<!--
 - Bv9ARM.ch04.html (revision 6478b87fd23bcd3ab74c25b261021fe19a239c4f)
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;4.&nbsp;Advanced DNS Features</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569985">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570003">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570436">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570578">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570588">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570625">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570682">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570731">Errors</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570745">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570931">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570999">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571283">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571364">Configuring Servers</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611910">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611947">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563651">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563754">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563792">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563804">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563837">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563864">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563874">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563883">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563964">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564002">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564011">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611694">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611717">Authoritative Server</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666563">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611345">Native PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612040">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639081">PKCS#11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639117">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639472">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639520">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639584">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580060">Sample DLZ Driver</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571588">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571854">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571876">Address to Name Lookups Using Nibble Format</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
slave queries the master for the zone's SOA record, compares the serial
number with the one it already holds and, if the master's is newer,
initiates a zone transfer. A NOTIFY does not replace the transfer: the
slave only ever loads data it pulls from its configured masters, so a
forged NOTIFY can at most trigger an unnecessary SOA query.
For more information about <acronym class="acronym">DNS</acronym>
<span><strong class="command">NOTIFY</strong></span>, see the description of the
<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
the description of the zone option <span><strong class="command">also-notify</strong></span> in
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
protocol is specified in RFC 1996.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
cause <span><strong class="command">named</strong></span> to send <span><strong class="command">NOTIFY</strong></span> only for the master
zones that it loads.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
Dynamic Update is a method for adding, replacing or deleting
records in a master server by sending it a special form of DNS
message. The format and meaning of these messages are specified
Dynamic update is enabled by including an
<span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
clause in the <span><strong class="command">zone</strong></span> statement; the two are
mutually exclusive. <span><strong class="command">allow-update</strong></span> takes an
address match list. When that list names IP addresses rather than TSIG keys,
any update whose source address matches is accepted, and a source address
is trivial to forge. <span><strong class="command">update-policy</strong></span>
instead grants individual keys the right to change specific names and
record types.
If the zone's <span><strong class="command">update-policy</strong></span> is set to
<strong class="userinput"><code>local</code></strong>, updates to the zone
will be permitted for the key <code class="varname">local-ddns</code>,
which will be generated by <span><strong class="command">named</strong></span> at startup.
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
Dynamic updates using Kerberos signed requests can be made
using the TKEY/GSS protocol by setting either the
<span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
Kerberos signed requests will be matched against the update
policies for the zone, using the Kerberos principal as the
signer for the request.
Updating of secure zones (zones using DNSSEC) follows RFC
3007: RRSIG, NSEC and NSEC3 records affected by updates are
automatically regenerated by the server using an online
zone key. Update authorization is based on transaction
signatures and an explicit server policy.
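An address-based <span><strong class="command">allow-update</strong></span> placed beside a key-scoped <span><strong class="command">update-policy</strong></span>, as an added example; it is not part of this manual and not ISC's configuration. The zone name, key name and client address are assumed, and the secret is an all-zero placeholder that must be replaced by a freshly generated one. The two statements for <code class="filename">dyn.example.com</code> are alternatives; a real <code class="filename">named.conf</code> contains only one of them.

```conf
// Added example, not from the BIND ARM. Names and addresses are assumed.

key "dhcp-updater" {
    algorithm hmac-sha256;
    // placeholder (32 zero bytes): generate a real secret, and keep this
    // statement in an included file that is not world-readable
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Weak: authorization by source address. A datagram forged to come from
// 10.1.0.5 can add, replace or delete ANY record in the zone, SOA and NS
// included, with no key at all.
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.zone";
    allow-update { 10.1.0.5; };
};

// Better: the same zone, alternative statement. Every update must carry a
// valid TSIG signature by "dhcp-updater", and that key may only change A and
// AAAA records at or below dyn.example.com; SOA, NS, DNSKEY, MX and so on
// stay out of reach even if the key leaks.
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.zone";
    update-policy {
        // grant <identity> <nametype> <name> [<rr types>]
        grant dhcp-updater subdomain dyn.example.com. A AAAA;
    };
};

// A zone changed only from the host named runs on: updates must be signed
// with the local-ddns session key (nsupdate -l), which no remote client holds.
zone "local.example.com" {
    type master;
    file "local.example.com.zone";
    update-policy local;
};
```

A client then submits its changes with <span><strong class="command">nsupdate -k</strong></span> and the key file; anything unsigned, signed with another key, or touching a record type outside the grant is refused, and the refusal is logged with the signer's name, which is what makes the policy auditable.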
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
All changes made to a zone using dynamic update are stored
in the zone's journal file. This file is automatically created
by the server when the first dynamic update takes place.
The name of the journal file is formed by appending the extension
<code class="filename">.jnl</code> to the name of the
corresponding zone
file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
The server will also occasionally write ("dump")
the complete contents of the updated zone to its zone file.
This is not done immediately after
each dynamic update, because that would be too slow when a large
zone is updated frequently. Instead, the dump is delayed by
up to 15 minutes, allowing additional updates to take place.
During the dump process, transient files will be created
with the extensions <code class="filename">.jnw</code> and
<code class="filename">.jbk</code>; under ordinary circumstances, these
will be removed when the dump is complete, and can be safely ignored.
When a server is restarted after a shutdown or crash, it will replay
the journal file to incorporate into the zone any updates that took
place after the last zone dump. Back up the journal together with the
zone file: without it, a restore loses every update since the last dump.
Changes that result from incoming incremental zone transfers are
journalled in a similar way.
The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
dynamic changes; those are only in the journal file.
The ways to ensure that the zone file of a dynamic zone
is up to date are to stop the server with <span><strong class="command">rndc stop</strong></span>,
or to flush the journal into the zone file with
<span><strong class="command">rndc sync</strong></span> or
<span><strong class="command">rndc freeze</strong></span> as described below.
If you have to make changes to a dynamic zone
manually, the following procedure will work:
Disable dynamic updates to the zone using
<span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
This will update the zone's master file with the changes
stored in its <code class="filename">.jnl</code> file; while the zone is
frozen, incoming updates are refused, so keep the window short.
Edit the zone file. Run
<span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
to reload the changed zone and re-enable dynamic updates.
<span><strong class="command">rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
will update the zone file with changes from the journal file
without stopping dynamic updates; this may be useful for viewing
the current zone state. To remove the <code class="filename">.jnl</code>
file after updating the zone file, use
<span><strong class="command">rndc sync -clean</strong></span>.
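The freeze, edit, thaw procedure above, wrapped so that an edit which does not load can never be handed to <span><strong class="command">named</strong></span> and the zone is never left frozen. This is an added example, not ISC's code and not part of the manual. It assumes <span><strong class="command">rndc</strong></span> is already configured for the running server, that the zone file path is the one from the zone statement, and that the edit command you pass also bumps the SOA serial. The <code class="varname">RNDC</code> and <code class="varname">CHECKZONE</code> variables exist so the flow can be dry-run with stubs.

```sh
#!/bin/sh
# Added example (not from the BIND ARM): hand-edit a dynamic zone safely.
# Assumptions: rndc works against this named; the edit command modifies the
# file given as its last argument and bumps the SOA serial itself.
RNDC="${RNDC:-rndc}"
CHECKZONE="${CHECKZONE:-named-checkzone}"

# hand_edit_zone ZONE ZONEFILE EDIT_CMD [ARGS...]
#   1. rndc freeze   - stop accepting UPDATEs, flush the .jnl into ZONEFILE
#   2. run EDIT_CMD on a copy-backed ZONEFILE
#   3. named-checkzone - refuse a file that does not parse or load
#   4. rndc thaw     - reload the file and accept UPDATEs again
# On an edit or check failure the backup is restored before thawing, so
# named never loads a broken file and dynamic clients are not locked out.
hand_edit_zone() {
    zone=$1; file=$2; shift 2
    backup="$file.bak.$$"

    "$RNDC" freeze "$zone" || { echo "freeze of $zone failed" >&2; return 1; }
    cp "$file" "$backup"   || { "$RNDC" thaw "$zone"; return 1; }

    status=0
    if ! "$@" "$file"; then
        echo "edit command failed; restoring $file" >&2
        cp "$backup" "$file"; status=1
    elif ! "$CHECKZONE" -q "$zone" "$file"; then
        echo "$file does not load; restoring $file" >&2
        cp "$backup" "$file"; status=1
    fi

    # thaw on every path: a zone left frozen silently refuses all updates
    "$RNDC" thaw "$zone" || status=1
    rm -f "$backup"
    return $status
}

# Interactive use:
#   hand_edit_zone example.com /var/named/example.com.zone "${EDITOR:-vi}"
```

Because the check runs against the frozen, fully synced file, it also catches a serial that was not increased or a record that clashes with what the journal had added since the last dump.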
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
When acting as a master, <acronym class="acronym">BIND</acronym> 9
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR. For manually maintained master
zones, and for slave zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
<span><strong class="command">ixfr-from-differences</strong></span> is set
to <strong class="userinput"><code>yes</code></strong>.
When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
of the <span><strong class="command">server</strong></span> statement.
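A master/slave pair that puts the Notify section and this IXFR section into one configuration, as an added example; it is not from the manual and not ISC's configuration. Addresses are assumed: the master is 198.51.100.1, a slave listed in the zone's NS RRset is 192.0.2.53, and a stealth slave that is not in the NS RRset is 203.0.113.9.

```conf
// Added example for the Notify and IXFR sections; not from the BIND ARM.
// Addresses are assumed.

// ---- on the master, 198.51.100.1 ----
options {
    notify master-only;            // send NOTIFY for zones this server masters,
                                   // not for zones it is itself a slave for
    ixfr-from-differences yes;     // journal the diff whenever a hand-edited
                                   // zone file is reloaded, so slaves can IXFR
};

zone "example.com" {
    type master;
    file "example.com.zone";
    also-notify { 203.0.113.9; };  // NS RRset members are notified by default;
                                   // a stealth slave has to be listed here
    allow-transfer { 192.0.2.53; 203.0.113.9; };   // nobody else may AXFR/IXFR
};

// ---- on the slave, 192.0.2.53 ----
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";   // IXFR changes land in the .jnl beside it
    masters { 198.51.100.1; };
    allow-notify { none; };        // the masters above may always NOTIFY; refuse
                                   // every other source, so a stray NOTIFY from
                                   // the Internet cannot even cost an SOA query
                                   // (spoofing the master's address still can;
                                   // TSIG-sign NOTIFY if that matters)
    allow-transfer { none; };      // downstream slaves would be listed here
};

// Per-master override on the slave: force a full AXFR from one master,
// for instance while its incremental history is known to be broken.
server 198.51.100.1 {
    request-ixfr no;
};
```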
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569985"></a>Split DNS</h2></div></div></div>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
<span class="emphasis"><em>Split DNS</em></span> setup. There are several
reasons an organization would want to set up its DNS this way.
One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually useful.
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means, so hiding names reduces reconnaissance,
but is not an access control.
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistent view of itself
to the outside world.
Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff<div class="titlepage"><div><div><h3 class="title">
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff<a name="id2570003"></a>Example split DNS setup</h3></div></div></div>
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff has several corporate sites that have an internal network with
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff Internet Protocol (IP) space and an external demilitarized zone (DMZ),
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff or "outside" section of a network, that is available to the public.
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff to be able to resolve external hostnames and to exchange mail with
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff people on the outside. The company also wants its internal resolvers
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff to have access to certain internal-only zones that are not available
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff at all outside of the internal network.
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff In order to accomplish this, the company will set up two sets
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff of name servers. One set will be on the inside network (in the
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff IP space) and the other set will be on bastion hosts, which are
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff hosts that can talk to both sides of its network, in the DMZ.
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff The internal servers will be configured to forward all queries,
3740b569ae76295b941d57a724a43beb75b533baBob Halley except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff and <code class="filename">site2.example.com</code>, to the servers
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff DMZ. These internal servers will have complete sets of information
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff and <code class="filename">site2.internal</code>.
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff the internal name servers must be configured to disallow all queries
0c7244d35222b48c016e348bfa59234f6e1a8256Michael Graff to these domains from any external hosts, including the bastion
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff The external servers, which are on the bastion hosts, will
96e3bc37e6ef95fb9ab97f08b88900e1193c4ec2Michael Graff be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff This could include things such as the host records for public servers
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff should have special MX records that contain wildcard (`*') records
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff pointing to the bastion hosts. This is needed because external mail
3740b569ae76295b941d57a724a43beb75b533baBob Halley servers do not have any other way of looking up how to deliver mail
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence to those internal hosts. With the wildcard records, the mail will
6d05b41aaef2a56d8d806b2cbf3ab08a1b4990e6Michael Graff be delivered to the bastion host, which can then forward it on to
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff internal hosts.
9de9ae0839fd5c5f286a837f02fff4825cce12a2Michael Graff Here's an example of a wildcard MX record:
8871894f2d84b66c4e3e48e301b1e7bbe5d5833eMichael Graff<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.
</p>
<p>
Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.
</p>
<p>
In order for all this to work properly, internal clients will
need to be configured to query <span class="emphasis"><em>only</em></span> the internal
name servers for DNS queries. This could also be enforced via
filtering on the network.
</p>
<p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
Hosts on the Internet will be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
</ul></div>
<p>
Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
</p>
<p>
Internal DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
  forward only;
  // forward to external servers
  forwarders {
    <code class="varname">bastion-ips-go-here</code>;
  };
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // restrict query access
  allow-query { internals; externals; };
  // restrict recursion
  allow-recursion { internals; };
};

// sample master zone
zone "site1.example.com" {
  type master;
  file "zone-file-path-goes-here";
  // do normal iterative resolution (do not forward)
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  file "zone-file-path-goes-here";
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

zone "site1.internal" {
  type master;
  file "zone-file-path-goes-here";
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};

zone "site2.internal" {
  type slave;
  file "zone-file-path-goes-here";
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};
</pre>
<p>
External (bastion host) DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // default query access
  allow-query { any; };
  // restrict cache access
  allow-query-cache { internals; externals; };
  // restrict recursion
  allow-recursion { internals; externals; };
};

// sample master zone
zone "site1.example.com" {
  type master;
  file "zone-file-path-goes-here";
  allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  file "zone-file-path-goes-here";
  masters { another_bastion_host_maybe; };
  allow-transfer { internals; externals; };
};
</pre>
<p>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
</p>
<pre class="programlisting">
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
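<p>
The access policy in these two configurations is easy to get subtly wrong (an internal zone that answers externals, a transfer list left at its default, recursion opened to everyone). The following is an added example, not part of the ARM: it parses a <code class="filename">named.conf</code> fragment shaped like the internal server config above and flags those mistakes. The tokenizer, parser and check rules are this example's own, and the sample config is constructed here using the page's own placeholders.
</p>

```python
# Added example (not from the BIND ARM): audit the split-DNS access policy of a named.conf fragment.
import re


def tokenize(text):
    """Split named.conf text into tokens; '//' comments are dropped."""
    text = re.sub(r"//[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_block(tokens, i=0):
    """Parse 'words [{ body }] ;' statements until the matching '}' (or the end).
    Returns (statements, next_index); a statement is (words, body), body being None
    for a simple statement and a nested statement list for a block."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return stmts, i + 1
        if tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        elif tok == "{":
            body, i = parse_block(tokens, i + 1)
            stmts.append((words, body))
            words = []
            continue
        else:
            words.append(tok.strip('"'))
        i += 1
    return stmts, i


def match_list(body, name):
    """Values of an address-match-list statement such as allow-query { a; b; }."""
    for words, sub in body:
        if words and words[0] == name and sub is not None:
            return [w[0] for w, _ in sub]
    return None


def audit(conf_text):
    """Return policy findings for a split-DNS server config (empty list means OK)."""
    top, _ = parse_block(tokenize(conf_text))
    options = next((b for w, b in top if w[0] == "options"), [])
    zones = {w[1]: b for w, b in top if w[0] == "zone"}
    findings = []
    if match_list(options, "allow-transfer") != ["none"]:
        findings.append("options: allow-transfer should default to { none; }")
    if "any" in (match_list(options, "allow-recursion") or []):
        findings.append("options: allow-recursion { any; } makes this an open resolver")
    for name, body in zones.items():
        # A zone inherits the options value; assume 'any' if neither sets one.
        query = match_list(body, "allow-query") or match_list(options, "allow-query") or ["any"]
        xfer = match_list(body, "allow-transfer") or match_list(options, "allow-transfer") or ["any"]
        if name.endswith(".internal") and {"any", "externals"} & set(query):
            findings.append(f"zone {name}: internal names exposed by allow-query {query}")
        if "any" in xfer:
            findings.append(f"zone {name}: allow-transfer {{ any; }} lets anyone AXFR the zone")
    return findings


# Constructed input in the shape of the ARM's internal-server config; %s is the
# internal zone's allow-query list, so one weakening can be demonstrated.
SAMPLE_TEMPLATE = """
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };
options {
  allow-transfer { none; };
  allow-query { internals; externals; };
  allow-recursion { internals; };
};
zone "site1.internal" { type master; file "path-goes-here";
  allow-query { %s }; allow-transfer { internals; }; };
"""
```
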
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TSIG</h2></div></div></div>
<p>
This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
</p>
<p>
<acronym class="acronym">BIND</acronym> primarily supports TSIG for server
to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support.
</p>
<p>
TSIG can also be useful for dynamic update. A primary
server for a dynamic zone should control access to the dynamic
update service, but IP-based access control is insufficient.
The cryptographic access control provided by TSIG
is far superior. The <span><strong class="command">nsupdate</strong></span>
program supports TSIG via the <code class="option">-k</code> and
<code class="option">-y</code> command line options or inline by use
of the <span><strong class="command">key</strong></span>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570436"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570521"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is the digest
length, here 256 bits.
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
</p>
<p>
The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
Nothing directly uses this file, but the base-64 encoded string
can be extracted from the file and used as a shared secret:
</p>
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
<p>
The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
be used as the shared secret.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570560"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
the length is a multiple of 4 and only valid characters are used),
so the shared secret can be manually generated.
</p>
<p>
Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
a similar program to generate base-64 encoded data.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570578"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570588"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
</p>
<pre class="programlisting">
key host1-host2. {
  algorithm hmac-sha256;
  secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
<p>
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be
non-world readable, or the key directive be added to a non-world
readable file that is included by <code class="filename">named.conf</code>.
</p>
<p>
At this point, the key is recognized. This means that if the
server receives a message signed by this key, it can verify the
signature. If the signature is successfully verified, the
response is signed by the same key.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570625"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
10.1.2.3:
</p>
<pre class="programlisting">
server 10.1.2.3 {
  keys { host1-host2.; };
};
</pre>
<p>
Multiple keys may be present, but only the first is used.
This directive does not contain any secrets, so it may be in a
world-readable file.
</p>
<p>
If <span class="emphasis"><em>host1</em></span> sends a message that is a request
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
expect any responses to signed messages to be signed with the same
key.
</p>
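<p>
What the <code class="filename">named.conf</code> <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements above cause the servers to do on the wire, as an added example that is not from the ARM: build a request, sign it with the <code class="literal">host1-host2.</code> HMAC-SHA256 secret from the text following RFC 2845, and verify it on the peer, rejecting a wrong secret, a tampered message, or a time stamp outside the fudge window. The query builder and the minimal (uncompressed-name) parser are this example's own; the 16-byte decoded key also shows why <code class="option">-b 128</code> matters, and a hand-typed ASCII secret would have far less entropy than those random bits.
</p>

```python
# Added example (not from the BIND ARM): TSIG request signing and verification per RFC 2845 3.4.
import base64
import hashlib
import hmac
import struct

# Key name, algorithm and shared secret exactly as given in the ARM text above.
KEY_NAME = "host1-host2."
ALGORITHM = "hmac-sha256."
SECRET_B64 = "La/E5CjG9O+os1jq0a2jdA=="
TSIG_TYPE, CLASS_ANY, CLASS_IN = 250, 255, 1


def secret_key(secret_b64):
    return base64.b64decode(secret_b64)  # '-b 128' yields a 16-byte HMAC key


def wire_name(name):
    """Uncompressed, lower-cased (canonical) wire-format domain name."""
    labels = [lab.encode() for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def build_query(qname, qtype, msg_id):
    """Minimal unsigned query: 12-byte header (QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def tsig_variables(time_signed, fudge, error=0):
    """The 'TSIG variables' covered by the MAC (RFC 2845 3.4.2); other data is empty."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))


def tsig_sign(message, secret_b64, time_signed, fudge=300):
    """Return message with a TSIG RR appended; the MAC covers message + variables."""
    mac = hmac.new(secret_key(secret_b64), message + tsig_variables(time_signed, fudge),
                   hashlib.sha256).digest()
    original_id, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", message[:12])
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    # ARCOUNT is incremented only after the MAC is computed: the MAC covers the unsigned message.
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def _skip_name(buf, pos):
    while buf[pos]:  # uncompressed labels only
        pos += 1 + buf[pos]
    return pos + 1


def tsig_verify(signed, secret_b64, now):
    """Parse the trailing TSIG RR, recompute the MAC, check it and the time window."""
    _id, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(signed, pos) + 4
    tsig_start = pos  # assumes the TSIG RR is the only additional record
    pos = _skip_name(signed, pos)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    alg_end = _skip_name(signed, pos + 10)
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or signed[pos + 10:alg_end] != wire_name(ALGORITHM):
        return False  # BADKEY: not a TSIG RR or an unknown algorithm
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    original_id, error = struct.unpack("!HH", signed[alg_end + 10 + mac_size:][:4])
    # Rebuild the message as it was before signing: original ID, ARCOUNT - 1, no TSIG RR.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", arcount - 1) + signed[12:tsig_start]
    expected = hmac.new(secret_key(secret_b64), unsigned + tsig_variables(time_signed, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # BADSIG: wrong secret or a tampered message
    return abs(now - time_signed) <= fudge  # otherwise BADTIME
```
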
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
zone example.net {
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
and the <span><strong class="command">dnssec-*</strong></span> and <span><strong class="command">pkcs11-*</strong></span>
<span><strong class="command">dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8y.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
project (http://www.opendnssec.org) which provides a PKCS#11
$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
"sample-ksk" as the key-signing key for "example.net":
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
<a href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
this is accomplished by placing the PIN into the openssl.cnf file
The location of the openssl.cnf file can be overridden by
dynamically-linkable DLZ module--i.e., one which can be
"example.nil", which can answer queries and AXFR requests, and
example.nil. 1800 IN A 10.53.0.1
e.g., by providing different address records for a particular name
<a name="id2571588"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.