Bv9ARM.ch04.html revision a3ff24aaa545c45b8c581b2127d02d735aff8881
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;4.&nbsp;Advanced DNS Features</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;4.&nbsp;Advanced DNS Features</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569985">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570003">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570436">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570578">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570588">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570625">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570682">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570731">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570745">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570931">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570999">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571283">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571364">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611934">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563639">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563675">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563779">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563816">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563897">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563930">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563957">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563966">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563976">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563989">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564026">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580625">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580794">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580817">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666656">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666665">Native PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611792">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639242">PKCS#11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639415">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639701">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639749">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2639813">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612443">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571588">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571854">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571876">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
          <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
          servers to notify their slave servers of changes to a zone's data. In
          response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
          slave checks whether its copy of the zone is the current version
          (by comparing SOA serial numbers) and, if not, initiates a zone transfer.
        </p>
<p>
          For more information about <acronym class="acronym">DNS</acronym>
          <span><strong class="command">NOTIFY</strong></span>, see the description of the
          <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
          the description of the zone option <span><strong class="command">also-notify</strong></span> in
          <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
          protocol is specified in RFC 1996.
        </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
          Because a slave zone can itself be the master for other slaves, <span><strong class="command">named</strong></span>
          by default sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
          it loads. Specifying <span><strong class="command">notify master-only;</strong></span> causes
          <span><strong class="command">named</strong></span> to send <span><strong class="command">NOTIFY</strong></span> only for the master
          zones that it loads.
        </div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
<p>
          Dynamic Update is a method for adding, replacing or deleting
          records in a master server by sending it a special form of DNS
          message. The format and meaning of these messages is specified
          in RFC 2136.
        </p>
<p>
          Dynamic update is enabled by including an
          <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
          clause in the <span><strong class="command">zone</strong></span> statement.
          Because UPDATE requests are normally carried over UDP, an
          <span><strong class="command">allow-update</strong></span> list that matches on
          source address alone can be satisfied by a packet with a forged
          source; granting update rights to a TSIG key, or using
          <span><strong class="command">update-policy</strong></span>, ties authorization to a
          transaction signature instead.
        </p>
<p>
          If the zone's <span><strong class="command">update-policy</strong></span> is set to
          <strong class="userinput"><code>local</code></strong>, updates to the zone
          will be permitted for the key <code class="varname">local-ddns</code>,
          which will be generated by <span><strong class="command">named</strong></span> at startup.
          See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
        </p>
<p>
          Dynamic updates using Kerberos-signed requests can be made
          using the TKEY/GSS protocol by setting either the
          <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
          by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
          and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
          Kerberos-signed requests will be matched against the update
          policies for the zone, using the Kerberos principal as the
          signer for the request.
        </p>
<p>
          Updating of secure zones (zones using DNSSEC) follows RFC
          3007: RRSIG, NSEC and NSEC3 records affected by updates are
          automatically regenerated by the server using an online
          zone key. Update authorization is based on transaction
          signatures and an explicit server policy.
        </p>
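<p>
          The following is an added example, not code from BIND or from this manual.
          It builds an RFC 2136 UPDATE message on the wire by hand, signs it with a TSIG
          key (RFC 2845, HMAC-SHA256), and then checks it the way a server must before
          applying it: the signature and its time window first, then an explicit policy.
          The zone <code class="literal">example.com</code>, the key name
          <code class="literal">host1-key.example.com.</code>, its secret and the
          <code class="varname">POLICY</code> rule are all constructed for illustration;
          the rule plays the role of
          <span><strong class="command">update-policy { grant host1-key.example.com. name host1.example.com. A; };</strong></span>.
          The last results show how a replayed message with altered data, a stale
          signature, and an update to a name the key was not granted are each refused.
        </p>

```python
"""RFC 2136 UPDATE built on the wire by hand, signed with a TSIG key (RFC 2845, HMAC-SHA256)
and checked the way a server does before applying it: signature first, then the explicit
update policy. Added example, not BIND code; zone, key, secret and policy are constructed."""
import hashlib, hmac, struct, time

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
SECRET = hashlib.sha256(b"constructed example secret, not a real key").digest()
KEYRING = {"host1-key.example.com.": SECRET}  # the secret a named.conf key {} statement would hold
POLICY = [("grant", "host1-key.example.com.", "name", "host1.example.com.", {TYPE_A})]

def wire_name(name):
    """Uncompressed wire-format name, lower-cased (the canonical form the TSIG digest uses)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, pos):
    """Parse an uncompressed name at pos; return (dotted lower-case name, offset after it)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels).lower() + ".", pos + 1

def rr(name, rtype, rclass, ttl, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, msg_id, updates):
    """updates: (name, type, class, ttl, rdata); class IN adds an RR, class ANY + empty rdata deletes an RRset."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(rr(*u) for u in updates)

def tsig_variables(key_name, algorithm, signed_at, fudge, error=0):
    # RFC 2845 3.4.2: key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other len (no other data)
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm)
            + signed_at.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))

def tsig_sign(msg, key_name, secret, signed_at=None, fudge=300, algorithm="hmac-sha256"):
    """Append a TSIG RR covering msg (which carries no TSIG yet) and bump ARCOUNT."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    mac = hmac.new(secret, msg + tsig_variables(key_name, algorithm, signed_at, fudge), hashlib.sha256).digest()
    rdata = (wire_name(algorithm) + signed_at.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error, other len
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)

def tsig_verify(signed, keyring, now=None):
    """Return the key name that authenticated the message, or None if the TSIG is missing, bad or stale."""
    now = int(time.time()) if now is None else now
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    pos, tsig_start = 12, None
    for _ in range(zo):                       # zone section entries: name, type, class
        pos = read_name(signed, pos)[1] + 4
    for _ in range(pr + up + ad):             # every other RR; the TSIG must be the last one
        tsig_start = pos
        pos = read_name(signed, pos)[1] + 8
        pos += 2 + struct.unpack("!H", signed[pos:pos + 2])[0]
    if ad == 0 or pos != len(signed):
        return None
    key_name, p = read_name(signed, tsig_start)
    rtype, rclass = struct.unpack("!HH", signed[p:p + 4])
    algorithm, p = read_name(signed, p + 10)  # skip type, class, TTL, RDLENGTH
    signed_at = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_len]
    orig_id, error, other_len = struct.unpack("!HHH", signed[p + 10 + mac_len:p + 16 + mac_len])
    secret = keyring.get(key_name)
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or secret is None or other_len:
        return None
    # The MAC covers the message as it was before the TSIG was appended: original ID, ARCOUNT - 1.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algorithm, signed_at, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected) or abs(now - signed_at) > fudge:
        return None
    return key_name

def policy_allows(policy, signer, name, rtype):
    """BIND-style update-policy rules: (grant|deny, identity, name|subdomain, target, types); first match wins."""
    for action, identity, match, target, types in policy:
        if identity != signer or (types and rtype not in types):
            continue
        if name == target or (match == "subdomain" and name.endswith("." + target)):
            return action == "grant"
    return False                              # no rule matched: the update is refused

def demo(now=1700000100):
    updates = [("host1.example.com.", TYPE_A, CLASS_ANY, 0, b""),                      # delete all A at host1
               ("host1.example.com.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 10]))]  # then add 192.0.2.10
    signed = tsig_sign(build_update("example.com.", 0x1234, updates), "host1-key.example.com.", SECRET, now - 100)
    signer = tsig_verify(signed, KEYRING, now)
    allowed = signer is not None and all(policy_allows(POLICY, signer, n, t) for n, t, *_ in updates)
    # Same MAC, different address: an attacker who replays a captured update with changed data fails.
    forged = build_update("example.com.", 0x1234, updates[:1] +
                          [("host1.example.com.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 66]))])
    forged_signed = forged[:10] + signed[10:12] + forged[12:] + signed[len(forged):]
    return {"signer": signer, "allowed": allowed,
            "forged": tsig_verify(forged_signed, KEYRING, now),    # None: MAC mismatch
            "stale": tsig_verify(signed, KEYRING, now + 3600),     # None: outside the fudge window
            "other_name": policy_allows(POLICY, "host1-key.example.com.", "www.example.com.", TYPE_A)}  # False
```

<p>
          <code class="function">demo()</code> returns the signer name for the
          genuine message and <code class="literal">None</code> for the altered and
          stale copies. Note that the verifier reconstructs the message as it was
          before the TSIG was appended (original ID, ARCOUNT reduced by one) and that
          names are digested in lower-case canonical form, which is why a key named
          in mixed case still verifies against the keyring entry.
        </p>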
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
<p>
            All changes made to a zone using dynamic update are stored
            in the zone's journal file. This file is automatically created
            by the server when the first dynamic update takes place.
            The name of the journal file is formed by appending the extension
            <code class="filename">.jnl</code> to the name of the
            corresponding zone file unless specifically overridden with the
            zone's <span><strong class="command">journal</strong></span> option. The journal file is in a
            binary format and should not be edited manually.
          </p>
<p>
            The server will also occasionally write ("dump")
            the complete contents of the updated zone to its zone file.
            This is not done immediately after
            each dynamic update, because that would be too slow when a large
            zone is updated frequently. Instead, the dump is delayed by
            up to 15 minutes, allowing additional updates to take place.
            During the dump process, transient files will be created
            with the extensions <code class="filename">.jnw</code> and
            <code class="filename">.jbk</code>; under ordinary circumstances, these
            will be removed when the dump is complete, and can be safely
            ignored.
          </p>
<p>
            When a server is restarted after a shutdown or crash, it will replay
            the journal file to incorporate into the zone any updates that
            took place after the last zone dump.
          </p>
<p>
            Changes that result from incoming incremental zone transfers are
            also journalled in a similar way.
          </p>
<p>
            The zone files of dynamic zones cannot normally be edited by
            hand because they are not guaranteed to contain the most recent
            dynamic changes &#8212; those are only in the journal file.
            Stopping the server with <span><strong class="command">rndc stop</strong></span>
            writes the pending changes to the zone file before it exits;
            <span><strong class="command">rndc freeze</strong></span> and
            <span><strong class="command">rndc sync</strong></span>, described below, do the
            same while the server keeps running.
          </p>
<p>
            If you have to make changes to a dynamic zone
            manually, the following procedure will work:
            Disable dynamic updates to the zone using
            <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
            This will update the zone's master file with the changes
            stored in its <code class="filename">.jnl</code> file; while the zone
            is frozen, incoming dynamic updates are refused.
            Edit the zone file, incrementing the SOA serial so that slaves
            notice the change, and check the result with
            <span><strong class="command">named-checkzone</strong></span>. Then run
            <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
            to reload the changed zone and re-enable dynamic updates.
          </p>
<p>
            <span><strong class="command">rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
            will update the zone file with changes from the journal file
            without stopping dynamic updates; this may be useful for viewing
            the current zone state. To remove the <code class="filename">.jnl</code>
            file after updating the zone file, use
            <span><strong class="command">rndc sync -clean</strong></span>.
          </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
<p>
          The incremental zone transfer (IXFR) protocol is a way for
          slave servers to transfer only changed data, instead of having to
          transfer the entire zone. The IXFR protocol is specified in RFC
          1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
        </p>
<p>
          When acting as a master, <acronym class="acronym">BIND</acronym> 9
          supports IXFR for those zones
          where the necessary change history information is available. These
          include master zones maintained by dynamic update and slave zones
          whose data was obtained by IXFR. For manually maintained master
          zones, and for slave zones obtained by performing a full zone
          transfer (AXFR), IXFR is supported only if the option
          <span><strong class="command">ixfr-from-differences</strong></span> is set
          to <strong class="userinput"><code>yes</code></strong>, in which case
          <span><strong class="command">named</strong></span> computes the difference between
          the old and new versions of the zone when it is reloaded and records
          that difference in the journal.
        </p>
<p>
          When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
          attempt to use IXFR unless
          it is explicitly disabled. For more information about disabling
          IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
          of the <span><strong class="command">server</strong></span> statement.
        </p>
</div>
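<p>
          As an added example (not BIND code), the following models what
          <span><strong class="command">ixfr-from-differences</strong></span> gives a
          master: each reload records the delta between the old and new zone as a
          change block in journal order; an IXFR request is answered by chaining
          the blocks from the client's serial in the RFC 1995 layout (current SOA,
          then for each block the old SOA, the deleted RRs, the new SOA and the added
          RRs, then the current SOA again); and a serial the history no longer reaches
          back to falls back to a full AXFR. Serials are compared with RFC 1982
          arithmetic so wrap-around is handled, and a reload that does not increase
          the serial is rejected, since slaves would otherwise never see the change.
          The zone contents and serials are constructed.
        </p>

```python
"""What ixfr-from-differences gives a slave: the master keeps the delta between successive
versions of a zone and answers IXFR (RFC 1995) from that history, falling back to a full
AXFR when the requested serial is older than anything it remembers. Added example, not BIND
code; records are constructed and a zone is modelled as a set of (name, type, ttl, rdata)."""

def rr(name, rtype, ttl, rdata):
    return (name, rtype, ttl, rdata)

def serial_lt(a, b):
    """RFC 1982 serial-number arithmetic on 32-bit values: True if a is older than b."""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)

def soa_of(zone):
    return next(r for r in zone if r[1] == "SOA")

def serial_of(zone):
    return int(soa_of(zone)[3].split()[2])  # SOA rdata: mname rname serial refresh retry expire minimum

def zone_diff(old, new):
    """One IXFR change block: old SOA, RRs removed, new SOA, RRs added (what goes into the journal)."""
    old_soa, new_soa = soa_of(old), soa_of(new)
    return [old_soa] + sorted(old - new - {old_soa}) + [new_soa] + sorted(new - old - {new_soa})

class TransferHistory:
    """A master's view of one zone: current contents plus the change history it can serve IXFR from."""
    def __init__(self, zone):
        self.current = set(zone)
        self.deltas = []  # (serial the block starts from, change block), oldest first

    def load(self, new_zone):
        """Reload from an edited zone file; with ixfr-from-differences the delta is computed and kept."""
        new_zone = set(new_zone)
        if not serial_lt(serial_of(self.current), serial_of(new_zone)):
            raise ValueError("serial did not increase: slaves would never notice the change")
        self.deltas.append((serial_of(self.current), zone_diff(self.current, new_zone)))
        self.current = new_zone

    def transfer(self, client_serial):
        """Answer an IXFR query carrying the client's SOA serial: ('uptodate'|'ixfr'|'axfr', records)."""
        cur_soa = soa_of(self.current)
        if not serial_lt(client_serial, serial_of(self.current)):
            return "uptodate", [cur_soa]
        start = [i for i, (s, _) in enumerate(self.deltas) if s == client_serial]
        if not start:  # history does not reach back that far: send the whole zone
            return "axfr", [cur_soa] + sorted(self.current - {cur_soa}) + [cur_soa]
        changes = [r for _, block in self.deltas[start[0]:] for r in block]
        return "ixfr", [cur_soa] + changes + [cur_soa]

def soa(serial):
    return rr("example.com.", "SOA", 3600,
              "ns1.example.com. hostmaster.example.com. %d 7200 900 1209600 3600" % serial)

def build_history():
    """Three constructed versions of example.com: an address change, then a second name server."""
    v1 = {soa(2014031101), rr("example.com.", "NS", 3600, "ns1.example.com."),
          rr("ns1.example.com.", "A", 3600, "192.0.2.1"), rr("www.example.com.", "A", 300, "192.0.2.10")}
    v2 = (v1 - {soa(2014031101), rr("www.example.com.", "A", 300, "192.0.2.10")}) | {
          soa(2014031102), rr("www.example.com.", "A", 300, "192.0.2.11"),
          rr("mail.example.com.", "A", 300, "192.0.2.25")}
    v3 = (v2 - {soa(2014031102)}) | {
          soa(2014031103), rr("example.com.", "NS", 3600, "ns2.example.com."),
          rr("ns2.example.com.", "A", 3600, "192.0.2.2")}
    history = TransferHistory(v1)
    history.load(v2)
    history.load(v3)
    return history

if __name__ == "__main__":
    h = build_history()
    for serial in (2014031101, 2014031103, 2014031000):
        kind, records = h.transfer(serial)
        print(serial, kind, len(records), "records")
```

<p>
          A slave at serial 2014031101 receives two chained change blocks (11 records
          including the framing SOAs) instead of the full zone; a slave already at
          2014031103 gets only the current SOA; a slave with a serial the history does
          not contain gets an AXFR-style answer.
        </p>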
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<div class="sect1" lang="en">
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<a name="id2569985"></a>Split DNS</h2></div></div></div>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater Setting up different views, or visibility, of the DNS space to
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater internal and external resolvers is usually referred to as a
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <span class="emphasis"><em>Split DNS</em></span> setup. There are several
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater reasons an organization would want to set up its DNS this way.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews </p>
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<p>
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User One common reason for setting up a DNS system this way is
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User to hide "internal" DNS information from "external" clients on the
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews Internet. There is some debate as to whether or not this is actually
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User useful.
dc435f1033bcba88b748074987db6cfd34c057a4Tinderbox User Internal DNS information leaks out in many ways (via email headers,
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews for example) and most savvy "attackers" can find the information
dc435f1033bcba88b748074987db6cfd34c057a4Tinderbox User they need using other means.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews However, since listing addresses of internal servers that
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User external clients cannot possibly reach can result in
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User connection delays and other annoyances, an organization may
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater choose to use a Split DNS to present a consistent view of itself
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews to the outside world.
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User </p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Another common reason for setting up a Split DNS system is
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User to allow internal networks that are behind filters or in RFC 1918
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews space (reserved IP space, as documented in RFC 1918) to resolve DNS
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User on the Internet. Split DNS can also be used to allow mail from outside
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews back in to the internal network.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570003"></a>Example split DNS setup</h3></div></div></div>
<p>
 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
 (<code class="literal">example.com</code>)
 has several corporate sites that have an internal network with
 reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.
 </p>
<p>
 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.
 </p>
<p>
 In order to accomplish this, the company will set up two sets
 of name servers. One set will be on the inside network (in the
 reserved IP space) and the other set will be on bastion hosts, which are
 "proxy" hosts that can talk to both sides of its network, in the DMZ.
 </p>
<p>
 The internal servers will be configured to forward all queries,
 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
 and <code class="filename">site2.example.com</code>, to the servers
 in the DMZ. These internal servers will have complete sets of information
 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
 and <code class="filename">site2.internal</code>.
 </p>
<p>
 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
 the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
 hosts.
 </p>
<p>
 The external servers, which are on the bastion hosts, will
 be configured to serve the "public" version of the <code class="filename">site1.example.com</code> and <code class="filename">site2.example.com</code> zones.
 This could include things such as the host records for public servers
 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
 </p>
<p>
 In addition, the public <code class="filename">site1.example.com</code> and <code class="filename">site2.example.com</code> zones
 should have special MX records that contain wildcard ("*") records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.
 </p>
<p>
 Here's an example of a wildcard MX record:
 </p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
<p>
 Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers
 on the bastion hosts will need to be configured to point to the internal
 name servers for DNS resolution. The mail software on the bastion
 hosts should relay only for the internal domains it is the MX for;
 otherwise the wildcard MX turns the bastion hosts into an open relay.
 </p>
<p>
 Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.
 </p>
<p>
 In order for all this to work properly, internal clients will
 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
 name servers for DNS queries. This could also be enforced via
 selective filtering on the network.
 </p>
<p>
 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
 internal clients will now be able to:
 </p>
<div class="itemizedlist"><ul type="disc">
<li>
 Look up any hostnames in the <code class="literal">site1.example.com</code>
 and <code class="literal">site2.example.com</code> zones.
 </li>
<li>
 Look up any hostnames in the <code class="literal">site1.internal</code> and
 <code class="literal">site2.internal</code> domains.
 </li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
 Hosts on the Internet will be able to:
 </p>
<div class="itemizedlist"><ul type="disc">
<li>
 Look up any hostnames in the <code class="literal">site1.example.com</code>
 and <code class="literal">site2.example.com</code> zones.
 </li>
<li>
 Exchange mail with anyone in the <code class="literal">site1.example.com</code> and
 <code class="literal">site2.example.com</code> zones.
 </li>
</ul></div>
<p>
 Here is an example configuration for the setup we just
 described above. Note that this is only configuration information;
 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
 </p>
<p>
 Internal DNS server config:
 </p>
<pre class="programlisting">

acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
        ...
        ...
        forward only;
        // forward to external servers
        forwarders {
                <code class="varname">bastion-ips-go-here</code>;
        };
        // sample allow-transfer (no one)
        allow-transfer { none; };
        // restrict query access
        allow-query { internals; externals; };
        // restrict recursion
        allow-recursion { internals; };
        ...
        ...
};

// sample master zone
zone "site1.example.com" {
        type master;
        file "m/site1.example.com";
        // answer from local data (do not forward queries for this zone)
        forwarders { };
        allow-query { internals; externals; };
        allow-transfer { internals; };
};

// sample slave zone
zone "site2.example.com" {
        type slave;
        file "s/site2.example.com";
        masters { 172.16.72.3; };
        forwarders { };
        allow-query { internals; externals; };
        allow-transfer { internals; };
};

zone "site1.internal" {
        type master;
        file "m/site1.internal";
        forwarders { };
        allow-query { internals; };
        allow-transfer { internals; };
};

zone "site2.internal" {
        type slave;
        file "s/site2.internal";
        masters { 172.16.72.3; };
        forwarders { };
        allow-query { internals; };
        allow-transfer { internals; };
};
</pre>
<p>
 External (bastion host) DNS server config. These servers answer
 queries for the public zones from anyone, but recursion and cache
 access are limited to the internal networks and the bastion hosts
 themselves, so the bastion hosts do not become open resolvers:
 </p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { <code class="varname">bastion-ips-go-here</code>; };

options {
        ...
        ...
        // sample allow-transfer (no one)
        allow-transfer { none; };
        // default query access
        allow-query { any; };
        // restrict cache access
        allow-query-cache { internals; externals; };
        // restrict recursion
        allow-recursion { internals; externals; };
        ...
        ...
};

// sample master zone
zone "site1.example.com" {
        type master;
        file "m/site1.example.com";
        allow-transfer { internals; externals; };
};

// sample slave zone
zone "site2.example.com" {
        type slave;
        file "s/site2.example.com";
        masters { <code class="varname">another_bastion_host_maybe</code>; };
        allow-transfer { internals; externals; };
};
</pre>
<p>
 In the <code class="filename">resolv.conf</code> (or equivalent) on
 the bastion host(s):
 </p>
<pre class="programlisting">
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
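<p>
 The access-list behaviour of the two configurations above, as an added example
 that is not part of the BIND ARM or of BIND itself: a small Python model of how
 <span><strong class="command">named</strong></span> evaluates an address match list
 (first match wins, "!" negates, named ACLs nest) and of the precedence between a
 zone-level <span><strong class="command">allow-query</strong></span> and the one in
 <span><strong class="command">options</strong></span>, run against the example
 ACLs, zones and three sample clients. The bastion network 10.9.8.0/24 stands in
 for the <code class="varname">bastion-ips-go-here</code> placeholder, 203.0.113.7
 is a constructed Internet client, and the decision logic is a reduced version of
 <span><strong class="command">named</strong></span>'s (no forwarding, cache
 contents or EDNS are modelled).
 </p>

```python
"""Reduced model of how named applies the access lists in the two example
configurations above.  Added example, not part of the BIND ARM or of BIND.
Assumptions: 10.9.8.0/24 stands in for bastion-ips-go-here, 203.0.113.7 is a
constructed Internet client, and named's decision logic is simplified
(no forwarding, cache contents or EDNS are modelled)."""
import ipaddress

BASTION_NET = "10.9.8.0/24"       # assumption: replaces bastion-ips-go-here
ACLS = {                          # the named ACLs, plus named's built-ins
    "internals": ["172.16.72.0/24", "192.168.1.0/24"],
    "externals": [BASTION_NET],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

def acl_match(client, match_list):
    """Address-match-list evaluation: the first matching element decides.

    Elements are prefixes, addresses or ACL names, optionally negated with a
    leading "!"; a nested ACL counts as matched only when it matches
    positively.  Returns True (allow), False (a negated element matched) or
    None (nothing matched).  named denies on both False and None.
    """
    addr = ipaddress.ip_address(client)
    for element in match_list:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name in ACLS:
            matched = acl_match(client, ACLS[name]) is True
        else:
            matched = addr in ipaddress.ip_network(name, strict=False)
        if matched:
            return not negated
    return None

def allowed(client, match_list):
    return acl_match(client, match_list) is True

# The two example named.conf files, reduced to the lists that matter here.
INTERNAL_SERVER = {
    "options": {"allow-query": ["internals", "externals"], "allow-recursion": ["internals"]},
    "zones": {"site1.example.com": {"allow-query": ["internals", "externals"]},
              "site2.example.com": {"allow-query": ["internals", "externals"]},
              "site1.internal": {"allow-query": ["internals"]},
              "site2.internal": {"allow-query": ["internals"]}},
}
EXTERNAL_SERVER = {
    "options": {"allow-query": ["any"], "allow-query-cache": ["internals", "externals"],
                "allow-recursion": ["internals", "externals"]},
    "zones": {"site1.example.com": {}, "site2.example.com": {}},
}

def authoritative_zone(server, qname):
    """Closest enclosing zone this server is authoritative for, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in server["zones"]:
            return ".".join(labels[i:])
    return None

def answer(server, client, qname):
    """Outcome of a recursion-desired query: "authoritative", "recursive" or "refused".

    A zone-level allow-query overrides the options-level one inside that zone.
    Other names need allow-query, allow-query-cache and allow-recursion to pass;
    named uses the allow-recursion list when allow-query-cache is not set.
    """
    opts, zone = server["options"], authoritative_zone(server, qname)
    if zone is not None:
        acl = server["zones"][zone].get("allow-query", opts["allow-query"])
        return "authoritative" if allowed(client, acl) else "refused"
    gates = (opts["allow-query"], opts.get("allow-query-cache", opts["allow-recursion"]), opts["allow-recursion"])
    return "recursive" if all(allowed(client, g) for g in gates) else "refused"

INTERNAL_CLIENT = "192.168.1.50"   # in "internals"
BASTION_HOST = "10.9.8.2"          # in "externals" (assumed address)
INTERNET_HOST = "203.0.113.7"      # constructed: matches neither ACL

def split_dns_outcomes():
    """Who gets what from which server under the example configuration."""
    cases = [
        ("internal asks internal", INTERNAL_SERVER, INTERNAL_CLIENT, "db.site1.internal"),
        ("internal asks internal", INTERNAL_SERVER, INTERNAL_CLIENT, "www.example.net"),
        ("bastion asks internal", INTERNAL_SERVER, BASTION_HOST, "www.site1.example.com"),
        ("bastion asks internal", INTERNAL_SERVER, BASTION_HOST, "db.site1.internal"),
        ("bastion asks internal", INTERNAL_SERVER, BASTION_HOST, "www.example.net"),
        ("internet asks internal", INTERNAL_SERVER, INTERNET_HOST, "www.site1.example.com"),
        ("internet asks external", EXTERNAL_SERVER, INTERNET_HOST, "www.site1.example.com"),
        ("internet asks external", EXTERNAL_SERVER, INTERNET_HOST, "www.example.net"),
        ("internal asks external", EXTERNAL_SERVER, INTERNAL_CLIENT, "www.example.net"),
    ]
    return {f"{who} for {qname}": answer(server, client, qname) for who, server, client, qname in cases}

if __name__ == "__main__":
    for case, outcome in split_dns_outcomes().items():
        print(f"{case}: {outcome}")
```

<p>
 Two of the cases are the ones to check after deploying such a setup: a bastion
 host asking an internal server for <code class="filename">db.site1.internal</code>
 is refused by the zone-level <span><strong class="command">allow-query</strong></span>,
 and an Internet host asking a bastion server for a name outside the public zones is
 refused by <span><strong class="command">allow-query-cache</strong></span> and
 <span><strong class="command">allow-recursion</strong></span>. The model also
 shows a limitation of the configuration as written: with
 <span><strong class="command">allow-recursion { internals; }</strong></span> on the
 internal servers, the bastion hosts' resolvers can look up the public zones there
 but are refused recursion, so if the bastion hosts need to resolve Internet names
 through the internal servers (for outbound mail, say), add
 <span><strong class="command">externals</strong></span> to that list.
 </p>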
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
<p>
 This is a short guide to setting up Transaction SIGnatures
 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
 </p>
<p>
 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
 to server communication.
 This includes zone transfer, notify, and recursive query messages.
 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
 for TSIG.
 </p>
<p>
 TSIG can also be useful for dynamic update. A primary
 server for a dynamic zone should control access to the dynamic
 update service, but IP-based access control is insufficient, because
 the source address of a UDP update request can be forged.
 The cryptographic access control provided by TSIG
 is far superior. The <span><strong class="command">nsupdate</strong></span>
 program supports TSIG via the <code class="option">-k</code> and
 <code class="option">-y</code> command line options or inline by use
 of the <span><strong class="command">key</strong></span> command.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570436"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570521"></a>Automatic Generation</h4></div></div></div>
<p>
 The following command will generate a 128-bit (16 byte) HMAC-SHA256
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is the digest
 length, here 256 bits.
 </p>
<p>
 <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
 </p>
<p>
 The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
 Nothing directly uses this file, but the base-64 encoded string
 following "<code class="literal">Key:</code>"
 can be extracted from the file and used as a shared secret:
 </p>
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
<p>
 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
 be used as the shared secret.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570560"></a>Manual Generation</h4></div></div></div>
<p>
 The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
 so the shared secret can be manually generated. Whatever the method,
 the underlying bits must be unpredictable: a memorable phrase is
 guessable, and anyone who guesses it can forge signed messages.
 </p>
<p>
 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
 a similar program to generate base-64 encoded data.
 </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570578"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
 This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570588"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
 are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
 </p>
<pre class="programlisting">
key host1-host2. {
        algorithm hmac-sha256;
        secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
<p>
 The secret is the one generated above. Since this is a secret, it
 is recommended that either <code class="filename">named.conf</code> be
 non-world readable, or the key directive be added to a non-world
 readable file that is included by <code class="filename">named.conf</code>.
 </p>
<p>
 At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
 signature. If the signature is successfully verified, the
 response is signed by the same key.
 </p>
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570625"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
        Since keys are shared between two hosts only, the server must
        be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
        for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
        10.1.2.3:
        </p>
<pre class="programlisting">
server 10.1.2.3 {
  keys { host1-host2. ;};
};
</pre>
<p>
        Multiple keys may be present, but only the first is used.
        This directive does not contain any secrets, so it may be in a
        world-readable file.
        </p>
<p>
        If <span class="emphasis"><em>host1</em></span> sends a message that is a request
        to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
        expect any responses to signed messages to be signed with the same
        key.
        </p>
<p>
        A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
        configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
        sign request messages to <span class="emphasis"><em>host1</em></span>.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570682"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
        <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
        to be specified in ACL definitions and
        <span><strong class="command">allow-{ query | transfer | update }</strong></span>
        directives.
        This has been extended to allow TSIG keys also. The above key would
        be denoted <span><strong class="command">key host1-host2.</strong></span>
        </p>
<p>
        An example of an <span><strong class="command">allow-update</strong></span> directive would be:
        </p>
<pre class="programlisting">
allow-update { key host1-host2. ;};
</pre>
<p>
        This allows dynamic updates to succeed only if the request
        was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
        </p>
<p>
        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
        the more flexible <span><strong class="command">update-policy</strong></span> statement.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570731"></a>Errors</h3></div></div></div>
<p>
        The processing of TSIG signed messages can result in
        several errors. If a signed message is sent to a non-TSIG aware
        server, a FORMERR (format error) will be returned, since the server will not
        understand the record. This is a result of misconfiguration,
        since the server must be explicitly configured to send a TSIG
        signed message to a specific server.
        </p>
<p>
        If a TSIG aware server receives a message signed by an
        unknown key, the response will be unsigned with the TSIG
        extended error code set to BADKEY. If a TSIG aware server
        receives a message with a signature that does not validate, the
        response will be unsigned with the TSIG extended error code set
        to BADSIG. If a TSIG aware server receives a message with a time
        outside of the allowed range, the response will be signed with
        the TSIG extended error code set to BADTIME, and the time values
        will be adjusted so that the response can be successfully
        verified. In any of these cases, the message's rcode (response code) is set to
        NOTAUTH (not authenticated).
        </p>
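The signing and verification steps described in the TSIG sections above, together with the BADKEY, BADSIG and BADTIME outcomes listed in this Errors section, as an added Python example (not BIND's own code): it builds a minimal query, computes the RFC 2845 MAC with the hmac-sha256 key from the named.conf fragment above, and applies the server-side checks in order. The key table, message contents and timestamps are constructed for this example.

```python
"""TSIG (RFC 2845) request/response signing and server-side verification.

Added example, not BIND code. KEYS, the query and the timestamps are
constructed; the secret is the one shown in the named.conf fragment above.
"""
import base64
import hashlib
import hmac
import struct
import time

# TSIG error codes (RFC 2845) and the DNS rcodes the server answers with.
BADSIG, BADKEY, BADTIME = 16, 17, 18
NOERROR, NOTAUTH = 0, 9

# What a server builds from its "key" statements: name -> (algorithm, secret).
KEYS = {
    "host1-host2.": ("hmac-sha256.", base64.b64decode("La/E5CjG9O+os1jq0a2jdA==")),
}
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (name_to_wire(keyname)
            + struct.pack("!HI", 255, 0)             # CLASS ANY, TTL 0
            + name_to_wire(alg)
            + time_signed.to_bytes(6, "big")          # 48-bit seconds since epoch
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def compute_mac(secret, alg, message, variables, request_mac=b""):
    """HMAC over [request MAC,] DNS message, TSIG variables.

    `message` is the message without its TSIG RR: a real server strips
    that RR and decrements ARCOUNT before hashing (RFC 2845 section 3.4.1).
    """
    data = b""
    if request_mac:                                   # responses chain to the request MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + variables
    return hmac.new(secret, data, ALGORITHMS[alg]).digest()


def sign_request(keyname, message, time_signed, fudge=300):
    """MAC host1 places in the TSIG RR of a request sent to host2."""
    alg, secret = KEYS[keyname]
    return compute_mac(secret, alg, message, tsig_variables(keyname, alg, time_signed, fudge))


def sign_response(keyname, message, request_mac, time_signed, fudge=300, error=0, other=b""):
    """MAC for a response; for BADTIME, `other` carries the server's own time."""
    alg, secret = KEYS[keyname]
    variables = tsig_variables(keyname, alg, time_signed, fudge, error, other)
    return compute_mac(secret, alg, message, variables, request_mac)


def verify_request(message, keyname, alg, time_signed, fudge, mac, now):
    """Server-side checks in RFC 2845 order: key, then MAC, then time.

    Returns (rcode, tsig_error, response_is_signed). As in the text:
    BADKEY and BADSIG answers are unsigned, BADTIME answers are signed,
    and all three carry rcode NOTAUTH.
    """
    if keyname not in KEYS or KEYS[keyname][0] != alg:
        return NOTAUTH, BADKEY, False
    secret = KEYS[keyname][1]
    expected = compute_mac(secret, alg, message, tsig_variables(keyname, alg, time_signed, fudge))
    if not hmac.compare_digest(expected, mac):        # constant-time comparison
        return NOTAUTH, BADSIG, False
    if abs(now - time_signed) > fudge:
        return NOTAUTH, BADTIME, True
    return NOERROR, 0, True


def build_query(qname, qtype, msg_id=0x1234):
    """Minimal DNS query: header plus one IN question (constructed sample)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    now = int(time.time())
    query = build_query("child.example.", 6)          # SOA query from host1 to host2
    mac = sign_request("host1-host2.", query, now)
    print(verify_request(query, "host1-host2.", "hmac-sha256.", now, 300, mac, now))         # (0, 0, True)
    print(verify_request(query, "other-key.", "hmac-sha256.", now, 300, mac, now))           # (9, 17, False)
    print(verify_request(query, "host1-host2.", "hmac-sha256.", now, 300, mac, now + 3600))  # (9, 18, True)
```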
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570745"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
        is a mechanism for automatically generating a shared secret
        between two hosts. There are several "modes" of
        <span><strong class="command">TKEY</strong></span> that specify how the key is generated
        or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
        these modes, the Diffie-Hellman key exchange. Both hosts are
        required to have a Diffie-Hellman KEY record (although this
        record is not required to be present in a zone). The
        <span><strong class="command">TKEY</strong></span> process must use signed messages,
        signed either by TSIG or SIG(0). The result of
        <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
        sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
        used to delete shared secrets that it had previously
        generated.
        </p>
<p>
        The <span><strong class="command">TKEY</strong></span> process is initiated by a
        client or server by sending a signed <span><strong class="command">TKEY</strong></span>
        query (including any appropriate KEYs) to a TKEY-aware server. The
        server response, if it indicates success, will contain a
        <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
        After this exchange, both participants have enough information to
        determine the shared secret; the exact process depends on the
        <span><strong class="command">TKEY</strong></span> mode. When using the
        Diffie-Hellman <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
        exchanged, and the shared secret is derived by both participants.
        </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570931"></a>SIG(0)</h2></div></div></div>
<p>
        <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
        transaction signatures as specified in RFC 2535 and RFC 2931.
        SIG(0) uses public/private keys to authenticate messages. Access control
        is performed in the same manner as TSIG keys; privileges can be
        granted or denied based on the key name.
        </p>
<p>
        When a SIG(0) signed message is received, it will only be
        verified if the key is known and trusted by the server; the server
        will not attempt to locate and/or validate the key.
        </p>
<p>
        SIG(0) signing of multiple-message TCP streams is not
        supported.
        </p>
<p>
        The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
        generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
        </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
<p>
        Cryptographic authentication of DNS information is possible
        through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
        defined in RFC 4033, RFC 4034, and RFC 4035.
        This section describes the creation and use of DNSSEC signed zones.
        </p>
<p>
        In order to set up a DNSSEC secure zone, there are a series
        of steps which must be followed. <acronym class="acronym">BIND</acronym>
        9 ships with several tools
        that are used in this process, which are explained in more detail
        below. In all cases, the <code class="option">-h</code> option prints a
        full list of parameters. Note that the DNSSEC tools require the
        keyset files to be in the working directory or the
        directory specified by the <code class="option">-d</code> option, and
        that the tools shipped with BIND 9.2.x and earlier are not compatible
        with the current ones.
        </p>
<p>
        There must also be communication with the administrators of
        the parent and/or child zone to transmit keys. A zone's security
        status must be indicated by the parent zone for a DNSSEC capable
        resolver to trust its data. This is done through the presence
        or absence of a <code class="literal">DS</code> record at the
        delegation point.
        </p>
<p>
        For other servers to trust data in this zone, they must
        either be statically configured with this zone's zone key or the
        zone key of another zone above this one in the DNS tree.
        </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570999"></a>Generating Keys</h3></div></div></div>
<p>
        The <span><strong class="command">dnssec-keygen</strong></span> program is used to
        generate keys.
        </p>
<p>
        A secure zone must contain one or more zone keys. The
        zone keys will sign all other records in the zone, as well as
        the zone keys of any secure delegated zones. Zone keys must
        have the same name as the zone, a name type of
        <span><strong class="command">ZONE</strong></span>, and must be usable for
        authentication.
        It is recommended that zone keys use a cryptographic algorithm
        designated as "mandatory to implement" by the IETF; currently
        the only one is RSASHA1.
        </p>
<p>
        The following command will generate a 768-bit RSASHA1 key for
        the <code class="filename">child.example</code> zone:
        </p>
<p>
        <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
        </p>
<p>
        Two output files will be produced:
        <code class="filename">Kchild.example.+005+12345.key</code> and
        <code class="filename">Kchild.example.+005+12345.private</code>
        (where 12345 is an example of a key tag). The key filenames contain
        the key name (<code class="filename">child.example.</code>),
        algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
        this case).
        The private key (in the <code class="filename">.private</code> file) is
        used to generate signatures, and the public key (in the
        <code class="filename">.key</code> file) is used for signature
        verification.
        </p>
<p>
        To generate another key with the same properties (but with
        a different key tag), repeat the above command.
        </p>
<p>
        The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
        to get a key pair from cryptographic hardware and build the key
        files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
        </p>
<p>
        The public keys should be inserted into the zone file by
        including the <code class="filename">.key</code> files using
        <span><strong class="command">$INCLUDE</strong></span> statements.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571283"></a>Signing the Zone</h3></div></div></div>
<p>
        The <span><strong class="command">dnssec-signzone</strong></span> program is used
        to sign a zone.
        </p>
<p>
        Any <code class="filename">keyset</code> files corresponding to
        secure subzones should be present. The zone signer will
        generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
        and <code class="literal">RRSIG</code> records for the zone, as
        well as <code class="literal">DS</code> for the child zones if
        <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
        is not specified, then DS RRsets for the secure child
        zones need to be added manually.
        </p>
<p>
        The following command signs the zone, assuming it is in a
        file called <code class="filename">zone.child.example</code>. By
        default, all zone keys which have an available private key are
        used to generate signatures.
        </p>
<p>
        <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
        </p>
<p>
        One output file is produced:
        <code class="filename">zone.child.example.signed</code>. This file
        should be referenced by <code class="filename">named.conf</code> as the
        input file for the zone.
        </p>
<p><span><strong class="command">dnssec-signzone</strong></span>
        will also produce keyset and dsset files and optionally a
        dlvset file. These are used to provide the parent zone
        administrators with the <code class="literal">DNSKEYs</code> (or their
        corresponding <code class="literal">DS</code> records) that are the
        secure entry point to the zone.
        </p>
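The key-file naming explained under Generating Keys and the DS material handed to the parent under Signing the Zone, as an added Python example (not BIND's own tools): it computes the RFC 4034 key tag that appears as the +12345 field of the K* file names, builds and parses those names, reads the DNSKEY line of a .key file, and derives the DS record a dsset file carries. The DNSKEY contents are constructed and are not a real key; the file name pattern and algorithm numbers are the ones in the text.

```python
"""DNSKEY key tags, dnssec-keygen file names and DS records.

Added example, not BIND's own tools. SAMPLE_KEY_FILE is a constructed
stand-in for a .key file; its 4-byte "public key" is not a real RSA key.
"""
import base64
import hashlib
import re
import struct

# Algorithm numbers quoted in the text (the three-digit field of K* file names).
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
KEYFILE_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")

# Constructed sample of what a .key file holds ($INCLUDE material); "AQIDBA==" is bytes 01 02 03 04.
SAMPLE_KEY_FILE = """; constructed sample, not a real key
child.example. IN DNSKEY 257 3 5 AQIDBA==
"""


def owner_name_wire(name):
    """Canonical wire form of an owner name: lower-case, uncompressed labels."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B): the +12345 part of the file name.

    This is the general formula. Algorithm 1 (RSAMD5) uses a different one taken
    from the modulus, so do not apply this to RSAMD5 keys.
    """
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keyfile_name(zone, algorithm, tag, ext):
    """File name dnssec-keygen uses: K<zone>+<alg>+<tag>.<key|private>."""
    return "K%s+%03d+%05d.%s" % (zone, algorithm, tag, ext)


def parse_keyfile_name(filename):
    """Split a K* file name into (zone, algorithm, key tag, extension)."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError("not a dnssec-keygen file name: %s" % filename)
    return m.group("name"), int(m.group("alg")), int(m.group("tag")), m.group("ext")


def dnskey_from_key_file(text):
    """Return (owner, rdata) from the DNSKEY line in a .key file; ';' starts a comment."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[1].isdigit():              # optional TTL between owner and class
            del fields[1]
        owner, _cls, _rrtype, flags, proto, alg = fields[:6]
        pubkey = base64.b64decode("".join(fields[6:]))
        return owner, dnskey_rdata(int(flags), int(proto), int(alg), pubkey)
    raise ValueError("no DNSKEY record found")


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA the parent publishes at the delegation point (RFC 4034 section 5.1.4).

    The digest covers the owner name in wire form followed by the DNSKEY RDATA;
    digest type 1 is SHA-1, 2 is SHA-256. This is the line a dsset file carries.
    """
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = digest_fn(owner_name_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type, digest)


if __name__ == "__main__":
    owner, rdata = dnskey_from_key_file(SAMPLE_KEY_FILE)
    tag = key_tag(rdata)                       # 2060 for the constructed key
    print(keyfile_name(owner, rdata[3], tag, "key"))   # Kchild.example.+005+02060.key
    print(ds_record(owner, rdata))
```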
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571364"></a>Configuring Servers</h3></div></div></div>
<p>
        To enable <span><strong class="command">named</strong></span> to respond appropriately
        to DNS requests from DNSSEC aware clients,
        <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
        (This is the default setting.)
        </p>
<p>
        To enable <span><strong class="command">named</strong></span> to validate answers from
        other servers, the <span><strong class="command">dnssec-enable</strong></span> option
        must be set to <strong class="userinput"><code>yes</code></strong>, and the
        <span><strong class="command">dnssec-validation</strong></span> option must be set to
        <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
        </p>
<p>
        If <span><strong class="command">dnssec-validation</strong></span> is set to
        <strong class="userinput"><code>auto</code></strong>, then a default
        trust anchor for the DNS root zone will be used.
        If it is set to <strong class="userinput"><code>yes</code></strong>, however,
        then at least one trust anchor must be configured
        with a <span><strong class="command">trusted-keys</strong></span> or
        <span><strong class="command">managed-keys</strong></span> statement in
        <code class="filename">named.conf</code>, or DNSSEC validation
        will not occur. The default setting is
        <strong class="userinput"><code>yes</code></strong>.
        </p>
<p>
        <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
        for zones that are used to form the first link in the
        cryptographic chain of trust. All keys listed in
        <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
        are deemed to exist and only the listed keys will be used
        to validate the DNSKEY RRset that they are from.
        </p>
<p>
        <span><strong class="command">managed-keys</strong></span> are trusted keys which are
        automatically kept up to date via RFC 5011 trust anchor
        maintenance.
        </p>
<p>
        <span><strong class="command">trusted-keys</strong></span> and
        <span><strong class="command">managed-keys</strong></span> are described in more detail
        later in this document.
        </p>
<p>
        Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
        9 does not verify signatures on load, so zone keys for
        authoritative zones do not need to be specified in the
        configuration file.
        </p>
<p>
        Once DNSSEC is established, a typical DNSSEC configuration
        will look something like the following. It has one or
        more public keys for the root. This allows answers from
        outside the organization to be validated. It will also
        have several keys for parts of the namespace the organization
        controls. These are here to ensure that <span><strong class="command">named</strong></span>
        is immune to compromises in the DNSSEC components of the security
        of parent zones.
        </p>
<pre class="programlisting">
managed-keys {
        /* Root Key */
        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
        JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
        aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User dgxbcDTClU0CRBdiieyLMNzXG3";
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User};
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox Usertrusted-keys {
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User /* Key for our organization's forward zone */
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews 1OTQ09A0=";
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews /* Key for our reverse zone. */
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews xOdNax071L18QqZnQQQAVVr+i
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews LhGTnNGp3HoWQLUIzKrJVZ3zg
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews gy3WwNT6kZo6c0tszYqbtvchm
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews gQC8CzKojM/W16i6MG/eafGU3
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews siaOdS0yOI6BgPsw+YZdzlYMa
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews IJGf4M4dyoKIhzdZyQ2bYQrjy
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews Q4LB0lC7aOnsMyYKHHYeRvPxj
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews IQXmdqgOJGq+vsevG06zW+1xg
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews YJh9rCIfnm1GX/KMgxLPG2vXT
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User D/RnLX+D3T3UL7HJYHJhAZD5L
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User 59VvjSPsZJHeDCUyWYrvPZesZ
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User DIRvhDD52SKvbheeTJUm6Ehkz
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater ytNN2SN96QRk8j/iI8ib";
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User};
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updateroptions {
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews ...
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User dnssec-enable yes;
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User dnssec-validation yes;
8c9c79e5fea0cb698026a74821695907c8312a46Mark Andrews};
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User</pre>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<h3 class="title">Note</h3>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User None of the keys listed in this example are valid. In particular,
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater the root key is not valid.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User </div>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater<p>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater When DNSSEC validation is enabled and properly configured,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User the resolver will reject any answers from signed, secure zones
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User which fail to validate, and will return SERVFAIL to the client.
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater </p>
<p>
Responses may fail to validate for any of several reasons,
including missing, expired, or invalid signatures, a key which
does not match the DS RRset in the parent zone, or an insecure
response from a zone which, according to its parent, should have
been secure.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
When the validator receives a response from an unsigned zone
that has a signed parent, it must confirm with the parent
that the zone was intentionally left unsigned. It does
this by verifying, via signed and validated NSEC/NSEC3 records,
that the parent zone contains no DS records for the child.
</p>
<p>
If the validator <span class="emphasis"><em>can</em></span> prove that the zone
is insecure, then the response is accepted. However, if it
cannot, then it must assume an insecure response to be a
forgery; it rejects the response and logs an error.
</p>
<p>
The logged error reads "insecurity proof failed" and
"got insecure response; parent indicates it should be secure".
(Prior to BIND 9.7, the logged error was "not insecure".
This referred to the zone, not the response.)
</p>
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
<p>As of BIND 9.7.0 it is possible to change a dynamic zone
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2611934"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure
<span><strong class="command">named</strong></span> so that it can see the
<code class="filename">K*</code> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
<span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
in the key-directory, as specified in
<code class="filename">named.conf</code>:</p>
<pre class="programlisting">
zone example.net {
    type master;
    update-policy local;
    file "dynamic/example.net/example.net";
    key-directory "dynamic/example.net";
};
</pre>
<p>If one KSK and one ZSK DNSKEY key have been generated, this
configuration will cause all records in the zone to be signed
with the ZSK, and the DNSKEY RRset to be signed with the KSK as
well. An NSEC chain will be generated as part of the initial
signing process.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563639"></a>Dynamic DNS update method</h3></div></div></div></div>
<p>To insert the keys via dynamic update:</p>
<pre class="screen">
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; send
</pre>
<p>While the update request will complete almost immediately,
the zone will not be completely signed until
<span><strong class="command">named</strong></span> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
chain.</p>
<p>If you wish to sign using NSEC3 instead of NSEC, you should
add an NSEC3PARAM record to the initial update request. If you
wish the NSEC3 chain to have the OPTOUT bit set, set it in the
flags field of the NSEC3PARAM record.</p>
<pre class="screen">
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
&gt; send
</pre>
<p>Again, this update request will complete almost
immediately; however, the record won't show up until
<span><strong class="command">named</strong></span> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
be removed once the operation completes.</p>
<p>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563675"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
<span><strong class="command">auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
<span><strong class="command">auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or
<code class="constant">maintain</code>.</p>
<p>With
<span><strong class="command">auto-dnssec allow</strong></span>,
<span><strong class="command">named</strong></span> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
<span><strong class="command">rndc sign &lt;zonename&gt;</strong></span>.</p>
<p>
<span><strong class="command">auto-dnssec maintain</strong></span> includes the above
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
</p>
<p>
<span><strong class="command">named</strong></span> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
that any change should be made to the zone, such as adding, removing,
or revoking a key, then that action will be carried out. By default,
the key directory is checked for changes every 60 minutes; this period
can be adjusted with the <code class="option">dnssec-loadkeys-interval</code> option, up
to a maximum of 24 hours. The <span><strong class="command">rndc loadkeys</strong></span> command forces
<span><strong class="command">named</strong></span> to check for key updates immediately.
</p>
<p>
If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an
<span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
</p>
<p>
If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
NSEC3 chain to have the OPTOUT bit set, set it in the flags field
of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
the zone immediately, but it will be stored for later reference. When
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
</p>
<p>Using the
<span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
configured to allow dynamic updates, by adding an
<span><strong class="command">allow-update</strong></span> or
<span><strong class="command">update-policy</strong></span> statement to the zone
configuration. If this has not been done, the configuration will
fail.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563779"></a>Private-type records</h3></div></div></div></div>
<p>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
the final octet (for those records which have a nonzero initial
octet).</p>
<p>The private type record format: If the first octet is
non-zero then the record indicates that the zone needs to be
signed with the key matching the record, or that all signatures
that match the record should be removed.</p>
<div class="literallayout"><p><br>
<br>
&nbsp;&nbsp;algorithm&nbsp;(octet&nbsp;1)<br>
&nbsp;&nbsp;key&nbsp;id&nbsp;in&nbsp;network&nbsp;order&nbsp;(octet&nbsp;2&nbsp;and&nbsp;3)<br>
&nbsp;&nbsp;removal&nbsp;flag&nbsp;(octet&nbsp;4)<br>
&nbsp;&nbsp;complete&nbsp;flag&nbsp;(octet&nbsp;5)<br>
</p></div>
<p>Only records flagged as "complete" can be removed via
dynamic update. Attempts to remove other private type records
will be silently ignored.</p>
<p>If the first octet is zero (this is a reserved algorithm
number that should never appear in a DNSKEY record) then the
record indicates changes to the NSEC3 chains are in progress. The
rest of the record contains an NSEC3PARAM record. The flag field
tells what operation to perform based on the flag bits.</p>
<div class="literallayout"><p><br>
<br>
&nbsp;&nbsp;0x01&nbsp;OPTOUT<br>
&nbsp;&nbsp;0x80&nbsp;CREATE<br>
&nbsp;&nbsp;0x40&nbsp;REMOVE<br>
&nbsp;&nbsp;0x20&nbsp;NONSEC<br>
</p></div>
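<p>The two record layouts above, and the key id that a trust anchor or signing-state record refers to, as an added example that is not BIND's own code: it computes the RFC 4034 key tag for a DNSKEY (using the ZSK from the nsupdate example), encodes and decodes both kinds of private-type record, and applies the rule that only "complete" signing-state records may be removed by dynamic update. The function and class names are the example's own, and the NSEC3PARAM embedded after the zero octet is assumed to be in RFC 5155 wire format.</p>

```python
"""Added example (not BIND's own code): DNSKEY key tags and the
private-type records this section describes. The NSEC3PARAM embedded
in the zero-algorithm record is assumed to be in RFC 5155 wire format."""
import base64
import struct
from dataclasses import dataclass
from typing import List, Union

# Flag bits of the NSEC3-chain private-type record, as listed above.
NSEC3_OPTOUT = 0x01
NSEC3_CREATE = 0x80
NSEC3_REMOVE = 0x40
NSEC3_NONSEC = 0x20

# The ZSK from the nsupdate example above, in presentation format
# (flags, protocol, algorithm, base64 key with its line-wrap space).
EXAMPLE_ZSK = (256, 3, 7,
               "AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y "
               "I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=")


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA in wire format; whitespace inside the base64 key is dropped."""
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the 'key id' carried in octets 2-3 of a
    signing-state private record (not valid for the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class SigningState:
    """First octet non-zero: sign with, or strip signatures of, one key."""
    algorithm: int
    keyid: int
    remove: bool
    complete: bool

    def to_wire(self) -> bytes:
        # algorithm (1) | key id, network order (2) | removal (1) | complete (1)
        return struct.pack("!BHBB", self.algorithm, self.keyid,
                           int(self.remove), int(self.complete))


@dataclass(frozen=True)
class Nsec3Chain:
    """First octet zero: an NSEC3 chain change selected by the flag bits."""
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes

    def to_wire(self) -> bytes:
        hdr = struct.pack("!BBHB", self.hash_alg, self.flags,
                          self.iterations, len(self.salt))
        return b"\x00" + hdr + self.salt

    def operations(self) -> List[str]:
        names = ((NSEC3_CREATE, "CREATE"), (NSEC3_REMOVE, "REMOVE"),
                 (NSEC3_NONSEC, "NONSEC"), (NSEC3_OPTOUT, "OPTOUT"))
        return [name for bit, name in names if self.flags & bit]


def parse_private(rdata: bytes) -> Union[SigningState, Nsec3Chain]:
    """Decode private-type RDATA, rejecting malformed lengths."""
    if not rdata:
        raise ValueError("empty private-type record")
    if rdata[0] != 0:
        if len(rdata) != 5:
            raise ValueError("signing-state record must be 5 octets")
        alg, keyid, rem, comp = struct.unpack("!BHBB", rdata)
        return SigningState(alg, keyid, bool(rem), bool(comp))
    if len(rdata) < 6:
        raise ValueError("NSEC3 record too short for an NSEC3PARAM header")
    hash_alg, flags, iters, saltlen = struct.unpack("!BBHB", rdata[1:6])
    if len(rdata) != 6 + saltlen:
        raise ValueError("NSEC3PARAM salt length does not match record")
    return Nsec3Chain(hash_alg, flags, iters, rdata[6:])


def removable_via_update(rdata: bytes) -> bool:
    """Only signing-state records flagged complete may be removed by UPDATE;
    named silently ignores attempts to remove any other private record."""
    rec = parse_private(rdata)
    return isinstance(rec, SigningState) and rec.complete


if __name__ == "__main__":
    zsk = dnskey_rdata(*EXAMPLE_ZSK)
    print("ZSK key tag:", key_tag(zsk))
    # NSEC3PARAM 1 1 100 1234567890 from the example, while its chain is built
    chain = Nsec3Chain(1, NSEC3_CREATE | NSEC3_OPTOUT, 100, bytes.fromhex("1234567890"))
    print("NSEC3 private record:", chain.to_wire().hex(), chain.operations())
```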
12ee3c02ab36d7e7430bd705cc289db1a69a5733Mark Andrews<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater<a name="id2563816"></a>DNSKEY rollovers</h3></div></div></div></div>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<p>As with insecure-to-secure conversions, rolling DNSSEC
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater keys can be done in two ways: using a dynamic DNS update, or the
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews<a name="id2563897"></a>Dynamic DNS update method</h3></div></div></div></div>
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater<p> To perform key rollovers via dynamic update, you need to add
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater the <code class="filename">K*</code> files for the new keys so that
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span><strong class="command">named</strong></span> can find them. You can then add the new
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater DNSKEY RRs via dynamic update.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span><strong class="command">named</strong></span> will then cause the zone to be signed
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User with the new keys. When the signing is complete the private type
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User records will be updated so that the last octet is non
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User zero.</p>
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews<p>If this is for a KSK you need to inform the parent and any
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews trust anchor repositories of the new KSK.</p>
fd8fb4df8499e292daeac765f599ac7c507d9ca3Mark Andrews<p>You should then wait for the maximum TTL in the zone before
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User removing the old DNSKEY. If it is a KSK that is being updated,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User you also need to wait for the DS RRset in the parent to be
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater updated and its TTL to expire. This ensures that all clients will
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater be able to verify at least one signature when you remove the old
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User DNSKEY.</p>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<p>The old DNSKEY can be removed via UPDATE. Take care to
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater specify the correct key.
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater <span><strong class="command">named</strong></span> will clean out any signatures generated
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater by the old key after the update completes.</p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater<a name="id2563930"></a>Automatic key rollovers</h3></div></div></div></div>
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater<p>When a new key reaches its activation date (as set by
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User automatically carry out the key rollover. If the key's algorithm
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User has not previously been used to sign the zone, then the zone will
ec8755f605d7dcb2de1076040e77bc2d7ec33b4aTinderbox User be fully signed as quickly as possible. However, if the new key
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User is replacing an existing key of the same algorithm, then the
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater zone will be re-signed incrementally, with signatures from the
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User old key being replaced with signatures from the new key as their
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User signature validity periods expire. By default, this rollover
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User completes in 30 days, after which it will be safe to remove the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User old key from the DNSKEY RRset.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563957"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
 new NSEC3 chain has been generated, the NSEC3PARAM flag field
 will be zero. At this point you can remove the old NSEC3PARAM
 record. The old chain will be removed after the update request
 completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563966"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When
 the conversion is complete, the NSEC chain will have been removed
 and the NSEC3PARAM record will have a zero flag field. The NSEC3
 chain will be generated before the NSEC chain is
 destroyed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563976"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
 remove all NSEC3PARAM records with a zero flag
 field. The NSEC chain will be generated before the NSEC3 chain is
 removed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563989"></a>Converting from secure to insecure</h3></div></div></div></div>
<p>To convert a signed zone to unsigned using dynamic DNS,
 delete all the DNSKEY records from the zone apex using
 <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
 and associated NSEC3PARAM records will be removed automatically.
 This will take place after the update request completes.</p>
<p> This requires the
 <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to
 <strong class="userinput"><code>yes</code></strong> in
 <code class="filename">named.conf</code>.</p>
<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
 zone statement is used, it should be removed or changed to
 <span><strong class="command">allow</strong></span> instead (or it will re-sign).
 </p>
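<p>The four dynamic-update procedures above share one safety check: clean-up may only follow once <span><strong class="command">named</strong></span> has published the new NSEC3PARAM record with a zero flags field. The following Python is an added example, not BIND's own code. It parses NSEC3PARAM records out of a zone dump, reports whether a rollover is still pending, and builds the <span><strong class="command">nsupdate</strong></span> input for each of the conversions described above. The zone name, server address, salts and the zone dump are constructed sample values, and the TTL of 0 on the added record is an assumption.</p>

```python
"""Track nsupdate-driven NSEC3PARAM changes and decide when clean-up is safe.

Added example, not BIND's own code.  It models the procedures described in
the text: named publishes the NSEC3PARAM record with a zero flags field once
the matching NSEC3 chain exists, so an old NSEC3PARAM record (or the NSEC
chain) should only be removed after that has been observed.  All record text
below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Nsec3Param:
    owner: str
    hash_alg: int
    flags: int
    iterations: int
    salt: str            # hex digits, or "-" for an empty salt

    @property
    def chain_complete(self) -> bool:
        """named clears the flags field once the NSEC3 chain has been generated."""
        return self.flags == 0

    def same_chain(self, other: "Nsec3Param") -> bool:
        """Same chain parameters; flags are ignored because named rewrites them."""
        return (self.hash_alg, self.iterations, self.salt.upper()) == \
               (other.hash_alg, other.iterations, other.salt.upper())

    def rdata(self) -> str:
        return f"{self.hash_alg} {self.flags} {self.iterations} {self.salt}"


def parse_nsec3param(line: str) -> Nsec3Param:
    """Parse 'owner TTL IN NSEC3PARAM hash-alg flags iterations salt'."""
    f = line.split()
    if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "NSEC3PARAM":
        raise ValueError(f"not an NSEC3PARAM record: {line!r}")
    return Nsec3Param(f[0], int(f[4]), int(f[5]), int(f[6]), f[7])


def zone_nsec3params(zone_text: str) -> List[Nsec3Param]:
    """Pick the NSEC3PARAM records out of a zone dump, ignoring other types."""
    found = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[3].upper() == "NSEC3PARAM":
            found.append(parse_nsec3param(line))
    return found


def rollover_state(current: Sequence[Nsec3Param], new: Nsec3Param) -> str:
    """'missing'  - the added record is not visible in the zone yet
       'pending'  - visible, but the new chain is still being generated
       'complete' - flags are zero: the old NSEC3PARAM may now be removed"""
    for rec in current:
        if rec.same_chain(new):
            return "complete" if rec.chain_complete else "pending"
    return "missing"


def old_params_to_remove(current: Sequence[Nsec3Param], new: Nsec3Param) -> List[Nsec3Param]:
    """Old NSEC3PARAM records that may be deleted, empty while the new chain is unfinished."""
    if rollover_state(current, new) != "complete":
        return []
    return [rec for rec in current if not rec.same_chain(new)]


def nsupdate_script(zone: str, server: str, adds: Sequence[Nsec3Param] = (),
                    deletes: Sequence[Nsec3Param] = (), delete_types: Sequence[str] = (),
                    ttl: int = 0) -> str:
    """Text to feed to 'nsupdate' on stdin for one update transaction."""
    lines = [f"server {server}", f"zone {zone}"]
    lines += [f"update delete {r.owner} NSEC3PARAM {r.rdata()}" for r in deletes]
    lines += [f"update delete {zone} {t}" for t in delete_types]   # whole RRset at the apex
    lines += [f"update add {r.owner} {ttl} NSEC3PARAM {r.rdata()}" for r in adds]
    return "\n".join(lines + ["send"]) + "\n"


# The three conversions from the text, expressed as update transactions.
def convert_nsec_to_nsec3(zone: str, server: str, new: Nsec3Param) -> str:
    return nsupdate_script(zone, server, adds=[new])


def convert_nsec3_to_nsec(zone: str, server: str, current: Sequence[Nsec3Param]) -> str:
    # remove every NSEC3PARAM with a zero flags field; named then rebuilds the NSEC chain
    return nsupdate_script(zone, server, deletes=[r for r in current if r.chain_complete])


def convert_secure_to_insecure(zone: str, server: str) -> str:
    # needs dnssec-secure-to-insecure yes; named removes RRSIG/NSEC/NSEC3/NSEC3PARAM itself
    return nsupdate_script(zone, server, delete_types=["DNSKEY"])


# Constructed zone dumps: before and after named finished generating the new chain.
NEW_PARAM = Nsec3Param("example.net.", 1, 1, 10, "11223344")
DUMP_PENDING = """\
example.net. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example.net. 0 IN NSEC3PARAM 1 1 10 11223344
example.net. 3600 IN DNSKEY 257 3 8 AwEAAexampleKSK
"""
DUMP_COMPLETE = DUMP_PENDING.replace("NSEC3PARAM 1 1 10", "NSEC3PARAM 1 0 10")
```

<p>Feed the returned script to <span><strong class="command">nsupdate</strong></span> (with a TSIG key via <code class="option">-k</code> where the zone's update policy requires one), then poll the zone and only send the deletion once <code>rollover_state</code> reports <code>complete</code>.</p>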
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2564026"></a>Periodic re-signing</h3></div></div></div></div>
<p>In any secure zone which supports dynamic updates, <span><strong class="command">named</strong></span>
 will periodically re-sign RRsets which have not been re-signed as
 a result of some update action. The signature lifetimes will be
 adjusted so as to spread the re-sign load over time rather than
 all at once.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2580625"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<p>
 <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
 where all the NSEC3 records in the zone have the same OPTOUT
 state.
 <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
 records in the chain have mixed OPTOUT state.
 <span><strong class="command">named</strong></span> does not support changing the OPTOUT
 state of an individual NSEC3 record; if the OPTOUT state of an
 individual NSEC3 record needs to be changed, the entire chain must
 be changed.</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
 anchor management. Using this feature allows
 <span><strong class="command">named</strong></span> to keep track of changes to critical
 DNSSEC keys without any need for the operator to make changes to
 configuration files.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2580794"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
 maintain a trust anchor, configure the trust anchor using a
 <span><strong class="command">managed-keys</strong></span> statement. Information about
 this can be found in
 <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
 and Usage">the section called &#8220;<span><strong class="command">managed-keys</strong></span> Statement Definition
 and Usage&#8221;</a>.</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2580817"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor
 maintenance, generate two (or more) key signing keys (KSKs) for
 the zone. Sign the zone with one of them; this is the "active"
 KSK. All KSKs which do not sign the zone are "stand-by"
 keys.</p>
<p>Any validating resolver which is configured to use the
 active KSK as an RFC 5011-managed trust anchor will take note
 of the stand-by KSKs in the zone's DNSKEY RRset, and store them
 for future reference. The resolver will recheck the zone
 periodically, and after 30 days, if the new key is still there,
 then the key will be accepted by the resolver as a valid trust
 anchor for the zone. Any time after this 30-day acceptance
 timer has completed, the active KSK can be revoked, and the
 zone can be "rolled over" to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to
 use the "smart signing" features of
 <span><strong class="command">dnssec-keygen</strong></span> and
 <span><strong class="command">dnssec-signzone</strong></span>. If a key has a publication
 date in the past but an activation date which is unset or in
 the future, "<span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
 record in the zone, but will not sign with it:</p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
</pre>
<p>To revoke a key, the new command
 <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
 REVOKED bit to the key flags and re-generates the
 <code class="filename">K*.key</code> and
 <code class="filename">K*.private</code> files.</p>
<p>After revoking the active key, the zone must be signed
 with both the revoked KSK and the new active KSK. (Smart
 signing takes care of this automatically.)</p>
<p>Once a key has been revoked and used to sign the DNSKEY
 RRset in which it appears, that key will never again be
 accepted as a valid trust anchor by the resolver. However,
 validation can proceed using the new active key (which had been
 accepted by the resolver when it was a stand-by key).</p>
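<p>The acceptance and revocation rules above can be followed with a small model of the resolver side. The following Python is an added example and not <span><strong class="command">named</strong></span>'s implementation of RFC 5011: keys are identified by a constructed <code>key_id</code> string standing in for the public key material (the key tag cannot serve, since revocation changes it), the 30-day hold-down is the acceptance timer stated above, an RRset is only considered when it is signed by a currently trusted key, and a revoked key only counts as revoked when it signed the RRset itself. The key ids and flags in the scenario are constructed.</p>

```python
"""Simplified model of how a validating resolver maintains an RFC 5011
managed trust anchor.  Added example, not named's own implementation.

A stand-by KSK is accepted only after it has been continuously present in a
validly signed DNSKEY RRset for the 30-day hold-down period; a key seen with
the REVOKE flag, in an RRset it signed itself, is dropped and never accepted
again.  Keys carry a constructed key_id that stands in for the public key
bytes, because the key tag changes when a key is revoked.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

SEP_FLAG = 0x0001            # Secure Entry Point bit: set on KSKs (flags 257)
REVOKE_FLAG = 0x0080         # set by dnssec-revoke (257 becomes 385)
ADD_HOLD_DOWN_DAYS = 30      # acceptance timer stated in the text


@dataclass(frozen=True)
class DnskeyRecord:
    key_id: str              # stands in for the public key material (constructed)
    flags: int


@dataclass
class ManagedTrustAnchor:
    trusted: Set[str]
    pending_since: Dict[str, int] = field(default_factory=dict)   # key_id -> first day seen
    revoked: Set[str] = field(default_factory=set)

    def observe(self, rrset: Iterable[DnskeyRecord], signed_by: Set[str], day: int) -> bool:
        """Process the zone's DNSKEY RRset as fetched on 'day'.

        'signed_by' holds the key_ids whose RRSIGs over the RRset verified.
        An RRset not signed by a currently trusted key is ignored (returns
        False), just as an answer that fails validation would be.
        """
        if not (signed_by & self.trusted):
            return False
        keys = list(rrset)
        present = {k.key_id for k in keys}

        # A key is revoked only if it carries the REVOKE bit and signed the
        # RRset itself; a flag alone, without proof of possession, is ignored.
        for k in keys:
            if k.flags & REVOKE_FLAG and k.key_id in signed_by:
                self.trusted.discard(k.key_id)
                self.pending_since.pop(k.key_id, None)
                self.revoked.add(k.key_id)

        # A candidate that disappears from the RRset loses its hold-down progress.
        for key_id in list(self.pending_since):
            if key_id not in present:
                del self.pending_since[key_id]

        # Stand-by KSKs start, or continue, the add hold-down timer.
        for k in keys:
            if (k.key_id in self.trusted or k.key_id in self.revoked
                    or (k.flags & REVOKE_FLAG) or not (k.flags & SEP_FLAG)):
                continue
            first_seen = self.pending_since.setdefault(k.key_id, day)
            if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.trusted.add(k.key_id)
                del self.pending_since[k.key_id]
        return True


def rollover_scenario() -> ManagedTrustAnchor:
    """Walk the rollover described in the text: publish stand-by KSK 'B',
    wait 30 days, revoke active KSK 'A', then keep validating with 'B'."""
    resolver = ManagedTrustAnchor(trusted={"A"})
    active, standby = DnskeyRecord("A", 257), DnskeyRecord("B", 257)
    for day in (0, 10, 20):
        resolver.observe([active, standby], signed_by={"A"}, day=day)
    resolver.observe([active, standby], signed_by={"A"}, day=30)   # B accepted here
    revoked_a = DnskeyRecord("A", 257 | REVOKE_FLAG)                 # flags 385
    resolver.observe([revoked_a, standby], signed_by={"A", "B"}, day=45)
    resolver.observe([standby], signed_by={"B"}, day=60)
    return resolver


if __name__ == "__main__":
    print(rollover_scenario())
```

<p>The model also shows the operational hazard the text implies: if the active key is revoked before the stand-by key has completed its hold-down, <code>trusted</code> becomes empty and every later RRset is ignored, so the resolver can no longer validate the zone.</p>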
<p>See RFC 5011 for more details on key rollover
 scenarios.</p>
<p>When a key has been revoked, its key ID changes,
 increasing by 128, and wrapping around at 65535. So, for
 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
 "<code class="filename">Kexample.com.+005+10128</code>".</p>
<p>If two keys have IDs exactly 128 apart, and one is
 revoked, then the two key IDs will collide, causing several
 problems. To prevent this,
 <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
 another key is present which may collide. This checking will
 only occur if the new keys are written to the same directory
 which holds all other keys in use for that zone.</p>
<p>Older versions of BIND 9 did not have this precaution.
 Exercise caution if using key revocation on keys that were
 generated by previous releases, or if using keys stored in
 multiple directories or on multiple machines.</p>
<p>It is expected that a future release of BIND 9 will
 address this problem in a different way, by storing revoked
 keys with their original unrevoked key IDs.</p>
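<p>The key ID arithmetic above follows from the key tag computation of RFC 4034 Appendix B: the tag is a 16-bit checksum over the DNSKEY RDATA, and the REVOKE bit (0x0080) sits in the flags word that the RDATA begins with, so setting it adds 128 to the tag modulo 65536. The following Python is an added example, not <span><strong class="command">dnssec-keygen</strong></span>'s code; the public key bytes are constructed, and the collision test (IDs equal, or exactly 128 apart) is an assumed reconstruction of the pre-generation check the text describes.</p>

```python
"""Key tag computation (RFC 4034, Appendix B) and the revocation arithmetic
described in the text.  Added example, not dnssec-keygen's own code; the
public key bytes are constructed and do not form a real key."""
import struct

REVOKE_FLAG = 0x0080   # DNSKEY flags bit set by dnssec-revoke (257 becomes 385)
TAG_MODULUS = 1 << 16  # key tags are 16-bit values


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the wire-format DNSKEY RDATA (flags, protocol, algorithm,
    public key).  Not valid for algorithm 1 (RSA/MD5), which uses a different rule."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte   # sum the RDATA as 16-bit words
    ac += (ac >> 16) & 0xFFFF                     # fold the carry back in
    return ac & 0xFFFF


def revoked_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Tag of the same key after dnssec-revoke sets the REVOKE bit."""
    return key_tag(flags | REVOKE_FLAG, protocol, algorithm, pubkey)


def revoked_filename(keyfile: str) -> str:
    """Map 'Kname.+alg+tag' to the name the revoked key will be stored under."""
    name, alg, tag = keyfile.rsplit("+", 2)
    return f"{name}+{alg}+{(int(tag) + 128) % TAG_MODULUS:05d}"


def collides(new_tag: int, existing_tags) -> bool:
    """True if new_tag equals an existing tag, or is exactly 128 away from
    one, so that revoking either key would make the two IDs coincide.
    Assumed reconstruction of the check described in the text."""
    return any((new_tag - tag) % TAG_MODULUS in (0, 128, TAG_MODULUS - 128)
               for tag in existing_tags)


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 5) whose
# "public key" is 16 counting bytes, not real key material.
SAMPLE_PUBKEY = bytes(range(1, 17))


def demo() -> dict:
    """Tag before and after revocation for the constructed key."""
    active = key_tag(257, 3, 5, SAMPLE_PUBKEY)
    revoked = revoked_key_tag(257, 3, 5, SAMPLE_PUBKEY)
    return {
        "active": active,
        "revoked": revoked,
        "delta": (revoked - active) % TAG_MODULUS,
        "blocked_by_existing": collides(revoked, [active]),
    }


if __name__ == "__main__":
    print(demo())
    print(revoked_filename("Kexample.com.+005+10000"))
```

<p>Running <code>collides()</code> over the tags of every key file in a zone's key directory before generating a new key reproduces the check; keys kept in other directories or on other machines are invisible to it, which is the caveat the text raises.</p>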
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
<p>
 PKCS#11 (Public Key Cryptography Standard #11) defines a
 platform-independent API for the control of hardware security
 modules (HSMs) and other cryptographic support devices.
 </p>
<p>
 BIND 9 is known to work with three HSMs: the AEP Keyper, which has
 been tested with Debian Linux, Solaris x86 and Windows Server 2003;
 the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
 cryptographic acceleration board, tested with Solaris x86. In
 addition, BIND can be used with SoftHSM, a software-based HSM
 simulator produced by the OpenDNSSEC project.
 </p>
<p>
 PKCS#11 makes use of a "provider library": a dynamically loadable
 library which provides a low-level PKCS#11 interface to drive the HSM
 hardware. The PKCS#11 provider library comes from the HSM vendor, and
 it is specific to the HSM to be controlled.
 </p>
<p>
 There are two available mechanisms for PKCS#11 support in BIND 9:
 OpenSSL-based PKCS#11 and native PKCS#11. When using the first
 mechanism, BIND uses a modified version of OpenSSL, which loads
 the provider library and operates the HSM indirectly; any
 cryptographic operations not supported by the HSM can be carried
 out by OpenSSL instead. The second mechanism enables BIND to bypass
 OpenSSL completely; BIND loads the provider library itself, and uses
 the PKCS#11 API to drive the HSM directly.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2666656"></a>Prerequisites</h3></div></div></div>
<p>
 See the documentation provided by your HSM vendor for
 information about installing, initializing, testing and
 troubleshooting the HSM.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2666665"></a>Native PKCS#11</h3></div></div></div>
<p>
 Native PKCS#11 mode will only work with an HSM capable of carrying
 out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
 need. The HSM's provider library must have a complete implementation
 of the PKCS#11 API, so that all these functions are accessible. As of
 this writing, only the Thales nShield HSM and the latest development
 version of SoftHSM can be used in this fashion. For other HSMs,
 including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
 use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
 supporting native PKCS#11, it is expected that OpenSSL-based
 PKCS#11 will eventually be deprecated.)
 </p>
<p>
 To build BIND with native PKCS#11, configure as follows:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
 --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
 </pre>
<p>
 This will cause all BIND tools, including <span><strong class="command">named</strong></span>
 and the <span><strong class="command">dnssec-*</strong></span> and <span><strong class="command">pkcs11-*</strong></span>
 tools, to use the PKCS#11 provider library specified in
 <em class="replaceable"><code>provider-library-path</code></em> for cryptography.
 (The provider library path can be overridden using the
 <code class="option">-E</code> option in <span><strong class="command">named</strong></span> and the
 <span><strong class="command">dnssec-*</strong></span> tools, or the <code class="option">-m</code> option in
 the <span><strong class="command">pkcs11-*</strong></span> tools.)
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2611792"></a>OpenSSL-based PKCS#11</h3></div></div></div>
<p>
 OpenSSL-based PKCS#11 mode uses a modified version of the
 OpenSSL library; stock OpenSSL does not fully support PKCS#11.
 ISC provides a patch to OpenSSL to correct this. This patch is
 based on work originally done by the OpenSolaris project; it has been
 modified by ISC to provide new features such as PIN management and
 key-by-reference.
 </p>
<p>
 There are two "flavors" of PKCS#11 support provided by
 the patched OpenSSL, one of which must be chosen at
 configuration time. The correct choice depends on the HSM
 hardware:
 </p>
<div class="itemizedlist"><ul type="disc">
<li><p>
 Use 'crypto-accelerator' with HSMs that have hardware
 cryptographic acceleration features, such as the SCA 6000
 board. This causes OpenSSL to run all supported
 cryptographic operations in the HSM.
 </p></li>
<li><p>
 Use 'sign-only' with HSMs that are designed to
 function primarily as secure key storage devices, but lack
 hardware acceleration. These devices are highly secure, but
 are not necessarily any faster at cryptography than the
 system CPU &#8212; often, they are slower. It is therefore
 most efficient to use them only for those cryptographic
 functions that require access to the secured private key,
 such as zone signing, and to use the system CPU for all
 other computationally-intensive operations. The AEP Keyper
 is an example of such a device.
 </p></li>
</ul></div>
<p>
 The modified OpenSSL code is included in the BIND 9 release,
 in the form of a context diff against the latest versions of
 OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are
 separate diffs for each version. In the examples to follow,
 we use OpenSSL 0.9.8, but the same methods work with OpenSSL
 1.0.0 and 1.0.1.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 The latest OpenSSL versions as of this writing (January 2014)
 are 0.9.8y, 1.0.0l, and 1.0.1f.
 ISC will provide updated patches as new versions of OpenSSL
 are released. The version number in the following examples
 is expected to change.
 </div>
<p>
 Before building BIND 9 with PKCS#11 support, it will be
 necessary to build OpenSSL with the patch in place, and configure
 it with the path to your HSM's PKCS#11 provider library.
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2612102"></a>Patching OpenSSL</h4></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>wget <a href="http://www.openssl.org/source/openssl-0.9.8y.tar.gz" target="_top">http://www.openssl.org/source/openssl-0.9.8y.tar.gz</a></code></strong>
 </pre>
<p>Extract the tarball:</p>
<pre class="screen">
$ <strong class="userinput"><code>tar zxf openssl-0.9.8y.tar.gz</code></strong>
</pre>
<p>Apply the patch from the BIND 9 release:</p>
<pre class="screen">
$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8y \
 &lt; bind9/bin/pkcs11/openssl-0.9.8y-patch</code></strong>
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that the patch file may not be compatible with the
 "patch" utility on all operating systems. You may need to
 install GNU patch.
 </div>
<p>
 When building OpenSSL, place it in a non-standard
 location so that it does not interfere with OpenSSL libraries
 elsewhere on the system. In the following examples, we choose
 to install into "/opt/pkcs11/usr". We will use this location
 when we configure BIND 9.
 </p>
<p>
 Later, when building BIND 9, the location of the custom-built
 OpenSSL library will need to be specified via configure.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2612161"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>
 The AEP Keyper is a highly secure key storage device,
 but does not provide hardware cryptographic acceleration. It
 can carry out cryptographic operations, but it is probably
 slower than your system's CPU. Therefore, we choose the
 'sign-only' flavor when building OpenSSL.
 </p>
<p>
 The Keyper-specific PKCS#11 provider library is
 delivered with the Keyper software. In this example, we place
 it in /opt/pkcs11/usr/lib:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
</pre>
<p>
 This library is only available for Linux as a 32-bit
 binary. If we are compiling on a 64-bit Linux system, it is
 necessary to force a 32-bit build, by specifying -m32 in the
 build options.
 </p>
<p>
 Finally, the Keyper library requires threads, so we
 must specify -pthread.
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
 --pk11-flavor=sign-only \
 --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
 After configuring, run "<span><strong class="command">make</strong></span>"
 and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
 test</strong></span>" fails with "pthread_atfork() not found", you forgot to
 add the -pthread above.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2612231"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>
 The SCA 6000 PKCS#11 provider is installed as a system
 library, libpkcs11. It is a true crypto accelerator, up to 4
 times faster than any CPU, so the flavor should be
 'crypto-accelerator'.
 </p>
<p>
 In this example, we are building on Solaris x86 on an
 AMD64 system.
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
 --pk11-libname=/usr/lib/64/libpkcs11.so \
 --pk11-flavor=crypto-accelerator \
 --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
 (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
 </p>
<p>
 After configuring, run
 <span><strong class="command">make</strong></span> and
 <span><strong class="command">make test</strong></span>.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2612281"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
<p>
 SoftHSM is a software library provided by the OpenDNSSEC
 project (http://www.opendnssec.org) which provides a PKCS#11
 interface to a virtual HSM, implemented in the form of encrypted
 data on the local filesystem. SoftHSM can be configured to use
 either OpenSSL or the Botan library for encryption, and SQLite3
 for data storage. Though less secure than a true HSM, it can
 provide more secure key storage than traditional key files,
 and can allow you to experiment with PKCS#11 when an HSM is
 not available.
 </p>
<p>
 The SoftHSM cryptographic store must be installed and
 initialized before using it with OpenSSL, and the SOFTHSM_CONF
 environment variable must always point to the SoftHSM configuration
 file:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd softhsm-1.3.0</code></strong>
$ <strong class="userinput"><code>./configure --prefix=/opt/pkcs11/usr</code></strong>
$ <strong class="userinput"><code>make</code></strong>
$ <strong class="userinput"><code>make install</code></strong>
$ <strong class="userinput"><code>export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf</code></strong>
$ <strong class="userinput"><code>echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM_CONF</code></strong>
$ <strong class="userinput"><code>/opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm</code></strong>
</pre>
<p>
 SoftHSM can perform all cryptographic operations, but
 since it only uses your system CPU, there is no advantage to using
 it for anything but signing. Therefore, we choose the 'sign-only'
 flavor when building OpenSSL.
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
 --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
 --pk11-flavor=sign-only \
 --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
 After configuring, run "<span><strong class="command">make</strong></span>"
 and "<span><strong class="command">make test</strong></span>".
 </p>
</div>
<p>
 Once you have built OpenSSL, run
 "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
 that PKCS#11 support was compiled in correctly. The output
 should be one of the following lines, depending on the flavor
 selected:
 </p>
<pre class="screen">
 (pkcs11) PKCS #11 engine support (sign only)
</pre>
<p>Or:</p>
<pre class="screen">
 (pkcs11) PKCS #11 engine support (crypto accelerator)
</pre>
<p>
 Next, run
 "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
 attempt to initialize the PKCS#11 engine. If it is able to
 do so successfully, it will report
 &#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;.
 </p>
<p>
 If the output is correct, run
 "<span><strong class="command">make install</strong></span>" which will install the
 modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2639125"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<p>
 To link with the PKCS#11 provider, threads must be
 enabled in the BIND 9 build.
 </p>
<p>
 The PKCS#11 library for the AEP Keyper is currently
 only available as a 32-bit binary. If we are building on a
 64-bit host, we must force a 32-bit build by adding "-m32" to
 the CC options on the "configure" command line.
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
 --with-openssl=/opt/pkcs11/usr \
 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2639157"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<p>
 To link with the PKCS#11 provider, threads must be
 enabled in the BIND 9 build.
 </p>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
 --with-openssl=/opt/pkcs11/usr \
 --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
</pre>
<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
<p>
 If configure complains about OpenSSL not working, you
 may have a 32/64-bit architecture mismatch. Or, you may have
 incorrectly specified the path to OpenSSL (it should be the
 same as the --prefix argument to the OpenSSL
 Configure).
 </p>
</div>
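<p>
 The following shell functions are an added example, not part of the BIND 9 ARM: they read the ELF class byte of the PKCS#11 provider library and of the custom-built OpenSSL binary, so a 32/64-bit mismatch is caught before configure is run, and they map the result to the CC value used in the examples above. The openssl binary location under the /opt/pkcs11/usr prefix, and the plain "gcc"/"cc" defaults for the cases where the text sets no CC, are assumptions of this example.
 </p>

```shell
#!/bin/sh
# Added example (not from the BIND 9 ARM): detect a 32/64-bit mismatch
# between the PKCS#11 provider library and the custom-built OpenSSL before
# running BIND 9's configure. Paths follow the examples in the text; the
# location of the openssl binary under the prefix is an assumption.

# elf_class FILE: print 32 or 64 according to the EI_CLASS byte (offset 4)
# of the ELF header; fail for anything that is not an ELF object.
elf_class() {
    magic=$(dd if="$1" bs=1 count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c4601) echo 32 ;;   # 0x7f 'E' 'L' 'F' followed by ELFCLASS32
        7f454c4602) echo 64 ;;   # 0x7f 'E' 'L' 'F' followed by ELFCLASS64
        *) echo "$1: not an ELF object" >&2; return 1 ;;
    esac
}

# pkcs11_arch_check PROVIDER_SO OPENSSL_BIN: print the common word size, or
# fail with a message on stderr when the two objects differ. A mismatch is
# one reason configure reports that OpenSSL does not work.
pkcs11_arch_check() {
    p=$(elf_class "$1") || return 1
    o=$(elf_class "$2") || return 1
    if [ "$p" != "$o" ]; then
        echo "architecture mismatch: $1 is ${p}-bit, $2 is ${o}-bit" >&2
        return 1
    fi
    echo "$p"
}

# bind_cc_for OS BITS: the CC value to pass to BIND 9's configure. The
# linux/32 and solaris/64 values are the ones the text uses; the other two
# are this example's assumed defaults (the text sets no CC there).
bind_cc_for() {
    case "$1/$2" in
        linux/32)   echo 'gcc -m32' ;;
        linux/64)   echo 'gcc' ;;
        solaris/32) echo 'cc' ;;
        solaris/64) echo 'cc -xarch=amd64' ;;
        *) echo "unknown platform $1/$2" >&2; return 1 ;;
    esac
}

# Example invocation for the AEP Keyper build on Linux (run from the BIND 9
# source directory; the provider library is the 32-bit Keyper .so):
#   bits=$(pkcs11_arch_check /opt/pkcs11/usr/lib/libpkcs11.so \
#                            /opt/pkcs11/usr/bin/openssl) &&
#   ./configure CC="$(bind_cc_for linux "$bits")" --enable-threads \
#       --with-openssl=/opt/pkcs11/usr \
#       --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
```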
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2639193"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-threads \
 --with-openssl=/opt/pkcs11/usr \
 --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
</pre>
</div>
<p>
 After configuring, run
 "<span><strong class="command">make</strong></span>",
 "<span><strong class="command">make test</strong></span>" and
 "<span><strong class="command">make install</strong></span>".
 </p>
<p>
 (Note: If "make test" fails in the "pkcs11" system test, you may
 have forgotten to set the SOFTHSM_CONF environment variable.)
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2639242"></a>PKCS#11 Tools</h3></div></div></div>
<p>
 BIND 9 includes a minimal set of tools to operate the
 HSM, including
 <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
 within the HSM,
 <span><strong class="command">pkcs11-list</strong></span> to list objects currently
 available,
 <span><strong class="command">pkcs11-destroy</strong></span> to remove objects, and
 <span><strong class="command">pkcs11-tokens</strong></span> to list available tokens.
 </p>
<p>
 In UNIX/Linux builds, these tools are built only if BIND
 9 is configured with the --with-pkcs11 option. (Note: If
 --with-pkcs11 is set to "yes", rather than to the path of the
 PKCS#11 provider, then the tools will be built but the
 provider will be left undefined. Use the -m option or the
 PKCS11_PROVIDER environment variable to specify the path to the
 provider.)
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2639415"></a>Using the HSM</h3></div></div></div>
<p>
 For OpenSSL-based PKCS#11, we must first set up the runtime
 environment so the OpenSSL and PKCS#11 libraries can be loaded:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
</pre>
<p>
 This causes <span><strong class="command">named</strong></span> and other binaries to load
 the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
 rather than from the default location. This step is not necessary
 when using native PKCS#11.
 </p>
<p>
 Some HSMs require other environment variables to be set.
 For example, when operating an AEP Keyper, it is necessary to
 specify the location of the "machine" file, which stores
 information about the Keyper for use by the provider
 library. If the machine file is in
 <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
 use:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
</pre>
<p>
 Such environment variables must be set whenever running
 any tool that uses the HSM, including
 <span><strong class="command">pkcs11-keygen</strong></span>,
 <span><strong class="command">pkcs11-list</strong></span>,
 <span><strong class="command">pkcs11-destroy</strong></span>,
 <span><strong class="command">dnssec-keyfromlabel</strong></span>,
 <span><strong class="command">dnssec-signzone</strong></span>,
 <span><strong class="command">dnssec-keygen</strong></span>, and
 <span><strong class="command">named</strong></span>.
 </p>
<p>
 We can now create and use keys in the HSM. In this case,
 we will create a 2048 bit key and give it the label
 "sample-ksk":
 </p>
<pre class="screen">
$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
</pre>
<p>To confirm that the key exists:</p>
<pre class="screen">
$ <strong class="userinput"><code>pkcs11-list</code></strong>
Enter PIN:
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
</pre>
<p>
 Before using this key to sign a zone, we must create a
 pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
 does this. In this case, we will be using the HSM key
 "sample-ksk" as the key-signing key for "example.net":
 </p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
</pre>
<p>
 The resulting K*.key and K*.private files can now be used
 to sign the zone. Unlike normal K* files, which contain both
 public and private key data, these files will contain only the
 public key data, plus an identifier for the private key which
 remains stored within the HSM. Signing with the private key takes
 place inside the HSM.
 </p>
<p>
 If you wish to generate a second key in the HSM for use
 as a zone-signing key, follow the same procedure above, using a
 different key label, a smaller key size, and omitting "-f KSK"
 from the dnssec-keyfromlabel arguments:
 </p>
<p>
 (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
 string which identifies the key. With native PKCS#11, the label is
 a PKCS#11 URI string which may include other details about the key
 and the HSM, including its PIN. See
 <a href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
 </p>
<pre class="screen">
$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
</pre>
<p>
 Alternatively, you may prefer to generate a conventional
 on-disk key, using dnssec-keygen:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
</pre>
<p>
 This provides less security than an HSM key, but since
 HSMs can be slow or cumbersome to use for security reasons, it
 may be more efficient to reserve HSM keys for use in the less
 frequent key-signing operation. The zone-signing key can be
 rolled more frequently, if you wish, to compensate for a
 reduction in key security. (Note: When using native PKCS#11,
 there is no speed advantage to using on-disk keys, as cryptographic
 operations will be done by the HSM regardless.)
 </p>
<p>
 Now you can sign the zone. (Note: If not using the -S
 option to <span><strong class="command">dnssec-signzone</strong></span>, it will be
 necessary to add the contents of both <code class="filename">K*.key</code>
 files to the zone master file before signing it.)
 </p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
Enter PIN:
Verifying the zone using the following algorithms:
NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
example.net.signed
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2639701"></a>Specifying the engine on the command line</h3></div></div></div>
<p>
 When using OpenSSL-based PKCS#11, the "engine" to be used by
 OpenSSL can be specified in <span><strong class="command">named</strong></span> and all of
 the BIND <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
 &lt;engine&gt;" command line option. If BIND 9 is built with
 the --with-pkcs11 option, this option defaults to "pkcs11".
 Specifying the engine will generally not be necessary unless
 for some reason you wish to use a different OpenSSL
 engine.
 </p>
<p>
 If you wish to disable use of the "pkcs11" engine &#8212;
 for troubleshooting purposes, or because the HSM is unavailable
 &#8212; set the engine to the empty string. For example:
 </p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
</pre>
<p>
 This causes
 <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
 without the --with-pkcs11 option.
 </p>
<p>
 When built with native PKCS#11 mode, the "engine" option has a
 different meaning: it specifies the path to the PKCS#11 provider
 library. This may be useful when testing a new provider library.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2639749"></a>Running named with automatic zone re-signing</h3></div></div></div>
<p>
 If you want <span><strong class="command">named</strong></span> to dynamically re-sign zones
 using HSM keys, and/or to sign new records inserted via nsupdate,
 then named must have access to the HSM PIN. In OpenSSL-based PKCS#11,
 this is accomplished by placing the PIN into the openssl.cnf file
 (in the above examples,
 <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
 </p>
<p>
 The location of the openssl.cnf file can be overridden by
 setting the OPENSSL_CONF environment variable before running
 named.
 </p>
<p>Sample openssl.cnf:</p>
<pre class="programlisting">
 openssl_conf = openssl_def
 [ openssl_def ]
 engines = engine_section
 [ engine_section ]
 pkcs11 = pkcs11_section
 [ pkcs11_section ]
 PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
</pre>
<p>
 This will also allow the dnssec-* tools to access the HSM
 without PIN entry. (The pkcs11-* tools access the HSM directly,
 not via OpenSSL, so a PIN will still be required to use
 them.)
 </p>
<p>
 In native PKCS#11 mode, the PIN can be provided in a file specified
 as an attribute of the key's label. For example, if a key had the label
 <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
 then the PIN would be read from the file
 <code class="filename">/etc/hsmpin</code>.
 </p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
 Placing the HSM's PIN in a text file in this manner may reduce the
 security advantage of using an HSM. Be sure this is what you want to
 do before configuring the system in this way.
 </p>
</div>
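<p>
 The label-driven PIN lookup described above, together with the warning, as an
 added example (not BIND code): parse a native-PKCS#11 key label, follow its
 pin-source attribute, and refuse to use a PIN file that anyone other than its
 owner can read. The percent-decoding of attribute values and the
 first-line-only reading of the PIN file are this example's assumptions, not
 documented BIND behaviour.
 </p>

```python
"""Parse a BIND native-PKCS#11 key label and load the PIN named by its
pin-source attribute, refusing PIN files that other users can read.

Added example, not BIND code.  Assumes the label syntax shown in the
ARM (pkcs11:<attr>=<value>;<attr>=<value>...) with RFC 7512 style
percent-encoding of values; attribute names other than object and
pin-source are passed through untouched.
"""
import os
import stat
import tempfile
from urllib.parse import unquote


def parse_pkcs11_label(label):
    """Split 'pkcs11:object=local-zsk;pin-source=/etc/hsmpin' into a dict."""
    if not label.startswith("pkcs11:"):
        raise ValueError("label must start with 'pkcs11:'")
    attrs = {}
    # RFC 7512 puts query attributes such as pin-source after '?', while
    # the ARM example separates everything with ';'; accept both forms.
    body = label[len("pkcs11:"):].replace("?", ";", 1)
    for part in body.split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed attribute: %r" % part)
        key, value = part.split("=", 1)
        if key in attrs:
            raise ValueError("duplicate attribute: %r" % key)
        attrs[key] = unquote(value)
    return attrs


def pin_file_problems(st_mode, st_uid, expected_uid=None):
    """Return the reasons a PIN file with these stat() fields is unsafe.

    An empty list means the file is a regular file, accessible only by its
    owner, and (if expected_uid is given) owned by that user, e.g. the
    account named runs as.
    """
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others")
    if expected_uid is not None and st_uid != expected_uid:
        problems.append("not owned by uid %d" % expected_uid)
    return problems


def load_pin(label, expected_uid=None):
    """Read the PIN from the file named by the label's pin-source attribute."""
    attrs = parse_pkcs11_label(label)
    path = attrs.get("pin-source")
    if path is None:
        raise ValueError("label carries no pin-source attribute")
    st = os.stat(path)
    problems = pin_file_problems(st.st_mode, st.st_uid, expected_uid)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path, "r", encoding="utf-8") as fh:
        pin = fh.readline().rstrip("\r\n")  # this example uses the first line only
    if not pin:
        raise ValueError("%s: empty PIN" % path)
    return pin


def demo():
    """Constructed demo: one PIN file, first world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        pin_path = os.path.join(tmp, "hsmpin")
        with open(pin_path, "w") as fh:
            fh.write("123456\n")          # constructed PIN, not a real one
        label = "pkcs11:object=local-zsk;pin-source=" + pin_path
        os.chmod(pin_path, 0o644)           # world-readable: must be refused
        try:
            load_pin(label, expected_uid=os.getuid())
        except PermissionError as exc:
            print("refused:", exc)
        os.chmod(pin_path, 0o400)           # owner read-only: accepted
        print("loaded PIN of length", len(load_pin(label, os.getuid())))


if __name__ == "__main__":
    demo()
```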
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
<p>
 DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
 zone data to be retrieved directly from an external database. There is
 no required format or schema. DLZ drivers exist for several different
 database backends including PostgreSQL, MySQL, and LDAP, and can be
 written for any other.
 </p>
<p>
 Historically, DLZ drivers had to be statically linked with the named
 binary and were turned on via a configure option at compile time (for
 example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
 Currently, the drivers provided in the BIND 9 tarball in
 <code class="filename">contrib/dlz/drivers</code> are still linked this
 way.
 </p>
<p>
 In BIND 9.8 and higher, it is possible to link some DLZ modules
 dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
 generic wrapper around a shared object implementing the DLZ API. The
 "dlopen" driver is linked into named by default, so configure options
 are no longer necessary when using these dynamically linkable drivers,
 but are still needed for the older drivers in
 <code class="filename">contrib/dlz/drivers</code>.
 </p>
<p>
 When the DLZ module provides data to named, it does so in text format.
 The response is converted to DNS wire format by named. This
 conversion, and the lack of any internal caching, places significant
 limits on the query performance of DLZ modules. Consequently, DLZ is
 not recommended for use on high-volume servers. However, it can be
 used in a hidden master configuration, with slaves retrieving zone
 updates via AXFR. (Note, however, that DLZ has no built-in support for
 DNS notify; slaves are not automatically informed of changes to the
 zones in the database.)
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2639813"></a>Configuring DLZ</h3></div></div></div>
<p>
 A DLZ database is configured with a <span><strong class="command">dlz</strong></span>
 statement in <code class="filename">named.conf</code>:
 </p>
<pre class="screen">
 dlz example {
     database "dlopen driver.so <code class="option">args</code>";
     search yes;
 };
 </pre>
<p>
 This specifies a DLZ module to search when answering queries; the
 module is implemented in <code class="filename">driver.so</code> and is
 loaded at runtime by the dlopen DLZ driver. Multiple
 <span><strong class="command">dlz</strong></span> statements can be specified; when
 answering a query, all DLZ modules with <code class="option">search</code>
 set to <code class="literal">yes</code> will be queried to find out if
 they contain an answer for the query name; the best available
 answer will be returned to the client.
 </p>
<p>
 The <code class="option">search</code> option in the above example can be
 omitted, because <code class="literal">yes</code> is the default value.
 </p>
<p>
 If <code class="option">search</code> is set to <code class="literal">no</code>, then
 this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
 match when a query is received. Instead, zones in this DLZ must be
 separately specified in a zone statement. This allows you to
 configure a zone normally using standard zone option semantics,
 but specify a different database back-end for storage of the
 zone's data. For example, to implement NXDOMAIN redirection using
 a DLZ module for back-end storage of redirection rules:
 </p>
<pre class="screen">
 dlz other {
     database "dlopen driver.so <code class="option">args</code>";
     search no;
 };

 zone "." {
     type redirect;
     dlz other;
 };
 </pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2612443"></a>Sample DLZ Driver</h3></div></div></div>
<p>
 For guidance in implementation of DLZ modules, the directory
 <code class="filename">contrib/dlz/example</code> contains a basic
 dynamically-linkable DLZ module, i.e., one which can be
 loaded at runtime by the "dlopen" DLZ driver.
 The example sets up a single zone, whose name is passed
 to the module as an argument in the <span><strong class="command">dlz</strong></span>
 statement:
 </p>
<pre class="screen">
 dlz other {
     database "dlopen driver.so example.nil";
 };
 </pre>
<p>
 In the above example, the module is configured to create a zone
 "example.nil", which can answer queries and AXFR requests, and
 accept DDNS updates. At runtime, prior to any updates, the zone
 contains an SOA, NS, and a single A record at the apex:
 </p>
<pre class="screen">
 example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
     123 900 600 86400 3600
 )
 example.nil. 3600 IN NS example.nil.
 example.nil. 1800 IN A 10.53.0.1
 </pre>
<p>
 The sample driver is capable of retrieving information about the
 querying client, and altering its response on the basis of this
 information. To demonstrate this feature, the example driver
 responds to queries for "source-addr.<code class="option">zonename</code>/TXT"
 with the source address of the query. Note, however, that this
 record will <span class="emphasis"><em>not</em></span> be included in AXFR or ANY responses. Normally,
 this feature would be used to alter responses in some other fashion,
 e.g., by providing different address records for a particular name
 depending on the network from which the query arrived.
 </p>
<p>
 Documentation of the DLZ module API can be found in
 <code class="filename">contrib/dlz/example/README</code>. This directory also
 contains the header file <code class="filename">dlz_minimal.h</code>, which
 defines the API and should be included by any dynamically-linkable
 DLZ module.
 </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571588"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
 <acronym class="acronym">BIND</acronym> 9 fully supports all currently
 defined forms of IPv6 name-to-address and address-to-name
 lookups. It will also use IPv6 addresses to make queries when
 running on an IPv6-capable system.
 </p>
<p>
 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
 only AAAA records. RFC 3363 deprecated the use of A6 records,
 and client-side support for A6 records was accordingly removed
 from <acronym class="acronym">BIND</acronym> 9.
 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
 load zone files containing A6 records correctly, answer queries
 for A6 records, and accept zone transfer for a zone containing A6
 records.
 </p>
<p>
 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
 the traditional "nibble" format used in the
 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
 <span class="emphasis"><em>ip6.int</em></span> domain.
 Older versions of <acronym class="acronym">BIND</acronym> 9
 supported the "binary label" (also known as "bitstring") format,
 but support of binary labels has been completely removed per
 RFC 3363.
 Many applications in <acronym class="acronym">BIND</acronym> 9 no longer understand
 the binary label format at all, and will return an
 error if given one.
 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
 name server will not load a zone file containing binary labels.
 </p>
<p>
 For an overview of the format and structure of IPv6 addresses,
 see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571854"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
 The IPv6 AAAA record is a parallel to the IPv4 A record,
 and, unlike the deprecated A6 record, specifies the entire
 IPv6 address in a single record. For example,
 </p>
<pre class="programlisting">
$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
</pre>
<p>
 Use of IPv4-in-IPv6 mapped addresses is not recommended.
 If a host has an IPv4 address, publish it in an A record rather
 than in a AAAA record with <code class="literal">::ffff:192.168.42.1</code> as
 the address.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571876"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
 When looking up an address in nibble format, the address is
 written as individual hexadecimal digits (nibbles), which are
 simply reversed, just as the octets are in IPv4, and
 <code class="literal">ip6.arpa.</code> is appended to the
 resulting name.
 For example, the following would provide reverse name lookup for
 a host with address
 <code class="literal">2001:db8::1</code>.
 </p>
<pre class="programlisting">
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
 host.example.com. )
</pre>
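<p>
 As an added example (not part of the ARM or of BIND), the nibble construction
 above and the IPv4-mapped caution from the AAAA section, generalised to any
 address and any nibble-aligned prefix length: build the $ORIGIN/owner split,
 parse a PTR owner name back to an address, and flag AAAA data that should have
 been an A record. The ip6.int suffix is accepted on input only because the
 text names it as deprecated.
 </p>

```python
"""Build and parse ip6.arpa "nibble" reverse names for IPv6 addresses.

Added example, not BIND code.  It generalises the ARM's single
2001:db8::1 example: any address, any nibble-aligned prefix length for
the $ORIGIN / owner split, the inverse mapping from a PTR owner name back
to an address, and the IPv4-mapped AAAA check the ARM advises against.
"""
import ipaddress

REVERSE_SUFFIX = "ip6.arpa."


def reversed_nibbles(addr):
    """Return the 32 hex nibbles of an IPv6 address, least significant first."""
    exploded = ipaddress.IPv6Address(addr).exploded   # 8 zero-padded groups
    return list(reversed(exploded.replace(":", "")))


def reverse_name(addr):
    """Full PTR owner name, e.g. '1.0.0....2.ip6.arpa.' for 2001:db8::1."""
    return ".".join(reversed_nibbles(addr) + [REVERSE_SUFFIX])


def reverse_zone_split(addr, prefixlen):
    """Split the reverse name at a nibble-aligned prefix into
    (relative owner, zone origin), as a zone file would write them."""
    if not 0 <= prefixlen <= 128 or prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 in 0..128")
    nibbles = reversed_nibbles(addr)
    host = (128 - prefixlen) // 4          # nibbles that belong to the owner name
    owner = ".".join(nibbles[:host]) or "@"
    origin = ".".join(nibbles[host:] + [REVERSE_SUFFIX])
    return owner, origin


def ptr_zone_fragment(addr, prefixlen, target, ttl=14400):
    """Render a $ORIGIN line plus PTR record in the style of the ARM example."""
    owner, origin = reverse_zone_split(addr, prefixlen)
    return "$ORIGIN %s\n%s %d IN PTR %s" % (origin, owner, ttl, target)


def address_from_reverse_name(name):
    """Inverse of reverse_name(); accepts ip6.arpa and the deprecated ip6.int."""
    name = name.lower().rstrip(".")
    for suffix in ("ip6.arpa", "ip6.int"):
        if name.endswith("." + suffix):
            labels = name[: -len(suffix) - 1].split(".")
            break
    else:
        raise ValueError("not an ip6.arpa/ip6.int name: %r" % name)
    if len(labels) != 32 or any(len(l) != 1 or l not in "0123456789abcdef"
                                for l in labels):
        raise ValueError("expected 32 single-hex-digit labels")
    digits = "".join(reversed(labels))
    return ipaddress.IPv6Address(":".join(digits[i:i + 4] for i in range(0, 32, 4)))


def ipv4_mapped_to_a(addr):
    """If addr is IPv4-mapped (::ffff:a.b.c.d), return the IPv4 address that
    belongs in an A record instead; otherwise None."""
    mapped = ipaddress.IPv6Address(addr).ipv4_mapped
    return str(mapped) if mapped is not None else None


if __name__ == "__main__":
    print(ptr_zone_fragment("2001:db8::1", 64, "host.example.com."))
    print(address_from_reverse_name(reverse_name("2001:db8::1")))
    print(ipv4_mapped_to_a("::ffff:192.168.42.1"))
```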
</div>
</div>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
