Bv9ARM.ch04.html revision 9941177e7eb530451d5970959cc2828c53cb36c9
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
<div class="toc"><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571267">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571285">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564004">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564077">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564088">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564124">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572169">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572218">Errors</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572232">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572281">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572486">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572633">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572782">Configuring Servers</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563415">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563452">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563557">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563660">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563834">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563847">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563880">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563907">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563916">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563926">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571963">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571973">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608278">Authoritative Server</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611658">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636122">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636247">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636278">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636476">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636522">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573002">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573064">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573085">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
slave will check to see that its version of the zone is the
current version and, if not, initiate a zone transfer.
</p>
<p>
For more information about <acronym class="acronym">DNS</acronym>
<span><strong class="command">NOTIFY</strong></span>, see the description of the
<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
the description of the zone option <span><strong class="command">also-notify</strong></span> in
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
protocol is specified in RFC 1996.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
zones that it loads.
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
Dynamic Update is a method for adding, replacing or deleting
records in a master server by sending it a special form of DNS
messages. The format and meaning of these messages is specified
in RFC 2136.
</p>
<p>
Dynamic update is enabled by including an
<span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
clause in the <span><strong class="command">zone</strong></span> statement.
</p>
<p>
If the zone's <span><strong class="command">update-policy</strong></span> is set to
<strong class="userinput"><code>local</code></strong>, updates to the zone
will be permitted for the key <code class="varname">local-ddns</code>,
which will be generated by <span><strong class="command">named</strong></span> at startup.
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
</p>
<p>
Dynamic updates using Kerberos signed requests can be made by using the
<span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
Kerberos signed requests will be matched against the update
policies for the zone, using the Kerberos principal as the
signer for the request.
</p>
<p>
Updating of secure zones (zones using DNSSEC) follows RFC
3007: RRSIG, NSEC and NSEC3 records affected by updates are
automatically regenerated by the server using an online
zone key. Update authorization is based on transaction
signatures and an explicit server policy.
</p>
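<p>
What "authorization based on transaction signatures" looks like on the wire, as an added example that is not BIND or nsupdate code: a stdlib-only Python encoder builds the RFC 2136 UPDATE message, appends an RFC 2845 TSIG record (HMAC-SHA256), and then verifies it the way a server would before consulting its update policy. The key name <code class="varname">update-key.example.</code>, the secret, the zone and the addresses are constructed sample values; the function names are this example's own.
</p>

```python
"""RFC 2136 UPDATE message with an RFC 2845 TSIG signature, stdlib only.

Added example, not BIND or nsupdate code. Key name, secret, zone and
addresses are constructed sample values.
"""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, ALG_NAME = 250, 255, "hmac-sha256."


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def wire_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, owner, ipv4, msg_id=0x2136):
    """UPDATE (opcode 5) that adds one A record; no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO=1 PR=0 UP=1 AD=0
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)    # SOA, IN
    update = wire_rr(owner, 1, 1, 3600, bytes(int(o) for o in ipv4.split(".")))
    return header + zone_section + update


def _tsig_variables(key_name, time_signed, fudge):
    """TSIG fields the MAC covers (RFC 2845 3.4.2): name, class ANY, TTL 0,
    algorithm, time signed (48 bit), fudge, error 0, other-data length 0."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG_NAME)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))


def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Append the TSIG RR to the additional section (ARCOUNT + 1)."""
    mac = hmac.new(secret, message + _tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG_NAME)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))     # original ID, error, other len
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return (message[:10] + struct.pack("!H", arcount) + message[12:]
            + wire_rr(key_name, TSIG_TYPE, CLASS_ANY, 0, rdata))


def _name_end(buf, pos):
    while buf[pos]:
        pos += 1 + buf[pos]
    return pos + 1


def tsig_verify(signed, keys, now):
    """Server side: strip the trailing TSIG RR, recompute the MAC under the
    named key, then check the time window. keys maps key name -> secret.
    Returns (accepted, rcode-style reason)."""
    counts = list(struct.unpack("!HHHHHH", signed[:12]))
    pos = 12
    for _ in range(counts[2]):                               # zone section entries
        pos = _name_end(signed, pos) + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):   # every RR except the TSIG
        pos = _name_end(signed, pos) + 8
        pos += 2 + struct.unpack("!H", signed[pos:pos + 2])[0]
    counts[5] -= 1                                           # message as it was before signing
    unsigned = struct.pack("!HHHHHH", *counts) + signed[12:pos]
    name_end = _name_end(signed, pos)
    key_name = next((k for k in keys if encode_name(k) == signed[pos:name_end]), None)
    p = name_end + 10                                        # type, class, TTL, rdlength
    alg_end = _name_end(signed, p)
    if key_name is None or signed[p:alg_end] != encode_name(ALG_NAME):
        return False, "BADKEY"
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    time_signed = (hi << 32) | lo
    expected = hmac.new(keys[key_name], unsigned + _tsig_variables(key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


KEY_NAME = "update-key.example."
SECRET = b"constructed-sample-secret-not-for-production"     # constructed value


def demo(now=1_600_000_000):
    """Sign one UPDATE and show the outcomes a server distinguishes."""
    keys = {KEY_NAME: SECRET}
    msg = build_update("example.com.", "host1.example.com.", "192.0.2.10")
    signed = tsig_sign(msg, KEY_NAME, SECRET, time_signed=now)
    tampered = bytearray(signed)
    tampered[len(msg) - 1] ^= 1                              # flip a bit in the A rdata
    return (tsig_verify(signed, keys, now)[1],
            tsig_verify(bytes(tampered), keys, now)[1],
            tsig_verify(signed, keys, now + 3600)[1])
```

<p>
The MAC covers the whole message plus the TSIG variables, so changing a single bit of the update section yields BADSIG, and a signature outside the fudge window yields BADTIME even though the MAC is correct; only a message that passes both checks is handed to the zone's <span><strong class="command">update-policy</strong></span>.
</p>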
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
All changes made to a zone using dynamic update are stored
in the zone's journal file. This file is automatically created
by the server when the first dynamic update takes place.
The name of the journal file is formed by appending the extension
<code class="filename">.jnl</code> to the name of the
corresponding zone file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
</p>
<p>
The server will also occasionally write ("dump")
the complete contents of the updated zone to its zone file.
This is not done immediately after
each dynamic update, because that would be too slow when a large
zone is updated frequently. Instead, the dump is delayed by
up to 15 minutes, allowing additional updates to take place.
During the dump process, transient files will be created
with the extensions <code class="filename">.jnw</code> and
<code class="filename">.jbk</code>; under ordinary circumstances, these
will be removed when the dump is complete, and can be safely ignored.
</p>
<p>
When a server is restarted after a shutdown or crash, it will replay
the journal file to incorporate into the zone any updates that took
place after the last zone dump.
</p>
<p>
Changes that result from incoming incremental zone transfers are
journalled in a similar way.
</p>
<p>
The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
dynamic changes — those are only in the journal file.
The only way to ensure that the zone file of a dynamic zone
is up to date is to run <span><strong class="command">rndc stop</strong></span>.
</p>
<p>
If you have to make changes to a dynamic zone
manually, the following procedure will work: Disable dynamic updates
to the zone using
<span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
This will also remove the zone's <code class="filename">.jnl</code> file
and update the master file. Edit the zone file. Run
<span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
to reload the changed zone and re-enable dynamic updates.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
</p>
<p>
When acting as a master, <acronym class="acronym">BIND</acronym> 9
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR. For manually maintained master
zones, and for slave zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
<span><strong class="command">ixfr-from-differences</strong></span> is set
to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
of the <span><strong class="command">server</strong></span> statement.
</p>
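<p>
The three mechanisms above share one piece of state, the zone's change history. The following added example (not BIND code; it models rather than reads a real <code class="filename">.jnl</code> file) ties them together in Python: the RFC 1982 serial comparison a slave applies once it has fetched the master's SOA after a NOTIFY, the journal replay described under "The journal file" when a server restarts from its last dump, and the RFC 1995 IXFR answer a master derives from that journal, including the fall-back to a full transfer when the journal does not reach back to the slave's serial. The zone records, serials and journal transactions are constructed sample data; <code class="varname">serial_gt</code>, <code class="varname">replay_journal</code> and <code class="varname">ixfr_response</code> are this example's own names.
</p>

```python
"""Serial arithmetic, journal replay and IXFR answers, modelled in pure Python.

Added example, not BIND code. Constructed sample data stands in for the zone
file, the dump serial and the .jnl transactions.
"""
from dataclasses import dataclass

SERIAL_MOD = 1 << 32


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Transaction:
    """One journal entry: the SOA serial before and after, and the RR delta."""
    old_serial: int
    new_serial: int
    deletions: tuple
    additions: tuple


def serial_gt(a, b):
    """RFC 1982 sequence-space comparison: is serial a newer than serial b?"""
    return a != b and (a - b) % SERIAL_MOD < (1 << 31)


def needs_transfer(slave_serial, master_serial):
    """What a slave decides after a NOTIFY, once it has fetched the master's SOA."""
    return serial_gt(master_serial, slave_serial)


def replay_journal(dumped_rrs, dump_serial, journal):
    """Restart path: load the last dump, then replay every transaction newer than it.
    Each applied transaction must start exactly at the serial the zone is at."""
    rrs, serial = set(dumped_rrs), dump_serial
    for txn in journal:
        if not serial_gt(txn.new_serial, serial):
            continue                      # already included in the dump
        if txn.old_serial != serial:
            raise ValueError(f"journal gap: zone at {serial}, entry starts at {txn.old_serial}")
        rrs.difference_update(txn.deletions)
        rrs.update(txn.additions)
        serial = txn.new_serial
    return rrs, serial


def ixfr_response(journal, current_serial, client_serial):
    """RFC 1995 answer for a slave that holds client_serial.
    Returns a list of (kind, value) entries, or None when the journal does not
    reach back far enough and the master must fall back to a full AXFR."""
    if not serial_gt(current_serial, client_serial):
        return [("SOA", current_serial)]         # client is up to date: single SOA
    wanted = [t for t in journal if serial_gt(t.new_serial, client_serial)]
    if not wanted or wanted[0].old_serial != client_serial:
        return None
    answer = [("SOA", current_serial)]
    for t in wanted:                             # one delete block and one add block per version
        answer.append(("SOA", t.old_serial))
        answer.extend(("DEL", rr) for rr in t.deletions)
        answer.append(("SOA", t.new_serial))
        answer.extend(("ADD", rr) for rr in t.additions)
    answer.append(("SOA", current_serial))
    return answer


# Constructed sample data: zone dumped at 2012010100, two updates journalled since.
HOST1_OLD = RR("host1.example.com.", "A", "192.0.2.10")
HOST1_NEW = RR("host1.example.com.", "A", "192.0.2.20")
DUMPED_ZONE = {RR("example.com.", "NS", "ns1.example.com."),
               RR("ns1.example.com.", "A", "192.0.2.1")}
DUMP_SERIAL = 2012010100
JOURNAL = (
    Transaction(2012010100, 2012010101, (), (HOST1_OLD,)),
    Transaction(2012010101, 2012010102, (HOST1_OLD,), (HOST1_NEW,)),
)
CURRENT_SERIAL = JOURNAL[-1].new_serial


if __name__ == "__main__":
    rrs, serial = replay_journal(DUMPED_ZONE, DUMP_SERIAL, JOURNAL)
    print(serial, sorted(r.rdata for r in rrs if r.name == "host1.example.com."))
    for entry in ixfr_response(JOURNAL, CURRENT_SERIAL, 2012010101):
        print(entry)
```

<p>
Two details are worth noting. The serial comparison is done in 32-bit sequence space, so a serial that has wrapped past 0xFFFFFFFF still counts as newer; and a slave whose serial is older than the first journal entry cannot be served incrementally, which is exactly the case in which <span><strong class="command">named</strong></span> answers with a full AXFR instead.
</p>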
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571267"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
<span class="emphasis"><em>Split DNS</em></span> setup. There are several
reasons an organization would want to set up its DNS this way.
</p>
<p>
One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually useful.
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means.
</p>
<p>
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistent view of itself
to the outside world.
</p>
<p>
Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571285"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
has several corporate sites that have an internal network with
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.
</p>
<p>
<span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.
</p>
<p>
In order to accomplish this, the company will set up two sets
of name servers. One set will be on the inside network (in the
IP space) and the other set will be on bastion hosts, which are
hosts that can talk to both sides of its network, in the DMZ.
</p>
<p>
The internal servers will be configured to forward all queries,
except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
and <code class="filename">site2.example.com</code>, to the servers in the
DMZ. These internal servers will have complete sets of information
for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
and <code class="filename">site2.internal</code>.
</p>
<p>
To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
the internal name servers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
hosts.
</p>
<p>
The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
This could include things such as the host records for public servers
(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
</p>
<p>
In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
should have special MX records that contain wildcard (`*') records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.
</p>
<p>
Here's an example of a wildcard MX record:
</p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers on
the bastion hosts will need to be configured to point to the internal
name servers for DNS resolution.
</p>
<p>
Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.
</p>
<p>
In order for all this to work properly, internal clients will
need to be configured to query <span class="emphasis"><em>only</em></span> the internal
name servers for DNS queries. This could also be enforced via
filtering on the network.
</p>
<p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.</li>
<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
Hosts on the Internet will be able to:
</p>
<div class="itemizedlist"><ul type="disc">
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
</ul></div>
<p>
Here is an example configuration for the setup just
described. Note that this is only configuration information;
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
</p>
Internal DNS server config:
<pre class="programlisting">
acl internals { <code class="varname">internal-networks-go-here</code>; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
  ...
  forward only;
  // forward to external servers
  forwarders {
    <code class="varname">bastion-ips-go-here</code>;
  };
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // restrict query access
  allow-query { internals; externals; };
  // restrict recursion
  allow-recursion { internals; };
  ...
};

// sample master zone
zone "site1.example.com" {
  type master;
  // do normal iterative resolution (do not forward)
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; externals; };
  allow-transfer { internals; };
};

zone "site1.internal" {
  type master;
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};

zone "site2.internal" {
  type slave;
  masters { 172.16.72.3; };
  forwarders { };
  allow-query { internals; };
  allow-transfer { internals; };
};
</pre>
External (bastion host) DNS server config:
<pre class="programlisting">
acl internals { <code class="varname">internal-networks-go-here</code>; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
  ...
  // sample allow-transfer (no one)
  allow-transfer { none; };
  // default query access
  allow-query { any; };
  // restrict cache access
  allow-query-cache { internals; externals; };
  // restrict recursion
  allow-recursion { internals; externals; };
  ...
};

// sample master zone
zone "site1.example.com" {
  type master;
  allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
  type slave;
  masters { <code class="varname">another_bastion_host_maybe</code>; };
  allow-transfer { internals; externals; };
};
</pre>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
<pre class="programlisting">
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
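As an added check (example code, not from the ARM or BIND), the following applies the <code class="literal">allow-query</code> and <code class="literal">allow-recursion</code> policy of the two configurations above to sample clients, and shows why internal clients must be pointed only at the internal servers. The internal subnet, the bastion address and the client addresses are constructed placeholders, since the manual leaves them as <code class="varname">bastion-ips-go-here</code>.

```python
import ipaddress

# Added example, not from the ARM: applies the allow-query / allow-recursion
# policy of the two named.conf fragments above to sample clients. The internal
# subnet and bastion address are constructed placeholders (bastion-ips-go-here).
ACLS = {"internals": ["172.16.72.0/24"], "externals": ["203.0.113.5"]}

def acl_match(entries, client):
    """BIND address_match_list: first matching element decides, '!' negates it,
    'any' and named ACLs expand in place."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        negate, elem = entry.startswith("!"), entry.lstrip("!")
        if elem == "any":
            hit = True
        elif elem in ACLS:
            hit = acl_match(ACLS[elem], client)
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False

# The two servers as configured above: options-level ACLs plus per-zone overrides.
INTERNAL = {"allow-query": ["internals", "externals"], "allow-recursion": ["internals"],
            "zones": {"site1.example.com": {}, "site2.example.com": {},
                      "site1.internal": {"allow-query": ["internals"]},
                      "site2.internal": {"allow-query": ["internals"]}}}
BASTION = {"allow-query": ["any"], "allow-recursion": ["internals", "externals"],
           "zones": {"site1.example.com": {}, "site2.example.com": {}}}

def decide(server, client, qname):
    """A served zone answers under its (else options') allow-query; other names
    need allow-query plus allow-recursion (the internal server then forwards)."""
    qname = qname.lower().rstrip(".")
    for zone, overrides in server["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            acl = overrides.get("allow-query", server["allow-query"])
            return "authoritative" if acl_match(acl, client) else "refused"
    if acl_match(server["allow-query"], client) and acl_match(server["allow-recursion"], client):
        return "recursive"
    return "refused"

def checks():
    """Constructed clients: an internal host and an arbitrary Internet host."""
    inside, outside = "172.16.72.10", "198.51.100.7"
    return {
        "inside -> internal server, site1.internal": decide(INTERNAL, inside, "db.site1.internal"),
        "inside -> internal server, Internet name": decide(INTERNAL, inside, "www.example.org"),
        "outside -> internal server, site1.example.com": decide(INTERNAL, outside, "www.site1.example.com"),
        "outside -> bastion, site1.example.com": decide(BASTION, outside, "www.site1.example.com"),
        "outside -> bastion, Internet name": decide(BASTION, outside, "www.example.org"),
        "inside -> bastion, site1.internal": decide(BASTION, inside, "db.site1.internal"),
    }
```

The last entry is the leak the text warns about: an internal client that asks a bastion for a <code class="literal">.internal</code> name gets it recursed out to the Internet instead of answered from the internal zone.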
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TSIG</h2></div></div></div>
This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
<acronym class="acronym">BIND</acronym> primarily supports TSIG for server
to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
TSIG can also be useful for dynamic update. A primary
server for a dynamic zone should control access to the dynamic
update service, but IP-based access control is insufficient.
The cryptographic access control provided by TSIG
is far superior. The <span><strong class="command">nsupdate</strong></span>
program supports TSIG via the <code class="option">-k</code> and
<code class="option">-y</code> command line options or inline by use
of the <span><strong class="command">key</strong></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564004"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564021"></a>Automatic Generation</h4></div></div></div>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is the digest
length, here 256 bits.
<strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
Nothing directly uses this file, but the base-64 encoded string
can be extracted from the file and used as a shared secret:
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
be used as the shared secret.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564059"></a>Manual Generation</h4></div></div></div>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
the length is a multiple of 4 and only valid characters are used),
so the shared secret can be manually generated.
Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
a similar program to generate base-64 encoded data.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564077"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564088"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
<pre class="programlisting">
key host1-host2. {
  algorithm hmac-sha256;
  secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be
non-world readable, or the key directive be added to a non-world
readable file that is included by <code class="filename">named.conf</code>.
At this point, the key is recognized. This means that if the
server receives a message signed by this key, it can verify the
signature. If the signature is successfully verified, the
response is signed by the same key.
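The request/response signing just described, and the shared-secret handling from the key-generation steps above, as an added example that is not BIND's own code: it computes and checks the TSIG MAC the way <span><strong class="command">named</strong></span> does (RFC 2845/8945), with the key name and secret from this section and a 300-second fudge, which is named's default. The DNS messages are constructed minimal queries, not captures, and building the TSIG resource record that carries the MAC on the wire is left out.

```python
import base64, hashlib, hmac, struct, time

# Added example, not BIND's code: the TSIG MAC as named computes it (RFC 2845/8945)
# for a request and for the matching response, using the secret generated above.
# The DNS messages are constructed minimal queries, not captures from a server.
KEY_NAME, ALGORITHM = "host1-host2.", "hmac-sha256."
SECRET = base64.b64decode("La/E5CjG9O+os1jq0a2jdA==")

def name_wire(name):
    """Uncompressed, lowercased (canonical) wire form of a domain name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """Fields the MAC covers besides the message: key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other-data len + data."""
    return (name_wire(KEY_NAME) + struct.pack("!HI", 255, 0) + name_wire(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message, time_signed, fudge=300, request_mac=b""):
    """HMAC over [request MAC length + request MAC,] message, TSIG variables.
    Including the request MAC in a response binds the reply to that query."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += message + tsig_variables(time_signed, fudge)
    return hmac.new(SECRET, data, hashlib.sha256).digest()

def tsig_verify(message, mac, time_signed, fudge=300, request_mac=b"", now=None):
    """Receiver side: reject outside the fudge window, then compare in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_mac(message, time_signed, fudge, request_mac), mac)

def dns_message(msg_id, flags, qname="host1.example.com."):
    """Constructed header + one question (QTYPE A, QCLASS IN); no answer records."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + name_wire(qname) + struct.pack("!HH", 1, 1)

QUERY = dns_message(0x1234, 0x0100)      # standard query from host1
RESPONSE = dns_message(0x1234, 0x8400)   # QR + AA reply from host2

def exchange(now):
    """host1 signs the query, host2 verifies and signs the reply, host1 verifies it."""
    req_mac = tsig_mac(QUERY, now)
    accepted = tsig_verify(QUERY, req_mac, now, now=now)
    resp_mac = tsig_mac(RESPONSE, now, request_mac=req_mac)
    reply_ok = tsig_verify(RESPONSE, resp_mac, now, request_mac=req_mac, now=now)
    return accepted, reply_ok

if __name__ == "__main__":
    print(exchange(int(time.time())))
```

A reply checked without the request's MAC, a tampered message, or a time signed outside the fudge window all fail verification, which is the replay and tampering protection the text refers to.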
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564124"></a>Instructing the Server to Use the Key</h3></div></div></div>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
that the tools shipped with BIND 9.2.x and earlier are not compatible
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
zone example.net {
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
(See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>wget <a href="http://www.openssl.org/source/openssl-0.9.8s.tar.gz" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
project (http://www.opendnssec.org) which provides a PKCS#11
$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
by placing the PIN into the openssl.cnf file (in the above
<a name="id2573002"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.