Bv9ARM.ch04.html revision 6478b87fd23bcd3ab74c25b261021fe19a239c4f
Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569985">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570003">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570436">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570578">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570588">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570625">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570682">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570731">Errors</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570745">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570931">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570999">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571283">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571364">Configuring Servers</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611910">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611947">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563651">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563754">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563792">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563804">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563837">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563864">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563874">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563883">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563964">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564002">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564011">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611694">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611717">Authoritative Server</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666563">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611345">Native PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612040">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639081">PKCS#11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639117">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639472">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639520">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639584">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580060">Sample DLZ Driver</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571588">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571854">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571876">Address to Name Lookups Using Nibble Format</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave queries the master's SOA record and, if the master's serial
 number is newer than its own, initiates a zone transfer.
 For more information about <acronym class="acronym">DNS</acronym>
 <span><strong class="command">NOTIFY</strong></span>, see the description of the
 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
 the description of the zone option <span><strong class="command">also-notify</strong></span> in
 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
 protocol is specified in RFC 1996.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
 zones that it loads. A slave acts only on <span><strong class="command">NOTIFY</strong></span>
 messages that come from the zone's configured masters or from addresses
 listed in <span><strong class="command">allow-notify</strong></span>; a
 <span><strong class="command">NOTIFY</strong></span> from any other source is refused.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages are specified
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement.
 An <span><strong class="command">allow-update</strong></span> list that matches on
 client addresses alone is weak, because the source address of a
 UDP request can be spoofed; restrict updates to a TSIG key, or use
 key-based <span><strong class="command">update-policy</strong></span> rules, so that
 authorization depends on possession of the shared secret.
 If the zone's <span><strong class="command">update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span><strong class="command">named</strong></span> at startup.
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
 Dynamic updates using Kerberos signed requests can be made
 using the TKEY/GSS protocol by setting either the
 <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
 by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
 and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
 Kerberos signed requests will be matched against the update
 policies for the zone, using the Kerberos principal as the
 signer for the request.
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. Update authorization is based on transaction
 signatures and an explicit server policy.
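 The authorization model just described, a transaction signature checked
 against the server's policy, in working code. This is an added example,
 not BIND's or ISC's code: it builds an RFC 2136 UPDATE that adds one A
 record, signs it with an hmac-sha256 TSIG as specified in RFC 8945, and
 then checks it the way a server would, returning the TSIG error name in
 the order the RFC prescribes (BADKEY, then BADSIG, then BADTIME). The key
 name <code class="literal">update-key.example.com.</code>, its secret, the
 zone and the address are constructed for illustration. The parser handles
 only uncompressed names, and the cap on the client's fudge value in
 <code class="literal">verify</code> is this example's own policy, not a
 protocol requirement.

```python
"""
TSIG-signed DNS UPDATE built and checked with the standard library only.
Added example, not BIND code. Wire formats follow RFC 2136 (UPDATE) and
RFC 8945 (TSIG); key name, secret, zone and address are constructed.
"""
import hashlib, hmac, secrets, struct, time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG = "hmac-sha256."                       # the algorithm identifier is a domain name

def wire_name(name):
    """Uncompressed wire-format name, lowercased (TSIG uses canonical form)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def read_name(buf, pos):
    """Parse an uncompressed name at pos; returns (name, position after it)."""
    parts = []
    while buf[pos]:
        n = buf[pos]
        if n & 0xC0:
            raise ValueError("compression pointers are outside this example")
        parts.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(parts) + ".", pos + 1

def rr(name, rtype, rclass, ttl, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, owner, ipv4, ttl=300, msg_id=None):
    """Unsigned UPDATE (opcode 5): zone section plus one 'add this A record' RR."""
    msg_id = secrets.randbelow(1 << 16) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # ZO PR UP AD
    zone_section = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + zone_section + rr(owner, TYPE_A, CLASS_IN, ttl, rdata)

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, key_name, secret, now=None, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, msg + tsig_variables(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return (msg[:10] + struct.pack("!H", arcount) + msg[12:]
            + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))

def verify(signed, keys, now=None, max_fudge=300):
    """Server-side check in RFC order: BADKEY, then BADSIG, then BADTIME.
    keys maps canonical key name to secret. Returns (accepted, status)."""
    now = int(time.time()) if now is None else now
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(zo):                      # zone section entries: name, type, class
        pos = read_name(signed, pos)[1] + 4
    last_rr = None
    for _ in range(pr + up + ad):            # walk every RR; TSIG must be the last one
        last_rr = pos
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    if ad == 0:
        return False, "unsigned"             # this server's policy: no key, no update
    key_name, p = read_name(signed, last_rr)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False, "unsigned"
    alg, p = read_name(signed, p + 10)       # skip type, class, TTL, RDLENGTH
    time_signed, p = int.from_bytes(signed[p:p + 6], "big"), p + 6
    fudge, mac_len = struct.unpack("!HH", signed[p:p + 4]); p += 4
    mac, p = signed[p:p + mac_len], p + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6]); p += 6
    other = signed[p:p + other_len]
    secret = keys.get(key_name)
    if secret is None or alg != ALG:
        return False, "BADKEY"
    # Rebuild what the signer MACed: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1)
                + signed[12:last_rr])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge,
                        error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    # Capping the client's fudge is this example's choice; it bounds the replay window.
    if abs(now - time_signed) > min(fudge, max_fudge):
        return False, "BADTIME"
    return True, "NOERROR"

if __name__ == "__main__":
    keys = {"update-key.example.com.": secrets.token_bytes(32)}   # constructed secret
    msg = build_update("example.com.", "host1.example.com.", "192.0.2.10")
    print(verify(sign(msg, "update-key.example.com.", keys["update-key.example.com."]), keys))
```

 Two details matter in practice. The MAC is compared with
 <code class="literal">hmac.compare_digest</code> rather than
 <code class="literal">==</code>, so a forged signature cannot be refined
 byte by byte from timing differences, and the time check happens only
 after the signature is known to be good, which is why BADTIME can itself
 be sent back signed. Replacing the address in the update section, or
 presenting a key name the server does not know, is rejected before the
 server ever looks at the zone's policy.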
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 During the dump process, transient files will be created
 with the extensions <code class="filename">.jnw</code> and
 <code class="filename">.jbk</code>; under ordinary circumstances, these
 will be removed when the dump is complete, and can be safely
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.
 Changes that result from incoming incremental zone transfers are
 journalled in a similar way.
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes — those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
 If you have to make changes to a dynamic zone
 manually, the following procedure will work:
 Disable dynamic updates to the zone using
 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will update the zone's master file with the changes
 stored in its <code class="filename">.jnl</code> file.
 Edit the zone file, increasing the SOA serial number so that
 slaves notice the change. Checking the edited file with
 <span><strong class="command">named-checkzone</strong></span> before thawing catches
 syntax errors before <span><strong class="command">named</strong></span> tries to reload it. Run
 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
 <span><strong class="command">rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
 will update the zone file with changes from the journal file
 without stopping dynamic updates; this may be useful for viewing
 the current zone state. To remove the <code class="filename">.jnl</code>
 file after updating the zone file, use
 <span><strong class="command">rndc sync -clean</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span><strong class="command">ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
 of the <span><strong class="command">server</strong></span> statement.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569985"></a>Split DNS</h2></div></div></div>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 private address space to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570003"></a>Example split DNS setup</h3></div></div></div>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 (<code class="literal">example.com</code>)
 has several corporate sites that have an internal network with
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 IP space) and the other set will be on bastion hosts, which are
 hosts that can talk to both sides of its network, in the DMZ.
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers in the
 DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion hosts.
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (*) records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
 Here's an example of a wildcard MX record:
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
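 Whether that wildcard actually answers a given MX query depends on the
 wildcard rules of RFC 1034 section 4.3.2 and RFC 4592, which the example
 below applies to a public zone built from the names used in this section.
 It is an added example, not BIND's code: the
 <code class="literal">Zone</code> class models only owner names, empty
 non-terminals and wildcard synthesis (no delegations, no DNSSEC), and the
 addresses are constructed documentation-range values. The point it makes
 is that the wildcard never applies to a name that already exists in the
 public zone. That includes the empty non-terminal
 <code class="literal">mx.example.com.</code> created by the
 <code class="literal">a.mx</code> and <code class="literal">b.mx</code>
 host names, so an unlisted name under it gets NXDOMAIN rather than the
 wildcard MX.

```python
"""
Wildcard synthesis as an authoritative server applies it (RFC 1034 section
4.3.2, RFC 4592). Added example, not BIND code. The zone is constructed from
the names used in this section; addresses are documentation-range values.
"""


def labels(name):
    return name.rstrip(".").lower().split(".")


def parent(name):
    """Immediate parent of a fully qualified name ('.' for a TLD)."""
    parts = labels(name)
    return ".".join(parts[1:]) + "." if len(parts) > 1 else "."


class Zone:
    def __init__(self, origin, records):
        """records: (owner, rtype, rdata) tuples; owners are relative to
        origin unless they end in '.', and '@' means the apex."""
        self.origin = origin.lower()
        self.rrsets = {}
        for owner, rtype, rdata in records:
            name = self.absolute(owner)
            self.rrsets.setdefault(name, {}).setdefault(rtype.upper(), []).append(rdata)
        # A name exists if it owns records or is an empty non-terminal:
        # an ancestor (inside the zone) of a name that owns records.
        self.existing = {self.origin}
        for name in self.rrsets:
            while name != self.origin:
                self.existing.add(name)
                name = parent(name)

    def absolute(self, owner):
        owner = owner.lower()
        if owner == "@":
            return self.origin
        return owner if owner.endswith(".") else owner + "." + self.origin

    def lookup(self, qname, qtype):
        """Return (status, rdata list). 'NODATA' is NOERROR with an empty
        answer; 'REFUSED' means the name is outside this zone."""
        qname, qtype = qname.lower(), qtype.upper()
        if qname != self.origin and not qname.endswith("." + self.origin):
            return "REFUSED", []
        if qname in self.existing:
            # Existing names (including empty non-terminals) never get
            # wildcard answers, even when they own no record of qtype.
            rrs = self.rrsets.get(qname, {}).get(qtype, [])
            return ("NOERROR" if rrs else "NODATA"), rrs
        encloser = parent(qname)              # closest encloser: nearest existing ancestor
        while encloser not in self.existing:
            encloser = parent(encloser)
        wildcard = "*." + encloser
        if wildcard not in self.rrsets:       # only the closest encloser's wildcard counts
            return "NXDOMAIN", []
        rrs = self.rrsets[wildcard].get(qtype, [])
        return ("NOERROR" if rrs else "NODATA"), rrs


# Public (bastion) view of example.com from this section, with the wildcard MX.
PUBLIC = Zone("example.com.", [
    ("@", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
    ("@", "NS", "ns1.example.com."),
    ("ns1", "A", "192.0.2.1"),
    ("www", "A", "192.0.2.10"),
    ("ftp", "A", "192.0.2.11"),
    ("external1", "A", "192.0.2.25"),
    ("a.mx", "A", "192.0.2.26"),           # creates the empty non-terminal mx.example.com.
    ("b.mx", "A", "192.0.2.27"),
    ("*", "MX", "10 external1.example.com."),
])


if __name__ == "__main__":
    for q in ("desk42.site1.example.com.", "www.example.com.",
              "mx.example.com.", "old.mx.example.com."):
        print(q, PUBLIC.lookup(q, "MX"))
```

 A sending MTA that receives NODATA for an MX query falls back to the
 host's A or AAAA record (RFC 5321 section 5.1), so a public host such as
 <code class="literal">www.example.com</code> that has an address record
 but no MX is delivered to directly, bypassing the bastion; give such
 hosts an explicit MX if their mail must go through the bastion.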
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Now that they accept mail on behalf of anything in the internal
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User network, the bastion hosts will need to know how to deliver mail
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User to internal hosts. In order for this to work properly, the resolvers
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User the bastion hosts will need to be configured to point to the internal
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User name servers for DNS resolution.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Queries for internal hostnames will be answered by the internal
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User servers, and queries for external hostnames will be forwarded back
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User out to the DNS servers on the bastion hosts.
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User In order for all this to work properly, internal clients will
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User need to be configured to query <span class="emphasis"><em>only</em></span> the internal
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User name servers for DNS queries. This could also be enforced via
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User filtering on the network.
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul>
 Hosts on the Internet will be able to:
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
</ul>
 Here is an example configuration for the setup we just
 described above. Note that this is only configuration information;
 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
 Internal DNS server config:
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { bastion-ips-go-here; };

options {
    forward only;
    // forward to external servers
    forwarders {
        bastion-ips-go-here;
    };
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion
    allow-recursion { internals; };
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "zone-file-goes-here";
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "zone-file-goes-here";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {
    type master;
    file "zone-file-goes-here";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {
    type slave;
    file "zone-file-goes-here";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</pre>
 External (bastion host) DNS server config:
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { bastion-ips-go-here; };

options {
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // default query access
    allow-query { any; };
    // restrict cache access
    allow-query-cache { internals; externals; };
    // restrict recursion
    allow-recursion { internals; externals; };
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "zone-file-goes-here";
    allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "zone-file-goes-here";
    masters { another_bastion_host_maybe; };
    allow-transfer { internals; externals; };
};
</pre>
 In the <code class="filename">resolv.conf</code> (or equivalent) on
 the bastion host(s):
<pre class="programlisting">
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
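 The configuration above encodes an access policy, and the two outcome lists state what that policy is meant to achieve. The Python model below is an added example, not text from the ARM or code from BIND: it re-implements only the decisions the configuration exercises (address-match-list lookup, the options-level allow-query, allow-recursion and allow-query-cache, and the zone-level allow-query and allow-transfer) so the stated outcomes can be checked from sample client addresses. The bastion addresses 203.0.113.10/11 and the Internet client 198.51.100.7 are constructed placeholders for "bastion-ips-go-here" and for an arbitrary outside host.

```python
import ipaddress

# Address match lists from the configuration above. The bastion addresses are
# constructed placeholders standing in for "bastion-ips-go-here".
ACLS = {
    "internals": ["172.16.72.0/24", "192.168.1.0/24"],
    "externals": ["203.0.113.10", "203.0.113.11"],
    "any": ["0.0.0.0/0"],
    "none": [],
}


def acl_matches(client, entries):
    """Address-match-list lookup: the first element that matches decides,
    a leading '!' negates that element, and a bare word names another acl."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!").strip()
        if name in ACLS:
            hit = acl_matches(client, ACLS[name])
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


# Internal server: the options-level lists plus the four zones it serves.
INTERNAL = {
    "allow-query": ["internals", "externals"],
    "allow-recursion": ["internals"],
    "zones": {
        "site1.example.com": {"allow-query": ["internals", "externals"],
                              "allow-transfer": ["internals"]},
        "site2.example.com": {"allow-query": ["internals", "externals"],
                              "allow-transfer": ["internals"]},
        "site1.internal": {"allow-query": ["internals"],
                           "allow-transfer": ["internals"]},
        "site2.internal": {"allow-query": ["internals"],
                           "allow-transfer": ["internals"]},
    },
}

# Bastion-host server: public zones only; its zones inherit allow-query { any; }.
EXTERNAL = {
    "allow-query": ["any"],
    "allow-query-cache": ["internals", "externals"],
    "allow-recursion": ["internals", "externals"],
    "zones": {
        "site1.example.com": {"allow-transfer": ["internals", "externals"]},
        "site2.example.com": {"allow-transfer": ["internals", "externals"]},
    },
}


def zone_for(server, qname):
    """Closest enclosing zone the server is authoritative for, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in server["zones"]:
            return candidate
    return None


def query(server, client, qname):
    """Outcome of a query with recursion desired: 'answer' from the server's
    own zone data, 'recurse' (resolved or forwarded on the client's behalf),
    or 'refused'. A zone-level allow-query overrides the options-level list;
    allow-query-cache falls back to allow-recursion when it is not set."""
    zone = zone_for(server, qname)
    if zone is not None:
        acl = server["zones"][zone].get("allow-query", server["allow-query"])
        return "answer" if acl_matches(client, acl) else "refused"
    cache_acl = server.get("allow-query-cache", server["allow-recursion"])
    needed = ["allow-query", "allow-recursion"]
    if all(acl_matches(client, server[k]) for k in needed) and acl_matches(client, cache_acl):
        return "recurse"
    return "refused"


def transfer(server, client, zone):
    """Outcome of a zone transfer (AXFR/IXFR) request for `zone`."""
    cfg = server["zones"].get(zone)
    if cfg is None:
        return "refused"
    return "allowed" if acl_matches(client, cfg["allow-transfer"]) else "refused"
```

 With bastion addresses outside the internals ranges, as the placeholders are, the model also shows the internal server refusing the bastion hosts both on the internal-only zones and for recursion; for the resolv.conf arrangement above to work, the bastion addresses must appear in those lists or lie inside the internals ranges.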
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
 This is a short guide to setting up Transaction SIGnatures
 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
 to server communication.
 This includes zone transfer, notify, and recursive query messages.
 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
 TSIG can also be useful for dynamic update. A primary
 server for a dynamic zone should control access to the dynamic
 update service, but IP-based access control is insufficient.
 The cryptographic access control provided by TSIG
 is far superior. The <span><strong class="command">nsupdate</strong></span>
 program supports TSIG via the <code class="option">-k</code> and
 <code class="option">-y</code> command line options or inline by use
 of the <span><strong class="command">key</strong></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570436"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570521"></a>Automatic Generation</h4></div></div></div>
 The following command will generate a 128-bit (16 byte) HMAC-SHA256
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is the digest
 length, here 256 bits.
<pre class="programlisting"><strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong></pre>
 The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
 Nothing directly uses this file, but the base-64 encoded string
 following "<code class="literal">Key:</code>"
 can be extracted from the file and used as a shared secret:
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
 be used as the shared secret.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570560"></a>Manual Generation</h4></div></div></div>
 The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
 so the shared secret can be manually generated.
 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
 a similar program to generate base-64 encoded data.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570578"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570588"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
 are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
<pre class="programlisting">
key host1-host2. {
  algorithm hmac-sha256;
  secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
 The secret is the one generated above. Since this is a secret, it
 is recommended that either <code class="filename">named.conf</code> be
 non-world readable, or the key directive be added to a non-world
 readable file that is included by <code class="filename">named.conf</code>.
 At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
 signature. If the signature is successfully verified, the
 response is signed by the same key.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570625"></a>Instructing the Server to Use the Key</h3></div></div></div>
 Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3:
<pre class="programlisting">
server 10.1.2.3 {
  keys { host1-host2. ;};
};
</pre>
 Multiple keys may be present, but only the first is used.
 This directive does not contain any secrets, so it may be in a
 world-readable file.
 If <span class="emphasis"><em>host1</em></span> sends a message that is a request
 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
 expect any responses to signed messages to be signed with the same
 key.
 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
 sign request messages to <span class="emphasis"><em>host1</em></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570682"></a>TSIG Key Based Access Control</h3></div></div></div>
 <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
 to be specified in ACL
 definitions and
 <span><strong class="command">allow-{ query | transfer | update }</strong></span> directives.
 This has been extended to allow TSIG keys also. The above key would
 be denoted <span><strong class="command">key host1-host2.</strong></span>
 An example of an <span><strong class="command">allow-update</strong></span> directive would be:
<pre class="programlisting">allow-update { key host1-host2. ;};</pre>
 This allows dynamic updates to succeed only if the request
 was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
 the more flexible <span><strong class="command">update-policy</strong></span> statement.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570731"></a>Errors</h3></div></div></div>
 The processing of TSIG signed messages can result in
 several errors. If a signed message is sent to a non-TSIG aware
 server, a FORMERR (format error) will be returned, since the server will not
 understand the record. This is a result of misconfiguration,
 since the server must be explicitly configured to send a TSIG
 signed message to a specific server.
 If a TSIG aware server receives a message signed by an
 unknown key, the response will be unsigned with the TSIG
 extended error code set to BADKEY. If a TSIG aware server
 receives a message with a signature that does not validate, the
 response will be unsigned with the TSIG extended error code set
 to BADSIG. If a TSIG aware server receives a message with a time
 outside of the allowed range, the response will be signed with
 the TSIG extended error code set to BADTIME, and the time values
 will be adjusted so that the response can be successfully
 verified. In any of these cases, the message's rcode (response code) is set to
 NOTAUTH (not authenticated).
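 The key-generation steps and the Errors section together describe a small state machine: the secret is random bits in base-64 (at most the digest length), both hosts carry it in a key stanza, and the verifier distinguishes an unknown key, a bad signature and a stale timestamp. The Python below is an added example, not BIND's code: it implements that logic over a simplified signed-data layout (message, key name, time, fudge) rather than the RFC 2845 wire format, reuses the page's key name host1-host2. and its secret, and takes the numeric codes (rcode NOTAUTH 9; TSIG errors BADSIG 16, BADKEY 17, BADTIME 18) from the RFCs rather than from this page.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
import struct

# Codes from RFC 2845 (TSIG error field) and RFC 1035 (rcode); standard values,
# not quoted on the page.
RCODE_NOERROR, RCODE_NOTAUTH = 0, 9
TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 16, 17, 18
DEFAULT_FUDGE = 300  # seconds of clock skew tolerated; named's default


def generate_secret(bits=128):
    """Random secret of `bits` bits, base-64 encoded like the Key: line that
    dnssec-keygen writes. For HMAC-SHA256 the key is capped at the 256-bit digest."""
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("bits must be a multiple of 8 between 8 and 256")
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def secret_bits(secret):
    """Key length in bits of a base-64 secret (decodes it to find out)."""
    return 8 * len(base64.b64decode(secret, validate=True))


def valid_secret(secret):
    """Manual-generation check: length a multiple of 4, base-64 alphabet only,
    and padding consistent with the length."""
    if len(secret) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", secret):
        return False
    try:
        base64.b64decode(secret, validate=True)
    except binascii.Error:
        return False
    return True


def key_statement(name, secret, algorithm="hmac-sha256"):
    """The named.conf key stanza both hosts must carry (keep it non-world-readable)."""
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def _mac(secret, message, key_name, time_signed, fudge):
    # Simplified signed data: message || key name || time || fudge. Real TSIG
    # (RFC 2845) covers the wire-format DNS message plus the TSIG variables.
    data = message + key_name.lower().encode() + struct.pack("!QH", time_signed, fudge)
    return hmac.new(base64.b64decode(secret), data, hashlib.sha256).digest()


def sign(message, key_name, secret, now, fudge=DEFAULT_FUDGE):
    """Requester side (host1): the TSIG fields attached to an outgoing message."""
    return {"key": key_name, "time_signed": now, "fudge": fudge,
            "mac": _mac(secret, message, key_name, now, fudge)}


def verify(message, tsig, known_keys, now):
    """Responder side (host2). Returns (rcode, tsig_error, response_is_signed),
    following the Errors section: an unknown key gives BADKEY and a bad MAC
    gives BADSIG, both with an unsigned response; a clock outside the fudge
    window gives BADTIME with a signed response. Each sets rcode NOTAUTH."""
    secret = known_keys.get(tsig["key"])
    if secret is None:
        return RCODE_NOTAUTH, TSIG_BADKEY, False
    expected = _mac(secret, message, tsig["key"], tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):  # constant-time compare
        return RCODE_NOTAUTH, TSIG_BADSIG, False
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return RCODE_NOTAUTH, TSIG_BADTIME, True
    return RCODE_NOERROR, 0, True
```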
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570745"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
 is a mechanism for automatically generating a shared secret
 between two hosts. There are several "modes" of
 <span><strong class="command">TKEY</strong></span> that specify how the key is generated
 or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
 these modes, the Diffie-Hellman key exchange. Both hosts are
 required to have a Diffie-Hellman KEY record (although this
 record is not required to be present in a zone). The
 <span><strong class="command">TKEY</strong></span> process must use signed messages,
 signed either by TSIG or SIG(0). The result of
 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
 used to delete shared secrets that it had previously generated.</p>
<p>
 The <span><strong class="command">TKEY</strong></span> process is initiated by a client
 or server by sending a signed <span><strong class="command">TKEY</strong></span> query
 (including any appropriate KEYs) to a TKEY-aware server. The
 server response, if it indicates success, will contain a
 <span><strong class="command">TKEY</strong></span> record and any appropriate keys. After
 this exchange, both participants have enough information to
 determine the shared secret; the exact process depends on the
 <span><strong class="command">TKEY</strong></span> mode. When using the
 Diffie-Hellman
 <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
 and the shared secret is derived by both participants.</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570931"></a>SIG(0)</h2></div></div></div>
 <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
 transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0)
 uses public/private keys to authenticate messages. Access control
 is performed in the same manner as TSIG keys; privileges can be
 granted or denied based on the key name.
 When a SIG(0) signed message is received, it will only be
 verified if the key is known and trusted by the server; the server
 will not attempt to locate and/or validate the key.
 SIG(0) signing of multiple-message TCP streams is not supported.
 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
 Cryptographic authentication of DNS information is possible
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
zone example.net {
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
and the <span><strong class="command">dnssec-*</strong></span> and <span><strong class="command">pkcs11-*</strong></span>
<span><strong class="command">dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
$ <strong class="userinput"><code>wget <a href="http://www.openssl.org/source/openssl-0.9.8y.tar.gz" target="_top">http://www.openssl.org/source/openssl-0.9.8y.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
project (http://www.opendnssec.org) which provides a PKCS#11
$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
"sample-ksk" as the key-signing key for "example.net":
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
<a href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
this is accomplished by placing the PIN into the openssl.cnf file
The location of the openssl.cnf file can be overridden by
dynamically-linkable DLZ module--i.e., one which can be
"example.nil", which can answer queries and AXFR requests, and
example.nil. 1800 IN A 10.53.0.1
e.g., by providing different address records for a particular name
<a name="id2571588"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.