Bv9ARM.ch04.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - This Source Code Form is subject to the terms of the Mozilla Public
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - License, v. 2.0. If a copy of the MPL was not distributed with this
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - file, You can obtain one at http://mozilla.org/MPL/2.0/.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h1></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin servers to notify their slave servers of changes to a zone's data. In
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin slave will check to see that its version of the zone is the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin current version and, if not, initiate a zone transfer.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin For more information about <acronym class="acronym">DNS</acronym>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>NOTIFY</strong></span>, see the description of the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the description of the zone option <span class="command"><strong>also-notify</strong></span> in
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin protocol is specified in RFC 1996.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin zones that it loads.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Dynamic Update is a method for adding, replacing or deleting
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin records in a master server by sending it a special form of DNS
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin messages. The format and meaning of these messages is specified
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin in RFC 2136.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Dynamic update is enabled by including an
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin clause in the <span class="command"><strong>zone</strong></span> statement.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If the zone's <span class="command"><strong>update-policy</strong></span> is set to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <strong class="userinput"><code>local</code></strong>, updates to the zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin will be permitted for the key <code class="varname">local-ddns</code>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin which will be generated by <span class="command"><strong>named</strong></span> at startup.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Dynamic updates using Kerberos signed requests can be made
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Kerberos signed requests will be matched against the update
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin policies for the zone, using the Kerberos principal as the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin signer for the request.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Updating of secure zones (zones using DNSSEC) follows RFC
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin 3007: RRSIG, NSEC and NSEC3 records affected by updates are
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin automatically regenerated by the server using an online
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin zone key. Update authorization is based on transaction
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin signatures and an explicit server policy.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="journal"></a>The journal file</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin All changes made to a zone using dynamic update are stored
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin in the zone's journal file. This file is automatically created
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin by the server when the first dynamic update takes place.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The name of the journal file is formed by appending the extension
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin corresponding zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin file unless specifically overridden. The journal file is in a
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin binary format and should not be edited manually.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The server will also occasionally write ("dump")
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the complete contents of the updated zone to its zone file.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin This is not done immediately after
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin each dynamic update, because that would be too slow when a large
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin zone is updated frequently. Instead, the dump is delayed by
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin up to 15 minutes, allowing additional updates to take place.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin During the dump process, transient files will be created
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin with the extensions <code class="filename">.jnw</code> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <code class="filename">.jbk</code>; under ordinary circumstances, these
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin will be removed when the dump is complete, and can be safely
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin When a server is restarted after a shutdown or crash, it will replay
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the journal file to incorporate into the zone any updates that
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin place after the last zone dump.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Changes that result from incoming incremental zone transfers are
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin journalled in a similar way.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The zone files of dynamic zones cannot normally be edited by
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin hand because they are not guaranteed to contain the most recent
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin dynamic changes — those are only in the journal file.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The only way to ensure that the zone file of a dynamic zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If you have to make changes to a dynamic zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin manually, the following procedure will work:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Disable dynamic updates to the zone using
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin This will update the zone's master file with the changes
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Edit the zone file. Run
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to reload the changed zone and re-enable dynamic updates.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin will update the zone file with changes from the journal file
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin without stopping dynamic updates; this may be useful for viewing
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the current zone state. To remove the <code class="filename">.jnl</code>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin file after updating the zone file, use
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>rndc sync -clean</strong></span>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The incremental zone transfer (IXFR) protocol is a way for
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin slave servers to transfer only changed data, instead of having to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin transfer the entire zone. The IXFR protocol is specified in RFC
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin When acting as a master, <acronym class="acronym">BIND</acronym> 9
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin supports IXFR for those zones
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin where the necessary change history information is available. These
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin include master zones maintained by dynamic update and slave zones
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin whose data was obtained by IXFR. For manually maintained master
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin zones, and for slave zones obtained by performing a full zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin transfer (AXFR), IXFR is supported only if the option
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>ixfr-from-differences</strong></span> is set
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to <strong class="userinput"><code>yes</code></strong>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin attempt to use IXFR unless
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin it is explicitly disabled. For more information about disabling
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin of the <span class="command"><strong>server</strong></span> statement.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="split_dns"></a>Split DNS</h2></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Setting up different views, or visibility, of the DNS space to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin internal and external resolvers is usually referred to as a
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="emphasis"><em>Split DNS</em></span> setup. There are several
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin reasons an organization would want to set up its DNS this way.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin One common reason for setting up a DNS system this way is
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to hide "internal" DNS information from "external" clients on the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Internet. There is some debate as to whether or not this is actually
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Internal DNS information leaks out in many ways (via email headers,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin for example) and most savvy "attackers" can find the information
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin they need using other means.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin However, since listing addresses of internal servers that
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin external clients cannot possibly reach can result in
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin connection delays and other annoyances, an organization may
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin choose to use a Split DNS to present a consistent view of itself
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to the outside world.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Another common reason for setting up a Split DNS system is
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to allow internal networks that are behind filters or in RFC 1918
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin space (reserved IP space, as documented in RFC 1918) to resolve DNS
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin on the Internet. Split DNS can also be used to allow mail from outside
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin back in to the internal network.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin has several corporate sites that have an internal network with
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Internet Protocol (IP) space and an external demilitarized zone (DMZ),
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin or "outside" section of a network, that is available to the public.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to be able to resolve external hostnames and to exchange mail with
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin people on the outside. The company also wants its internal resolvers
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to have access to certain internal-only zones that are not available
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin at all outside of the internal network.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin In order to accomplish this, the company will set up two sets
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin of name servers. One set will be on the inside network (in the
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz IP space) and the other set will be on bastion hosts, which are
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz hosts that can talk to both sides of its network, in the DMZ.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The internal servers will be configured to forward all queries,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz and <code class="filename">site2.example.com</code>, to the servers
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin DMZ. These internal servers will have complete sets of information
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin and <code class="filename">site2.internal</code>.
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the internal name servers must be configured to disallow all queries
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to these domains from any external hosts, including the bastion
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The external servers, which are on the bastion hosts, will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin This could include things such as the host records for public servers
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin should have special MX records that contain wildcard (`*') records
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin pointing to the bastion hosts. This is needed because external mail
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin servers do not have any other way of looking up how to deliver mail
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to those internal hosts. With the wildcard records, the mail will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be delivered to the bastion host, which can then forward it on to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin internal hosts.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Here's an example of a wildcard MX record:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Now that they accept mail on behalf of anything in the internal
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin network, the bastion hosts will need to know how to deliver mail
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to internal hosts. In order for this to work properly, the resolvers
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the bastion hosts will need to be configured to point to the internal
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin name servers for DNS resolution.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Queries for internal hostnames will be answered by the internal
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin servers, and queries for external hostnames will be forwarded back
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin out to the DNS servers on the bastion hosts.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin In order for all this to work properly, internal clients will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin need to be configured to query <span class="emphasis"><em>only</em></span> the internal
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin name servers for DNS queries. This could also be enforced via
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin filtering on the network.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin internal clients will now be able to:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Look up any hostnames in the <code class="literal">site1</code>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Look up any hostnames in the <code class="literal">site1.internal</code> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<li class="listitem">Look up any hostnames on the Internet.</li>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<li class="listitem">Exchange mail with both internal and external people.</li>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Hosts on the Internet will be able to:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Look up any hostnames in the <code class="literal">site1</code>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Exchange mail with anyone in the <code class="literal">site1</code> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Here is an example configuration for the setup we just
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin described above. Note that this is only configuration information;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Internal DNS server config:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinacl externals { <code class="varname">bastion-ips-go-here</code>; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forward only;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // forward to external servers
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forwarders {
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // sample allow-transfer (no one)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { none; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // restrict query access
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // restrict recursion
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-recursion { internals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin// sample master zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type master;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // do normal iterative resolution (do not forward)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forwarders { };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin// sample slave zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type slave;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin masters { 172.16.72.3; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forwarders { };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type master;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forwarders { };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { internals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; }
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type slave;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin masters { 172.16.72.3; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin forwarders { };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { internals };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; }
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin External (bastion host) DNS server config:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinacl externals { bastion-ips-go-here; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // sample allow-transfer (no one)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { none; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // default query access
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query { any; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // restrict cache access
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-query-cache { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin // restrict recursion
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-recursion { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin// sample slave zone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type master;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; externals; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin type slave;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin masters { another_bastion_host_maybe; };
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin allow-transfer { internals; externals; }
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin In the <code class="filename">resolv.conf</code> (or equivalent) on
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the bastion host(s):
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinnameserver 172.16.72.2
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinnameserver 172.16.72.3
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinnameserver 172.16.72.4
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin messages, originally specified in RFC 2845. It allows DNS messages
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to be cryptographically signed using a shared secret. TSIG can
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be used in any DNS transaction, as a way to restrict access to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin certain server functions (e.g., recursive queries) to authorized
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin clients when IP-based access control is insufficient or needs to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be overridden, or as a way to ensure message authenticity when it
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin is critical to the integrity of the server, such as with dynamic
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin UPDATE messages or zone transfers from a master to a slave server.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin It describes the configuration syntax and the process of creating
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TSIG keys.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin communication, and some of the tools included with
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <acronym class="acronym">BIND</acronym> support it for sending messages to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <code class="option">-k</code>, <code class="option">-l</code> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <code class="option">-y</code> command line options, or via
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the <span class="command"><strong>key</strong></span> command when running
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin interactively.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <code class="option">-k</code> and <code class="option">-y</code> command
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin line options.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin command; the output of the command is a <span class="command"><strong>key</strong></span> directive
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin suitable for inclusion in <code class="filename">named.conf</code>. The
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin key name, algorithm and size can be specified by command line parameters;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Any string which is a valid DNS name can be used as a key name.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin For example, a key to be shared between servers called
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be called "host1-host2.", and this key could be generated using:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin $ tsig-keygen host1-host2. > host1-host2.key
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin This key may then be copied to both hosts. The key name and secret
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin must be identical on both hosts.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (Note: copying a shared secret from one server to another is beyond
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the scope of the DNS. A secure transport mechanism should be used:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin secure FTP, SSL, ssh, telephone, encrypted email, etc.)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>tsig-keygen</strong></span> can also be run as
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin additional configuration text for setting up dynamic DNS in
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>named</strong></span>. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin for details.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin For a key shared between servers called
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the following could be added to each server's
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinkey "host1-host2." {
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin algorithm hmac-sha256;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (This is the same key generated above using
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>tsig-keygen</strong></span>.)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Since this text contains a secret, it
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin is recommended that either <code class="filename">named.conf</code> not be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin world-readable, or that the <span class="command"><strong>key</strong></span> directive
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin be stored in a file which is not world-readable, and which is
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin included in <code class="filename">named.conf</code> via the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>include</strong></span> directive.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Once a key has been added to <code class="filename">named.conf</code> and the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin server has been restarted or reconfigured, the server can recognize
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the key. If the server receives a message signed by the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin key, it will be able to verify the signature. If the signature
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin is valid, the response will be signed using the same key.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TSIG keys that are known to a server can be listed using the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin command <span class="command"><strong>rndc tsig-list</strong></span>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin A server sending a request to another server must be told whether
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to use a key, and if so, which key to use.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin For example, a key may be specified for each server in the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>masters</strong></span> statement in the definition of a
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin slave zone; in this case, all SOA QUERY messages, NOTIFY
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin messages, and zone transfer requests (AXFR or IXFR) will be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin signed using the specified key. Keys may also be specified
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin in the <span class="command"><strong>also-notify</strong></span> statement of a master
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin or slave zone, causing NOTIFY messages to be signed using
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the specified key.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Keys can also be specified in a <span class="command"><strong>server</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin signed using the <span class="command"><strong>host1-host2.</strong></span> key:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinserver 10.1.2.3 {
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin keys { host1-host2. ;};
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statement, but only the first one is used. As this directive does
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin not contain secrets, it can be used in a world-readable file.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin would <span class="emphasis"><em>not</em></span> be signed, unless a similar
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin configuration file.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Whenever any server sends a TSIG-signed DNS request, it will expect
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the response to be signed with the same key. If a response is not
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin signed, or if the signature is not valid, the response will be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TSIG keys may be specified in ACL definitions and ACL directives
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin and <span class="command"><strong>allow-update</strong></span>.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The above key would be denoted in an ACL element as
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>key host1-host2.</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin An example of an <span class="command"><strong>allow-update</strong></span> directive using
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin a TSIG key:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinallow-update { !{ !localnets; any; }; key host1-host2. ;};
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin This allows dynamic updates to succeed only if the UPDATE
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin request comes from an address in <span class="command"><strong>localnets</strong></span>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="emphasis"><em>and</em></span> if it is signed using the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin <span class="command"><strong>host1-host2.</strong></span> key.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the more flexible <span class="command"><strong>update-policy</strong></span> statement.
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin<div class="titlepage"><div><div><h3 class="title">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Processing of TSIG-signed messages can result in several errors:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If a TSIG-aware server receives a message signed by an
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin unknown key, the response will be unsigned, with the TSIG
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin extended error code set to BADKEY.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If a TSIG-aware server receives a message from a known key
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin but with an invalid signature, the response will be unsigned,
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin with the TSIG extended error code set to BADSIG.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If a TSIG-aware server receives a message with a time
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin outside of the allowed range, the response will be signed, with
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin the TSIG extended error code set to BADTIME, and the time values
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin will be adjusted so that the response can be successfully
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin In all of the above cases, the server will return a response code
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin of NOTAUTH (not authenticated).
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="titlepage"><div><div><h2 class="title" style="clear: both">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin TKEY (Transaction KEY) is a mechanism for automatically negotiating
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin a shared secret between two hosts, originally specified in RFC 2930.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin There are several TKEY "modes" that specify how a key is to be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin one of these modes: Diffie-Hellman key exchange. Both hosts are
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin required to have a KEY record with algorithm DH (though this
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin record is not required to be present in a zone).
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The TKEY process is initiated by a client or server by sending
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin a query of type TKEY to a TKEY-aware server. The query must include
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin an appropriate KEY record in the additional section, and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin must be signed using either TSIG or SIG(0) with a previously
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin established key. The server's response, if successful, will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin contain a TKEY record in its answer section. After this transaction,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin both participants will have enough information to calculate a
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin shared secret using Diffie-Hellman key exchange. The shared secret
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin can then be used by to sign subsequent transactions between the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin two servers.
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
zone example.net {
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
<a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
<span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
$ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
<span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
"sample-ksk" as the key-signing key for "example.net":
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
<a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
this is accomplished by placing the PIN into the openssl.cnf file
The location of the openssl.cnf file can be overridden by
Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
"dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
dynamically-linkable DLZ module--i.e., one which can be
"example.nil", which can answer queries and AXFR requests, and
example.nil. 1800 IN A 10.53.0.1
e.g., by providing different address records for a particular name
(see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
<a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
dyndb example "driver.so" {
"example.nil", which can answer queries and AXFR requests, and
example.nil. 86400 IN A 127.0.0.1
whether the updated RR is an address (i.e., type A or AAAA) and if
zone "catalog.example"
means <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
catalog.example. IN SOA . . 2016022901 900 600 86400 1
catalog.example. IN NS nsexample.
version.catalog.example. IN TXT "1"
Global options are set at the apex of the catalog zone, e.g.:
masters.catalog.example. IN AAAA 2001:db8::1
masters.catalog.example. IN A 192.0.2.1
label.masters.catalog.example. IN A 192.0.2.2
label.masters.catalog.example. IN TXT "tsig_key_name"
label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.