Bv9ARM.ch04.html revision 65f32cd8bf0924a9d7b7fde03d1a45407dc6f422
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
<div class="toc"><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569819">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569906">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570544">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570617">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570628">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570664">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570722">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570771">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570785">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570834">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571038">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571117">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571267">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610405">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610442">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563579">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563751">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563788">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563801">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583427">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583453">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583463">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583473">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583485">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583523">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2583532">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610053">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610075">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610357">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610499">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571627">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571757">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571779">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer.
</p>
<p>
 For more information about <acronym class="acronym">DNS</acronym>
 <span><strong class="command">NOTIFY</strong></span>, see the description of the
 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
 the description of the zone option <span><strong class="command">also-notify</strong></span> in
 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
 protocol is specified in RFC 1996.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
 zones that it loads.
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages is specified
 in RFC 2136.
</p>
<p>
 Dynamic update is enabled by including an
 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
 clause in the <span><strong class="command">zone</strong></span> statement.
</p>
<p>
 If the zone's <span><strong class="command">update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span><strong class="command">named</strong></span> at startup.
 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
</p>
<p>
 Dynamic updates using Kerberos signed requests can be made
 using the TKEY/GSS protocol by setting either the
 <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
 by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
 and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
 Kerberos signed requests will be matched against the update
 policies for the zone, using the Kerberos principal as the
 signer for the request.
</p>
<p>
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. Update authorization is based on transaction
 signatures and an explicit server policy.
</p>
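<p>
 The two request types described above, NOTIFY (RFC 1996) and UPDATE (RFC 2136), share the same 12-byte DNS header and differ mainly in the opcode and in how the section counts are interpreted. The following is an added example (not code from the BIND 9 ARM or from BIND itself) that builds both messages on the wire, reads the opcode back so a reviewer can tell from a capture which kind of request a host sent to which zone, and carries out the slave's serial comparison from the Notify section using RFC 1982 wrap-around arithmetic. All zone names, owner names and addresses are constructed sample values.
</p>

```python
"""Build and inspect DNS NOTIFY (RFC 1996) and UPDATE (RFC 2136) requests.

Added example; not code from the BIND 9 ARM or from BIND. The zone names,
owner names and addresses used with it are constructed sample values.
"""
import struct

OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1
FLAG_AA = 0x0400  # "authoritative answer" bit; RFC 1996 sets it on NOTIFY


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n >= 64:  # a 0xC0 prefix would be a compression pointer
            raise ValueError("compressed names are not handled here")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def pack_header(msg_id, opcode, flags, counts):
    """12-byte header: QR=0 (request), opcode in bits 11-14, then four counts."""
    return struct.pack("!HHHHHH", msg_id, (opcode << 11) | flags, *counts)


def parse_header(msg):
    """Return (id, opcode, aa, counts) from the header of any DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", msg[:12])
    return msg_id, (flags >> 11) & 0xF, bool(flags & FLAG_AA), (c1, c2, c3, c4)


def build_notify(msg_id, zone):
    """NOTIFY request: one SOA question for the zone, AA set (RFC 1996 s.3.7)."""
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return pack_header(msg_id, OPCODE_NOTIFY, FLAG_AA, (1, 0, 0, 0)) + question


def build_update_add_a(msg_id, zone, owner, ttl, ipv4):
    """UPDATE request adding one A record, no prerequisites (RFC 2136 s.2.5.1).

    In an UPDATE the header counts mean ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    """
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ipv4)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(octets)
    rr = (encode_name(owner)
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return pack_header(msg_id, OPCODE_UPDATE, 0, (1, 0, 1, 0)) + zone_section + rr


def classify(msg):
    """Label a request by opcode and by the zone named in its first section.

    Handy when reviewing captures or ACLs: UPDATE and NOTIFY should only
    arrive from the hosts that allow-update / allow-notify permit.
    """
    _, opcode, _, counts = parse_header(msg)
    kind = {OPCODE_QUERY: "QUERY", OPCODE_NOTIFY: "NOTIFY",
            OPCODE_UPDATE: "UPDATE"}.get(opcode, "OPCODE%d" % opcode)
    zone = decode_name(msg, 12)[0] if counts[0] else None
    return kind, zone


def serial_gt(a, b):
    """True if SOA serial a is newer than b under RFC 1982 (mod 2**32) rules."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)


def slave_needs_transfer(local_serial, master_serial):
    """The slave's check after a NOTIFY: having fetched the master's SOA,
    transfer only if the master's serial is newer (wrap-around aware)."""
    return serial_gt(master_serial, local_serial)
```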
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
</p>
<p>
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 During the dump process, transient files will be created
 with the extensions <code class="filename">.jnw</code> and
 <code class="filename">.jbk</code>; under ordinary circumstances, these
 will be removed when the dump is complete, and can be safely
</p>
<p>
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.
</p>
<p>
 Changes that result from incoming incremental zone transfers are
 journalled in a similar way.
</p>
<p>
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes — those are only in the journal file.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
</p>
<p>
 If you have to make changes to a dynamic zone
 manually, the following procedure will work: Disable dynamic updates
 to the zone using
 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will also remove the zone's <code class="filename">.jnl</code> file
 and update the master file. Edit the zone file. Run
 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
</p>
<p>
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span><strong class="command">ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
 of the <span><strong class="command">server</strong></span> statement.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569819"></a>Split DNS</h2></div></div></div>
<p>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
</p>
<p>
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
</p>
<p>
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
</p>
<p>
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2569906"></a>Example split DNS setup</h3></div></div></div>
<p>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 has several corporate sites that have an internal network with
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
</p>
<p>
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
</p>
<p>
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 IP space) and the other set will be on bastion hosts, which are
 hosts that can talk to both sides of its network, in the DMZ.
</p>
<p>
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers in the
 DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
</p>
<p>
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
</p>
<p>
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
<p>
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (`*') records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
</p>
<p>
 Here's an example of a wildcard MX record:
</p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers on
 the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution.
</p>
<p>
 Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.
</p>
<p>
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This could also be enforced via
 filtering on the network.
</p>
<p>
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.</li>
<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
 Hosts on the Internet will be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.</li>
</ul></div>
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews Here is an example configuration for the setup we just
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews described above. Note that this is only configuration information;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
 Internal DNS server config. <code class="varname">bastion-ips-go-here</code> is a
 placeholder for the bastion hosts' addresses, and the <code class="literal">file</code>
 paths are placeholders too, since only the access-control lines matter here:
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
  forward only;
  // forward to external servers
  forwarders {
    bastion-ips-go-here;
  };
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // restrict query access
  allow-query { internals; externals; };
  // restrict recursion
  allow-recursion { internals; };
};

// sample master zone
zone "site1.example.com" {
  type master;
  file "m/site1.example.com";
  // do normal iterative resolution (do not forward)
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  file "s/site2.example.com";
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

zone "site1.internal" {
  type master;
  file "m/site1.internal";
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};

zone "site2.internal" {
  type slave;
  file "s/site2.internal";
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};
 The empty per-zone <code class="literal">forwarders { };</code> overrides the global
 <code class="literal">forward only</code> for the zones this server is authoritative
 for, and the <code class="literal">.internal</code> zones are queryable only from
 <code class="literal">internals</code>, so the bastions never see internal names even
 though they may query the server. Run <span><strong class="command">named-checkconf</strong></span>
 on the finished file: a missing semicolon inside an ACL list is a syntax error,
 not a silently ignored entry.
 External (bastion host) DNS server config. <code class="literal">allow-query { any; }</code>
 lets the whole Internet query the authoritative zones, while
 <code class="literal">allow-query-cache</code> and <code class="literal">allow-recursion</code>
 keep cached data and recursion for internal hosts and the bastions
 themselves; this is what stops the bastion from being an open resolver
 usable for cache snooping or reflection. <code class="literal">another_bastion_host_maybe</code>
 is a placeholder, as are the <code class="literal">file</code> paths:
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // default query access
  allow-query { any; };
  // restrict cache access
  allow-query-cache { internals; externals; };
  // restrict recursion
  allow-recursion { internals; externals; };
};

// sample master zone
zone "site1.example.com" {
  type master;
  file "m/site1.example.com";
  allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  file "s/site2.example.com";
  masters { another_bastion_host_maybe; };
  allow-transfer { internals; externals; };
};
 In the <code class="filename">resolv.conf</code> (or equivalent) on
 the bastion host(s), so that the bastions themselves resolve through
 the internal servers rather than through their own <span><strong class="command">named</strong></span>:
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TSIG</h2></div></div></div>
 This is a short guide to setting up Transaction SIGnatures
 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
 to server communication.
 This includes zone transfer, notify, and recursive query messages.
 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
 TSIG can also be useful for dynamic update. A primary
 server for a dynamic zone should control access to the dynamic
 update service, but IP-based access control is insufficient: the
 source address of a UDP update is trivially spoofed, and any host on
 a permitted network can then rewrite the zone.
 The cryptographic access control provided by TSIG
 is far superior. The <span><strong class="command">nsupdate</strong></span>
 program supports TSIG via the <code class="option">-k</code> and
 <code class="option">-y</code> command line options or inline by use
 of the <span><strong class="command">key</strong></span> command. Prefer
 <code class="option">-k</code> (the secret is read from a file); with
 <code class="option">-y</code> the secret is an argument on the command line
 and is visible to other users in the process list.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570544"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts. The name is only a lookup handle and travels
 in the clear in every signed message; the secret is the part that
 must be protected.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570561"></a>Automatic Generation</h4></div></div></div>
 The following command will generate a 128-bit (16 byte) HMAC-SHA256
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is the digest
 length, here 256 bits. The base64 secret is written after
 <code class="literal">Key:</code> in the generated <code class="filename">.private</code>
 file; that string, not the file, is what goes into the configuration.
<strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
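 To make concrete what the shared key buys, here is an added example written from RFC 8945; it is not BIND's or <span><strong class="command">dnssec-keygen</strong></span>'s code. It derives the <code class="literal">key</code> statement both hosts need from a freshly generated 128-bit secret, signs a constructed DNS request with hmac-sha256 the way the text says server-to-server messages are signed, and verifies it on the receiving side, reporting BADKEY, BADSIG or BADTIME as a server would. The key name <code class="literal">host1-host2.</code> is the page's; the sample query name, the 300-second fudge and the key ring are assumptions.

```python
"""TSIG (RFC 8945) request signing and verification with hmac-sha256.
Added example written from the RFC; not BIND's implementation."""
import base64, hashlib, hmac, secrets, struct, time

TSIG_TYPE, CLASS_ANY = 250, 255
ALG = "hmac-sha256."
KEY_NAME = "host1-host2."        # key name from the text; must match on both hosts


def generate_key_statement(name=KEY_NAME, bits=128):
    """Random secret (as 'dnssec-keygen -a hmac-sha256 -b 128' would make one)
    plus the named.conf key statement. Returns (statement, raw_secret)."""
    raw = secrets.token_bytes(bits // 8)
    stmt = 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' % (
        name, base64.b64encode(raw).decode())
    return stmt, raw


def wire_name(name):
    """Uncompressed, lowercased (canonical) wire-format name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def read_name(buf, off):
    """Parse a wire name. TSIG key/algorithm names must not be compressed;
    a compression pointer elsewhere is skipped, not followed."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            return ".".join(labels) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qname, qtype=1, msg_id=0x1234):
    """Constructed sample request: header plus one question, nothing else."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + wire_name(qname) + struct.pack("!HH", qtype, 1))


def digest_input(message, key_name, time_signed, fudge, error=0, other=b""):
    # RFC 8945 s4.3: the unsigned message, then the TSIG variables (NAME,
    # CLASS=ANY, TTL=0, algorithm, time signed, fudge, error, other len, other).
    return (message + wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_request(message, secret, key_name=KEY_NAME, fudge=300, now=None):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT."""
    time_signed = int(time.time() if now is None else now)
    mac = hmac.new(secret, digest_input(message, key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))      # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify_request(signed, keyring, now=None):
    """Validate the TSIG RR that must end `signed` against keyring {name: secret}.
    Returns (ok, reason); the check order (key, MAC, time) follows the RFC."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "FORMERR: no TSIG record"
    off = 12
    for _ in range(qd):                                 # skip questions
        _, off = read_name(signed, off); off += 4
    for _ in range(an + ns + ar - 1):                   # skip RRs before the last
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10]); off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "FORMERR: last RR is not a TSIG record"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big"); off += 6
    fudge, mac_size = struct.unpack("!HH", signed[off:off + 4]); off += 4
    mac = signed[off:off + mac_size]
    secret = keyring.get(key_name.lower())
    if secret is None or alg.lower() != ALG:
        return False, "BADKEY: unknown key name or algorithm"
    # Rebuild what the signer hashed: strip the TSIG RR and undo the ARCOUNT bump.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, digest_input(unsigned, key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):          # constant-time compare
        return False, "BADSIG: MAC mismatch (altered message or wrong secret)"
    now = int(time.time() if now is None else now)
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: outside the fudge window (replay or clock skew)"
    return True, "NOERROR"
```

 The fudge check is why the text's later insistence on synchronised clocks matters: a signed message is only accepted within the fudge window around its time-signed value, which both bounds replay and makes a skewed clock look like an attack. Note that the MAC covers the whole message plus the key name and algorithm, so neither the question nor the key name can be altered in transit.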
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
both servers. The following is added to each server's <code class="filename">named.conf</code> file:
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
zone example.net {
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
dynamically-linkable DLZ module--i.e., one which can be
"example.nil", which can answer queries and AXFR requests, and
example.nil. 1800 IN A 10.53.0.1
e.g., by providing different address records for a particular name
<a name="id2571627"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.