Bv9ARM.ch04.html revision 9b26804b581d11dc845e96073bda32f739581aee

Chapter 4. Advanced Concepts

Table of Contents

Dynamic Update
Incremental Zone Transfers (IXFR)
IPv6 Support in BIND 9

4.1. Dynamic Update
Dynamic update is the term used for the ability under certain specified conditions to add, modify or delete records or RRsets in the master zone files. Dynamic update is fully described in RFC 2136.

Dynamic update is enabled on a zone-by-zone basis, by including an allow-update or update-policy clause in the zone statement.

Updating of secure zones (zones using DNSSEC) is modelled after the simple-secure-update proposal, a work in progress in the DNS Extensions working group of the IETF. (See http://www.ietf.org/html.charters/dnsext-charter.html for information about the DNS Extensions working group.) SIG and NXT records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.

The zone files of dynamic zones must not be edited by hand. The zone file on disk at any given time may not contain the latest changes performed by dynamic update. The zone file is written to disk only periodically, and changes that have occurred since the zone file was last written to disk are stored only in the zone's journal file. BIND 9 currently does not update the zone file when it exits as BIND 8 does, so editing the zone file manually is unsafe even when the server has been shut down.
4.2. Incremental Zone Transfers (IXFR)

The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is documented in RFC 1995. See .

When acting as a master, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR, but not manually maintained master zones nor slave zones obtained by performing a full zone transfer.

When acting as a slave, BIND 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the request-ixfr statement.
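The change-history rule described above (a master can serve IXFR only for zones whose changes are on record, such as the journal kept by dynamic update), as an added Python example that is not BIND's own code: a toy master zone records each dynamic update as a serial-numbered delta, and answer_ixfr serves an incremental transfer when the client's serial is in that history and falls back to a full transfer when it is not. Zone names, records and serials are constructed for the example; serial-number wraparound arithmetic (RFC 1982) is ignored.

```python
# Added example, not BIND's own code: a master zone with a journal of
# serial-numbered deltas, and the IXFR-or-full-transfer decision a master makes.
from dataclasses import dataclass, field


@dataclass
class Delta:
    """One change to the zone: serial before, serial after, RRs removed, RRs added."""
    old_serial: int
    new_serial: int
    deleted: list
    added: list


@dataclass
class Zone:
    name: str
    serial: int
    records: set                                  # RRs as (owner, type, rdata) tuples
    journal: list = field(default_factory=list)   # deltas, oldest first

    def apply_update(self, deletions, additions):
        """A dynamic update: change the records, bump the serial and append the
        delta to the journal so that later IXFR requests can be served from it."""
        delta = Delta(self.serial, self.serial + 1, sorted(deletions), sorted(additions))
        self.records = (self.records - set(deletions)) | set(additions)
        self.serial += 1
        self.journal.append(delta)
        return delta


def answer_ixfr(zone, client_serial):
    """How a master answers an IXFR request carrying the client's current serial.
    Returns ("uptodate", None), ("ixfr", [deltas...]) or ("axfr", [records...])."""
    if client_serial >= zone.serial:          # client already current (wraparound ignored)
        return ("uptodate", None)
    # Deltas that lead from the client's serial up to the current one.
    deltas = [d for d in zone.journal if d.old_serial >= client_serial]
    if deltas and deltas[0].old_serial == client_serial:
        return ("ixfr", deltas)
    # The history starts after the client's serial, or there is no journal at all
    # (a manually maintained master zone): only a full transfer can bring it current.
    return ("axfr", sorted(zone.records))


def build_sample_zone():
    """Constructed sample: a dynamically updated zone with two updates in its journal."""
    zone = Zone("example.com.", 1, {("www.example.com.", "A", "192.0.2.1")})
    zone.apply_update([], [("mail.example.com.", "A", "192.0.2.2")])
    zone.apply_update([("www.example.com.", "A", "192.0.2.1")],
                      [("www.example.com.", "A", "192.0.2.3")])
    return zone


if __name__ == "__main__":
    z = build_sample_zone()
    for client_serial in (3, 2, 1, 0):
        print(client_serial, answer_ixfr(z, client_serial))
    manual = Zone("example.net.", 5, {("example.net.", "NS", "ns1.example.net.")})
    print(answer_ixfr(manual, 4))             # no journal, so a full transfer
```

A client at serial 2 receives only the second delta, a client at serial 1 receives both, and a client at serial 0, or any client of the journal-less example.net zone, is sent the whole zone, which is exactly the distinction the text draws between dynamically updated and manually maintained master zones.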
4.3. Split DNS

Setting up different views, or visibility, of DNS space to internal and external resolvers is usually referred to as a Split DNS setup. There are several reasons an organization would want to set up its DNS this way.

One common reason for setting up a DNS system this way is to hide "internal" DNS information from "external" clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via email headers, for example) and most savvy "attackers" can find the information they need using other means.

Another common reason for setting up a Split DNS system is to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network.

Here is an example of a split DNS setup:

Let's say a company named Example, Inc. has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), or "outside" section of a network, that is available to the public.

Example, Inc. wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network.

In order to accomplish this, the company will set up two sets of nameservers. One set will be on the inside network (in the reserved IP space) and the other set will be on bastion hosts, which are "proxy" hosts that can talk to both sides of its network, in the DMZ.
The internal servers will be configured to forward all queries, except queries for [...], to the servers in the DMZ. These internal servers will have complete sets of information for [...].

To protect the [...] domains, the internal nameservers must be configured to disallow all queries to these domains from any external hosts, including the bastion hosts.

The external servers, which are on the bastion hosts, will be configured to serve the "public" version of the [...]. This could include things such as the host records for public servers ([...]) and mail exchange (MX) records ([...]).

In addition, the public [...] should have special MX records that contain wildcard (`*') records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts.

Here's an example of a wildcard MX record:

[...]

Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on the bastion hosts will need to be configured to point to the internal nameservers for DNS resolution.

Queries for internal hostnames will be answered by the internal servers, and queries for external hostnames will be forwarded back out to the DNS servers on the bastion hosts.

In order for all this to work properly, internal clients will need to be configured to query the internal nameservers for DNS queries. This could also be enforced via selective filtering on the network.

If everything has been set properly, Example, Inc. internal clients will now be able to:

- Look up any hostnames in the [...].
- Look up any hostnames in the [...].
- Look up any hostnames on the Internet.
- Exchange mail with internal AND external people.

Hosts on the Internet will be able to:

- Look up any hostnames in the [...].
- Exchange mail with anyone in the [...].

Here is an example configuration for the setup we just described above. Note that this is only configuration information; for information on how to configure your zone files, see Section 3.1.
Internal DNS server config:

acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    ...
    forwarders {                               // forward to external servers
        bastion-ips-go-here;
    };
    allow-transfer { none; };                  // sample allow-transfer (no one)
    allow-query { internals; externals; };     // restrict query access
    allow-recursion { internals; };            // restrict recursion
    ...
};

zone "site1.example.com" {                     // sample slave zone
    forwarders { };                            // do normal iterative
                                               // resolution (do not forward)
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "..." {
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "..." {
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "..." {
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

External (bastion host) DNS server config:

acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    ...
    allow-transfer { none; };                  // sample allow-transfer (no one)
    allow-query { internals; externals; };     // restrict query access
    allow-recursion { internals; externals; }; // restrict recursion
    ...
};

zone "site1.example.com" {                     // sample slave zone
    allow-query { any; };
    allow-transfer { internals; externals; };
};

zone "..." {
    masters { another_bastion_host_maybe; };
    allow-query { any; };
    allow-transfer { internals; externals; };
};

In the resolv.conf (or equivalent) on the bastion host(s):

search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
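How the allow-query and allow-recursion lists in the configuration above are evaluated, as an added Python example that is not BIND's own code: it models named.conf address match list semantics (elements are tested in order and the first match decides, a "!" prefix negates, and a named ACL nested in a list counts only when it matches positively, otherwise evaluation continues). The ACL contents are the ones from the internal server listing, with the documentation range 192.0.2.0/24 standing in for the bastion-ips-go-here placeholder; the client addresses are constructed.

```python
# Added example, not BIND's own code: evaluation of named.conf address match
# lists (first match wins, "!" negates, named ACLs may be nested).
import ipaddress

# ACLs from the internal server config above; 192.0.2.0/24 is a constructed
# stand-in for the "bastion-ips-go-here" placeholder.
ACLS = {
    "internals": ["172.16.72.0/24", "192.168.1.0/24"],
    "externals": ["192.0.2.0/24"],
}

# The allow-* lists from the internal server's options block.
INTERNAL_OPTIONS = {
    "allow-query": ["internals", "externals"],
    "allow-recursion": ["internals"],
    "allow-transfer": ["none"],
}


def match_list(client, elements):
    """Return +1 for a positive match, -1 for a negated match, 0 for no match.
    Elements are tested in order; the first one that matches decides."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in ACLS:
            # A nested ACL counts only when it matches positively; a negated
            # match inside it just means "keep looking" in the outer list.
            hit = match_list(client, ACLS[name]) > 0
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negate else 1
    return 0


def allowed(client_ip, elements):
    """True if the client address is permitted by the address match list."""
    return match_list(ipaddress.ip_address(client_ip), elements) > 0


def check(client_ip, option, options=INTERNAL_OPTIONS):
    """Evaluate one allow-* option of a server config for a client address."""
    return allowed(client_ip, options[option])


if __name__ == "__main__":
    for ip in ("172.16.72.5", "192.0.2.10", "203.0.113.7"):
        print(ip, "query:", check(ip, "allow-query"),
              "recursion:", check(ip, "allow-recursion"),
              "transfer:", check(ip, "allow-transfer"))
    # Order matters: a negation placed after an element that already matched never fires.
    print(allowed("192.0.2.9", ["!192.0.2.9", "externals"]))
    print(allowed("192.0.2.9", ["externals", "!192.0.2.9"]))
```

Run as a script it shows the policy the listing encodes: an internal client may query and recurse, a bastion host may query but not recurse through the internal server, an Internet address is refused, and nobody may transfer. The last two lines show why an exclusion has to precede the list it carves out of.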
4.4. TSIG

This is a short guide to setting up Transaction SIGnatures (TSIG) based transaction security in BIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction keys and using transaction signatures with BIND.

BIND primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages. Resolvers based on newer versions of BIND 8 have limited support.

TSIG might be most useful for dynamic update. A primary server for a dynamic zone should use access control to control updates, but IP-based access control is insufficient. Key-based access control is far superior, see . The [...] program supports TSIG via the [...] command line options.
4.4.1. Generate Shared Keys for Each Pair of Hosts

A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must be the same on both hosts.

4.4.1.1. Automatic Generation

The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; keys longer than that will be digested with MD5 to produce a 128 bit key.

dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.

The key is in the file [...]. Nothing directly uses this file, but the base-64 encoded string following "[...]" can be extracted from the file and used as a shared secret:

[...]

The string "[...]" can be used as the shared secret.
4.4.1.2. Manual Generation

The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming the length is a multiple of 4 and only valid characters are used), so the shared secret can be manually generated.

Also, a known string can be run through [...] or a similar program to generate base-64 encoded data.

4.4.2. Copying the Shared Secret to Both Machines

This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc.
4.4.3. Informing the Servers of the Key's Existence

Suppose host1 and host2 are both servers. The following is added to each server's configuration file:

key host1-host2. {
    algorithm hmac-md5;
    secret "...";
};

The algorithm, hmac-md5, is the only one supported by BIND. The secret is the one generated above. Since this is a secret, it is recommended that either the configuration file be non-world readable, or the key directive be added to a non-world readable file that is included by the configuration file.

At this point, the key is recognized. This means that if the server receives a message signed by this key, it can verify the signature. If the signature succeeds, the response is signed by the same key.
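The signing and verification just described, together with the manual secret generation of 4.4.1.2, as an added Python example that is not BIND's own code: a minimal TSIG (RFC 2845) implementation with HMAC-MD5. It signs a constructed DNS query under the key name host1-host2. the way host1 would, and verifies it the way host2 would, rejecting a tampered message, a wrong secret, an unknown key name and a stale timestamp. The secret, message ID and timestamps are constructed for the example; the parser assumes the TSIG RR's owner and algorithm names are not compressed, as the RFC requires.

```python
# Added example, not BIND's own code: TSIG (RFC 2845) signing and verification
# with HMAC-MD5, the only TSIG algorithm this chapter says BIND supports.
import base64
import hashlib
import hmac
import secrets
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
ALGORITHM = "hmac-md5.sig-alg.reg.int."   # RFC 2845 algorithm name for HMAC-MD5


def generate_secret(bits=128):
    """Manual generation as in 4.4.1.2: a random bit string, base-64 encoded."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def encode_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(buf, pos):
    """Read an uncompressed name (TSIG names must not be compressed)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode())
        pos += buf[pos] + 1
    return ".".join(labels).lower() + ".", pos + 1


def skip_name(buf, pos):
    """Skip a name that may end in a two-byte compression pointer."""
    while buf[pos]:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += buf[pos] + 1
    return pos + 1


def build_query(msg_id, qname, qtype=1):
    """An unsigned query: header with RD set, one question, ARCOUNT 0."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG variables hashed after the message (RFC 2845 section 3.4.2)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def _mac(secret_b64, request_mac, message, variables):
    """HMAC-MD5 over [request MAC] + message + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return hmac.new(base64.b64decode(secret_b64), prefix + message + variables, hashlib.md5).digest()


def tsig_sign(message, keyname, secret_b64, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR; for a response, request_mac is the MAC of the request."""
    mac = _mac(secret_b64, request_mac, message, tsig_variables(keyname, time_signed, fudge))
    original_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr, mac


def tsig_verify(signed, keyname, secret_b64, now, request_mac=b""):
    """Check the TSIG RR (the last additional record). Returns (ok, reason)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG RR"
    pos = 12
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):                 # every RR before the TSIG RR
        pos = skip_name(signed, pos) + 8
        pos += 2 + struct.unpack("!H", signed[pos:pos + 2])[0]
    tsig_start = pos
    name, pos = read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    pos += 10                                          # type, class, ttl, rdlength
    if rtype != TSIG_TYPE:
        return False, "last RR is not TSIG"
    alg, pos = read_name(signed, pos)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    mac, pos = signed[pos:pos + macsize], pos + macsize
    original_id, error, otherlen = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + otherlen]
    if name != keyname.lower().rstrip(".") + "." or alg != ALGORITHM:
        return False, "BADKEY"                         # unknown key name or algorithm
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    time_signed = (hi << 32) | lo
    expected = _mac(secret_b64, request_mac, unsigned,
                    tsig_variables(keyname, time_signed, fudge, error, other))
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:                 # only checked once the MAC is good
        return False, "BADTIME"
    return True, "ok"
```

A typical run is `signed, mac = tsig_sign(build_query(0x1234, "site1.example.com"), "host1-host2.", generate_secret(), time_signed=...)` on one side and `tsig_verify(signed, "host1-host2.", same_secret, now=...)` on the other; the check order (key, then MAC, then time) follows the RFC so that a BADTIME verdict is only ever given for a message whose signature is genuine.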
4.4.4. Instructing the Server to Use the Key

Since keys are shared between two hosts only, the server must be told when keys are to be used. The following is added to the configuration file for host1, if the IP address of host2 is 10.1.2.3:

server 10.1.2.3 {
    keys { host1-host2. ;};
};

Multiple keys may be present, but only the first is used. This directive does not contain any secrets, so it may be in a world-readable file.

If host1 sends a message that is a response to that address, the message will be signed with the specified key. host1 will expect any responses to signed messages to be signed with the same key.

A similar statement must be present in host2's configuration file (with host1's address) for host2 to sign non-response messages to host1.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>4.4.5. TSIG Key Based Access Control</A
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="acronym"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> allows IP addresses and ranges to be specified in ACL
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtondefinitions and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="command"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>allow-{ query | transfer | update } </B
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonThis has been extended to allow TSIG keys also. The above key would
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="command"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>key host1-host2.</B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>An example of an allow-update directive would be:</P
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="programlisting"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> allow-update { key host1-host2. ;};
a070512005933acaf17f635c6371e555425d9641Automatic Updater>This allows dynamic updates to succeed only if the request
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater was signed by a key named
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="command"
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson>host1-host2.</B
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson>You may want to read about the more
91216cff91b34c9ff6e846dc23f248219cafe660Andreas GustafssonCLASS="command"
d912d1139efa8410785f0fc88dfb7dc7fbaae6deMark Andrews>update-policy</B
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews> statement in <A
ac4e70ff8955669341f435bc0a734a17c01af124Mark AndrewsHREF="Bv9ARM.ch06.html#dynamic_update_policies"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>Section 6.2.20.4</A
5147281cb8e25c599d759dfa65fdb6f9125efefbMark AndrewsCLASS="sect2"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>4.4.6. Errors</A
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews>The processing of TSIG signed messages can result in
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews several errors. If a signed message is sent to a non-TSIG aware
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews server, a FORMERR will be returned, since the server will not
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews understand the record. This is a result of misconfiguration,
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews since the server must be explicitly configured to send a TSIG
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews signed message to a specific server.</P
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater>If a TSIG aware server receives a message signed by an
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews unknown key, the response will be unsigned with the TSIG
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater extended error code set to BADKEY. If a TSIG aware server
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater receives a message with a signature that does not validate, the
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews response will be unsigned with the TSIG extended error code set
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews to BADSIG. If a TSIG aware server receives a message with a time
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews outside of the allowed range, the response will be signed with
10b4a0c3a4eec1b22b990c0a0595fbda51f54e94Automatic Updater the TSIG extended error code set to BADTIME, and the time values
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews will be adjusted so that the response can be successfully
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews verified. In any of these cases, the message's rcode is set to
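The outcomes described in this section, as an added example that is not code from the BIND ARM: a server classifies a TSIG-signed request as FORMERR (server not TSIG aware), BADKEY, BADSIG or BADTIME, signing its response only where the section says it does. The MAC coverage is simplified (a real TSIG covers the wire-format message plus the TSIG variables), and every key name, secret and timestamp below is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Tsig:
    key_name: str        # e.g. "host1-host2." (constructed name)
    time_signed: int     # seconds since the epoch, as sent in the request
    fudge: int           # allowed clock skew in seconds
    mac: bytes


@dataclass
class Outcome:
    error: str                  # FORMERR, BADKEY, BADSIG, BADTIME or NOERROR
    response_signed: bool       # whether the server signs its response
    server_time: Optional[int]  # server clock, returned on BADTIME so the client
                                # can verify the (signed) response


def tsig_mac(secret: bytes, message: bytes, key_name: str,
             time_signed: int, fudge: int) -> bytes:
    """HMAC-MD5 over the message and the covered TSIG fields (simplified coverage,
    enough that a changed message, key or time changes the MAC)."""
    covered = (message
               + key_name.lower().encode("ascii")
               + time_signed.to_bytes(6, "big")
               + fudge.to_bytes(2, "big"))
    return hmac.new(secret, covered, hashlib.md5).digest()


def sign_request(secret: bytes, message: bytes, key_name: str,
                 now: int, fudge: int = 300) -> Tsig:
    """Client side: attach a TSIG record computed with the shared secret."""
    return Tsig(key_name, now, fudge, tsig_mac(secret, message, key_name, now, fudge))


def verify_request(message: bytes, tsig: Optional[Tsig], keys: Dict[str, bytes],
                   now: int, tsig_aware: bool = True) -> Outcome:
    """Server side. `keys` maps lower-cased key names to secrets; `now` is the
    server clock. The MAC is checked before the time so that only a request
    from a holder of the key gets a signed BADTIME response."""
    if tsig is None:
        return Outcome("NOERROR", False, None)      # ordinary unsigned request
    if not tsig_aware:
        # A server that does not understand the TSIG record rejects the message.
        return Outcome("FORMERR", False, None)
    secret = keys.get(tsig.key_name.lower())
    if secret is None:
        # Unknown key: nothing to sign with, so the response is unsigned.
        return Outcome("BADKEY", False, None)
    expected = tsig_mac(secret, message, tsig.key_name, tsig.time_signed, tsig.fudge)
    if not hmac.compare_digest(expected, tsig.mac):
        # Known key but the MAC does not match: wrong secret or altered message.
        return Outcome("BADSIG", False, None)
    if abs(now - tsig.time_signed) > tsig.fudge:
        # Good signature, clock outside the window: the key is trusted, so the
        # response is signed and carries the server time for the client to use.
        return Outcome("BADTIME", True, now)
    return Outcome("NOERROR", True, None)
```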
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsCLASS="sect1"
bf1263835e8e35421960f65088c043f42aacef13Mark AndrewsCLASS="sect1"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsNAME="AEN816"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews>4.5. TKEY</A
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsCLASS="command"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews> is a mechanism for automatically
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews generating a shared secret between two hosts. There are several
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews "modes" of <B
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark AndrewsCLASS="command"
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews> that specify how the key is
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews generated or assigned. <SPAN
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="acronym"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> implements only one of these modes,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the Diffie-Hellman key exchange. Both hosts are required to have
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews a Diffie-Hellman KEY record (although this record is not required
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews to be present in a zone). The <B
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews must use signed messages, signed either by TSIG or SIG(0). The
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews result of <B
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> is a shared secret that can be
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews used to sign messages with TSIG. <B
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews be used to delete shared secrets that it had previously
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews generated.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> process is initiated by a client
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews or server by sending a signed <B
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews (including any appropriate KEYs) to a TKEY-aware server. The
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews server response, if it indicates success, will contain a
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> record and any appropriate keys. After
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews this exchange, both participants have enough information to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews determine the shared secret; the exact process depends on the
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> mode. When using the Diffie-Hellman
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> mode, Diffie-Hellman keys are exchanged,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and the shared secret is derived by both participants.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect1"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect1"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsNAME="AEN831"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>4.6. SIG(0)</A
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="acronym"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> 9 partially supports DNSSEC SIG(0) transaction
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews signatures as specified in RFC 2535. SIG(0) uses public/private
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews keys to authenticate messages. Access control is performed in the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews same manner as TSIG keys; privileges can be granted or denied
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews based on the key name.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>When a SIG(0) signed message is received, it will only be
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews verified if the key is known and trusted by the server; the server
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews will not attempt to locate and/or validate the key.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="acronym"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> 9 does not ship with any tools that generate SIG(0)
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews signed messages.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect1"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect1"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsNAME="DNSSEC"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>4.7. DNSSEC</A
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>Cryptographic authentication of DNS information is possible
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews through the DNS Security (<I
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="emphasis"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>) extensions,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews defined in RFC 2535. This section describes the creation and use
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews of DNSSEC signed zones.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>In order to set up a DNSSEC secure zone, there are a series
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews of steps which must be followed. <SPAN
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="acronym"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> 9 ships with several tools
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews that are used in this process, which are explained in more detail
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews below. In all cases, the "<TT
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="option"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>" option prints a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews full list of parameters.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>There must also be communication with the administrators of
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the parent and/or child zone to transmit keys and signatures. A
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews zone's security status must be indicated by the parent zone for a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews DNSSEC capable resolver to trust its data.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>For other servers to trust data in this zone, they must
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews either be statically configured with this zone's zone key or the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews zone key of another zone above this one in the DNS tree.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect2"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="sect2"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsNAME="AEN847"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>4.7.1. Generating Keys</A
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>dnssec-keygen</B
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> program is used to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews generate keys.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>A secure zone must contain one or more zone keys. The
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews zone keys will sign all other records in the zone, as well as
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the zone keys of any secure delegated zones. Zone keys must
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews have the same name as the zone, a name type of
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>, and must be usable for authentication.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews It is recommended that zone keys use a mandatory-to-implement
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews cryptographic algorithm; currently the only mandatory-to-implement
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews algorithm is DSA.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>The following command will generate a 768 bit DSA key for
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="userinput"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>Two output files will be produced:
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews 12345 is an example of a key tag). The key file names contain
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the key name (<TT
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>), algorithm (3
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The private key (in the <TT
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>.private</TT
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews used to generate signatures, and the public key (in the
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> file) is used for signature
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews verification.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>To generate another key with the same properties (but with
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews a different key tag), repeat the above command.</P
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews>The public keys should be inserted into the zone file with
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="command"
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews> statements, including the
4f087942583014b241adca1bc78c6db89ed96e94Mark AndrewsCLASS="filename"
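How the Kchild.example.+003+12345 file names above are derived, as an added example that is not BIND's own code: the key tag is the 16-bit checksum of the KEY RDATA from RFC 2535 Appendix C, and the file name is K, the key name, the algorithm number (three digits) and the tag (five digits). The RDATA bytes in the test are constructed, not a real DSA key, and the layout of the .key file line is an assumption.

```python
import base64
import re
from typing import Tuple


def key_tag(rdata: bytes) -> int:
    """Checksum from RFC 2535 Appendix C: sum the RDATA as big-endian 16-bit
    words, fold the carry back in, keep 16 bits. RFC 2535 defines a different
    tag for algorithm 1 (RSA/MD5); this is the one used for DSA (3) and others."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format KEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_file_basename(name: str, algorithm: int, tag: int) -> str:
    """e.g. 'Kchild.example.+003+12345'; dnssec-keygen adds .key and .private."""
    if not name.endswith("."):
        name += "."
    return f"K{name}+{algorithm:03d}+{tag:05d}"


_KEYFILE_RE = re.compile(
    r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(\.key|\.private)?$")


def parse_key_filename(filename: str) -> Tuple[str, int, int]:
    """Split a key file name back into (key name, algorithm, key tag)."""
    m = _KEYFILE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a dnssec-keygen file name: {filename!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_rr_line(name: str, flags: int, protocol: int, algorithm: int,
                public_key: bytes) -> str:
    """The KEY record as written to the .key file and pulled into the zone with
    $INCLUDE (assumed layout: owner, class, type, flags, protocol, alg, base64).
    Flags 256 marks a zone key; protocol 3 is DNSSEC."""
    b64 = base64.b64encode(public_key).decode("ascii")
    return f"{name} IN KEY {flags} {protocol} {algorithm} {b64}"
```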
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsNAME="AEN867"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>4.7.2. Creating a Keyset</A
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="command"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>dnssec-makekeyset</B
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews> program is used
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews to create a key set from one or more keys.</P
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>Once the zone keys have been generated, a key set must be
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews built for transmission to the administrator of the parent zone,
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews so that the parent zone can sign the keys with its own zone key
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews and correctly indicate the security status of this zone. When
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews building a key set, the list of keys to be included and the TTL
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews of the set must be specified, and the desired signature validity
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews period of the parent's signature may also be specified.</P
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>The list of keys to be inserted into the key set may also
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews include non-zone keys present at the top of the zone.
959fb01017fa83578e7c8776ed3baba3076a2409Mark AndrewsCLASS="command"
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews>dnssec-makekeyset</B
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews> may also be used at other
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews names in the zone.</P
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews>The following command generates a key set containing the
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews above key and another key similarly generated, with a TTL of
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews 3600 and a signature validity period of 10 days starting from
959fb01017fa83578e7c8776ed3baba3076a2409Mark AndrewsCLASS="userinput"
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews>dnssec-makekeyset -t 3600 -e +86400 Kchild.example.+003+12345 Kchild.example.+003+23456</B
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson>One output file is produced:
56874aef380a64a2c183b7c282c3e7a361d67fa1Automatic UpdaterCLASS="filename"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson>. This file should be
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson transmitted to the parent to be signed. It includes the keys,
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews as well as signatures over the key set generated by the zone
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews keys themselves, which are used to prove ownership of the
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews private keys and encode the desired validity period.</P
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark AndrewsCLASS="sect2"
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark AndrewsCLASS="sect2"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>4.7.3. Signing the Child's Keyset</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="command"
da93950363b307b718d156514b95b9df93a63776Mark Andrews>dnssec-signkey</B
da93950363b307b718d156514b95b9df93a63776Mark Andrews> program is used to
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews sign one child's keyset.</P
f55369d776907119cd8699a4119d9c80daa7cae4Mark AndrewsCLASS="filename"
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater delegations which are secure, for example,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="filename"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="filename"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> administrator should receive
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews keyset files for each secure subzone. These keys must be signed
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews by this zone's zone keys.</P
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews>The following command signs the child's key set with the
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews zone keys:</P
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark AndrewsCLASS="userinput"
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews>dnssec-signkey grand.child.example.keyset Kchild.example.+003+12345 Kchild.example.+003+23456</B
c51b419ad4ebc3997e16ddb8760245fc8ebf522bAutomatic Updater>One output file is produced:
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="filename"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater should be both transmitted back to the child and retained. It
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews includes all keys (the child's keys) from the keyset file and
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews signatures generated by this zone's zone keys.</P
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark AndrewsCLASS="sect2"
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark AndrewsCLASS="sect2"
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark AndrewsNAME="AEN892"
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews>4.7.4. Signing the Zone</A
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="command"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>dnssec-signzone</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> program is used to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews sign a zone.</P
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="filename"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>signedkey</TT
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> files corresponding to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews secure subzones should be present, as well as a
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="filename"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>signedkey</TT
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> file for this zone generated by
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the parent (if there is one). The zone signer will generate
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="literal"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="literal"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews> records for
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the zone, as well as incorporate the zone key signature from the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews parent and indicate the security status at all delegation
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>The following command signs the zone, assuming it is in a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater file called <TT
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="filename"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews default, all zone keys which have an available private key are
195e7b7a6e0bdc80373d65085e12a2950e9a1226Mark Andrews used to generate signatures.</P
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsCLASS="userinput"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>dnssec-signzone -o child.example zone.child.example</B
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews>One output file is produced:
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="filename"
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews should be referenced by <TT
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonCLASS="filename"
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington input file for the zone.</P
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>4.7.5. Configuring Servers</A
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>Unlike in <SPAN
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="acronym"
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews> 8, data is not verified on load in <SPAN
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="acronym"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews so zone keys for authoritative zones do not need to be specified
5f7e0eb1cb917b788906d3e2aa01bfc4885dcae4Mark Andrews in the configuration file.</P
15ae68f3db8261770fc33b8e0f83f5d8c7021e84Mark Andrews>The public key for any security root must be present in
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews the configuration file's <B
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="command"
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews>trusted-keys</B
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews statement, as described later in this document. </P
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsNAME="AEN915"
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews>4.8. IPv6 Support in <SPAN
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsCLASS="acronym"
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsCLASS="acronym"
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews> 9 fully supports all currently defined forms of IPv6
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews name to address and address to name lookups. It will also use
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews IPv6 addresses to make queries when running on an IPv6 capable
a8644ebab678a1de66cbfaabb513651a739958afAutomatic Updater>For forward lookups, <SPAN
a8644ebab678a1de66cbfaabb513651a739958afAutomatic UpdaterCLASS="acronym"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson> 9 supports both A6 and AAAA
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater records. The use of AAAA records is deprecated, but it is still
981fd9903a13ba8b13e181a9eee51f228c7204c1Automatic Updater useful for hosts to have both AAAA and A6 records to maintain
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews backward compatibility with installations where AAAA records are
3098364bcdd7a719fbafa5fc8d2cc9e90e5a5989Automatic Updater still used. In fact, the stub resolvers currently shipped with
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews most operating systems support only AAAA lookups, because following
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews A6 chains is much harder than doing A or AAAA lookups.</P
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews>For IPv6 reverse lookups, <SPAN
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCLASS="acronym"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews> 9 supports the new
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews "bitstring" format used in the <I
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="emphasis"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews domain, as well as the older, deprecated "nibble" format used in
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="emphasis"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="acronym"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews> 9 includes a new lightweight resolver library and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews resolver daemon which new applications may choose to use to avoid
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews the complexities of A6 chain following and bitstring labels, see <A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>Chapter 5</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsNAME="AEN929"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>4.8.1. Address Lookups Using AAAA Records</A
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews>The AAAA record is a parallel to the IPv4 A record. It
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews specifies the entire address in a single record. For
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewshost 3600 IN AAAA 3ffe:8050:201:1860:42::1
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>While their use is deprecated, they are useful to support
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews older IPv6 applications. They should not be added where they
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson are not absolutely necessary.</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsNAME="AEN934"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>4.8.2. Address Lookups Using A6 Records</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>The A6 record is more flexible than the AAAA record, and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews is therefore more complicated. The A6 record can be used to
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews form a chain of A6 records, each specifying part of the IPv6
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews address. It can also be used to specify the entire record as
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews well. For example, this record supplies the same data as the
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews AAAA record in the previous example:</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewshost 3600 IN A6 0 3ffe:8050:201:1860:42::1
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect3"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect3"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsNAME="AEN938"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>4.8.2.1. A6 Chains</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>A6 records are designed to allow network
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews renumbering. This works when an A6 record only specifies the
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews part of the address space the domain owner controls. For
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews example, a host may be at a company named "company." It has
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews two ISPs which provide IPv6 address space for it. These two
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews ISPs fully specify the IPv6 prefix they supply.</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>In the company's address space:</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewshost 3600 IN A6 64 0:0:0:0:42::1 company.example1.net.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewshost 3600 IN A6 64 0:0:0:0:42::1 company.example2.net.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>ISP1 will use:</P
3098364bcdd7a719fbafa5fc8d2cc9e90e5a5989Automatic UpdaterCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewscompany 3600 IN A6 0 3ffe:8050:201:1860::
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>ISP2 will use:</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewscompany 3600 IN A6 0 1234:5678:90ab:fffa::
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="systemitem"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews> is looked up,
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews the resolver (in the resolver daemon or caching name server)
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews will find two partial A6 records, and will use the additional
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews name to find the remainder of the data.</P
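The chain following described above, as an added example that is not BIND's resolver code: each A6 record contributes the low 128 minus prefix-length bits, and the named prefix's own A6 records supply the rest. The record set is constructed from the ISP1/ISP2 example (the host is given the made-up name host.company.example.), and the depth and loop limits are a constructed guard, not BIND's values.

```python
import ipaddress
from typing import Dict, List, Tuple

# (prefix length, address suffix, name supplying the prefix; "" when length is 0)
A6Record = Tuple[int, str, str]

# Constructed from the example above: two partial records at the company,
# each ISP publishing the prefix it delegates.
RECORDS: Dict[str, List[A6Record]] = {
    "host.company.example.": [
        (64, "0:0:0:0:42::1", "company.example1.net."),
        (64, "0:0:0:0:42::1", "company.example2.net."),
    ],
    "company.example1.net.": [(0, "3ffe:8050:201:1860::", "")],
    "company.example2.net.": [(0, "1234:5678:90ab:fffa::", "")],
}

MAX_DEPTH = 16  # constructed limit: a chain nesting deeper than this is refused


def resolve_a6(name: str, records: Dict[str, List[A6Record]],
               depth: int = 0, seen: Tuple[str, ...] = ()) -> List[ipaddress.IPv6Address]:
    """Return every full address reachable from `name`'s A6 records.

    Chains that loop or nest too deeply are rejected rather than followed:
    a resolver that follows them blindly can be driven into unbounded work
    by a single misconfigured or hostile zone."""
    if depth > MAX_DEPTH or name in seen:
        raise ValueError(f"A6 chain too deep or loops at {name}")
    addresses: List[ipaddress.IPv6Address] = []
    for prefix_len, suffix, prefix_name in records.get(name, []):
        low_mask = (1 << (128 - prefix_len)) - 1
        low = int(ipaddress.IPv6Address(suffix)) & low_mask
        if prefix_len == 0:
            # A6 0 carries the whole address, like an AAAA record.
            addresses.append(ipaddress.IPv6Address(low))
            continue
        # Ask the prefix owner for its addresses and splice the high bits in.
        for prefix in resolve_a6(prefix_name, records, depth + 1, seen + (name,)):
            high = int(prefix) & ~low_mask
            addresses.append(ipaddress.IPv6Address(high | low))
    return addresses
```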
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect3"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect3"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>4.8.2.2. A6 Records for DNS Servers</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>When an A6 record specifies the address of a name
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews server, it should use the full address (prefix length 0) rather than
a8644ebab678a1de66cbfaabb513651a739958afAutomatic Updater a partial address, so that the server's address can be obtained without first following an A6 chain through other zones. For example:</P
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews@ 14400 IN NS ns0
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews 14400 IN NS ns1
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewsns0 14400 IN A6 0 3ffe:8050:201:1860:42::1
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewsns1 14400 IN A 192.168.42.1
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>It is recommended that IPv4-in-IPv6 mapped addresses not
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews be used. If a host has an IPv4 address, use an A record, not
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews an A6, with <TT
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="literal"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>::ffff:192.168.42.1</TT
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews>4.8.3. Address to Name Lookups Using Nibble Format</A
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson>While the use of nibble format to look up names is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater deprecated, it is supported for backwards compatibility with
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews existing IPv6 applications.</P
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>When looking up an address in nibble format, the address is written out in full, each hexadecimal digit (nibble) becomes one label, the labels
981fd9903a13ba8b13e181a9eee51f228c7204c1Automatic Updater are placed in reverse order, just as in IPv4, and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="literal"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews> is appended to the resulting name.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews For example, the following would provide reverse name lookup for
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews a host with address
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="literal"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater>3ffe:8050:201:1860:42::1</TT
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews> $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.int.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>4.8.4. Address to Name Lookups Using Bitstring Format</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>Bitstring labels can start and end on any bit boundary,
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews rather than on a multiple of 4 bits as in the nibble
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater format. They also use <I
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCLASS="emphasis"
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews> rather than
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="emphasis"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>To replicate the previous example using bitstrings:</P
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="programlisting"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson> $ORIGIN \[x3ffe805002011860/64].ip6.arpa.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater\[x0042000000000001/64] 14400 IN PTR host.example.com.
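An added example covering both the nibble-format and the bitstring-format reverse names above (this is not code from BIND or the ARM). It derives the <TT CLASS="literal">$ORIGIN</TT> and owner name for a reverse zone from an address and a prefix length, in either format, and reproduces the two zone fragments shown on this page. One caveat for anyone maintaining reverse zones today: RFC 3363 later moved A6 records and bitstring labels to experimental status, and RFC 4159 deprecated <TT CLASS="literal">ip6.int</TT>, so the nibble form under <TT CLASS="literal">ip6.arpa.</TT> is what current resolvers query. The suffix parameter defaults to that; the <TT CLASS="literal">ip6.int.</TT> suffix is passed only to match the page's example.

```python
import ipaddress
from typing import Tuple


def nibble_reverse_name(address: str, suffix: str = "ip6.arpa.") -> str:
    """Full reverse name: every hex digit of the expanded address becomes
    one label, in reverse order, under the given suffix."""
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(digits)) + "." + suffix


def nibble_zone_split(address: str, prefix_len: int,
                      suffix: str = "ip6.arpa.") -> Tuple[str, str]:
    """($ORIGIN, owner) pair for a prefix that falls on a nibble boundary.

    Nibble format cannot express a prefix that is not a multiple of 4 bits,
    which is the limitation bitstring labels were meant to remove."""
    if prefix_len % 4 or not 0 < prefix_len < 128:
        raise ValueError("nibble format needs a prefix length that is a multiple of 4")
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    cut = prefix_len // 4
    origin = ".".join(reversed(digits[:cut])) + "." + suffix
    owner = ".".join(reversed(digits[cut:]))
    return origin, owner


def bitstring_label(value: int, nbits: int) -> str:
    """RFC 2673 hexadecimal bitstring label \\[x<hex>/<nbits>] for an
    nbits-bit value. When nbits is not a multiple of 4 the label's leftmost
    nbits bits are used and the unused low-order bits are zero."""
    if not 1 <= nbits <= 256 or value >> nbits:
        raise ValueError("value does not fit in nbits")
    ndigits = (nbits + 3) // 4
    padded = value << (ndigits * 4 - nbits)
    return "\\[x%0*x/%d]" % (ndigits, padded, nbits)


def bitstring_zone_split(address: str, prefix_len: int,
                         suffix: str = "ip6.arpa.") -> Tuple[str, str]:
    """($ORIGIN, owner) pair using bitstring labels; any prefix length works."""
    if not 0 < prefix_len < 128:
        raise ValueError("prefix length must be between 1 and 127")
    bits = int(ipaddress.IPv6Address(address))
    host_bits = 128 - prefix_len
    prefix = bits >> host_bits
    host = bits & ((1 << host_bits) - 1)
    origin = bitstring_label(prefix, prefix_len) + "." + suffix
    owner = bitstring_label(host, host_bits)
    return origin, owner


if __name__ == "__main__":
    host = "3ffe:8050:201:1860:42::1"
    for origin, owner in (nibble_zone_split(host, 64, "ip6.int."),
                          bitstring_zone_split(host, 64)):
        print("$ORIGIN", origin)
        print(owner, "14400 IN PTR host.example.com.")
```

The functions raise on a prefix length they cannot express rather than silently rounding, since a rounded prefix would put the PTR records in a zone that belongs to someone else.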
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="sect2"
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark AndrewsCLASS="sect2"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsNAME="AEN969"
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews>4.8.5. Using DNAME for Delegation of IPv6 Reverse Addresses</A
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews>In IPv6, the same host may have many addresses from many
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews network providers. Since the trailing portion of the address
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews usually remains constant, <B
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark AndrewsCLASS="command"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson reduce the number of zone files used for reverse mapping that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater need to be maintained.</P
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>For example, consider a host which has two providers
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCLASS="systemitem"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="systemitem"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater therefore two IPv6 addresses. Since the host chooses its own 64
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews bit host address portion, the provider address is the only part
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews that changes:</P
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCLASS="programlisting"
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrewshost A6 64 ::1234:5678:1212:5675 cust1.example.net.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews A6 64 ::1234:5678:1212:5675 subnet5.example2.net.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrewscust1 A6 48 0:0:0:dddd:: ipv6net.example.net.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updateripv6net A6 0 aa:bb:cccc::
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updatersubnet5 A6 48 0:0:0:1:: ipv6net2.example2.net.
4e6b8a18ff7dd22797970208060cca9f99f54dafAndreas Gustafssonipv6net2 A6 0 6666:5555:4::
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>This sets up forward lookups. To handle the reverse lookups,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updaterthe provider <SPAN
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCLASS="systemitem"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrewswould have:</P
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="programlisting"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson> $ORIGIN \[x00aa00bbcccc/48].ip6.arpa.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark AndrewsCLASS="systemitem"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson> would have:</P
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark AndrewsCLASS="programlisting"
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="systemitem"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater needs only one zone file to handle both of these reverse
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark AndrewsCLASS="programlisting"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCLASS="NAVFOOTER"
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas GustafssonCELLPADDING="0"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic UpdaterCELLSPACING="0"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews>Nameserver Configuration</TD
aa1d397c4736cd86540555193d71e55fa3b37b2aMark AndrewsCLASS="acronym"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater> 9 Lightweight Resolver</TD