Bv9ARM.ch04.html revision c978c6cb6e0c38d8378b6cd1f6b5aac3cf91e36a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - Copyright (C) 2000-2003 Internet Software Consortium.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - Permission to use, copy, modify, and/or distribute this software for any
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - purpose with or without fee is hereby granted, provided that the above
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - copyright notice and this permission notice appear in all copies.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu - PERFORMANCE OF THIS SOFTWARE.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<!-- $Id: Bv9ARM.ch04.html,v 1.140 2011/08/31 01:14:42 tbox Exp $ -->
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570876">Split DNS</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570894">Example split DNS setup</a></span></dt></dl></dd>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571532">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571606">Copying the Shared Secret to Both Machines</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571617">Informing the Servers of the Key's Existence</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571653">Instructing the Server to Use the Key</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571779">TSIG Key Based Access Control</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571828">Errors</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571842">TKEY</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571959">SIG(0)</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572027">Generating Keys</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572174">Signing the Zone</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572256">Configuring Servers</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607619">Validating Resolver</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607641">Authoritative Server</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609462">Prerequisites</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2580993">Building BIND 9 with PKCS#11</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607712">PKCS #11 Tools</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607742">Using the HSM</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609921">Specifying the engine on the command line</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609966">Running named with automatic zone re-signing</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572544">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572674">Address Lookups Using AAAA Records</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572695">Address to Name Lookups Using Nibble Format</a></span></dt>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu servers to notify their slave servers of changes to a zone's data. In
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu slave will check to see that its version of the zone is the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu current version and, if not, initiate a zone transfer.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu For more information about <acronym class="acronym">DNS</acronym>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">NOTIFY</strong></span>, see the description of the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the description of the zone option <span><strong class="command">also-notify</strong></span> in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu protocol is specified in RFC 1996.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zones that it loads.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Dynamic Update is a method for adding, replacing or deleting
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu records in a master server by sending it a special form of DNS
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu messages. The format and meaning of these messages is specified
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu in RFC 2136.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Dynamic update is enabled by including an
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu clause in the <span><strong class="command">zone</strong></span> statement.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If the zone's <span><strong class="command">update-policy</strong></span> is set to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>local</code></strong>, updates to the zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will be permitted for the key <code class="varname">local-ddns</code>,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu which will be generated by <span><strong class="command">named</strong></span> at startup.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Dynamic updates using Kerberos signed requests can be made
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Kerberos signed requests will be matched against the update
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu policies for the zone, using the Kerberos principal as the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu signer for the request.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Updating of secure zones (zones using DNSSEC) follows RFC
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 3007: RRSIG, NSEC and NSEC3 records affected by updates are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu automatically regenerated by the server using an online
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zone key. Update authorization is based on transaction
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu signatures and an explicit server policy.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="journal"></a>The journal file</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu All changes made to a zone using dynamic update are stored
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu in the zone's journal file. This file is automatically created
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu by the server when the first dynamic update takes place.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The name of the journal file is formed by appending the extension
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">.jnl</code> to the name of the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu corresponding zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu file unless specifically overridden. The journal file is in a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu binary format and should not be edited manually.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The server will also occasionally write ("dump")
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the complete contents of the updated zone to its zone file.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This is not done immediately after
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu each dynamic update, because that would be too slow when a large
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zone is updated frequently. Instead, the dump is delayed by
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu up to 15 minutes, allowing additional updates to take place.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu During the dump process, transient files will be created
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu with the extensions <code class="filename">.jnw</code> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">.jbk</code>; under ordinary circumstances, these
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will be removed when the dump is complete, and can be safely
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When a server is restarted after a shutdown or crash, it will replay
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the journal file to incorporate into the zone any updates that
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu place after the last zone dump.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Changes that result from incoming incremental zone transfers are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu journalled in a similar way.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The zone files of dynamic zones cannot normally be edited by
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu hand because they are not guaranteed to contain the most recent
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu dynamic changes — those are only in the journal file.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The only way to ensure that the zone file of a dynamic zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is up to date is to run <span><strong class="command">rndc stop</strong></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If you have to make changes to a dynamic zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu manually, the following procedure will work: Disable dynamic updates
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to the zone using
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This will also remove the zone's <code class="filename">.jnl</code> file
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and update the master file. Edit the zone file. Run
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to reload the changed zone and re-enable dynamic updates.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The incremental zone transfer (IXFR) protocol is a way for
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu slave servers to transfer only changed data, instead of having to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu transfer the entire zone. The IXFR protocol is specified in RFC
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When acting as a master, <acronym class="acronym">BIND</acronym> 9
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu supports IXFR for those zones
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu where the necessary change history information is available. These
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu include master zones maintained by dynamic update and slave zones
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu whose data was obtained by IXFR. For manually maintained master
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zones, and for slave zones obtained by performing a full zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu transfer (AXFR), IXFR is supported only if the option
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">ixfr-from-differences</strong></span> is set
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to <strong class="userinput"><code>yes</code></strong>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu attempt to use IXFR unless
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu it is explicitly disabled. For more information about disabling
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu of the <span><strong class="command">server</strong></span> statement.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2570876"></a>Split DNS</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Setting up different views, or visibility, of the DNS space to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu internal and external resolvers is usually referred to as a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span class="emphasis"><em>Split DNS</em></span> setup. There are several
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu reasons an organization would want to set up its DNS this way.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu One common reason for setting up a DNS system this way is
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to hide "internal" DNS information from "external" clients on the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Internet. There is some debate as to whether or not this is actually
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Internal DNS information leaks out in many ways (via email headers,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu for example) and most savvy "attackers" can find the information
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu they need using other means.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu However, since listing addresses of internal servers that
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu external clients cannot possibly reach can result in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu connection delays and other annoyances, an organization may
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu choose to use a Split DNS to present a consistent view of itself
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to the outside world.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Another common reason for setting up a Split DNS system is
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to allow internal networks that are behind filters or in RFC 1918
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu space (reserved IP space, as documented in RFC 1918) to resolve DNS
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu on the Internet. Split DNS can also be used to allow mail from outside
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu back in to the internal network.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2570894"></a>Example split DNS setup</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu has several corporate sites that have an internal network with
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Internet Protocol (IP) space and an external demilitarized zone (DMZ),
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu or "outside" section of a network, that is available to the public.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to be able to resolve external hostnames and to exchange mail with
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu people on the outside. The company also wants its internal resolvers
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to have access to certain internal-only zones that are not available
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu at all outside of the internal network.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu In order to accomplish this, the company will set up two sets
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu of name servers. One set will be on the inside network (in the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu IP space) and the other set will be on bastion hosts, which are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu hosts that can talk to both sides of its network, in the DMZ.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The internal servers will be configured to forward all queries,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and <code class="filename">site2.example.com</code>, to the servers
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu DMZ. These internal servers will have complete sets of information
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the internal name servers must be configured to disallow all queries
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to these domains from any external hosts, including the bastion
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The external servers, which are on the bastion hosts, will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This could include things such as the host records for public servers
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu should have special MX records that contain wildcard (`*') records
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu pointing to the bastion hosts. This is needed because external mail
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu servers do not have any other way of looking up how to deliver mail
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to those internal hosts. With the wildcard records, the mail will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be delivered to the bastion host, which can then forward it on to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu internal hosts.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Here's an example of a wildcard MX record:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Now that they accept mail on behalf of anything in the internal
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu network, the bastion hosts will need to know how to deliver mail
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to internal hosts. In order for this to work properly, the resolvers
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the bastion hosts will need to be configured to point to the internal
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu name servers for DNS resolution.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Queries for internal hostnames will be answered by the internal
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu servers, and queries for external hostnames will be forwarded back
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu out to the DNS servers on the bastion hosts.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu In order for all this to work properly, internal clients will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu need to be configured to query <span class="emphasis"><em>only</em></span> the internal
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu name servers for DNS queries. This could also be enforced via
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu filtering on the network.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu internal clients will now be able to:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Look up any hostnames in the <code class="literal">site1</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="literal">site2.example.com</code> zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Look up any hostnames in the <code class="literal">site1.internal</code> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="literal">site2.internal</code> domains.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<li>Exchange mail with both internal and external people.</li>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Hosts on the Internet will be able to:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Look up any hostnames in the <code class="literal">site1</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="literal">site2.example.com</code> zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Exchange mail with anyone in the <code class="literal">site1</code> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="literal">site2.example.com</code> zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Here is an example configuration for the setup we just
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu described above. Note that this is only configuration information;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Internal DNS server config:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liuacl externals { <code class="varname">bastion-ips-go-here</code>; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forward only;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // forward to external servers
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forwarders {
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // sample allow-transfer (no one)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { none; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // restrict query access
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // restrict recursion
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-recursion { internals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu// sample master zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu type master;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // do normal iterative resolution (do not forward)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forwarders { };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu// sample slave zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu masters { 172.16.72.3; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forwarders { };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu type master;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forwarders { };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { internals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; }
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu masters { 172.16.72.3; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forwarders { };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { internals };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; }
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu External (bastion host) DNS server config:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liuacl externals { bastion-ips-go-here; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // sample allow-transfer (no one)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { none; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // default query access
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query { any; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // restrict cache access
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-query-cache { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu // restrict recursion
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-recursion { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu// sample slave zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu type master;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; externals; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu masters { another_bastion_host_maybe; };
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu allow-transfer { internals; externals; }
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu In the <code class="filename">resolv.conf</code> (or equivalent) on
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the bastion host(s):
a31148363f598def767ac48c5d82e1572e44b935Gerry Liunameserver 172.16.72.2
a31148363f598def767ac48c5d82e1572e44b935Gerry Liunameserver 172.16.72.3
a31148363f598def767ac48c5d82e1572e44b935Gerry Liunameserver 172.16.72.4
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This is a short guide to setting up Transaction SIGnatures
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to the configuration file as well as what changes are required for
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu different features, including the process of creating transaction
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to server communication.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This includes zone transfer, notify, and recursive query messages.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu TSIG can also be useful for dynamic update. A primary
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu server for a dynamic zone should control access to the dynamic
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu update service, but IP-based access control is insufficient.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The cryptographic access control provided by TSIG
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is far superior. The <span><strong class="command">nsupdate</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu program supports TSIG via the <code class="option">-k</code> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="option">-y</code> command line options or inline by use
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu of the <span><strong class="command">key</strong></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571532"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu An arbitrary key name is chosen: "host1-host2.". The key name must
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be the same on both hosts.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h4 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571549"></a>Automatic Generation</h4></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The following command will generate a 128-bit (16 byte) HMAC-SHA256
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu key as described above. Longer keys are better, but shorter keys
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu are easier to read. Note that the maximum key length is the digest
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu length, here 256 bits.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Nothing directly uses this file, but the base-64 encoded string
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu can be extracted from the file and used as a shared secret:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be used as the shared secret.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h4 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571588"></a>Manual Generation</h4></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The shared secret is simply a random sequence of bits, encoded
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu in base-64. Most ASCII strings are valid base-64 strings (assuming
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the length is a multiple of 4 and only valid characters are used),
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu so the shared secret can be manually generated.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu a similar program to generate base-64 encoded data.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571606"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This is beyond the scope of DNS. A secure transport mechanism
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu should be used. This could be secure FTP, ssh, telephone, etc.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571617"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu both servers. The following is added to each server's <code class="filename">named.conf</code> file:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liukey host1-host2. {
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu algorithm hmac-sha256;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The secret is the one generated above. Since this is a secret, it
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is recommended that either <code class="filename">named.conf</code> be
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu non-world readable, or the key directive be added to a non-world
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu readable file that is included by <code class="filename">named.conf</code>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu At this point, the key is recognized. This means that if the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu server receives a message signed by this key, it can verify the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu signature. If the signature is successfully verified, the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu response is signed by the same key.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571653"></a>Instructing the Server to Use the Key</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Since keys are shared between two hosts only, the server must
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
a31148363f598def767ac48c5d82e1572e44b935Gerry Liuserver 10.1.2.3 {
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu keys { host1-host2. ;};
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Multiple keys may be present, but only the first is used.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This directive does not contain any secrets, so it may be in a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu world-readable
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If <span class="emphasis"><em>host1</em></span> sends a message that is a request
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu expect any responses to signed messages to be signed with the same
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu sign request messages to <span class="emphasis"><em>host1</em></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571779"></a>TSIG Key Based Access Control</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to be specified in ACL
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu definitions and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">allow-{ query | transfer | update }</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This has been extended to allow TSIG keys also. The above key would
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu be denoted <span><strong class="command">key host1-host2.</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu An example of an <span><strong class="command">allow-update</strong></span> directive would be:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liuallow-update { key host1-host2. ;};
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This allows dynamic updates to succeed only if the request
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the more flexible <span><strong class="command">update-policy</strong></span> statement.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571828"></a>Errors</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The processing of TSIG signed messages can result in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu several errors. If a signed message is sent to a non-TSIG aware
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu server, a FORMERR (format error) will be returned, since the server will not
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu understand the record. This is a result of misconfiguration,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu since the server must be explicitly configured to send a TSIG
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu signed message to a specific server.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If a TSIG aware server receives a message signed by an
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu unknown key, the response will be unsigned with the TSIG
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu extended error code set to BADKEY. If a TSIG aware server
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu receives a message with a signature that does not validate, the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu response will be unsigned with the TSIG extended error code set
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to BADSIG. If a TSIG aware server receives a message with a time
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu outside of the allowed range, the response will be signed with
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the TSIG extended error code set to BADTIME, and the time values
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will be adjusted so that the response can be successfully
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu verified. In any of these cases, the message's rcode (response code) is set to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu NOTAUTH (not authenticated).
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571842"></a>TKEY</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<p><span><strong class="command">TKEY</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is a mechanism for automatically generating a shared secret
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu between two hosts. There are several "modes" of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> that specify how the key is generated
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu these modes, the Diffie-Hellman key exchange. Both hosts are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu required to have a Diffie-Hellman KEY record (although this
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu record is not required to be present in a zone). The
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> process must use signed messages,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu signed either by TSIG or SIG(0). The result of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu used to delete shared secrets that it had previously
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The <span><strong class="command">TKEY</strong></span> process is initiated by a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu or server by sending a signed <span><strong class="command">TKEY</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu (including any appropriate KEYs) to a TKEY-aware server. The
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu server response, if it indicates success, will contain a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu this exchange, both participants have enough information to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu determine the shared secret; the exact process depends on the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> mode. When using the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Diffie-Hellman
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and the shared secret is derived by both participants.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2571959"></a>SIG(0)</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu transaction signatures as specified in RFC 2535 and RFC 2931.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu uses public/private keys to authenticate messages. Access control
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is performed in the same manner as TSIG keys; privileges can be
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu granted or denied based on the key name.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When a SIG(0) signed message is received, it will only be
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu verified if the key is known and trusted by the server; the server
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will not attempt to locate and/or validate the key.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu SIG(0) signing of multiple-message TCP streams is not
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Cryptographic authentication of DNS information is possible
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu defined in RFC 4033, RFC 4034, and RFC 4035.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This section describes the creation and use of DNSSEC signed zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu In order to set up a DNSSEC secure zone, there are a series
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu of steps which must be followed. <acronym class="acronym">BIND</acronym>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu with several tools
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu that are used in this process, which are explained in more detail
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu below. In all cases, the <code class="option">-h</code> option prints a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu full list of parameters. Note that the DNSSEC tools require the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu keyset files to be in the working directory or the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu directory specified by the <code class="option">-d</code> option, and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu that the tools shipped with BIND 9.2.x and earlier are not compatible
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu with the current ones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu There must also be communication with the administrators of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the parent and/or child zone to transmit keys. A zone's security
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu status must be indicated by the parent zone for a DNSSEC capable
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu resolver to trust its data. This is done through the presence
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu or absence of a <code class="literal">DS</code> record at the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu For other servers to trust data in this zone, they must
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu either be statically configured with this zone's zone key or the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zone key of another zone above this one in the DNS tree.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2572027"></a>Generating Keys</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The <span><strong class="command">dnssec-keygen</strong></span> program is used to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu generate keys.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu A secure zone must contain one or more zone keys. The
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zone keys will sign all other records in the zone, as well as
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the zone keys of any secure delegated zones. Zone keys must
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu have the same name as the zone, a name type of
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">ZONE</strong></span>, and must be usable for
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu authentication.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu It is recommended that zone keys use a cryptographic algorithm
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu designated as "mandatory to implement" by the IETF; currently
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the only one is RSASHA1.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The following command will generate a 768-bit RSASHA1 key for
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the <code class="filename">child.example</code> zone:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Two output files will be produced:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">Kchild.example.+005+12345.key</code> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">Kchild.example.+005+12345.private</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 12345 is an example of a key tag). The key filenames contain
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the key name (<code class="filename">child.example.</code>),
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu algorithm (3
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The private key (in the <code class="filename">.private</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu used to generate signatures, and the public key (in the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">.key</code> file) is used for signature
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu verification.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu To generate another key with the same properties (but with
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu a different key tag), repeat the above command.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to get a key pair from a crypto hardware and build the key
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The public keys should be inserted into the zone file by
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu including the <code class="filename">.key</code> files using
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">$INCLUDE</strong></span> statements.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2572174"></a>Signing the Zone</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The <span><strong class="command">dnssec-signzone</strong></span> program is used
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to sign a zone.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Any <code class="filename">keyset</code> files corresponding to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu secure subzones should be present. The zone signer will
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu and <code class="literal">RRSIG</code> records for the zone, as
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu well as <code class="literal">DS</code> for the child zones if
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is not specified, then DS RRsets for the secure child
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu zones need to be added manually.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The following command signs the zone, assuming it is in a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu file called <code class="filename">zone.child.example</code>. By
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu default, all zone keys which have an available private key are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu used to generate signatures.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu One output file is produced:
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">zone.child.example.signed</code>. This
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu should be referenced by <code class="filename">named.conf</code>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu input file for the zone.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<p><span><strong class="command">dnssec-signzone</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will also produce a keyset and dsset files and optionally a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu dlvset file. These are used to provide the parent zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu administrators with the <code class="literal">DNSKEYs</code> (or their
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu corresponding <code class="literal">DS</code> records) that are the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu secure entry point to the zone.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h3 class="title">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="id2572256"></a>Configuring Servers</h3></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu To enable <span><strong class="command">named</strong></span> to respond appropriately
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to DNS requests from DNSSEC aware clients,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu (This is the default setting.)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu To enable <span><strong class="command">named</strong></span> to validate answers from
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu other servers, the <span><strong class="command">dnssec-enable</strong></span> option
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu must be set to <strong class="userinput"><code>yes</code></strong>, and the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">dnssec-validation</strong></span> options must be set to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If <span><strong class="command">dnssec-validation</strong></span> is set to
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>auto</code></strong>, then a default
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu trust anchor for the DNS root zone will be used.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If it is set to <strong class="userinput"><code>yes</code></strong>, however,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu then at least one trust anchor must be configured
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu with a <span><strong class="command">trusted-keys</strong></span> or
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">managed-keys</strong></span> statement in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <code class="filename">named.conf</code>, or DNSSEC validation
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will not occur. The default setting is
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <strong class="userinput"><code>yes</code></strong>.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu for zones that are used to form the first link in the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu cryptographic chain of trust. All keys listed in
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu are deemed to exist and only the listed keys will be used
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu to validated the DNSKEY RRset that they are from.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">managed-keys</strong></span> are trusted keys which are
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu automatically kept up to date via RFC 5011 trust anchor
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu maintenance.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">trusted-keys</strong></span> and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">managed-keys</strong></span> are described in more detail
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu later in this document.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 9 does not verify signatures on load, so zone keys for
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu authoritative zones do not need to be specified in the
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu configuration file.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu After DNSSEC gets established, a typical DNSSEC configuration
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu will look something like the following. It has one or
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu more public keys for the root. This allows answers from
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu outside the organization to be validated. It will also
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu have several keys for parts of the namespace the organization
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu controls. These are here to ensure that <span><strong class="command">named</strong></span>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is immune to compromises in the DNSSEC components of the security
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu of parent zones.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liumanaged-keys {
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu /* Root Key */
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu dgxbcDTClU0CRBdiieyLMNzXG3";
a31148363f598def767ac48c5d82e1572e44b935Gerry Liutrusted-keys {
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu /* Key for our organization's forward zone */
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu /* Key for our reverse zone. */
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu xOdNax071L18QqZnQQQAVVr+i
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu LhGTnNGp3HoWQLUIzKrJVZ3zg
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu gy3WwNT6kZo6c0tszYqbtvchm
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu siaOdS0yOI6BgPsw+YZdzlYMa
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu IJGf4M4dyoKIhzdZyQ2bYQrjy
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Q4LB0lC7aOnsMyYKHHYeRvPxj
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu IQXmdqgOJGq+vsevG06zW+1xg
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu 59VvjSPsZJHeDCUyWYrvPZesZ
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu DIRvhDD52SKvbheeTJUm6Ehkz
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu dnssec-enable yes;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu dnssec-validation yes;
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu None of the keys listed in this example are valid. In particular,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the root key is not valid.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When DNSSEC validation is enabled and properly configured,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu the resolver will reject any answers from signed, secure zones
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu which fail to validate, and will return SERVFAIL to the client.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu Responses may fail to validate for any of several reasons,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu including missing, expired, or invalid signatures, a key which
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu does not match the DS RRset in the parent zone, or an insecure
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu response from a zone which, according to its parent, should have
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu been secure.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu When the validator receives a response from an unsigned zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu that has a signed parent, it must confirm with the parent
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu that the zone was intentionally left unsigned. It does
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu this by verifying, via signed and validated NSEC/NSEC3 records,
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu that the parent zone contains no DS records for the child.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu If the validator <span class="emphasis"><em>can</em></span> prove that the zone
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu is insecure, then the response is accepted. However, if it
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu cannot, then it must assume an insecure response to be a
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu forgery; it rejects the response and logs an error.
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu The logged error reads "insecurity proof failed" and
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu "got insecure response; parent indicates it should be secure".
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu (Prior to BIND 9.7, the logged error was "not insecure".
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu This referred to the zone, not the response.)
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<font color="red"><xi:include></xi:include></font><div class="sect1" lang="en">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<div class="titlepage"><div><div><h2 class="title" style="clear: both">
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu anchor management. Using this feature allows
a31148363f598def767ac48c5d82e1572e44b935Gerry Liu <span><strong class="command">named</strong></span> to keep track of changes to critical
and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8l.tar.gz</a></code></strong>
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
by placing the PIN into the openssl.cnf file (in the above
<a name="id2572544"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
$ORIGIN example.com.