Bv9ARM.ch04.html revision 71cef386fae61275b03e203825680b39fedaa8c6
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
 servers to notify their slave servers of changes to a zone's data. In
 response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
 slave will check to see that its version of the zone is the
 current version and, if not, initiate a zone transfer.
 For more information about <acronym class="acronym">DNS</acronym>
 <span class="command"><strong>NOTIFY</strong></span>, see the description of the
 <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
 the description of the zone option <span class="command"><strong>also-notify</strong></span> in
 <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
 protocol is specified in RFC 1996.
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
 by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
 it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
 cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
 zones that it loads.
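The configuration below is an added example and is not part of the BIND 9 ARM; the zone name, addresses and file names are placeholders. It shows the two sides of the NOTIFY exchange described above, with the settings a practitioner would want: a master that announces only the zones it is authoritative for and only to the hosts it names, and a slave that ignores NOTIFY from anyone but its master. A NOTIFY is a plain UDP message with no authentication of its own, so a host able to spoof the master's source address can make an unrestricted slave issue SOA queries and transfer requests on demand; <code>allow-notify</code> limits who can trigger that. The zone data itself still arrives only through the (I)XFR from the configured masters.

```conf
// Added example, not from the BIND 9 ARM. Zone name, addresses and file
// names are assumptions chosen for illustration.

// --- Primary (master) side ----------------------------------------------
options {
    // Announce only the zones this server is master for, not every zone
    // it merely holds as a slave.
    notify master-only;
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Send NOTIFY only to the hosts listed in also-notify, not to every
    // server named in the zone's NS records (a stale NS record could point
    // at a host you no longer control).
    notify explicit;
    also-notify { 192.0.2.53; 2001:db8::53; };   // assumed slave addresses
};

// --- Secondary (slave) side ---------------------------------------------
zone "example.com" {
    type slave;
    file "db.example.com.saved";
    masters { 198.51.100.53; };          // assumed master address
    // The masters are always allowed to NOTIFY; this list adds nothing
    // else, so spoofed NOTIFYs from other addresses are dropped instead
    // of triggering an SOA check and a possible transfer.
    allow-notify { 198.51.100.53; };
};
```

Because the slave decides to transfer based on the SOA serial it fetches from the master, not on anything carried in the NOTIFY, restricting <code>allow-notify</code> only limits who can make the slave ask; it does not replace TSIG on the transfer itself.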
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
 Dynamic Update is a method for adding, replacing or deleting
 records in a master server by sending it a special form of DNS
 messages. The format and meaning of these messages is specified
 in RFC 2136.
 Dynamic update is enabled by including an
 <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
 clause in the <span class="command"><strong>zone</strong></span> statement.
 If the zone's <span class="command"><strong>update-policy</strong></span> is set to
 <strong class="userinput"><code>local</code></strong>, updates to the zone
 will be permitted for the key <code class="varname">local-ddns</code>,
 which will be generated by <span class="command"><strong>named</strong></span> at startup.
 See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
 Dynamic updates using Kerberos signed requests can be made
 using the TKEY and GSS-TSIG protocols by setting the
 <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
 by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
 and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
 Kerberos signed requests will be matched against the update
 policies for the zone, using the Kerberos principal as the
 signer for the request.
 Updating of secure zones (zones using DNSSEC) follows RFC
 3007: RRSIG, NSEC and NSEC3 records affected by updates are
 automatically regenerated by the server using an online
 zone key. Update authorization is based on transaction
 signatures and an explicit server policy.
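The following is an added example, not text or configuration from the BIND 9 ARM; the key name, the zone names, the addresses and the client-side file names are placeholders. It puts the two authorization mechanisms named above side by side. An <code>allow-update</code> clause keyed on source addresses is the weak form: UPDATE messages travel over UDP, so the address can be spoofed, and any host in the range may rewrite any record in the zone, including NS and the apex. An <code>update-policy</code> that grants a TSIG key only the names and types it needs is the form that matches "transaction signatures and an explicit server policy".

```conf
// Added example, not from the BIND 9 ARM. Key name, secret, zone names and
// addresses are assumptions; generate a real secret with tsig-keygen.

key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_FROM_TSIG_KEYGEN";   // assumption: filled in at deploy time
};

// Weak form: authorisation by source address only. The address can be
// spoofed, and every host in the range may change every record in the zone.
zone "weak.example.com" {
    type master;
    file "db.weak.example.com";
    allow-update { 192.0.2.0/24; };
};

// Preferred form: the request must carry a valid TSIG signature from
// dhcp-updater, and that key may only add or delete address and TXT
// records at names under hosts.example.com. It cannot touch the apex,
// the NS or MX records, or anything outside that subtree.
// (allow-update and update-policy are mutually exclusive in one zone.)
zone "example.com" {
    type master;
    file "db.example.com";
    update-policy {
        grant dhcp-updater subdomain hosts.example.com. A AAAA TXT;
    };
};

// Matching client-side request (assumed key file path written by
// tsig-keygen in named.conf key-statement format):
//
//   nsupdate -k /etc/dhcp/dhcp-updater.key <<EOF
//   server 198.51.100.53
//   zone example.com
//   update add pc42.hosts.example.com. 3600 IN A 192.0.2.42
//   send
//   EOF
```

Treat the shared secret like a password: it lives in a file readable only by <code>named</code> and by the updating service, and a separate key per updating system keeps a compromise of one client from granting the others' permissions.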
<a name="journal"></a>The journal file</h3></div></div></div>
 All changes made to a zone using dynamic update are stored
 in the zone's journal file. This file is automatically created
 by the server when the first dynamic update takes place.
 The name of the journal file is formed by appending the extension
 <code class="filename">.jnl</code> to the name of the
 corresponding zone
 file unless specifically overridden. The journal file is in a
 binary format and should not be edited manually.
 The server will also occasionally write ("dump")
 the complete contents of the updated zone to its zone file.
 This is not done immediately after
 each dynamic update, because that would be too slow when a large
 zone is updated frequently. Instead, the dump is delayed by
 up to 15 minutes, allowing additional updates to take place.
 During the dump process, transient files will be created
 with the extensions <code class="filename">.jnw</code> and
 <code class="filename">.jbk</code>; under ordinary circumstances, these
 will be removed when the dump is complete, and can be safely
 ignored.
 When a server is restarted after a shutdown or crash, it will replay
 the journal file to incorporate into the zone any updates that took
 place after the last zone dump.
 Changes that result from incoming incremental zone transfers are
 journalled in a similar way.
 The zone files of dynamic zones cannot normally be edited by
 hand because they are not guaranteed to contain the most recent
 dynamic changes; those are only in the journal file.
 If the zone file is edited by hand while a journal still exists,
 <span class="command"><strong>named</strong></span> will detect the mismatch when it next
 tries to replay the journal ("journal out of sync with zone") and the
 zone will not load until the stale journal is removed.
 The only way to ensure that the zone file of a dynamic zone
 is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
 If you have to make changes to a dynamic zone
 manually, the following procedure will work:
 Disable dynamic updates to the zone using
 <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
 This will update the zone's master file with the changes
 stored in its <code class="filename">.jnl</code> file.
 Edit the zone file. Run
 <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
 to reload the changed zone and re-enable dynamic updates.
 <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
 will update the zone file with changes from the journal file
 without stopping dynamic updates; this may be useful for viewing
 the current zone state. To remove the <code class="filename">.jnl</code>
 file after updating the zone file, use
 <span class="command"><strong>rndc sync -clean</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
 The incremental zone transfer (IXFR) protocol is a way for
 slave servers to transfer only changed data, instead of having to
 transfer the entire zone. The IXFR protocol is specified in RFC
 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
 When acting as a master, <acronym class="acronym">BIND</acronym> 9
 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR. For manually maintained master
 zones, and for slave zones obtained by performing a full zone
 transfer (AXFR), IXFR is supported only if the option
 <span class="command"><strong>ixfr-from-differences</strong></span> is set
 to <strong class="userinput"><code>yes</code></strong>.
 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
 attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
 of the <span class="command"><strong>server</strong></span> statement.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="split_dns"></a>Split DNS</h2></div></div></div>
 Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a
 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
 reasons an organization would want to set up its DNS this way.
 One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually useful.
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
 they need using other means.
 However, since listing addresses of internal servers that
 external clients cannot possibly reach can result in
 connection delays and other annoyances, an organization may
 choose to use a Split DNS to present a consistent view of itself
 to the outside world.
 Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 private address space to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.
<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 has several corporate sites that have an internal network with
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 IP space) and the other set will be on bastion hosts, which are
 hosts that can talk to both sides of its network, in the DMZ.
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers in the
 DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
 hosts.
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard (<code class="literal">*</code>) records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
 Here's an example of a wildcard MX record:
 <pre class="programlisting">* IN MX 10 external1.example.com.</pre>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers
 on the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution.
 Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This could also be enforced via
 filtering on the network.
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.
 Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.
 Look up any hostnames on the Internet.
 Exchange mail with both internal and external people.
 Hosts on the Internet will be able to:
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 Look up any hostnames in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.
 Exchange mail with anyone in the <code class="literal">site1</code> and
 <code class="literal">site2.example.com</code> zones.
b85c88cbfc058d4a45163446a2e8d665fa50f5ddjvergara Here is an example configuration for the setup we just
b85c88cbfc058d4a45163446a2e8d665fa50f5ddjvergara described above. Note that this is only configuration information;
b85c88cbfc058d4a45163446a2e8d665fa50f5ddjvergara for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
Internal DNS server config:
<pre class="programlisting">acl internals { internal-ips-go-here; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
    forward only;
    // forward to external servers
    forwarders {
        bastion-ips-go-here;
    };
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion
    allow-recursion { internals; };
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "site1.example.com.zone";  // zone file names are placeholders
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "site2.example.com.zone";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {
    type master;
    file "site1.internal.zone";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {
    type slave;
    file "site2.internal.zone";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};</pre>
External (bastion host) DNS server config:
<pre class="programlisting">acl internals { internal-ips-go-here; };
acl externals { bastion-ips-go-here; };

options {
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // default query access
    allow-query { any; };
    // restrict cache access
    allow-query-cache { internals; externals; };
    // restrict recursion
    allow-recursion { internals; externals; };
};

// sample master zone
zone "site1.example.com" {
    type master;
    file "site1.example.com.zone";  // zone file names are placeholders
    allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
    type slave;
    file "site2.example.com.zone";
    masters { another_bastion_host_maybe; };
    allow-transfer { internals; externals; };
};</pre>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
<pre class="programlisting">nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4</pre>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TSIG</h2></div></div></div>
TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
messages, originally specified in RFC 2845. It allows DNS messages
to be cryptographically signed using a shared secret. TSIG can
be used in any DNS transaction, as a way to restrict access to
certain server functions (e.g., recursive queries) to authorized
clients when IP-based access control is insufficient or needs to
be overridden, or as a way to ensure message authenticity when it
is critical to the integrity of the server, such as with dynamic
UPDATE messages or zone transfers from a master to a slave server.
This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
It describes the configuration syntax and the process of creating
<span class="command"><strong>named</strong></span> supports TSIG for server-to-server
communication, and some of the tools included with
<acronym class="acronym">BIND</acronym> support it for sending messages to
<span class="command"><strong>named</strong></span>:
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
<code class="option">-k</code>, <code class="option">-l</code> and
<code class="option">-y</code> command line options, or via
the <span class="command"><strong>key</strong></span> command when running
interactively.</li>
<li class="listitem"><a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
<code class="option">-k</code> and <code class="option">-y</code> command
line options.</li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
command; the output of the command is a <span class="command"><strong>key</strong></span> directive
suitable for inclusion in <code class="filename">named.conf</code>. The
key name, algorithm and size can be specified by command line parameters;
the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
Any string which is a valid DNS name can be used as a key name.
For example, a key to be shared between servers called
<span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
be called "host1-host2.", and this key could be generated using:
<pre class="programlisting">$ tsig-keygen host1-host2. &gt; host1-host2.key</pre>
This key may then be copied to both hosts. The key name and secret
must be identical on both hosts.
(Note: copying a shared secret from one server to another is beyond
the scope of the DNS. A secure transport mechanism should be used:
secure FTP, SSL, ssh, telephone, encrypted email, etc.)
<span class="command"><strong>tsig-keygen</strong></span> can also be run as
<span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
additional configuration text for setting up dynamic DNS in
<span class="command"><strong>named</strong></span>. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
for details.
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
For a key shared between servers called
<span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
the following could be added to each server's
<pre class="programlisting">key "host1-host2." {
    algorithm hmac-sha256;
    secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
};</pre>
(This is the same key generated above using
<span class="command"><strong>tsig-keygen</strong></span>.)
Since this text contains a secret, it
is recommended that either <code class="filename">named.conf</code> not be
world-readable, or that the <span class="command"><strong>key</strong></span> directive
be stored in a file which is not world-readable, and which is
included in <code class="filename">named.conf</code> via the
<span class="command"><strong>include</strong></span> directive.
Once a key has been added to <code class="filename">named.conf</code> and the
server has been restarted or reconfigured, the server can recognize
the key. If the server receives a message signed by the
key, it will be able to verify the signature. If the signature
is valid, the response will be signed using the same key.
TSIG keys that are known to a server can be listed using the
command <span class="command"><strong>rndc tsig-list</strong></span>.
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
A server sending a request to another server must be told whether
to use a key, and if so, which key to use.
For example, a key may be specified for each server in the
<span class="command"><strong>masters</strong></span> statement in the definition of a
slave zone; in this case, all SOA QUERY messages, NOTIFY
messages, and zone transfer requests (AXFR or IXFR) will be
signed using the specified key. Keys may also be specified
in the <span class="command"><strong>also-notify</strong></span> statement of a master
or slave zone, causing NOTIFY messages to be signed using
the specified key.
Keys can also be specified in a <span class="command"><strong>server</strong></span>
directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
signed using the <span class="command"><strong>host1-host2.</strong></span> key:
<pre class="programlisting">server 10.1.2.3 {
    keys { host1-host2. ;};
};</pre>
Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
statement, but only the first one is used. As this directive does
not contain secrets, it can be used in a world-readable file.
Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
would <span class="emphasis"><em>not</em></span> be signed, unless a similar
<span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
configuration file.
Whenever any server sends a TSIG-signed DNS request, it will expect
the response to be signed with the same key. If a response is not
signed, or if the signature is not valid, the response will be
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
TSIG keys may be specified in ACL definitions and ACL directives
such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
and <span class="command"><strong>allow-update</strong></span>.
The above key would be denoted in an ACL element as
<span class="command"><strong>key host1-host2.</strong></span>
An example of an <span class="command"><strong>allow-update</strong></span> directive using
a TSIG key:
<pre class="programlisting">allow-update { !{ !localnets; any; }; key host1-host2. ;};</pre>
This allows dynamic updates to succeed only if the UPDATE
request comes from an address in <span class="command"><strong>localnets</strong></span>,
<span class="emphasis"><em>and</em></span> if it is signed using the
<span class="command"><strong>host1-host2.</strong></span> key.
See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
the more flexible <span class="command"><strong>update-policy</strong></span> statement.
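The address-match-list rules behind both the split-DNS ACLs in the earlier example configurations and this allow-update directive, as an added Python example that is not BIND code: elements are tried in order, the first match decides, a negated element denies, and a negative match inside a nested list is treated as no match. The prefixes standing in for internals, externals and BIND's built-in localnets ACL are constructed.

```python
"""BIND address match list evaluation (added example, not BIND's code)."""
import ipaddress

# Constructed stand-ins for the page's placeholders ("bastion-ips-go-here")
# and for BIND's built-in "localnets" ACL (the networks the server sits on).
ACLS = {
    "internals": ["10.0.1.0/24", "10.0.2.0/24"],
    "externals": ["198.51.100.10", "198.51.100.11"],
    "localnets": ["10.0.1.0/24"],
}

# Element representation: "any", "none", an address or prefix, an ACL name,
# "key <name>", a nested list, or ("!", element) for a negated element.


def _positive_match(body, addr, signer):
    """Does this (un-negated) element match the request?"""
    if isinstance(body, list):
        # Nested list: a negative match inside it is treated as "no match",
        # so a negated nested list can never turn into a surprise allow.
        return evaluate(body, addr, signer) is True
    if body == "any":
        return True
    if body == "none":
        return False
    if body.startswith("key "):
        return signer is not None and signer.lower() == body[4:].strip().lower()
    if body in ACLS:
        return evaluate(ACLS[body], addr, signer) is True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(body, strict=False)


def evaluate(aml, addr, signer=None):
    """Walk the list in order; the first matching element decides.

    Returns True (positive match), False (matched a negated element) or
    None (nothing matched)."""
    for elem in aml:
        negated = isinstance(elem, tuple) and elem[0] == "!"
        body = elem[1] if negated else elem
        if _positive_match(body, addr, signer):
            return not negated
    return None


def allowed(aml, addr, signer=None):
    """Access-control reading of a match list: only a positive match allows."""
    return evaluate(aml, addr, signer) is True


# The page's directives in that representation.
ALLOW_UPDATE = [("!", [("!", "localnets"), "any"]), "key host1-host2."]
INTERNAL_ALLOW_QUERY = ["internals", "externals"]
INTERNAL_ALLOW_RECURSION = ["internals"]
EXTERNAL_ALLOW_QUERY = ["any"]
EXTERNAL_ALLOW_QUERY_CACHE = ["internals", "externals"]


def access_matrix(addr, signer=None):
    """Which server functions a request from addr (optionally TSIG-signed) gets."""
    return {
        "internal allow-query": allowed(INTERNAL_ALLOW_QUERY, addr),
        "internal allow-recursion": allowed(INTERNAL_ALLOW_RECURSION, addr),
        "external allow-query": allowed(EXTERNAL_ALLOW_QUERY, addr),
        "external allow-query-cache": allowed(EXTERNAL_ALLOW_QUERY_CACHE, addr),
        "allow-update": allowed(ALLOW_UPDATE, addr, signer),
    }


if __name__ == "__main__":
    for who, addr, signer in [("internal client, signed", "10.0.1.7", "host1-host2."),
                              ("internal client, unsigned", "10.0.1.7", None),
                              ("bastion host", "198.51.100.10", None),
                              ("Internet host, signed", "203.0.113.5", "host1-host2.")]:
        print(who, access_matrix(addr, signer))
```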
<div class="titlepage"><div><div><h3 class="title"><a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
Processing of TSIG-signed messages can result in several errors:
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">If a TSIG-aware server receives a message signed by an
unknown key, the response will be unsigned, with the TSIG
extended error code set to BADKEY.</li>
<li class="listitem">If a TSIG-aware server receives a message from a known key
but with an invalid signature, the response will be unsigned,
with the TSIG extended error code set to BADSIG.</li>
<li class="listitem">If a TSIG-aware server receives a message with a time
outside of the allowed range, the response will be signed, with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully</li>
</ul></div>
In all of the above cases, the server will return a response code
of NOTAUTH (not authenticated).
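What a server does with the key from the Loading A New Key section, as an added Python example that is not BIND code: a request is signed by appending a TSIG RR whose MAC covers the message plus the TSIG variables, and verification reports the BADKEY, BADSIG and BADTIME outcomes listed above in the order a TSIG-aware server checks them. The secret is the page's host1-host2. example key; the query contents and timestamps are constructed, and only hmac-sha256 is handled.

```python
"""TSIG (RFC 2845) signing and verification with hmac-sha256 (added example)."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
ALG = "hmac-sha256."
# Secret from the page's key "host1-host2." named.conf fragment.
KEYS = {"host1-host2.": base64.b64decode("DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=")}


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a DNS name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def read_name(msg, off):
    """Decode an uncompressed name; return (text, offset after it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def skip_name(msg, off):
    """Skip a possibly compressed name in the earlier sections of a message."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer (2 bytes) ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1


def build_query(qname, qtype=1, qid=0x1234):
    """Minimal unsigned query: header with RD set plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_mac(secret, message, keyname, time_signed, fudge, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 2845 3.4)."""
    variables = (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
                 + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, message + variables, hashlib.sha256).digest()


def tsig_sign(message, keyname, secret, time_signed, fudge=300):
    """Append the TSIG RR to the additional section and bump ARCOUNT."""
    mac = tsig_mac(secret, message, keyname, time_signed, fudge)
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def split_tsig(signed):
    """Strip the trailing TSIG RR; return (unsigned message, keyname, alg, time, fudge, mac)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):          # every RR but the last one
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    keyname, p = read_name(signed, off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TSIG_TYPE:
        raise ValueError("last RR is not a TSIG record")
    alg, p = read_name(signed, p + 10)          # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + macsize]
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:off]
    return unsigned, keyname, alg, time_signed, fudge, mac


def tsig_verify(signed, keys, now):
    """Server-side checks in the order the page lists them: key, signature, time.

    Returns (rcode, tsig_error); tsig_error is None when the message verifies."""
    unsigned, keyname, alg, time_signed, fudge, mac = split_tsig(signed)
    if keyname not in keys or alg != ALG:
        return "NOTAUTH", "BADKEY"
    expected = tsig_mac(keys[keyname], unsigned, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "NOTAUTH", "BADSIG"
    if abs(now - time_signed) > fudge:
        return "NOTAUTH", "BADTIME"
    return "NOERROR", None


if __name__ == "__main__":
    now = 1700000000
    signed = tsig_sign(build_query("host2.example."), "host1-host2.", KEYS["host1-host2."], now)
    print(tsig_verify(signed, KEYS, now))                  # ('NOERROR', None)
    print(tsig_verify(signed, {}, now))                    # unknown key -> BADKEY
    tampered = signed[:13] + b"x" + signed[14:]            # alter one byte of the question
    print(tsig_verify(tampered, KEYS, now))                # ('NOTAUTH', 'BADSIG')
    print(tsig_verify(signed, KEYS, now + 3600))           # outside fudge -> BADTIME
```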
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TKEY</h2></div></div></div>
TKEY (Transaction KEY) is a mechanism for automatically negotiating
a shared secret between two hosts, originally specified in RFC 2930.
There are several TKEY "modes" that specify how a key is to be
generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
one of these modes: Diffie-Hellman key exchange. Both hosts are
required to have a KEY record with algorithm DH (though this
record is not required to be present in a zone).
The TKEY process is initiated by a client or server by sending
a query of type TKEY to a TKEY-aware server. The query must include
an appropriate KEY record in the additional section, and
must be signed using either TSIG or SIG(0) with a previously
established key. The server's response, if successful, will
contain a TKEY record in its answer section. After this transaction,
both participants will have enough information to calculate a
shared secret using Diffie-Hellman key exchange. The shared secret
can then be used to sign subsequent transactions between the
two servers.
TSIG keys known by the server, including TKEY-negotiated keys, can
be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
TKEY-negotiated keys can be deleted from a server using
<span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via
the TKEY protocol itself, by sending an authenticated TKEY query
specifying the "key deletion" mode.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">SIG(0)</h2></div></div></div>
<acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
SIG(0) uses public/private keys to authenticate messages. Access control
is performed in the same manner as with TSIG keys; privileges can be
granted or denied in ACL directives based on the key name.
When a SIG(0) signed message is received, it will only be
verified if the key is known and trusted by the server. The
server will not attempt to recursively fetch or validate the
SIG(0) signing of multiple-message TCP streams is not supported.
The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">DNSSEC</h2></div></div></div>
Cryptographic authentication of DNS information is possible
through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
In order to set up a DNSSEC secure zone, there are a series
of steps which must be followed. <acronym class="acronym">BIND</acronym>
ships with several tools
that are used in this process, which are explained in more detail
below. In all cases, the <code class="option">-h</code> option prints a
full list of parameters. Note that the DNSSEC tools require the
keyset files to be in the working directory or the
directory specified by the <code class="option">-d</code> option, and
that the tools shipped with BIND 9.2.x and earlier are not compatible
with the current ones.
There must also be communication with the administrators of
the parent and/or child zone to transmit keys. A zone's security
status must be indicated by the parent zone for a DNSSEC capable
resolver to trust its data. This is done through the presence
or absence of a <code class="literal">DS</code> record at the
For other servers to trust data in this zone, they must
either be statically configured with this zone's zone key or the
zone key of another zone above this one in the DNS tree.
<div class="titlepage"><div><div><h3 class="title"><a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
generate keys.
A secure zone must contain one or more zone keys. The
zone keys will sign all other records in the zone, as well as
the zone keys of any secure delegated zones. Zone keys must
have the same name as the zone, a name type of
<span class="command"><strong>ZONE</strong></span>, and must be usable for
authentication.
It is recommended that zone keys use a cryptographic algorithm
designated as "mandatory to implement" by the IETF; currently
the only one is RSASHA1.
The following command will generate a 768-bit RSASHA1 key for
the <code class="filename">child.example</code> zone:
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
Two output files will be produced:
<code class="filename">Kchild.example.+005+12345.key</code> and
<code class="filename">Kchild.example.+005+12345.private</code>
(where 12345 is an example of a key tag). The key filenames contain
the key name (<code class="filename">child.example.</code>),
the algorithm number (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
this case).
The private key (in the <code class="filename">.private</code> file) is
used to generate signatures, and the public key (in the
<code class="filename">.key</code> file) is used for signature
verification.
To generate another key with the same properties (but with
a different key tag), repeat the above command.
The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
to get a key pair from cryptographic hardware and build the key
files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
The public keys should be inserted into the zone file by
including the <code class="filename">.key</code> files using
<span class="command"><strong>$INCLUDE</strong></span> statements.
<div class="titlepage"><div><div><h3 class="title"><a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
The <span class="command"><strong>dnssec-signzone</strong></span> program is used
to sign a zone.
Any <code class="filename">keyset</code> files corresponding to
secure subzones should be present. The zone signer will
generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
and <code class="literal">RRSIG</code> records for the zone, as
well as <code class="literal">DS</code> for the child zones if
<code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
is not specified, then DS RRsets for the secure child
zones need to be added manually.
The following command signs the zone, assuming it is in a
file called <code class="filename">zone.child.example</code>. By
default, all zone keys which have an available private key are
used to generate signatures.
<strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
One output file is produced:
<code class="filename">zone.child.example.signed</code>. This
should be referenced by <code class="filename">named.conf</code>
as the input file for the zone.
<p><span class="command"><strong>dnssec-signzone</strong></span>
will also produce keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administrators with the <code class="literal">DNSKEYs</code> (or their
corresponding <code class="literal">DS</code> records) that are the
secure entry point to the zone.</p>
<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
 To enable <span class="command"><strong>named</strong></span> to respond appropriately
 to DNS requests from DNSSEC-aware clients,
 <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
 (This is the default setting.)
 To enable <span class="command"><strong>named</strong></span> to validate answers from
 other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
 must be set to <strong class="userinput"><code>yes</code></strong>, and the
 <span class="command"><strong>dnssec-validation</strong></span> option must be set to
 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
 If <span class="command"><strong>dnssec-validation</strong></span> is set to
 <strong class="userinput"><code>auto</code></strong>, then a default
 trust anchor for the DNS root zone will be used.
 If it is set to <strong class="userinput"><code>yes</code></strong>, however,
 then at least one trust anchor must be configured
 with a <span class="command"><strong>trusted-keys</strong></span> or
 <span class="command"><strong>managed-keys</strong></span> statement in
 <code class="filename">named.conf</code>, or DNSSEC validation
 will not occur. The default setting is
 <strong class="userinput"><code>yes</code></strong>.
 <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
 for zones that are used to form the first link in the
 cryptographic chain of trust. All keys listed in
 <span class="command"><strong>trusted-keys</strong></span> (and the corresponding zones)
 are deemed to exist, and only the listed keys will be used
 to validate the DNSKEY RRset that they are from.
 <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
 automatically kept up to date via RFC 5011 trust anchor
 maintenance. A static <span class="command"><strong>trusted-keys</strong></span>
 entry must be updated by hand whenever that zone's key-signing key is
 rolled, or validation of that zone will fail;
 <span class="command"><strong>managed-keys</strong></span> follows such rollovers
 automatically.
 <span class="command"><strong>trusted-keys</strong></span> and
 <span class="command"><strong>managed-keys</strong></span> are described in more detail
 later in this document.
 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
 9 does not verify signatures on load, so zone keys for
 authoritative zones do not need to be specified in the
 configuration file.
 Once DNSSEC is established, a typical DNSSEC configuration
 will look something like the following. It has one or
 more public keys for the root, which allows answers from
 outside the organization to be validated. It also
 has several keys for parts of the namespace the organization
 controls. These are configured so that <span class="command"><strong>named</strong></span>
 validates the organization's own zones directly from these anchors,
 making that validation independent of the DNSSEC security of the
 parent zones: a compromise of a parent zone's keys cannot be used to
 forge answers for the zones listed here.
managed-keys {
 /* Root Key */
 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
 dgxbcDTClU0CRBdiieyLMNzXG3";
trusted-keys {
 /* Key for our organization's forward zone */
 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
 1OTQ09A0=";
 /* Key for our reverse zone. */
 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
 xOdNax071L18QqZnQQQAVVr+i
 LhGTnNGp3HoWQLUIzKrJVZ3zg
 gy3WwNT6kZo6c0tszYqbtvchm
 siaOdS0yOI6BgPsw+YZdzlYMa
 IJGf4M4dyoKIhzdZyQ2bYQrjy
 Q4LB0lC7aOnsMyYKHHYeRvPxj
 IQXmdqgOJGq+vsevG06zW+1xg
 59VvjSPsZJHeDCUyWYrvPZesZ
 DIRvhDD52SKvbheeTJUm6Ehkz
 dnssec-enable yes;
 dnssec-validation yes;
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 None of the keys listed in this example are valid. In particular,
 the root key is not valid.
 When DNSSEC validation is enabled and properly configured,
 the resolver will reject any answers from signed, secure zones
 which fail to validate, and will return SERVFAIL to the client.
 Responses may fail to validate for any of several reasons,
 including missing, expired, or invalid signatures, a key which
 does not match the DS RRset in the parent zone, or an insecure
 response from a zone which, according to its parent, should have
 been secure.
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 When the validator receives a response from an unsigned zone
 that has a signed parent, it must confirm with the parent
 that the zone was intentionally left unsigned. It does
 this by verifying, via signed and validated NSEC/NSEC3 records,
 that the parent zone contains no DS records for the child.
 If the validator <span class="emphasis"><em>can</em></span> prove that the zone
 is insecure, then the response is accepted. However, if it
 cannot, then it must assume an insecure response to be a
 forgery; it rejects the response and logs an error.
 The logged error reads "insecurity proof failed" and
 "got insecure response; parent indicates it should be secure".
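 The dsset file written by <span class="command"><strong>dnssec-signzone</strong></span>
 and the anchors listed in <span class="command"><strong>trusted-keys</strong></span> or
 <span class="command"><strong>managed-keys</strong></span> are both derived from a
 DNSKEY RR, and a practitioner usually wants to check them independently
 before handing a DS to a parent or trusting an anchor. The following is an
 added example, not BIND's own code: it reimplements the RFC 4034 key tag and
 the DS digest (digest type 2, SHA-256) over the canonical owner name plus
 DNSKEY RDATA, and its parser accepts both the presentation format found in
 <code class="filename">K*.key</code> files and the quoted
 <span class="command"><strong>trusted-keys</strong></span>/<span class="command"><strong>managed-keys</strong></span>
 syntax shown above. The DNSKEY it uses is constructed; its four-byte "public
 key" is not a real key, and the owner name <code class="literal">child.example.</code>
 is only borrowed from the signing example.

```python
"""Key tag (RFC 4034 Appendix B) and DS record (RFC 4034 s5, RFC 4509)
for a DNSKEY RR.  Added example, not part of BIND; the sample key is
constructed and is not a real public key."""
import base64
import hashlib
import struct

# Digest types registered for DS: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(text):
    """Parse one DNSKEY RR from presentation format
    ('child.example. 3600 IN DNSKEY 257 3 8 AQID BA==', as in K*.key files
    or dig output) or from the named.conf trust-anchor syntax
    ('"." initial-key 257 3 8 "AQID" "BA==";').  The base64 key may be
    split across tokens; quotes and the trailing ';' are ignored.
    Returns (owner, flags, protocol, algorithm, pubkey_bytes)."""
    tokens = text.split()
    owner = tokens[0].strip('"')
    if "DNSKEY" in tokens:
        start = tokens.index("DNSKEY") + 1
    else:
        start = 2 if tokens[1] == "initial-key" else 1
    flags, protocol, algorithm = (int(t) for t in tokens[start:start + 3])
    b64 = "".join(tokens[start + 3:]).replace('"', "").replace(";", "")
    return owner, flags, protocol, algorithm, base64.b64decode(b64)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """16-bit checksum over the RDATA that RRSIG and DS records use to
    refer to a DNSKEY.  It is a hint, not a unique identifier."""
    if algorithm == 1:
        raise NotImplementedError("RSA/MD5 (algorithm 1) uses a different key-tag rule")
    ac = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-cased,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def is_ksk(flags):
    """The SEP bit (flags 257 rather than 256) marks a key-signing key,
    which is the key a DS record should normally point at."""
    return bool(flags & 0x0001)


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS RR the parent must publish: the digest covers the
    canonical owner name followed by the DNSKEY RDATA, so the owner's
    letter case does not change the result."""
    digest = DS_DIGESTS[digest_type](
        owner_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    ).hexdigest().upper()
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}"


# Constructed sample: the 4-byte "public key" AQIDBA== is not a real key.
SAMPLE_DNSKEY = "child.example. 3600 IN DNSKEY 257 3 8 AQID BA=="


def main():
    owner, flags, proto, alg, pubkey = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(flags, proto, alg, pubkey), "KSK:", is_ksk(flags))
    print(ds_record(owner, flags, proto, alg, pubkey))


if __name__ == "__main__":
    main()
```

 Running the file prints the sample's key tag (2063) and its DS line in the
 same layout as a dsset file. Feeding a real
 <code class="filename">K*.key</code> line to <code class="literal">parse_dnskey</code>
 gives a DS to compare against the dsset file, and feeding a
 <span class="command"><strong>managed-keys</strong></span> entry gives a key tag to
 compare against the value the zone operator publishes for its anchor.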
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
<a name="id-1.5.10.2"></a>Converting from insecure to secure</h3></div></div></div>
 <p>Changing a zone from insecure to secure can be done in two
 ways: using a dynamic DNS update, or the
 <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
 <p>For either method, you need to configure
 <span class="command"><strong>named</strong></span> so that it can see the
 <code class="filename">K*</code> files which contain the public and private
 parts of the keys that will be used to sign the zone. These files
 will have been generated by
 <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
 in the key-directory, as specified in
 type master;
 update-policy local;
 <p>If one KSK and one ZSK have been generated, this
 configuration will cause all records in the zone to be signed
 with the ZSK, and the DNSKEY RRset to be signed with the KSK as
 well. An NSEC chain will be generated as part of the initial
 signing process.</p>
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
<a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
<span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
$ <strong class="userinput"><code>wget <a class="link" href="http://www.openssl.org/source/openssl-0.9.8zc.tar.gz" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
<span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
"sample-ksk" as the key-signing key for "example.net":
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
<a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
this is accomplished by placing the PIN into the openssl.cnf file
The location of the openssl.cnf file can be overridden by
Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
"dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
dynamically-linkable DLZ module--i.e., one which can be
"example.nil", which can answer queries and AXFR requests, and
example.nil. 1800 IN A 10.53.0.1
e.g., by providing different address records for a particular name
(see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
<a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
dyndb example "driver.so" {
"example.nil", which can answer queries and AXFR requests, and
example.nil. 86400 IN A 127.0.0.1
whether the updated RR is an address (i.e., type A or AAAA) and if
zone "catalog.example"
means <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
catalog.example. IN SOA . . 2016022901 900 600 86400 1
catalog.example. IN NS nsexample.
version.catalog.example. IN TXT "1"
Global options are set at the apex of the catalog zone, e.g.:
masters.catalog.example. IN AAAA 2001:db8::1
masters.catalog.example. IN A 192.0.2.1
label.masters.catalog.example. IN A 192.0.2.2
label.masters.catalog.example. IN TXT "tsig_key_name"
label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2 (Extended Support Version)</p>