60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<HTML
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User><HEAD
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews><TITLE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Advanced DNS Features</TITLE
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater><META
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="GENERATOR"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCONTENT="Modular DocBook HTML Stylesheet Version 1.73
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="HOME"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTITLE="BIND 9 Administrator Reference Manual"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.html"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="PREVIOUS"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTITLE="Name Server Configuration"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch03.html"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="NEXT"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTITLE="The BIND 9 Lightweight Resolver"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch05.html"></HEAD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><BODY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="chapter"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinBGCOLOR="#FFFFFF"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserTEXT="#000000"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntLINK="#0000FF"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinVLINK="#840084"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinALINK="#0000FF"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="NAVHEADER"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TABLE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinSUMMARY="Header navigation table"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="100%"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinBORDER="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCELLPADDING="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCELLSPACING="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCOLSPAN="3"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinALIGN="center"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND 9 Administrator Reference Manual</TH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserWIDTH="10%"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserALIGN="left"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserVALIGN="bottom"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch03.html"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserACCESSKEY="P"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Prev</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TD
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TD
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntWIDTH="80%"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserALIGN="center"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserVALIGN="bottom"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserWIDTH="10%"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserALIGN="right"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserVALIGN="bottom"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserHREF="Bv9ARM.ch05.html"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinACCESSKEY="N"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Next</A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></TD
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TABLE
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><HR
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserALIGN="LEFT"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserWIDTH="100%"></DIV
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><DIV
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="chapter"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="ch04"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Chapter 4. Advanced DNS Features</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="TOC"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DL
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Table of Contents</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.1. <A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterHREF="Bv9ARM.ch04.html#notify"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Notify</A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.2. <A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserHREF="Bv9ARM.ch04.html#dynamic_update"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Dynamic Update</A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.3. <A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserHREF="Bv9ARM.ch04.html#incremental_zone_transfers"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Incremental Zone Transfers (IXFR)</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.4. <A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterHREF="Bv9ARM.ch04.html#AEN755"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Split DNS</A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.5. <A
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox UserHREF="Bv9ARM.ch04.html#tsig"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>TSIG</A
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.6. <A
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox UserHREF="Bv9ARM.ch04.html#AEN915"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>TKEY</A
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.7. <A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch04.html#AEN930"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>SIG(0)</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>4.8. <A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch04.html#DNSSEC"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>DNSSEC</A
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews></DT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>4.9. <A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch04.html#AEN1017"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>IPv6 Support in <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews> 9</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DL
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DIV
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntNAME="notify"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>4.1. Notify</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H1
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><SPAN
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>DNS</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> NOTIFY is a mechanism that allows master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinservers to notify their slave servers of changes to a zone's data. In
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinresponse to a <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>NOTIFY</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> from a master server, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinslave will check to see that its version of the zone is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeincurrent version and, if not, initiate a zone transfer.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>For more information about <SPAN
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark AndrewsCLASS="acronym"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>DNS</SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater>NOTIFY</B
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater>, see the description of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater>notify</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> option in <A
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic UpdaterHREF="Bv9ARM.ch06.html#boolean_options"
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater>Section 6.2.16.1</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntthe description of the zone option <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater>also-notify</B
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater> in
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater<A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch06.html#zone_transfers"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Section 6.2.16.7</A
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>. The <B
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterCLASS="command"
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>NOTIFY</B
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updaterprotocol is specified in RFC 1996.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="dynamic_update"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>4.2. Dynamic Update</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Dynamic Update is a method for adding, replacing or deleting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein records in a master server by sending it a special form of DNS
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein messages. The format and meaning of these messages are specified
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User in RFC 2136.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Dynamic update is enabled on a zone-by-zone basis, by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein including an <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-update</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> or
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater <B
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic UpdaterCLASS="command"
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater>update-policy</B
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater> clause in the
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>zone</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> statement.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Updating of secure zones (zones using DNSSEC) follows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RFC 3007: SIG and NXT records affected by updates are automatically
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein regenerated by the server using an online zone key, that is, a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein private signing key that is kept on the server itself.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Update authorization is based
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on transaction signatures and an explicit server policy.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H2
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="journal"
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews>4.2.1. The journal file</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>All changes made to a zone using dynamic update are stored in the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zone's journal file. This file is automatically created by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server when the first dynamic update takes place. The name of
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User the journal file is formed by appending the
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User extension <TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="filename"
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User>.jnl</TT
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User> to the
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User name of the corresponding zone file. The journal file is in a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt binary format and should not be edited manually.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>The server will also occasionally write ("dump")
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the complete contents of the updated zone to its zone file.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This is not done immediately after
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User each dynamic update, because that would be too slow when a large
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User zone is updated frequently. Instead, the dump is delayed by
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User up to 15 minutes, allowing additional updates to take place.</P
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>When a server is restarted after a shutdown or crash, it will replay
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User the journal file to incorporate into the zone any updates that took
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User place after the last zone dump.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Changes that result from incoming incremental zone transfers are also
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein journalled in a similar way.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The zone files of dynamic zones cannot normally be edited by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein hand because they are not guaranteed to contain the most recent
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dynamic changes - those are only in the journal file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The only way to ensure that the zone file of a dynamic zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt is up to date is to run <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>rndc stop</B
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews>.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>If you have to make changes to a dynamic zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein manually, the following procedure will work: Disable dynamic updates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the zone using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>rndc freeze <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="replaceable"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>zone</I
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews></TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This will also remove the zone's <TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>.jnl</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> file
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User and update the master file. Edit the zone file. Run
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>rndc unfreeze <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="replaceable"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><I
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>zone</I
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to reload the changed zone and re-enable dynamic updates.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><A
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsNAME="incremental_zone_transfers"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>4.3. Incremental Zone Transfers (IXFR)</A
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews></H1
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>The incremental zone transfer (IXFR) protocol is a way for
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userslave servers to transfer only changed data, instead of having to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintransfer the entire zone. The IXFR protocol is specified in RFC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein1995. See <A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch09.html#proposed_standards"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Proposed Standards</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>When acting as a master, <SPAN
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark AndrewsCLASS="acronym"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>BIND</SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> 9
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usersupports IXFR for those zones
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userwhere the necessary change history information is available. These
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userinclude master zones maintained by dynamic update and slave zones
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userwhose data was obtained by IXFR. For manually maintained master
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userzones, and for slave zones obtained by performing a full zone
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usertransfer (AXFR), IXFR is supported only if the option
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>ixfr-from-differences</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> is set
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto <TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="userinput"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>yes</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>When acting as a slave, <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="acronym"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>BIND</SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> 9 will
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userattempt to use IXFR unless
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userit is explicitly disabled. For more information about disabling
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserIXFR, see the description of the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>request-ixfr</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> clause
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userof the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>server</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> statement.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect1"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><H1
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserNAME="AEN755"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>4.4. Split DNS</A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></H1
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Setting up different views, or visibility, of the DNS space to
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userinternal and external resolvers is usually referred to as a <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Split
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserDNS</I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> setup. There are several reasons an organization
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userwould want to set up its DNS this way.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>One common reason for setting up a DNS system this way is
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto hide "internal" DNS information from "external" clients on the
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserInternet. There is some debate as to whether this is actually useful.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserInternal DNS information leaks out in many ways (via email headers,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userfor example) and most savvy "attackers" can find the information
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userthey need using other means.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Another common reason for setting up a Split DNS system is
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto allow internal networks that are behind filters or in RFC 1918
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userspace (reserved IP space, as documented in RFC 1918) to resolve DNS
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useron the Internet. Split DNS can also be used to allow mail from outside
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userback in to the internal network.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Here is an example of a split DNS setup:</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Let's say a company named <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Example, Inc.</I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User(<TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="literal"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>example.com</TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>)
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userhas several corporate sites that have an internal network with reserved
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserInternet Protocol (IP) space and an external demilitarized zone (DMZ),
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useror "outside" section of a network, that is available to the public.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Example, Inc.</I
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> wants its internal clients
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto be able to resolve external hostnames and to exchange mail with
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userpeople on the outside. The company also wants its internal resolvers
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userto have access to certain internal-only zones that are not available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinat all outside of the internal network.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>In order to accomplish this, the company will set up two sets
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userof name servers. One set will be on the inside network (in the reserved
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserIP space) and the other set will be on bastion hosts in the DMZ, which are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt"proxy" hosts that can talk to both sides of the network.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>The internal servers will be configured to forward all queries,
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userexcept queries for <TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="filename"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>site1.internal</TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>, <TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="filename"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>site2.internal</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>, <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="filename"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>site1.example.com</TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>,
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userand <TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="filename"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>site2.example.com</TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>, to the servers in the
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserDMZ. These internal servers will have complete sets of information
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinfor <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>site1.example.com</TT
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>, <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>site2.example.com</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>, <TT
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceCLASS="filename"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>site1.internal</TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>,
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterand <TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="filename"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>site2.internal</TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>To protect the <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>site1.internal</TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater> and <TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.internal</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> domains,
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterthe internal name servers must be configured to disallow all queries
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterto these domains from any external hosts, including the bastion
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucehosts.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>The external servers, which are on the bastion hosts, will
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Lucebe configured to serve the "public" version of the <TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="filename"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>site1</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site2.example.com</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> zones.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceThis could include things such as the host records for public servers
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce(<TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>www.example.com</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>ftp.example.com</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceand mail exchange (MX) records (<TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>a.mx.example.com</TT
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce> and <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>b.mx.example.com</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>).</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In addition, the public <TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="filename"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>site1</TT
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> and <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>site2.example.com</TT
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> zones
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usershould have special MX records that contain wildcard (`*') records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinpointing to the bastion hosts. This is needed because external mail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinservers do not have any other way of looking up how to deliver mail
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luceto those internal hosts. With the wildcard records, the mail will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucebe delivered to the bastion host, which can then forward it on to
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luceinternal hosts.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Here's an example of a wildcard MX record:</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><PRE
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="programlisting"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater><TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="literal"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>* IN MX 10 external1.example.com.</TT
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater></PRE
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater><P
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>Now that they accept mail on behalf of anything in the internal
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaternetwork, the bastion hosts will need to know how to deliver mail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceto internal hosts. In order for this to work properly, the resolvers on
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucethe bastion hosts will need to be configured to point to the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucename servers for DNS resolution.</P
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce><P
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>Queries for internal hostnames will be answered by the internal
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updaterservers, and queries for external hostnames will be forwarded back
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceout to the DNS servers on the bastion hosts.</P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><P
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>In order for all this to work properly, internal clients will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceneed to be configured to query <SPAN
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceCLASS="emphasis"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>only</I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> the internal
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucename servers for DNS queries. This could also be enforced via selective
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinfiltering on the network.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>If everything has been set properly, <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Example, Inc.</I
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></SPAN
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>'s
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceinternal clients will now be able to:</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><UL
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><LI
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Look up any hostnames in the <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="literal"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>site1</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> and
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="literal"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>site2.example.com</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> zones.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Look up any hostnames in the <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="literal"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>site1.internal</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> and
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="literal"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>site2.internal</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> domains.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Look up any hostnames on the Internet.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Exchange mail with internal AND external people.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></UL
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Hosts on the Internet will be able to:</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><UL
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Look up any hostnames in the <TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="literal"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>site1</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="literal"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>site2.example.com</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> zones.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Exchange mail with anyone in the <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="literal"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>site1</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> and
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="literal"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>site2.example.com</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> zones.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></LI
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></UL
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Here is an example configuration for the setup we just
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User described above. Note that this is only configuration information;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User for information on how to configure your zone files, see <A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserHREF="Bv9ARM.ch03.html#sample_configuration"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>Section 3.1</A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Internal DNS server config:</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><PRE
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="programlisting"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>&#13;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Useracl internals { 172.16.72.0/24; 192.168.1.0/24; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl externals { <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="varname"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>bastion-ips-go-here</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useroptions {
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forward only;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forwarders { // forward to external servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="varname"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>bastion-ips-go-here</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-transfer { none; }; // sample allow-transfer (no one)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-query { internals; externals; }; // restrict query access
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User allow-recursion { internals; }; // restrict recursion
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userzone "site1.example.com" { // sample master zone
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User type master;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User file "m/site1.example.com";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forwarders { }; // do normal iterative
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User // resolution (do not forward)
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-query { internals; externals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userzone "site2.example.com" { // sample slave zone
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User type slave;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User file "s/site2.example.com";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User masters { 172.16.72.3; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forwarders { };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-query { internals; externals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userzone "site1.internal" {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User type master;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file "m/site1.internal";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forwarders { };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User allow-query { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userzone "site2.internal" {
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User type slave;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User file "s/site2.internal";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User masters { 172.16.72.3; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User forwarders { };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-query { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { internals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User</PRE
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>External (bastion host) DNS server config:</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><PRE
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="programlisting"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>&#13;acl internals { 172.16.72.0/24; 192.168.1.0/24; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Useracl externals { bastion-ips-go-here; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ...
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { none; }; // sample allow-transfer (no one)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce allow-query { internals; externals; }; // restrict query access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-recursion { internals; externals; }; // restrict recursion
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User ...
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "site1.example.com" { // sample master zone
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User type master;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User file "m/site1.foo.com";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-query { any; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-transfer { internals; externals; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userzone "site2.example.com" {
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User type slave;
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User file "s/site2.foo.com";
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User masters { another_bastion_host_maybe; };
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User allow-query { any; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-transfer { internals; externals; };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User};
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>In the <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="filename"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>resolv.conf</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> (or equivalent) on
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userthe bastion host(s):</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><PRE
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="programlisting"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>&#13;search ...
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Usernameserver 172.16.72.2
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Usernameserver 172.16.72.3
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Usernameserver 172.16.72.4
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H1
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="sect1"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserNAME="tsig"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>4.5. TSIG</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>This is a short guide to setting up Transaction SIGnatures
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt(TSIG) based transaction security in <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>. It describes changes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinto the configuration file as well as what changes are required for
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userdifferent features, including the process of creating transaction
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userkeys and using transaction signatures with <SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="acronym"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>BIND</SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="acronym"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>BIND</SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> primarily supports TSIG for server to server communication.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserThis includes zone transfer, notify, and recursive query messages.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserResolvers based on newer versions of <SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="acronym"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>BIND</SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> 8 have limited support
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userfor TSIG.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>TSIG might be most useful for dynamic update. A primary
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User server for a dynamic zone should use access control to control
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User updates, but IP-based access control is insufficient.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User The cryptographic access control provided by TSIG
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User is far superior. The <B
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="command"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>nsupdate</B
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User program supports TSIG via the <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="option"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>-k</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="option"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>-y</TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> command line options.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><DIV
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="sect2"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><H2
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="sect2"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserNAME="AEN846"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>4.5.1. Generate Shared Keys for Each Pair of Hosts</A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></H2
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>A shared secret is generated to be shared between <SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="emphasis"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><I
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="emphasis"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>host1</I
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User> and <SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="emphasis"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><I
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="emphasis"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>host2</I
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User></SPAN
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserAn arbitrary key name is chosen: "host1-host2.". The key name must
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userbe the same on both hosts.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect3"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H3
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="sect3"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><A
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserNAME="AEN851"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>4.5.1.1. Automatic Generation</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H3
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The following command will generate a 128 bit (16 byte) HMAC-MD5
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkey as described above. Longer keys are better, but shorter keys
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userare easier to read. Note that the maximum key length is 512 bits;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userkeys longer than that will be digested with MD5 to produce a 128
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox Userbit key.</P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="userinput"
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User><P
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User>The key is in the file <TT
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Khost1-host2.+157+00000.private</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox UserNothing directly uses this file, but the base-64 encoded string
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinfollowing "<TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="literal"
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews>Key:</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeincan be extracted from the file and used as a shared secret:</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><PRE
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="programlisting"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Key: La/E5CjG9O+os1jq0a2jdA==</PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The string "<TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="literal"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>La/E5CjG9O+os1jq0a2jdA==</TT
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews>" can
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsbe used as the shared secret.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect3"
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews><H3
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect3"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="AEN862"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>4.5.1.2. Manual Generation</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H3
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>The shared secret is simply a random sequence of bits, encoded
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinin base-64. Most ASCII strings are valid base-64 strings (assuming
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinthe length is a multiple of 4 and only valid characters are used),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinso the shared secret can be manually generated, provided the chosen string is still random and unpredictable.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Also, a known string can be run through <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>mmencode</B
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeina similar program to generate base-64 encoded data.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H2
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="AEN867"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.5.2. Copying the Shared Secret to Both Machines</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H2
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>This is beyond the scope of DNS. A secure transport mechanism
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntshould be used. This could be secure FTP, ssh, telephone, etc.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H2
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="AEN870"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>4.5.3. Informing the Servers of the Key's Existence</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H2
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Imagine <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews>host1</I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> and <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>host2</I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinboth servers. The following is added to each server's <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews>named.conf</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> file:</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="programlisting"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>&#13;key host1-host2. {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm hmac-md5;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein secret "La/E5CjG9O+os1jq0a2jdA==";
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>The algorithm, hmac-md5, is the only one supported by <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="acronym"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinThe secret is the one generated above. Since this is a secret, it
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useris recommended that either <TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="filename"
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater>named.conf</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> be non-world-readable,
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updateror the key directive be added to a non-world-readable
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userfile that is included by <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>named.conf</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>At this point, the key is recognized. This means that if the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userserver receives a message signed by this key, it can verify the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinsignature. If the signature is successfully verified, the
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userresponse is signed by the same key.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H2
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater><A
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterNAME="AEN882"
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>4.5.4. Instructing the Server to Use the Key</A
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater></H2
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater><P
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>Since keys are shared between two hosts only, the server must
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updaterbe told when keys are to be used. The following is added to the <TT
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>named.conf</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinfor <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>host1</I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>, if the IP address of <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>host2</I
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein10.1.2.3:</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="programlisting"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>&#13;server 10.1.2.3 {
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews keys { host1-host2. ;};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews</PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Multiple keys may be present, but only the first is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinThis directive does not contain any secrets, so it may be in a world-readable
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userfile.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>If <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="emphasis"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="emphasis"
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews>host1</I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></SPAN
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater> sends a request message
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinto that address, the message will be signed with the specified key. <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="emphasis"
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater>host1</I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></SPAN
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater> will
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updaterexpect any responses to signed messages to be signed with the same
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userkey.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater>A similar statement must be present in <SPAN
ebabe300b615154d08f5577822cfd8726d2643c8Automatic UpdaterCLASS="emphasis"
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater><I
ebabe300b615154d08f5577822cfd8726d2643c8Automatic UpdaterCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>host2</I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></SPAN
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updater>'s
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updaterconfiguration file (with <SPAN
ebabe300b615154d08f5577822cfd8726d2643c8Automatic UpdaterCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>host1</I
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews></SPAN
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>'s address) for <SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="emphasis"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews><I
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsCLASS="emphasis"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>host2</I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> to
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updatersign request messages to <SPAN
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="emphasis"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>host1</I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></SPAN
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>.</P
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
71c66a876ecca77923638d3f94cc0783152b2f03Mark AndrewsCLASS="sect2"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews><H2
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsCLASS="sect2"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews><A
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsNAME="AEN898"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.5.5. TSIG Key Based Access Control</A
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews></H2
d3907d27cc138f45772d3d63082ae02c7659148aAutomatic Updater><P
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews><SPAN
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsCLASS="acronym"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>BIND</SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> allows IP addresses and ranges to be specified in ACL
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updaterdefinitions and
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews<B
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsCLASS="command"
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>allow-{ query | transfer | update }</B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater> directives.
6101b9f0d904a708e900a74abc16d1e0eda67264Mark AndrewsThis has been extended to allow TSIG keys also. The above key would
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updaterbe denoted <B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="command"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>key host1-host2.</B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater></P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>An example of an allow-update directive would be:</P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><PRE
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="programlisting"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>&#13;allow-update { key host1-host2. ;};
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</PRE
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><P
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>This allows dynamic updates to succeed only if the request
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater was signed by a key named
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater "<B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="command"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>host1-host2.</B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>".</P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>You may want to read about the more
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater powerful <B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="command"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>update-policy</B
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater> statement in <A
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterHREF="Bv9ARM.ch06.html#dynamic_update_policies"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>Section 6.2.24.4</A
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>.</P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater></DIV
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><DIV
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="sect2"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><H2
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterCLASS="sect2"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><A
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic UpdaterNAME="AEN911"
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>4.5.6. Errors</A
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater></H2
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater><P
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater>The processing of TSIG signed messages can result in
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater several errors. If a signed message is sent to a non-TSIG-aware
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater server, a FORMERR will be returned, since the server will not
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater understand the record. This is a result of misconfiguration,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater since the server must be explicitly configured to send a TSIG
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews signed message to a specific server.</P
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews><P
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews>If a TSIG aware server receives a message signed by an
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews unknown key, the response will be unsigned with the TSIG
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews extended error code set to BADKEY. If a TSIG aware server
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews receives a message with a signature that does not validate, the
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews response will be unsigned with the TSIG extended error code set
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews to BADSIG. If a TSIG aware server receives a message with a time
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User outside of the allowed range, the response will be signed with
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews the TSIG extended error code set to BADTIME, and the time values
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews will be adjusted so that the response can be successfully
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews verified. In any of these cases, the message's rcode is set to
6101b9f0d904a708e900a74abc16d1e0eda67264Mark Andrews NOTAUTH.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater></DIV
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater><DIV
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic UpdaterCLASS="sect1"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater><H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater><A
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic UpdaterNAME="AEN915"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater>4.6. TKEY</A
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater></H1
5d564da348e890e42f63eebf2dced9a05b41f4fbTinderbox User><P
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater><B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater>TKEY</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> is a mechanism for automatically
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater generating a shared secret between two hosts. There are several
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater "modes" of <B
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic UpdaterCLASS="command"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater>TKEY</B
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater> that specify how the key is
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater generated or assigned. <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="acronym"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater>BIND</SPAN
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater> 9
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater implements only one of these modes,
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater the Diffie-Hellman key exchange. Both hosts are required to have
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater a Diffie-Hellman KEY record (although this record is not required
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to be present in a zone). The <B
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic UpdaterCLASS="command"
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater>TKEY</B
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater> process
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater must use signed messages, signed either by TSIG or SIG(0). The
cbf7f1435f332b31f51a98611ccbfcd07c42c032Automatic Updater result of <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>TKEY</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> is a shared secret that can be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User used to sign messages with TSIG. <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>TKEY</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> can also
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater be used to delete shared secrets that it had previously
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater generated.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>TKEY</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> process is initiated by a client
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User or server by sending a signed <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>TKEY</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> query
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater (including any appropriate KEYs) to a TKEY-aware server. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt server response, if it indicates success, will contain a
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>TKEY</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> record and any appropriate keys. After
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this exchange, both participants have enough information to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt determine the shared secret; the exact process depends on the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>TKEY</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> mode. When using the Diffie-Hellman
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>TKEY</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> mode, Diffie-Hellman keys are exchanged,
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater and the shared secret is derived by both participants.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H1
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="sect1"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntNAME="AEN930"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>4.7. SIG(0)</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H1
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="acronym"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> 9 partially supports DNSSEC SIG(0)
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0)
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater uses public/private keys to authenticate messages. Access control
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User is performed in the same manner as TSIG keys; privileges can be
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater granted or denied based on the key name.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>When a SIG(0) signed message is received, it will be verified
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User only if the key is known and trusted by the server; the server
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt will not attempt to locate and/or validate the key.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>SIG(0) signing of multiple-message TCP streams is not
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt supported.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>The only tool shipped with <SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> 9 that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt generates SIG(0) signed messages is <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>nsupdate</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterNAME="DNSSEC"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>4.8. DNSSEC</A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></H1
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Cryptographic authentication of DNS information is possible
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt through the DNS Security (<SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="emphasis"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><I
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>DNSSEC</I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>) extensions,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt defined in RFC 2535. This section describes the creation and use
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater of DNSSEC signed zones.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>In order to set up a DNSSEC secure zone, there is a series
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of steps that must be followed. <SPAN
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> 9 ships
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater with several tools
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater that are used in this process, which are explained in more detail
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater below. In all cases, the <TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="option"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>-h</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> option prints a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt full list of parameters. Note that the DNSSEC tools require the
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater keyset and signedkey files to be in the working directory or the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User directory specified by the <TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="option"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>-d</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> option, and
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater that the tools shipped with BIND 9.0.x are not fully compatible
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater with the current ones.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>There must also be communication with the administrators of
ef8014e56f35bb36daa5fd2c313f5e7963e97aa1Tinderbox User the parent and/or child zone to transmit keys and signatures. A
ef8014e56f35bb36daa5fd2c313f5e7963e97aa1Tinderbox User zone's security status must be indicated by the parent zone for a
ef8014e56f35bb36daa5fd2c313f5e7963e97aa1Tinderbox User DNSSEC-capable resolver to trust its data.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
ef8014e56f35bb36daa5fd2c313f5e7963e97aa1Tinderbox User>For other servers to trust data in this zone, they must
ef8014e56f35bb36daa5fd2c313f5e7963e97aa1Tinderbox User be statically configured with either this zone's zone key or the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zone key of another zone above this one in the DNS tree.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><DIV
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="sect2"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><H2
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="sect2"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterNAME="AEN949"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>4.8.1. Generating Keys</A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></H2
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>dnssec-keygen</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> program is used to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt generate keys.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>A secure zone must contain one or more zone keys. The
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zone keys will sign all other records in the zone, as well as
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the zone keys of any secure delegated zones. Zone keys must
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User have the same name as the zone, a name type of
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>ZONE</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>, and must be usable for authentication.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User It is recommended that zone keys use a cryptographic algorithm
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater designated as "mandatory to implement" by the IETF; currently
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater these are RSASHA1 and DSA.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The following command will generate a 768 bit DSA key for
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater the <TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="filename"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>child.example</TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> zone:</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="userinput"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></P
><P
>Two output files will be produced:
 <TT
CLASS="filename"
>Kchild.example.+003+12345.key</TT
> and
 <TT
CLASS="filename"
>Kchild.example.+003+12345.private</TT
> (where
 12345 is an example of a key tag). The key file names contain
 the key name (<TT
CLASS="filename"
>child.example.</TT
>), algorithm (3
 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
 Note that RSAMD5 and DSA have since been deprecated for DNSSEC use;
 for new keys, prefer a current algorithm supported by your version of
 <SPAN CLASS="acronym">BIND</SPAN>.
 The private key (in the <TT
CLASS="filename"
>.private</TT
> file) is
 used to generate signatures, and the public key (in the
 <TT
CLASS="filename"
>.key</TT
> file) is used for signature
 verification. The <TT
CLASS="filename"
>.private</TT
> file must be kept confidential: anyone who obtains it can
 produce valid signatures for the zone. Keep it readable only by the
 account that runs the signing tools, and never place it in a zone
 file or send it to the parent.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>To generate another key with the same properties (but with
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater a different key tag), repeat the above command.</P
><P
>The public keys should be inserted into the zone file by
 including the <TT
CLASS="filename"
>.key</TT
> files using
 <B
CLASS="command"
>$INCLUDE</B
> statements. Include only the
 <TT
CLASS="filename"
>.key</TT
> files; the <TT
CLASS="filename"
>.private</TT
> files must never be included in, or stored alongside, a zone
 file that is published or transferred.
 </P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="sect2"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><H2
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="sect2"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="AEN969"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.8.2. Creating a Keyset</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>The <B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="command"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>dnssec-makekeyset</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> program is used
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater to create a key set from one or more keys.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>Once the zone keys have been generated, a key set must be
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater built for transmission to the administrator of the parent zone,
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater so that the parent zone can sign the keys with its own zone key
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater and correctly indicate the security status of this zone. When
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User building a key set, the list of keys to be included and the TTL
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User of the set must be specified, and the desired signature validity
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User period of the parent's signature may also be specified.</P
><P
>The list of keys to be inserted into the key set may also
 include non-zone keys present at the top of the zone.
 <B
CLASS="command"
>dnssec-makekeyset</B
> may also be used at other
 names in the zone.</P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>The following command generates a key set containing the
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater above key and another key similarly generated, with a TTL of
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 3600 and a signature validity period of 10 days starting from
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User now.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterCLASS="userinput"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></P
><P
>One output file is produced:
 <TT
CLASS="filename"
>keyset-child.example.</TT
>. This file should be
 transmitted to the parent to be signed. It includes the keys,
 as well as signatures over the key set generated by the zone
 keys themselves, which are used to prove possession of the
 private keys and encode the desired validity period. These
 self-signatures show only that the sender holds the private keys;
 they do not show that the sender is the legitimate administrator
 of the child zone. Because the parent's signature is what
 establishes the chain of trust for the child, the parent should
 confirm the origin of a received keyset through an authenticated,
 out-of-band channel before signing it.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DIV
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><H2
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect2"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater><A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic UpdaterNAME="AEN981"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>4.8.3. Signing the Child's Keyset</A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></H2
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>dnssec-signkey</B
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> program is used to
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater sign one child's keyset.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>If the <TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="filename"
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>child.example</TT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater> zone has any
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater delegations which are secure, for example,
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="filename"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>grand.child.example</TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>, the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="filename"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>child.example</TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater> administrator should receive
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater keyset files for each secure subzone. These keys must be signed
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User by this zone's zone keys.</P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>The following command signs the child's key set with the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zone keys:</P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="userinput"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><B
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>One output file is produced:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="filename"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>signedkey-grand.child.example.</TT
6478b87fd23bcd3ab74c25b261021fe19a239c4fTinderbox User>. This file
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater should be both transmitted back to the child and retained. It
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User includes all keys (the child's keys) from the keyset file and
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater signatures generated by this zone's zone keys.</P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></DIV
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><DIV
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="sect2"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><H2
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="sect2"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterNAME="AEN994"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>4.8.4. Signing the Zone</A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></H2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>The <B
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="command"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>dnssec-signzone</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> program is used to
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater sign a zone.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>Any <TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="filename"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>signedkey</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> files corresponding to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt secure subzones should be present, as well as a
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater <TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="filename"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>signedkey</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> file for this zone generated by
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater the parent (if there is one). The zone signer will generate
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="literal"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>NXT</TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater> and <TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="literal"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>SIG</TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> records for
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater the zone, as well as incorporate the zone key signature from the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User parent and indicate the security status at all delegation
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater points.</P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>The following command signs the zone, assuming it is in a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User file called <TT
6478b87fd23bcd3ab74c25b261021fe19a239c4fTinderbox UserCLASS="filename"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>zone.child.example</TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>. By
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater default, all zone keys which have an available private key are
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater used to generate signatures.</P
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic UpdaterCLASS="userinput"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><B
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>dnssec-signzone -o child.example zone.child.example</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TT
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></P
><P
>One output file is produced:
 <TT
CLASS="filename"
>zone.child.example.signed</TT
>. This file
 should be referenced by <TT
CLASS="filename"
>named.conf</TT
> as the
 input file for the zone. Continue to edit the unsigned
 <TT
CLASS="filename"
>zone.child.example</TT
> file and re-run
 <B
CLASS="command"
>dnssec-signzone</B
> after each change; editing the signed file directly would leave
 its <TT
CLASS="literal"
>SIG</TT
> records no longer matching the data they cover.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect2"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><H2
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect2"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><A
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserNAME="AEN1010"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>4.8.5. Configuring Servers</A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></H2
><P
>Unlike <SPAN
CLASS="acronym"
>BIND</SPAN
> 8,
<SPAN
CLASS="acronym"
>BIND</SPAN
> 9 does not verify signatures on load,
so zone keys for authoritative zones do not need to be specified
in the configuration file. A consequence is that a signed zone
whose signatures have expired, or which was signed with the wrong
keys, will still load and be served, and validating resolvers will
then reject its data. Because every signature carries a validity
period (the signature validity period discussed above), the zone
must be re-signed with <B
CLASS="command"
>dnssec-signzone</B
> before its signatures expire.</P
><P
>The public key for any security root must be present in
the configuration file's <B
CLASS="command"
>trusted-keys</B
>
statement, as described later in this document. These keys are the
trust anchors for validation, so they must be obtained through a
channel whose authenticity can be verified, not simply copied from
an unauthenticated DNS response, and they must be updated whenever
the corresponding zone key is replaced; a stale or incorrect trust
anchor causes validation of the whole subtree to fail. </P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect1"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><H1
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect1"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="AEN1017"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>4.9. IPv6 Support in <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User> 9</A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></H1
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="acronym"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>BIND</SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User> 9 fully supports all currently defined forms of IPv6
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User name to address and address to name lookups. It will also use
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User IPv6 addresses to make queries when running on an IPv6 capable
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User system.</P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>For forward lookups, <SPAN
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="acronym"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>BIND</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> 9 supports only AAAA
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User records. The use of A6 records is deprecated by RFC 3363, and the
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User support for forward lookups in <SPAN
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="acronym"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>BIND</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> 9 is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt removed accordingly.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt However, authoritative <SPAN
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="acronym"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>BIND</SPAN
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User> 9 name servers still
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt load zone files containing A6 records correctly, answer queries
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for A6 records, and accept zone transfer for a zone containing A6
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt records.</P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>For IPv6 reverse lookups, <SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> 9 supports
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User the traditional "nibble" format used in the
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="emphasis"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><I
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="emphasis"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>ip6.arpa</I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User> domain, as well as the older, deprecated
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User <SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="emphasis"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><I
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="emphasis"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>ip6.int</I
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User></SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User> domain.
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User <SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User> 9 formerly
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User supported the "binary label" (also known as "bitstring") format.
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User The support of binary labels, however, is now completely removed
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User according to the changes in RFC 3363.
 No application in <SPAN
CLASS="acronym"
>BIND</SPAN
> 9 understands
 the format any more, and each will return an error if given it.
 In particular, an authoritative <SPAN
CLASS="acronym"
>BIND</SPAN
> 9 name
 server refuses to load a zone file containing binary labels.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>For an overview of the format and structure of IPv6 addresses,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User see <A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserHREF="Bv9ARM.ch09.html#ipv6addresses"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Section A.2.1</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>.</P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect2"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><H2
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="sect2"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><A
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserNAME="AEN1035"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>4.9.1. Address Lookups Using AAAA Records</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></H2
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>The AAAA record is a parallel to the IPv4 A record. It
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User specifies the entire address in a single record. For
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User example,</P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><PRE
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="programlisting"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>&#13;$ORIGIN example.com.
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox Userhost 3600 IN AAAA 2001:4f8:201:1860:42::1
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User</PRE
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><P
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>It is recommended that IPv4-in-IPv6 mapped addresses not
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User be used. If a host has an IPv4 address, use an A record, not
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User a AAAA, with <TT
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="literal"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>::ffff:192.168.42.1</TT
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User> as the
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User address.</P
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User></DIV
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><DIV
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="sect2"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><H2
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="sect2"
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="AEN1041"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>4.9.2. Address to Name Lookups Using Nibble Format</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></H2
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><P
a24330c4805a224191ab687d0291963062fe3355Tinderbox User>When looking up an address in nibble format, the address
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User components are simply reversed, just as in IPv4, and
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User <TT
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="literal"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>ip6.arpa.</TT
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User> is appended to the resulting name.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User For example, the following would provide reverse name lookup for
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User a host with address
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User <TT
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox UserCLASS="literal"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>2001:4f8:201:1860:42::1</TT
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>.</P
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User><PRE
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox UserCLASS="programlisting"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>&#13;$ORIGIN 0.6.8.1.1.0.2.0.8.f.4.0.1.0.0.2.ip6.arpa.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User</PRE
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></DIV
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User></BODY
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User></HTML
2f161339d28f61a05dd92bbe01ce754e32e35addTinderbox User>