved directly from an external database. There is
e213b38b48486b3a6349329655d9169085001fa0Tinderbox User no required format or schema. DLZ drivers exist for several different
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User database backends including PostgreSQL, MySQL, and LDAP and can be
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews written for any other.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews binary and were turned on via a configure option at compile time (for
c5a97a549c89d562e999d4f906b882c5a2a474e1Tinderbox User example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
e7d35dad55e8deae14f29aabfb20d540b4b6ab3dMark Andrews Currently, the drivers provided in the BIND 9 tarball in
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User <code class="filename">contrib/dlz/drivers</code> are still linked this
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User In BIND 9.8 and higher, it is possible to link some DLZ modules
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews generic wrapper around a shared object implementing the DLZ API. The
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater "dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews are no longer necessary when using these dynamically linkable drivers,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews but are still needed for the older drivers in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="filename">contrib/dlz/drivers</code>.
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews conversion, and the lack of any internal caching, places significant
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews limits on the query performance of DLZ modules. Consequently, DLZ is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews not recommended for use on high-volume servers. However, it can be
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User used in a hidden master configuration, with slaves retrieving zone
56334ccb2d4b5a04fc12b70b5852049db5d24088Evan Hunt updates via AXFR. (Note, however, that DLZ has no built-in support for
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User DNS notify; slaves are not automatically informed of changes to the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews zones in the database.)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater<a name="id-1.5.13.6"></a>Configuring DLZ</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews A DLZ database is configured with a <span class="command"><strong>dlz</strong></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews statement in <code class="filename">named.conf</code>:
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User database "dlopen driver.so <code class="option">args</code>";
51901858be9d4632c1d0bed28cfa8f29932c1967Tinderbox User This specifies a DLZ module to search when answering queries; the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews module is implemented in <code class="filename">driver.so</code> and is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews loaded at runtime by the dlopen DLZ driver. Multiple
347333bc39e9e2df63cc4e7309cef5354d52b1fbTinderbox User <span class="command"><strong>dlz</strong></span> statements can be specified; when
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews answering a query, all DLZ modules with <code class="option">search</code>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews set to <code class="literal">yes</code> will be queried to find out if
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater they contain an answer for the query name; the best available
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater answer will be returned to the client.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <code class="option">search</code> option in the above example can be
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews omitted, because <code class="literal">yes</code> is the default value.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews If <code class="option">search</code> is set to <code class="literal">no</code>, then
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews match when a query is received. Instead, zones in this DLZ must be
3a9593055ead76cbbb417aee2d2e656c2c92cf46Automatic Updater separately specified in a zone statement. This allows you to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater configure a zone normally using standard zone option semantics,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater but specify a different database back-end for storage of the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson zone's data. For example, to implement NXDOMAIN redirection using
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews a DLZ module for back-end storage of redirection rules:
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson database "dlopen driver.so <code class="option">args</code>";
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews type redirect;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id-1.5.13.7"></a>Sample DLZ Driver</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater For guidance in implementation of DLZ modules, the directory
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="filename">contrib/dlz/example</code> contains a basic
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User dynamically-linkable DLZ module--i.e., one which can be
467a823e57af687ebd486dfd73ea32f9d2a145beTinderbox User loaded at runtime by the "dlopen" DLZ driver.
467a823e57af687ebd486dfd73ea32f9d2a145beTinderbox User The example sets up a single zone, whose name is passed
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User to the module as an argument in the <span class="command"><strong>dlz</strong></span>
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater In the above example, the module is configured to create a zone
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User "example.nil", which can answer queries and AXFR requests, and
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User accept DDNS updates. At runtime, prior to any updates, the zone
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User contains an SOA, NS, and a single A record at the apex:
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews 123 900 600 86400 3600
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews example.nil. 1800 IN A 10.53.0.1
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews The sample driver is capable of retrieving information about the
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews querying client, and altering its response on the basis of this
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews information. To demonstrate this feature, the example driver
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews responds to queries for "source-addr.<code class="option">zonename</code>>/TXT"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews with the source address of the query. Note, however, that this
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater record will *not* be included in AXFR or ANY responses. Normally,
409ba95e573b40cf36acf97dd62ee7e9c7775851Tinderbox User this feature would be used to alter responses in some other fashion,
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User e.g., by providing different address records for a particular name
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User depending on the network from which the query arrived.
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater Documentation of the DLZ module API can be found in
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater <code class="filename">contrib/dlz/example/README</code>. This directory also
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater contains the header file <code class="filename">dlz_minimal.h</code>, which
261ef37955c3468cbcb55d54b83c9a3b14e114dfTinderbox User defines the API and should be included by any dynamically-linkable
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User<a name="dyndb-info"></a>DynDB (Dynamic Database)</h2></div></div></div>
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User DynDB is an extension to BIND 9 which, like DLZ
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User (see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User retrieved from an external database. Unlike DLZ, a DynDB module
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User provides a full-featured BIND zone database interface. Where
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User DLZ translates DNS queries into real-time database lookups,
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User resulting in relatively poor query performance, and is unable
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User to handle DNSSEC-signed data due to its limited API, a DynDB
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User module can pre-load an in-memory database from the external
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User data source, providing the same performance and functionality
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User as zones served natively by BIND.
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User A DynDB module supporting LDAP has been created by Red Hat
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User and is available from
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User <a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User A sample DynDB module for testing and developer guidance
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User is included with the BIND source code, in the directory
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User <code class="filename">bin/tests/system/dyndb/driver</code>.
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User<div class="titlepage"><div><div><h3 class="title">
955ee8b865d70d02ad1fdc959382e6f8a07c1d14Tinderbox User<a name="id-1.5.14.5"></a>Configuring DynDB</h3></div></div></div>
b8cc0c5d896c361525708a2be2e5af7df76c96d7Tinderbox User A DynDB database is configured with a <span class="command"><strong>dyndb</strong></span>
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User statement in <code class="filename">named.conf</code>:
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User dyndb example "driver.so" {
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User <em class="replaceable"><code>parameters</code></em>
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User The file <code class="filename">driver.so</code> is a DynDB module which
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User implements the full DNS database API. Multiple
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User <span class="command"><strong>dyndb</strong></span> statements can be specified, to load
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User different drivers or multiple instances of the same driver.
7a6494cfb6cc7d3f67af07359561e05e6bb8c0edTinderbox User Zones provided by a DynDB module are added to the view's zone
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User table, and are treated as normal authoritative zones when BIND
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User is responding to queries. Zone configuration is handled internally
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User by the DynDB module.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User The <em class="replaceable"><code>parameters</code></em> are passed as an opaque
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews string to the DynDB module's initialization routine. Configuration
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews syntax will differ depending on the driver.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id-1.5.14.6"></a>Sample DynDB Module</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews For guidance in implementation of DynDB modules, the directory
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">bin/tests/system/dyndb/driver</code>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews contains a basic DynDB module.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The example sets up two zones, whose names are passed
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews to the module as arguments in the <span class="command"><strong>dyndb</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews dyndb sample "sample.so" { example.nil. arpa. };
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In the above example, the module is configured to create a zone
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews "example.nil", which can answer queries and AXFR requests, and
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews accept DDNS updates. At runtime, prior to any updates, the zone
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews contains an SOA, NS, and a single A record at the apex:
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews example.nil. 86400 IN SOA example.nil. example.nil. (
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews 0 28800 7200 604800 86400
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews example.nil. 86400 IN A 127.0.0.1
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews When the zone is updated dynamically, the DynDB module will determine
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews whether the updated RR is an address (i.e., type A or AAAA) and if
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews so, it will automatically update the corresponding PTR record in a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews reverse zone. (Updates are not stored permanently; all updates are
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews lost when the server is restarted.)
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id-1.5.15"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <acronym class="acronym">BIND</acronym> 9 fully supports all currently
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews defined forms of IPv6 name to address and address to name
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews lookups. It will also use IPv6 addresses to make queries when
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews running on an IPv6 capable system.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews only AAAA records. RFC 3363 deprecated the use of A6 records,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and client-side support for A6 records was accordingly removed
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews from <acronym class="acronym">BIND</acronym> 9.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews load zone files containing A6 records correctly, answer queries
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews for A6 records, and accept zone transfer for a zone containing A6
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the traditional "nibble" format used in the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span class="emphasis"><em>ip6.int</em></span> domain.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Older versions of <acronym class="acronym">BIND</acronym> 9
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews supported the "binary label" (also known as "bitstring") format,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews but support of binary labels has been completely removed per
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the binary label format at all any more, and will return an
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews error if given.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews name server will not load a zone file containing binary labels.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews For an overview of the format and structure of IPv6 addresses,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id-1.5.15.6"></a>Address Lookups Using AAAA Records</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The IPv6 AAAA record is a parallel to the IPv4 A record,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and, unlike the deprecated A6 record, specifies the entire
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews IPv6 address in a single record. For example,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrewshost 3600 IN AAAA 2001:db8::1
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Use of IPv4-in-IPv6 mapped addresses is not recommended.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If a host has an IPv4 address, use an A record, not
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the address.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id-1.5.15.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews When looking up an address in nibble format, the address
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews components are simply reversed, just as in IPv4, and
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="literal">ip6.arpa.</code> is appended to the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews resulting name.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews For example, the following would provide reverse name lookup for
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews a host with address
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<table width="100%" summary="Navigation footer">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="left" valign="top">Chapter�3.�Name Server Configuration�</td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="right" valign="top">�Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>