Bv9ARM.ch04.html revision e31a258ca6ef845faf483fa8f04921e8841d3213
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter&nbsp;3.&nbsp;Name Server Configuration">
<link rel="next" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;4.&nbsp;Advanced DNS Features</th></tr>
<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch04"></a>Chapter&nbsp;4.&nbsp;Advanced DNS Features</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571267">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571285">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564004">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564077">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564088">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564124">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572169">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572218">Errors</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572232">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572281">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572486">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572633">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572782">Configuring Servers</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563414">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563451">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563488">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563659">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571820">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571833">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571866">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571893">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571902">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571912">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571962">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571972">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572005">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608550">Authoritative Server</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611521">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611886">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612080">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636277">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636544">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636589">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573002">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573064">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573085">Address to Name Lookups Using Nibble Format</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
slave will check to see that its version of the zone is the
current version and, if not, initiate a zone transfer.
For more information about <acronym class="acronym">DNS</acronym>
<span><strong class="command">NOTIFY</strong></span>, see the description of the
<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
the description of the zone option <span><strong class="command">also-notify</strong></span> in
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
protocol is specified in RFC 1996.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
zones that it loads.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
Dynamic Update is a method for adding, replacing or deleting
records in a master server by sending it a special form of DNS
messages. The format and meaning of these messages are specified
in RFC 2136.
Dynamic update is enabled by including an
<span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
clause in the <span><strong class="command">zone</strong></span> statement.
If the zone's <span><strong class="command">update-policy</strong></span> is set to
<strong class="userinput"><code>local</code></strong>, updates to the zone
will be permitted for the key <code class="varname">local-ddns</code>,
which will be generated by <span><strong class="command">named</strong></span> at startup.
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
Dynamic updates using Kerberos signed requests can be made
using the TKEY/GSS protocol by setting either the
<span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
Kerberos signed requests will be matched against the update
policies for the zone, using the Kerberos principal as the
signer for the request.
Updating of secure zones (zones using DNSSEC) follows RFC
3007: RRSIG, NSEC and NSEC3 records affected by updates are
automatically regenerated by the server using an online
zone key. Update authorization is based on transaction
signatures and an explicit server policy.
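To make the "special form of DNS message" concrete, here is an added example (not BIND code) that builds and parses an RFC 2136 UPDATE message in wire format: opcode 5, a Zone section naming the zone's SOA, a Prerequisite section and an Update section whose CLASS and TYPE fields encode the add/delete operation. The zone name, host name and address are constructed for the example; it carries no TSIG, which named would require before authorizing the update.

```python
# Build and parse an RFC 2136 DNS UPDATE message (added example, not BIND code).
import struct

OPCODE_UPDATE = 5                        # opcode 5 marks the message as UPDATE
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a name at offset, following compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    for _ in range(128):                 # bounded loop guards against pointer cycles
        length = buf[off]
        if length & 0xC0 == 0xC0:        # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels) + ".", (off if end is None else end)

def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(msg_id, zone, prereqs, updates):
    """Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT; exactly one zone (SOA) is allowed."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for rr in prereqs + updates:
        body += encode_rr(*rr)
    return header + body

def parse_update(buf):
    """Parse an UPDATE message into its zone, prerequisite RRs and update RRs."""
    msg_id, flags, zocount, prcount, upcount, _ = struct.unpack_from("!HHHHHH", buf, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    if zocount != 1:
        raise ValueError("UPDATE must carry exactly one zone")
    off = 12
    zone, off = decode_name(buf, off)
    ztype, _zclass = struct.unpack_from("!HH", buf, off)
    off += 4
    if ztype != TYPE_SOA:
        raise ValueError("zone section must name an SOA")

    def read_rrs(count):
        nonlocal off
        rrs = []
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            rrs.append((name, rtype, rclass, ttl, bytes(buf[off:off + rdlen])))
            off += rdlen
        return rrs

    prereqs = read_rrs(prcount)
    return {"id": msg_id, "zone": zone, "prereq": prereqs, "update": read_rrs(upcount)}

def classify_update(rr):
    """Map an Update-section RR to the operation its CLASS/TYPE encode (RFC 2136, 2.5)."""
    _name, rtype, rclass, _ttl, _rdata = rr
    if rclass == CLASS_IN:
        return "add"
    if rclass == CLASS_ANY:
        return "delete-all-rrsets" if rtype == TYPE_ANY else "delete-rrset"
    if rclass == CLASS_NONE:
        return "delete-rr"
    raise ValueError("invalid class %d in update section" % rclass)

def example_message():
    """Constructed sample: replace the A RRset of host.example.com with 192.0.2.10."""
    a_rdata = bytes([192, 0, 2, 10])
    return build_update(
        0x1234, "example.com",
        prereqs=[("host.example.com", TYPE_A, CLASS_ANY, 0, b"")],    # A RRset must exist
        updates=[("host.example.com", TYPE_A, CLASS_ANY, 0, b""),     # delete old A RRset
                 ("host.example.com", TYPE_A, CLASS_IN, 300, a_rdata)])  # add new A record
```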
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
All changes made to a zone using dynamic update are stored
in the zone's journal file. This file is automatically created
by the server when the first dynamic update takes place.
The name of the journal file is formed by appending the extension
<code class="filename">.jnl</code> to the name of the
corresponding zone
file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
The server will also occasionally write ("dump")
the complete contents of the updated zone to its zone file.
This is not done immediately after
each dynamic update, because that would be too slow when a large
zone is updated frequently. Instead, the dump is delayed by
up to 15 minutes, allowing additional updates to take place.
During the dump process, transient files will be created
with the extensions <code class="filename">.jnw</code> and
<code class="filename">.jbk</code>; under ordinary circumstances, these
will be removed when the dump is complete, and can be safely
When a server is restarted after a shutdown or crash, it will replay
the journal file to incorporate into the zone any updates that took
place after the last zone dump.
Changes that result from incoming incremental zone transfers are
journalled in a similar way.
The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
dynamic changes — those are only in the journal file.
The only way to ensure that the zone file of a dynamic zone
is up to date is to run <span><strong class="command">rndc stop</strong></span>.
If you have to make changes to a dynamic zone
manually, the following procedure will work: Disable dynamic updates
to the zone using
<span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
This will also remove the zone's <code class="filename">.jnl</code> file
and update the master file. Edit the zone file. Run
<span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
to reload the changed zone and re-enable dynamic updates.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
When acting as a master, <acronym class="acronym">BIND</acronym> 9
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR. For manually maintained master
zones, and for slave zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
<span><strong class="command">ixfr-from-differences</strong></span> is set
to <strong class="userinput"><code>yes</code></strong>.
When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
of the <span><strong class="command">server</strong></span> statement.
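The journal subsection and the IXFR section above describe the same data from two sides: each dynamic update is journalled as one serial change, the journal is replayed over the last dump at startup, and that change history is what lets a master answer IXFR instead of AXFR. The following is an added example (not BIND code; named's real <code class="filename">.jnl</code> is a private binary format) that models that relationship in Python, including the fallback to a full transfer when the requested serial is not in the journal and the loss of IXFR history after <code class="filename">rndc freeze</code>. Zone name and records are constructed.

```python
# Journal / IXFR model (added example, not BIND code). Serial arithmetic
# ignores RFC 1982 wrap-around to keep the example short.
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600

@dataclass(frozen=True)
class Transaction:
    """One journal entry: the RRs removed and added when old_serial became new_serial."""
    old_serial: int
    new_serial: int
    deleted: tuple
    added: tuple

class DynamicZone:
    def __init__(self, origin, serial, records):
        self.origin = origin
        self.dump_serial = serial              # state of the on-disk zone file
        self.dump_records = frozenset(records)
        self.serial = serial                   # live state, possibly ahead of the dump
        self.records = set(records)
        self.journal = []                      # transactions in the .jnl, oldest first

    def soa(self, serial):
        rdata = "ns1.%s hostmaster.%s %d 7200 3600 1209600 3600" % (self.origin, self.origin, serial)
        return RR(self.origin, "SOA", rdata)

    def update(self, deleted=(), added=()):
        """Apply one dynamic update: bump the serial and journal the change."""
        deleted = tuple(rr for rr in deleted if rr in self.records)
        added = tuple(rr for rr in added if rr not in self.records)
        if not deleted and not added:
            return self.serial                 # nothing changed, nothing journalled
        tx = Transaction(self.serial, self.serial + 1, deleted, added)
        self.records.difference_update(deleted)
        self.records.update(added)
        self.serial = tx.new_serial
        self.journal.append(tx)
        return self.serial

    def dump(self):
        """Periodic zone-file dump; the journal is kept, so IXFR history survives."""
        self.dump_serial = self.serial
        self.dump_records = frozenset(self.records)

    def freeze(self):
        """rndc freeze: dump, then discard the journal (and with it the IXFR history)."""
        self.dump()
        self.journal.clear()

    def replay(self):
        """Rebuild the live zone from the last dump plus the journal, as done at startup."""
        serial, records = self.dump_serial, set(self.dump_records)
        for tx in self.journal:
            if tx.old_serial < serial:
                continue                       # already captured by the dump
            if tx.old_serial != serial:
                raise ValueError("journal gap at serial %d" % serial)
            records.difference_update(tx.deleted)
            records.update(tx.added)
            serial = tx.new_serial
        return serial, frozenset(records)

    def axfr(self):
        body = sorted(self.records, key=lambda r: (r.name, r.rtype, r.rdata))
        return [self.soa(self.serial)] + body + [self.soa(self.serial)]

    def ixfr(self, client_serial):
        """Answer an IXFR query (RFC 1995) from a slave whose zone is at client_serial."""
        if client_serial >= self.serial:
            return [self.soa(self.serial)]     # slave is current: lone SOA
        starts = [i for i, tx in enumerate(self.journal) if tx.old_serial == client_serial]
        if not starts:
            return self.axfr()                 # no history from that serial: full transfer
        out = [self.soa(self.serial)]
        for tx in self.journal[starts[0]:]:    # each change: old SOA, deletions, new SOA, additions
            out.append(self.soa(tx.old_serial))
            out.extend(tx.deleted)
            out.append(self.soa(tx.new_serial))
            out.extend(tx.added)
        out.append(self.soa(self.serial))
        return out
```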
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571267"></a>Split DNS</h2></div></div></div>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
<span class="emphasis"><em>Split DNS</em></span> setup. There are several
reasons an organization would want to set up its DNS this way.
One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means.
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistent view of itself
to the outside world.
Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2571285"></a>Example split DNS setup</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington has several corporate sites that have an internal network with
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Internet Protocol (IP) space and an external demilitarized zone (DMZ),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington or "outside" section of a network, that is available to the public.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to be able to resolve external hostnames and to exchange mail with
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington people on the outside. The company also wants its internal resolvers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to have access to certain internal-only zones that are not available
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington at all outside of the internal network.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington In order to accomplish this, the company will set up two sets
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of name servers. One set will be on the inside network (in the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington IP space) and the other set will be on bastion hosts, which are
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews hosts that can talk to both sides of its network, in the DMZ.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The internal servers will be configured to forward all queries,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews and <code class="filename">site2.example.com</code>, to the servers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington DMZ. These internal servers will have complete sets of information
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and <code class="filename">site2.internal</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the internal name servers must be configured to disallow all queries
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to these domains from any external hosts, including the bastion
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The external servers, which are on the bastion hosts, will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This could include things such as the host records for public servers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington should have special MX records that contain wildcard (`*') records
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington pointing to the bastion hosts. This is needed because external mail
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington servers do not have any other way of looking up how to deliver mail
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to those internal hosts. With the wildcard records, the mail will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be delivered to the bastion host, which can then forward it on to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington internal hosts.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Here's an example of a wildcard MX record:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Now that they accept mail on behalf of anything in the internal
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington network, the bastion hosts will need to know how to deliver mail
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to internal hosts. In order for this to work properly, the resolvers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the bastion hosts will need to be configured to point to the internal
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington name servers for DNS resolution.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Queries for internal hostnames will be answered by the internal
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews servers, and queries for external hostnames will be forwarded back
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews out to the DNS servers on the bastion hosts.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews In order for all this to work properly, internal clients will
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews need to be configured to query <span class="emphasis"><em>only</em></span> the internal
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews name servers for DNS queries. This could also be enforced via
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews filtering on the network.
<p>
If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
internal clients will now be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
<code class="literal">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external people.</li>
</ul>
<p>
Hosts on the Internet will be able to:
</p>
<ul>
<li>Look up any hostnames in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
<li>Exchange mail with anyone in the <code class="literal">site1</code> and
<code class="literal">site2.example.com</code> zones.</li>
</ul>
<p>
Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
</p>
<p>
Internal DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { <code class="varname">bastion-ips-go-here</code>; };

    forward only;
    // forward to external servers
    forwarders {
        <code class="varname">bastion-ips-go-here</code>;
    };
    // sample allow-transfer (no one)
    allow-transfer { none; };
    // restrict query access
    allow-query { internals; externals; };
    // restrict recursion
    allow-recursion { internals; };

// sample master zone
    type master;
    // do normal iterative resolution (do not forward)
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };

// sample slave zone
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };

    type master;
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };

    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
</pre>
<p>
External (bastion host) DNS server config:
</p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

    // sample allow-transfer (no one)
    allow-transfer { none; };
    // default query access
    allow-query { any; };
    // restrict cache access
    allow-query-cache { internals; externals; };
    // restrict recursion
    allow-recursion { internals; externals; };

// sample master zone
    type master;
    allow-transfer { internals; externals; };

// sample slave zone
    masters { another_bastion_host_maybe; };
    allow-transfer { internals; externals; };
</pre>
<p>
In the <code class="filename">resolv.conf</code> (or equivalent) on
the bastion host(s):
</p>
<pre class="programlisting">
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">TSIG</h2></div></div></div>
<p>
This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
</p>
<p>
<acronym class="acronym">BIND</acronym> primarily supports TSIG for server
to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
</p>
<p>
TSIG can also be useful for dynamic update. A primary
server for a dynamic zone should control access to the dynamic
update service, but IP-based access control is insufficient.
The cryptographic access control provided by TSIG
is far superior. The <span><strong class="command">nsupdate</strong></span>
program supports TSIG via the <code class="option">-k</code> and
<code class="option">-y</code> command line options or inline by use
of the <span><strong class="command">key</strong></span>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564004"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564021"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is the digest
length, here 256 bits.
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
</p>
<p>
The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
Nothing directly uses this file, but the base-64 encoded string
can be extracted from the file and used as a shared secret:
</p>
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
<p>
The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
be used as the shared secret.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564059"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
the length is a multiple of 4 and only valid characters are used),
so the shared secret can be manually generated.
</p>
<p>
Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
a similar program to generate base-64 encoded data.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564077"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564088"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>
are both servers. The following is added to each server's <code class="filename">named.conf</code> file:
</p>
<pre class="programlisting">
key host1-host2. {
  algorithm hmac-sha256;
  secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
<p>
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be
non-world readable, or the key directive be added to a non-world
readable file that is included by <code class="filename">named.conf</code>.
</p>
<p>
At this point, the key is recognized. This means that if the
server receives a message signed by this key, it can verify the
signature. If the signature is successfully verified, the
response is signed by the same key.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564124"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
10.1.2.3:
</p>
<pre class="programlisting">
server 10.1.2.3 {
  keys { host1-host2. ;};
};
</pre>
<p>
Multiple keys may be present, but only the first is used.
This directive does not contain any secrets, so it may be in a
world-readable
</p>
<p>
If <span class="emphasis"><em>host1</em></span> sends a message that is a request
to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
expect any responses to signed messages to be signed with the same
</p>
<p>
A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
sign request messages to <span class="emphasis"><em>host1</em></span>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572169"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
definitions and
<span><strong class="command">allow-{ query | transfer | update }</strong></span>
This has been extended to allow TSIG keys also. The above key would
be denoted <span><strong class="command">key host1-host2.</strong></span>
</p>
<p>
An example of an <span><strong class="command">allow-update</strong></span> directive would be:
</p>
<pre class="programlisting">allow-update { key host1-host2. ;};</pre>
<p>
This allows dynamic updates to succeed only if the request
was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
the more flexible <span><strong class="command">update-policy</strong></span> statement.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572218"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
server, a FORMERR (format error) will be returned, since the server will not
understand the record. This is a result of misconfiguration,
since the server must be explicitly configured to send a TSIG
signed message to a specific server.
</p>
<p>
If a TSIG aware server receives a message signed by an
unknown key, the response will be unsigned with the TSIG
extended error code set to BADKEY. If a TSIG aware server
receives a message with a signature that does not validate, the
response will be unsigned with the TSIG extended error code set
to BADSIG. If a TSIG aware server receives a message with a time
outside of the allowed range, the response will be signed with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully
verified. In any of these cases, the message's rcode (response code) is set to
NOTAUTH (not authenticated).
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572232"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
<span><strong class="command">TKEY</strong></span> that specify how the key is generated
or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
these modes, the Diffie-Hellman key exchange. Both hosts are
required to have a Diffie-Hellman KEY record (although this
record is not required to be present in a zone). The
<span><strong class="command">TKEY</strong></span> process must use signed messages,
signed either by TSIG or SIG(0). The result of
<span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
used to delete shared secrets that it had previously
</p>
<p>
The <span><strong class="command">TKEY</strong></span> process is initiated by a client
or server by sending a signed <span><strong class="command">TKEY</strong></span>
(including any appropriate KEYs) to a TKEY-aware server. The
server response, if it indicates success, will contain a
<span><strong class="command">TKEY</strong></span> record and any appropriate keys. After
this exchange, both participants have enough information to
determine the shared secret; the exact process depends on the
<span><strong class="command">TKEY</strong></span> mode. When using the
Diffie-Hellman
<span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
and the shared secret is derived by both participants.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572281"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0)
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
granted or denied based on the key name.
</p>
<p>
When a SIG(0) signed message is received, it will only be
verified if the key is known and trusted by the server; the server
will not attempt to locate and/or validate the key.
</p>
<p>
SIG(0) signing of multiple-message TCP streams is not
</p>
<p>
The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
<p>
Cryptographic authentication of DNS information is possible
through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
</p>
<p>
In order to set up a DNSSEC secure zone, there is a series
of steps which must be followed. <acronym class="acronym">BIND</acronym>
ships with several tools
that are used in this process, which are explained in more detail
below. In all cases, the <code class="option">-h</code> option prints a
full list of parameters. Note that the DNSSEC tools require the
keyset files to be in the working directory or the
directory specified by the <code class="option">-d</code> option, and
that the tools shipped with BIND 9.2.x and earlier are not compatible
with the current ones.
</p>
<p>
There must also be communication with the administrators of
the parent and/or child zone to transmit keys. A zone's security
status must be indicated by the parent zone for a DNSSEC capable
resolver to trust its data. This is done through the presence
or absence of a <code class="literal">DS</code> record at the
</p>
<p>
For other servers to trust data in this zone, they must
either be statically configured with this zone's zone key or the
zone key of another zone above this one in the DNS tree.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572486"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
</p>
<p>
A secure zone must contain one or more zone keys. The
zone keys will sign all other records in the zone, as well as
the zone keys of any secure delegated zones. Zone keys must
have the same name as the zone, a name type of
<span><strong class="command">ZONE</strong></span>, and must be usable for
authentication.
It is recommended that zone keys use a cryptographic algorithm
designated as "mandatory to implement" by the IETF; currently
the only one is RSASHA1.
</p>
<p>
The following command will generate a 768-bit RSASHA1 key for
the <code class="filename">child.example</code> zone:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
</p>
<p>
Two output files will be produced:
<code class="filename">Kchild.example.+005+12345.key</code> and
<code class="filename">Kchild.example.+005+12345.private</code>
(where 12345 is an example of a key tag). The key filenames contain
the key name (<code class="filename">child.example.</code>),
algorithm (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
The private key (in the <code class="filename">.private</code>
file) is used to generate signatures, and the public key (in the
<code class="filename">.key</code> file) is used for signature
verification.
</p>
<p>
To generate another key with the same properties (but with
a different key tag), repeat the above command.
</p>
<p>
The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
to get a key pair from crypto hardware and build the key
files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
</p>
<p>
The public keys should be inserted into the zone file by
including the <code class="filename">.key</code> files using
<span><strong class="command">$INCLUDE</strong></span> statements.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572633"></a>Signing the Zone</h3></div></div></div>
<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used
 to sign a zone.</p>
<p>Any <code class="filename">keyset</code> files corresponding to
 secure subzones should be present. The zone signer will
 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
 and <code class="literal">RRSIG</code> records for the zone, as
 well as <code class="literal">DS</code> for the child zones if
 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
 is not specified, then DS RRsets for the secure child
 zones need to be added manually.</p>
<p>The following command signs the zone, assuming it is in a
 file called <code class="filename">zone.child.example</code>. By
 default, all zone keys which have an available private key are
 used to generate signatures.</p>
<pre class="screen"><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></pre>
<p>One output file is produced:
 <code class="filename">zone.child.example.signed</code>. This
 should be referenced in <code class="filename">named.conf</code>
 as the input file for the zone.</p>
<p><span><strong class="command">dnssec-signzone</strong></span>
 will also produce keyset and dsset files, and optionally a
 dlvset file. These are used to provide the parent zone
 administrators with the <code class="literal">DNSKEYs</code> (or their
 corresponding <code class="literal">DS</code> records) that are the
 secure entry point to the zone.</p>
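<p>The DS record the parent publishes must be derived from the child's DNSKEY, and a key that does not match the parent's DS RRset is one of the causes of validation failure listed later in this chapter. As an added example that is not part of the ARM or of BIND, the following Python computes the RFC 4034 key tag and DS digest from DNSKEY rdata and checks a published DS against it; it reuses the example.net KSK from the nsupdate session later in this chapter, and the function names (parse_dnskey, ds_record, ds_matches) are this example's own.</p>

```python
import base64
import hashlib
import struct

# DS digest type numbers (RFC 4034 section 5.1.3 and RFC 4509).
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256"}

# The example.net KSK from the nsupdate session in this chapter; the ARM
# presents it as a documentation example, not a production key.
EXAMPLE_KSK = ("257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 "
               "XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=")


def parse_dnskey(text):
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64...' presentation-format rdata.
    The base64 may be split by whitespace, as in dig output or nsupdate."""
    fields = text.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY rdata: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(flags, proto, alg, pubkey):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except the
    obsolete RSAMD5, which has its own rule). This is the number shown in
    K* file names and in the dsset file."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lower case, length-prefixed
    labels, terminating root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, dnskey_text, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX) for the DS record,
    i.e. the rdata dnssec-signzone writes to the dsset file."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(owner_wire(owner))
    h.update(dnskey_rdata(flags, proto, alg, pubkey))
    return key_tag(flags, proto, alg, pubkey), alg, digest_type, h.hexdigest().upper()


def ds_matches(owner, dnskey_text, ds_text):
    """True if DS rdata 'TAG ALG DIGESTTYPE HEX' (as published by the
    parent) was derived from this DNSKEY. A mismatch here is one reason a
    validating resolver returns SERVFAIL for the zone."""
    tag, alg, dtype, hexdigest = ds_text.split(None, 3)
    expected = ds_record(owner, dnskey_text, int(dtype))
    return expected == (int(tag), int(alg), int(dtype), hexdigest.replace(" ", "").upper())


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.net", EXAMPLE_KSK)
    print(f"example.net. IN DS {tag} {alg} {dtype} {digest}")
```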
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572782"></a>Configuring Servers</h3></div></div></div>
<p>To enable <span><strong class="command">named</strong></span> to respond appropriately
 to DNS requests from DNSSEC-aware clients,
 <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
 (This is the default setting.)</p>
<p>To enable <span><strong class="command">named</strong></span> to validate answers from
 other servers, the <span><strong class="command">dnssec-enable</strong></span> option
 must be set to <strong class="userinput"><code>yes</code></strong>, and the
 <span><strong class="command">dnssec-validation</strong></span> option must be set to
 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.</p>
<p>If <span><strong class="command">dnssec-validation</strong></span> is set to
 <strong class="userinput"><code>auto</code></strong>, then a default
 trust anchor for the DNS root zone will be used.
 If it is set to <strong class="userinput"><code>yes</code></strong>, however,
 then at least one trust anchor must be configured
 with a <span><strong class="command">trusted-keys</strong></span> or
 <span><strong class="command">managed-keys</strong></span> statement in
 <code class="filename">named.conf</code>, or DNSSEC validation
 will not occur. The default setting is
 <strong class="userinput"><code>yes</code></strong>.</p>
<p><span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
 for zones that are used to form the first link in the
 cryptographic chain of trust. All keys listed in
 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
 are deemed to exist and only the listed keys will be used
 to validate the DNSKEY RRset that they are from.</p>
<p><span><strong class="command">managed-keys</strong></span> are trusted keys which are
 automatically kept up to date via RFC 5011 trust anchor
 maintenance.</p>
<p><span><strong class="command">trusted-keys</strong></span> and
 <span><strong class="command">managed-keys</strong></span> are described in more detail
 later in this document.</p>
<p>Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
 9 does not verify signatures on load, so zone keys for
 authoritative zones do not need to be specified in the
 configuration file.</p>
<p>After DNSSEC gets established, a typical DNSSEC configuration
 will look something like the following. It has one or
 more public keys for the root. This allows answers from
 outside the organization to be validated. It will also
 have several keys for parts of the namespace the organization
 controls. These are here to ensure that <span><strong class="command">named</strong></span>
 is immune to compromises in the DNSSEC components of the security
 of parent zones.</p>
<pre class="programlisting">
managed-keys {
    /* Root Key */
    "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
                             dgxbcDTClU0CRBdiieyLMNzXG3";
};

trusted-keys {
    /* Key for our organization's forward zone */
    example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
                          5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
                          GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
                          4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
                          g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
                          TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
                          F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm";

    /* Key for our reverse zone. */
    2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
                                    xOdNax071L18QqZnQQQAVVr+i
                                    LhGTnNGp3HoWQLUIzKrJVZ3zg
                                    gy3WwNT6kZo6c0tszYqbtvchm
                                    siaOdS0yOI6BgPsw+YZdzlYMa
                                    IJGf4M4dyoKIhzdZyQ2bYQrjy
                                    Q4LB0lC7aOnsMyYKHHYeRvPxj
                                    IQXmdqgOJGq+vsevG06zW+1xg
                                    59VvjSPsZJHeDCUyWYrvPZesZ
                                    DIRvhDD52SKvbheeTJUm6Ehkz";
};

options {
    dnssec-enable yes;
    dnssec-validation yes;
};
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>None of the keys listed in this example are valid. In particular,
 the root key is not valid.</p>
</div>
<p>When DNSSEC validation is enabled and properly configured,
 the resolver will reject any answers from signed, secure zones
 which fail to validate, and will return SERVFAIL to the client.
 Responses may fail to validate for any of several reasons,
 including missing, expired, or invalid signatures, a key which
 does not match the DS RRset in the parent zone, or an insecure
 response from a zone which, according to its parent, should have
 been secure.</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>When the validator receives a response from an unsigned zone
 that has a signed parent, it must confirm with the parent
 that the zone was intentionally left unsigned. It does
 this by verifying, via signed and validated NSEC/NSEC3 records,
 that the parent zone contains no DS records for the child.</p>
<p>If the validator <span class="emphasis"><em>can</em></span> prove that the zone
 is insecure, then the response is accepted. However, if it
 cannot, then it must assume an insecure response to be a
 forgery; it rejects the response and logs an error.</p>
<p>The logged error reads "insecurity proof failed" and
 "got insecure response; parent indicates it should be secure".
 (Prior to BIND 9.7, the logged error was "not insecure".
 This referred to the zone, not the response.)</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
<p>As of BIND 9.7.0 it is possible to change a dynamic zone
 from insecure to signed and back again. A secure zone can use
 either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563414"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
 ways: using a dynamic DNS update, or the
 <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure
 <span><strong class="command">named</strong></span> so that it can see the
 <code class="filename">K*</code> files which contain the public and private
 parts of the keys that will be used to sign the zone. These files
 will have been generated by
 <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
 in the key-directory, as specified in</p>
<pre class="programlisting">
    type master;
    update-policy local;
</pre>
<p>If one KSK and one ZSK DNSKEY key have been generated, this
 configuration will cause all records in the zone to be signed
 with the ZSK, and the DNSKEY RRset to be signed with the KSK as
 well. An NSEC chain will be generated as part of the initial
 signing process.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563451"></a>Dynamic DNS update method</h3></div></div></div></div>
<pre class="screen">
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; send
</pre>
<p>While the update request will complete almost immediately,
 the zone will not be completely signed until
 <span><strong class="command">named</strong></span> has had time to walk the zone and
 generate the NSEC and RRSIG records. The NSEC record at the apex
 will be added last, to signal that there is a complete NSEC
<p>If you wish to sign using NSEC3 instead of NSEC, you should
 add an NSEC3PARAM record to the initial update request. If you
 wish the NSEC3 chain to have the OPTOUT bit set, set it in the
 flags field of the NSEC3PARAM record.</p>
<pre class="screen">
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
&gt; send
</pre>
<p>Again, this update request will complete almost
 immediately; however, the record won't show up until
 <span><strong class="command">named</strong></span> has had a chance to build/remove the
 relevant chain. A private type record will be created to record
 the state of the operation (see below for more details), and will
 be removed once the operation completes.</p>
<p>While the initial signing and NSEC/NSEC3 chain generation
 is happening, other updates are possible as well.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563488"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
 <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in</p>
<p><span><strong class="command">auto-dnssec</strong></span> has two possible arguments:</p>
<p>With <span><strong class="command">auto-dnssec allow</strong></span>,
 <span><strong class="command">named</strong></span> can search the key directory for keys
 matching the zone, insert them into the zone, and use them to
 sign the zone. It will do so only when it receives an
 <span><strong class="command">rndc sign &lt;zonename&gt;</strong></span>.</p>
<p><span><strong class="command">auto-dnssec maintain</strong></span> includes the above
 functionality, but will also automatically adjust the zone's
 DNSKEY records on schedule according to the keys' timing metadata.
 (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)</p>
<p><span><strong class="command">named</strong></span> will periodically search the key directory
 for keys matching the zone, and if the keys' metadata indicates
 that any change should be made to the zone, such as adding, removing,
 or revoking a key, then that action will be carried out. By default,
 the key directory is checked for changes every 60 minutes; this period
 can be adjusted with the <code class="option">dnssec-loadkeys-interval</code> option, up
 to a maximum of 24 hours. The <span><strong class="command">rndc loadkeys</strong></span> command forces
 <span><strong class="command">named</strong></span> to check for key updates immediately.</p>
<p>If keys are present in the key directory the first time the zone
 is loaded, the zone will be signed immediately, without waiting for an
 <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
 command. (Those commands can still be used when there are unscheduled
 key changes, however.)</p>
<p>If you wish the zone to be signed using NSEC3 instead of NSEC,
 submit an NSEC3PARAM record via dynamic update prior to the
 scheduled publication and activation of the keys. If you wish the
 NSEC3 chain to have the OPTOUT bit set, set it in the flags field
 of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
 the zone immediately, but it will be stored for later reference. When
 the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
 record will appear in the zone.</p>
<p>The <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
 configured to allow dynamic updates, by adding an
 <span><strong class="command">allow-update</strong></span> or
 <span><strong class="command">update-policy</strong></span> statement to the zone
 configuration. If this has not been done, the configuration will</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563659"></a>Private-type records</h3></div></div></div></div>
<p>The state of the signing process is signaled by
 private-type records (with a default type value of 65534). When
 signing is complete, these records will have a nonzero value for
 the final octet (for those records which have a nonzero initial</p>
<p>The private type record format: If the first octet is
 non-zero then the record indicates that the zone needs to be
 signed with the key matching the record, or that all signatures
 that match the record should be removed.</p>
<div class="literallayout"><p>&nbsp;&nbsp;algorithm (octet 1)<br>
&nbsp;&nbsp;key id in network order (octet 2 and 3)<br>
&nbsp;&nbsp;removal flag (octet 4)<br>
&nbsp;&nbsp;complete flag (octet 5)<br>
</p></div>
<p>Only records flagged as "complete" can be removed via
 dynamic update. Attempts to remove other private type records
 will be silently ignored.</p>
<p>If the first octet is zero (this is a reserved algorithm
 number that should never appear in a DNSKEY record) then the
 record indicates changes to the NSEC3 chains are in progress. The
 rest of the record contains an NSEC3PARAM record. The flag field
 tells what operation to perform based on the flag bits.</p>
<div class="literallayout"><p>&nbsp;&nbsp;0x01 OPTOUT<br>
&nbsp;&nbsp;0x80 CREATE<br>
&nbsp;&nbsp;0x40 REMOVE<br>
&nbsp;&nbsp;0x20 NONSEC<br>
</p></div>
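<p>As an added example that is not BIND code, the following Python decodes private-type records in the format described above, starting from the generic RFC 3597 <code class="literal">\# length hex</code> presentation that <span><strong class="command">dig</strong></span> shows for TYPE65534, and reports whether signing has finished and which records may be removed by dynamic update. The sample records are constructed for the example, and the function names are this example's own.</p>

```python
import struct

# Default private RR type number named uses to record signing state.
PRIVATE_TYPE = 65534

# Flag bits of the NSEC3PARAM-style private record (first octet zero).
NSEC3_OPS = {0x80: "CREATE", 0x40: "REMOVE", 0x20: "NONSEC", 0x01: "OPTOUT"}

# Constructed sample, shaped like dig output for a zone in mid-signing:
# a key record for algorithm 7, key id 54247, signing not yet complete,
# and an NSEC3 chain being created with OPTOUT, 100 iterations and
# salt 1234567890 (the NSEC3PARAM from the nsupdate session above).
SAMPLE_RECORDS = [
    r"\# 5 07D3E70000",
    r"\# 11 0001810064051234567890",
]


def parse_rfc3597(rdata_text):
    """Parse the generic '\\# LENGTH HEX...' presentation format used for
    unknown types such as TYPE65534 (RFC 3597 section 5)."""
    fields = rdata_text.split()
    if not fields or fields[0] != r"\#":
        raise ValueError("expected RFC 3597 '\\#' rdata")
    length = int(fields[1])
    raw = bytes.fromhex("".join(fields[2:]))
    if len(raw) != length:
        raise ValueError(f"declared length {length} but got {len(raw)} octets")
    return raw


def decode_private_record(rdata):
    """Describe one private-type record according to the format above."""
    if len(rdata) < 5:
        raise ValueError("private-type rdata is at least 5 octets")
    if rdata[0] != 0:
        # algorithm, key id (network order), removal flag, complete flag
        alg, keyid, removal, complete = struct.unpack("!BHBB", rdata[:5])
        return {"kind": "key", "algorithm": alg, "keyid": keyid,
                "action": "remove signatures" if removal else "sign",
                "complete": complete != 0}
    # Octet 1 is zero: algorithm 0 is reserved, so the rest is an
    # NSEC3PARAM record whose flags field names the chain operation.
    if len(rdata) < 6:
        raise ValueError("truncated NSEC3PARAM in private record")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[1:6])
    salt = rdata[6:6 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated NSEC3PARAM salt")
    return {"kind": "nsec3", "hash_algorithm": hash_alg, "iterations": iterations,
            "salt": salt.hex().upper() or "-",
            "operations": [name for bit, name in NSEC3_OPS.items() if flags & bit]}


def removable(rdata):
    """Only key records flagged complete may be deleted by dynamic update;
    named silently ignores attempts to remove the others."""
    info = decode_private_record(rdata)
    return info["kind"] == "key" and info["complete"]


def signing_complete(records):
    """True once every key-state record carries the complete flag and no
    NSEC3 chain operation is pending (an empty list also means done,
    since named removes the records when the operation finishes)."""
    infos = [decode_private_record(r) for r in records]
    return all(i["kind"] == "key" and i["complete"] for i in infos)


if __name__ == "__main__":
    raw = [parse_rfc3597(r) for r in SAMPLE_RECORDS]
    for r in raw:
        print(decode_private_record(r))
    print("signing complete:", signing_complete(raw))
```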
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571820"></a>DNSKEY rollovers</h3></div></div></div></div>
<p>As with insecure-to-secure conversions, rolling DNSSEC
 keys can be done in two ways: using a dynamic DNS update, or the
 <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571833"></a>Dynamic DNS update method</h3></div></div></div></div>
<p>To perform key rollovers via dynamic update, you need to add
 the <code class="filename">K*</code> files for the new keys so that
 <span><strong class="command">named</strong></span> can find them. You can then add the new
 DNSKEY RRs via dynamic update.
 <span><strong class="command">named</strong></span> will then cause the zone to be signed
 with the new keys. When the signing is complete the private type
 records will be updated so that the last octet is non</p>
<p>If this is for a KSK you need to inform the parent and any
 trust anchor repositories of the new KSK.</p>
<p>You should then wait for the maximum TTL in the zone before
 removing the old DNSKEY. If it is a KSK that is being updated,
 you also need to wait for the DS RRset in the parent to be
 updated and its TTL to expire. This ensures that all clients will
 be able to verify at least one signature when you remove the old</p>
<p>The old DNSKEY can be removed via UPDATE. Take care to
 specify the correct key.
 <span><strong class="command">named</strong></span> will clean out any signatures generated
 by the old key after the update completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571866"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by
 <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
 if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
 <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
 automatically carry out the key rollover. If the key's algorithm
 has not previously been used to sign the zone, then the zone will
 be fully signed as quickly as possible. However, if the new key
 is replacing an existing key of the same algorithm, then the
 zone will be re-signed incrementally, with signatures from the
 old key being replaced with signatures from the new key as their
 signature validity periods expire. By default, this rollover
 completes in 30 days, after which it will be safe to remove the
 old key from the DNSKEY RRset.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571893"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
 new NSEC3 chain has been generated, the NSEC3PARAM flag field
 will be zero. At this point you can remove the old NSEC3PARAM
 record. The old chain will be removed after the update request
 completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571902"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When
 the conversion is complete, the NSEC chain will have been removed
 and the NSEC3PARAM record will have a zero flag field. The NSEC3
 chain will be generated before the NSEC chain is
 destroyed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571912"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
 remove all NSEC3PARAM records with a zero flag
 field. The NSEC chain will be generated before the NSEC3 chain is
 removed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571925"></a>Converting from secure to insecure</h3></div></div></div></div>
<p>To convert a signed zone to unsigned using dynamic DNS,
 delete all the DNSKEY records from the zone apex using
 <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
 and associated NSEC3PARAM records will be removed automatically.
 This will take place after the update request completes.</p>
<p> This requires the
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <strong class="userinput"><code>yes</code></strong> in
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews zone statement is used, it should be removed or changed to
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews <span><strong class="command">allow</strong></span> instead (or it will re-sign).
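<p>The four procedures above all reduce to one or two <span><strong class="command">nsupdate</strong></span> transactions followed by a check of the apex NSEC3PARAM RRset. The following Python is an added example, not material from the BIND 9 ARM or from ISC: it builds the <span><strong class="command">nsupdate</strong></span> batch input for each step and decides, from a dig-style copy of the NSEC3PARAM RRset, whether the new chain is complete and the old record can go. The zone name, server address and the sample records in the test are constructed.</p>

```python
"""Added example, not from the BIND 9 ARM: the nsupdate batches for the
NSEC3PARAM rollover, NSEC/NSEC3 conversions and secure-to-insecure steps
described above, plus a check of the apex NSEC3PARAM RRset that tells you
when it is safe to delete the old record. Zone name, server address and
the sample dig output in the test are constructed."""
from typing import Dict, List, Optional, Tuple

ZONE = "example.net."   # constructed zone name
SERVER = "192.0.2.1"    # constructed primary address (RFC 5737 TEST-NET-1)

# NSEC3PARAM in presentation order: hash algorithm, flags, iterations, salt
Nsec3Params = Tuple[int, int, int, str]


def _batch(zone: str, server: str, updates: List[str]) -> str:
    """Input for 'nsupdate -k <tsig-key-file>': one transaction, then send."""
    return "\n".join([f"server {server}", f"zone {zone}", *updates, "send"]) + "\n"


def add_nsec3param_batch(new: Nsec3Params, zone: str = ZONE, server: str = SERVER) -> str:
    """First step of an NSEC3PARAM rollover, and the whole NSEC-to-NSEC3
    conversion: add the new record. named builds the new chain afterwards;
    the record's flags field reads 0 once that chain exists."""
    alg, flags, iters, salt = new
    return _batch(zone, server, [f"update add {zone} 0 IN NSEC3PARAM {alg} {flags} {iters} {salt}"])


def delete_nsec3param_batch(old: Nsec3Params, zone: str = ZONE, server: str = SERVER) -> str:
    """Second step of a rollover: drop the old record once the new chain is
    complete. Deleting every zero-flag NSEC3PARAM converts back to NSEC."""
    alg, flags, iters, salt = old
    return _batch(zone, server, [f"update delete {zone} NSEC3PARAM {alg} {flags} {iters} {salt}"])


def secure_to_insecure_batch(zone: str = ZONE, server: str = SERVER) -> str:
    """Delete the whole apex DNSKEY RRset. With dnssec-secure-to-insecure
    yes, named then removes RRSIGs, the NSEC/NSEC3 chain and NSEC3PARAM."""
    return _batch(zone, server, [f"update delete {zone} DNSKEY"])


def parse_nsec3param_rrset(lines: List[str]) -> Dict[Tuple[int, int, str], int]:
    """(hash alg, iterations, SALT) -> flags from dig-style answer lines such as
    'example.net. 0 IN NSEC3PARAM 1 0 10 BEEF'; comments and blanks are skipped."""
    seen: Dict[Tuple[int, int, str], int] = {}
    for raw in lines:
        fields = raw.split(";", 1)[0].split()
        if "NSEC3PARAM" not in fields:
            continue
        i = fields.index("NSEC3PARAM")
        if len(fields) < i + 5:
            continue
        alg, flags, iters, salt = fields[i + 1:i + 5]
        seen[(int(alg), int(iters), salt.upper())] = int(flags)
    return seen


def rollover_state(lines: List[str], new: Nsec3Params,
                   old: Optional[Nsec3Params] = None) -> str:
    """'building' until the new NSEC3PARAM is present with flags 0;
    'remove-old' while the old record is still published; then 'done'."""
    seen = parse_nsec3param_rrset(lines)
    if seen.get((new[0], new[2], new[3].upper())) != 0:
        return "building"
    if old is not None and (old[0], old[2], old[3].upper()) in seen:
        return "remove-old"
    return "done"
```

<p>Feed the batch strings to <span><strong class="command">nsupdate</strong></span> on standard input, then poll the apex with <span><strong class="command">dig +norecurse NSEC3PARAM</strong></span> against the primary and pass the answer lines to <code class="literal">rollover_state()</code>; only when it reports <code class="literal">remove-old</code> should the second batch be sent.</p>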
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571962"></a>Periodic re-signing</h3></div></div></div></div>
<p>In any secure zone which supports dynamic updates, named
 will periodically re-sign RRsets which have not been re-signed as
 a result of some update action. The signature lifetimes will be
 adjusted so as to spread the re-sign load over time rather than
 all at once.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571972"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<p><span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
 where all the NSEC3 records in the zone have the same OPTOUT
 state. <span><strong class="command">named</strong></span> supports UPDATEs to zones where the NSEC3
 records in the chain have mixed OPTOUT state.
 <span><strong class="command">named</strong></span> does not support changing the OPTOUT
 state of an individual NSEC3 record; the entire chain must be
 regenerated if the OPTOUT state of an individual NSEC3 record needs to be
 changed.</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
 anchor management. Using this feature allows
 <span><strong class="command">named</strong></span> to keep track of changes to critical
 DNSSEC keys without any need for the operator to make changes to
 configuration files.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572005"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
 maintain a trust anchor, configure the trust anchor using a
 <span><strong class="command">managed-keys</strong></span> statement. Information about
 this can be found in
 <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
 and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
 and Usage”</a>.</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608550"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor
 maintenance, generate two (or more) key signing keys (KSKs) for
 the zone. Sign the zone with one of them; this is the "active"
 KSK. The "stand-by" KSKs are all those which do not sign the zone.</p>
<p>Any validating resolver which is configured to use the
 active KSK as an RFC 5011-managed trust anchor will take note
 of the stand-by KSKs in the zone's DNSKEY RRset, and store them
 for future reference. The resolver will recheck the zone
 periodically, and after 30 days, if the new key is still there,
 then the key will be accepted by the resolver as a valid trust
 anchor for the zone. Any time after this 30-day acceptance
 timer has completed, the active KSK can be revoked, and the
 zone can be "rolled over" to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to
 use the "smart signing" features of
 <span><strong class="command">dnssec-keygen</strong></span> and
 <span><strong class="command">dnssec-signzone</strong></span>. If a key has a publication
 date in the past, but an activation date which is unset or in
 the future, "<span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
 record in the zone, but will not sign with it:</p>
<pre class="screen">$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong></pre>
<p>To revoke a key, the new command
 <span><strong class="command">dnssec-revoke</strong></span> has been added. This sets the
 REVOKE bit in the key flags and re-generates the
 <code class="filename">K*.key</code> and <code class="filename">K*.private</code> files.</p>
<p>After revoking the active key, the zone must be signed
 with both the revoked KSK and the new active KSK. (Smart
 signing takes care of this automatically.)</p>
<p>Once a key has been revoked and used to sign the DNSKEY
 RRset in which it appears, that key will never again be
 accepted as a valid trust anchor by the resolver. However,
 validation can proceed using the new active key (which had been
 accepted by the resolver when it was a stand-by key).</p>
<p>See RFC 5011 for more details on key rollover
 scenarios.</p>
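<p>The resolver-side behaviour described above (a stand-by key is held for 30 days before it is trusted, a key that signs its own revocation is never trusted again, and an RRset not signed by a current trust anchor changes nothing) is a small state machine. The following Python is an added example, not code from <span><strong class="command">named</strong></span> or from the ARM, modelling that machine. Keys are identified by an opaque string standing in for the public key material rather than by key ID, because, as the text notes below, the key ID changes when a key is revoked. The key names and timestamps in the test scenario are constructed.</p>

```python
"""Added example, not from the BIND 9 ARM or named's own code: a minimal
RFC 5011 trust-anchor tracker showing the 30-day add hold-down and the
permanent rejection of a revoked key. Keys are identified by an opaque
string standing in for the public key material (the key ID changes when a
key is revoked, so a real resolver cannot track by ID). All timestamps and
key names used in the test scenario are constructed."""
from typing import Dict, Iterable, List, Set

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY   # RFC 5011 add hold-down: 30 days


class TrustAnchorStore:
    """States per key: 'Valid' (usable trust anchor), 'AddPend' (seen,
    waiting out the hold-down), 'Revoked' (never trusted again)."""

    def __init__(self, initial_anchors: Iterable[str]) -> None:
        self.state: Dict[str, str] = {k: "Valid" for k in initial_anchors}
        self.first_seen: Dict[str, float] = {}

    def trusted(self) -> List[str]:
        return sorted(k for k, s in self.state.items() if s == "Valid")

    def observe(self, now: float, rrset: Dict[str, bool], signers: Set[str]) -> str:
        """Process one fetch of the apex DNSKEY RRset.

        rrset maps key -> True if its REVOKE bit is set; signers is the set
        of keys whose RRSIG over the DNSKEY RRset verified. Returns
        'ignored' when no currently trusted key signed the RRset, which is
        the rule that stops an attacker from injecting anchors."""
        valid = {k for k, s in self.state.items() if s == "Valid"}
        if not valid & signers:
            return "ignored"
        # A known key carrying the REVOKE bit that also signs the RRset is
        # revoked for good.
        for key, revoked in rrset.items():
            if revoked and key in signers and key in self.state:
                self.state[key] = "Revoked"
        # New keys enter AddPend; pending keys still present once the
        # hold-down has elapsed become Valid. Revoked keys never re-enter.
        for key, revoked in rrset.items():
            if revoked:
                continue
            st = self.state.get(key)
            if st is None:
                self.state[key] = "AddPend"
                self.first_seen[key] = now
            elif st == "AddPend" and now - self.first_seen[key] >= ADD_HOLD_DOWN:
                self.state[key] = "Valid"
        # A pending key that disappears from the RRset starts over.
        for key in [k for k, s in self.state.items() if s == "AddPend"]:
            if key not in rrset:
                del self.state[key]
                del self.first_seen[key]
        return "ok"
```

<p>The check that at least one currently valid anchor signed the RRset is what makes the scheme safe: a stand-by key gets into the store only through an RRset the existing anchor vouched for, and the 30-day wait gives an operator time to notice a compromised active key before its stand-by is trusted.</p>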
<p>When a key has been revoked, its key ID changes,
 increasing by 128 and wrapping around past 65535 (the key ID is
 a 16-bit value computed over the DNSKEY RDATA, and the REVOKE
 flag bit has the value 128). So, for
 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
 "<code class="filename">Kexample.com.+005+10128</code>".</p>
<p>If two keys have IDs exactly 128 apart, and one is
 revoked, then the two key IDs will collide, causing several
 problems. To prevent this,
 <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
 another key is present which may collide. This checking will
 only occur if the new keys are written to the same directory
 which holds all other keys in use for that zone.</p>
<p>Older versions of BIND 9 did not have this precaution.
 Exercise caution if using key revocation on keys that were
 generated by previous releases, or if using keys stored in
 multiple directories or on multiple machines.</p>
<p>It is expected that a future release of BIND 9 will
 address this problem in a different way, by storing revoked
 keys with their original unrevoked key IDs.</p>
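<p>The ID shift and the collision rule above follow directly from how a key ID (key tag) is computed. The following Python is an added example, not BIND's own code: it implements the RFC 4034 Appendix B key tag, applies the REVOKE flag the way <span><strong class="command">dnssec-revoke</strong></span> does, renames a key file by the +128 rule, and implements the collision check <span><strong class="command">dnssec-keygen</strong></span> enforces. It also shows the one caveat to the "+128" rule: because the tag folds a carry once, the recomputed ID of a revoked key is 129 higher than the original when the 16-bit sum crosses 65535, so the real file name should be taken from the regenerated key, not from arithmetic on the old name. The public keys below are constructed byte strings, not real keys.</p>

```python
"""Added example, not BIND's own code: compute a DNSKEY key ID (key tag,
RFC 4034 Appendix B), show how setting the REVOKE flag moves it, and apply
the collision rule that dnssec-keygen enforces. The public keys below are
constructed byte strings, not real keys; the key-file names follow the
K<zone>+<alg>+<id> pattern used in the text."""
import base64
import re
import struct
from typing import Iterable

ZONE_KEY = 0x0100   # DNSKEY flags: Zone Key
SEP = 0x0001        # DNSKEY flags: Secure Entry Point (KSK)
REVOKE = 0x0080     # DNSKEY flags: REVOKE (RFC 5011)


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: flags(2) protocol(1, always 3) algorithm(1) key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of the RDATA as 16-bit big-endian
    words, with the carry folded in once. (Algorithm 1 keys use a
    different rule, not implemented here.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def revoke(rdata: bytes) -> bytes:
    """What dnssec-revoke does to the key: set the REVOKE flag bit."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return struct.pack("!H", flags | REVOKE) + rdata[2:]


def presentation(rdata: bytes) -> str:
    """Zone-file form: '<flags> 3 <alg> <base64 key>'."""
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return f"{flags} {proto} {alg} {base64.b64encode(rdata[4:]).decode()}"


KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def revoked_keyfile_name(name: str) -> str:
    """The rule of thumb from the text: the ID rises by 128, wrapping past
    65535. dnssec-revoke derives the real name from the modified RDATA,
    which is one higher when the tag sum carries (see CARRY_KSK)."""
    m = KEYFILE_RE.match(name)
    if m is None:
        raise ValueError(f"not a BIND key-file name: {name}")
    new_id = (int(m["id"]) + 128) & 0xFFFF
    return f"K{m['zone']}+{m['alg']}+{new_id:05d}"


def would_collide(existing_ids: Iterable[int], candidate_id: int) -> bool:
    """dnssec-keygen's precaution: refuse a new key whose ID, now or after
    revocation, equals an existing key's ID, now or after revocation."""
    cand = {candidate_id, (candidate_id + 128) & 0xFFFF}
    for kid in existing_ids:
        if cand & {kid, (kid + 128) & 0xFFFF}:
            return True
    return False


# Constructed sample keys (not real key material).
SAMPLE_KSK = dnskey_rdata(ZONE_KEY | SEP, 5, bytes([3, 1, 0, 1]) + bytes([0x10] * 16))
# Constructed so the 16-bit sum sits just below 0x10000: the revoked tag
# then differs from tag+128 by the folded carry.
CARRY_KSK = dnskey_rdata(ZONE_KEY | SEP, 5, bytes([0xFB, 0xEA]))
```

<p>Run <code class="literal">would_collide()</code> over the IDs of every key file in the zone's key directory before accepting a newly generated key; that is the same check <span><strong class="command">dnssec-keygen</strong></span> performs, and doing it yourself covers the multi-directory and multi-machine cases the text says the built-in check cannot see.</p>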
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<p>PKCS #11 (Public Key Cryptography Standard #11) defines a
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews platform- independent API for the control of hardware security
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews modules (HSMs) and other cryptographic support devices.</p>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews cryptographic acceleration board, tested under Solaris x86, and
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews the AEP Keyper network-attached key storage device, tested with
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Debian Linux, Solaris x86 and Windows Server 2003.</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2611521"></a>Prerequisites</h3></div></div></div>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<p>See the HSM vendor documentation for information about
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews installing, initializing, testing and troubleshooting the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews does not yet fully support PKCS #11. However, a PKCS #11 engine
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews for OpenSSL is available from the OpenSolaris project. It has
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews been modified by ISC to work with with BIND 9, and to provide
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson new features such as PIN management and key by
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews reference.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>The patched OpenSSL depends on a "PKCS #11 provider".
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews This is a shared library object, providing a low-level PKCS #11
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews interface to the HSM hardware. It is dynamically loaded by
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews OpenSSL at runtime. The PKCS #11 provider comes from the HSM
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews vendor, and is specific to the HSM to be controlled.</p>
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews<p>There are two "flavors" of PKCS #11 support provided by
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews the patched OpenSSL, one of which must be chosen at
39afe995c2bc1790061312b48ee294fd4907439fMark Andrews configuration time. The correct choice depends on the HSM
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews hardware:</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<li><p>Use 'crypto-accelerator' with HSMs that have hardware
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews cryptographic acceleration features, such as the SCA 6000
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews board. This causes OpenSSL to run all supported
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<li><p>Use 'sign-only' with HSMs that are designed to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews function primarily as secure key storage devices, but lack
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson hardware acceleration. These devices are highly secure, but
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews are not necessarily any faster at cryptography than the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews system CPU — often, they are slower. It is therefore
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews most efficient to use them only for those cryptographic
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews functions that require access to the secured private key,
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson such as zone signing, and to use the system CPU for all
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews other computationally-intensive operations. The AEP Keyper
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p>The modified OpenSSL code is included in the BIND 9 release,
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews in the form of a context diff against the latest verions of
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews OpenSSL. OpenSSL 0.9.8 and 1.0.0 are both supported; there are
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews separate diffs for each version. In the examples to follow,
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0.
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews The latest OpenSSL versions at the time of the BIND release
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews are 0.9.8s and 1.0.0f.
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews ISC will provide an updated patch as new versions of OpenSSL
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews are released. The version number in the following examples
f345258dabf4e8ad8a1573c56810f52fca50f5d4Mark Andrews is expected to change.</div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Before building BIND 9 with PKCS #11 support, it will be
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson necessary to build OpenSSL with this patch in place and inform
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews it of the path to the HSM-specific PKCS #11 provider
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews library.</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews$ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<p>Apply the patch from the BIND 9 release:</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews < bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews "patch" utility on all operating systems. You may need to
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews install GNU patch.)</div>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>When building OpenSSL, place it in a non-standard
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews location so that it does not interfere with OpenSSL libraries
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews elsewhere on the system. In the following examples, we choose
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson to install into "/opt/pkcs11/usr". We will use this location
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews when we configure BIND 9.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<div class="titlepage"><div><div><h4 class="title">
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<a name="id2609432"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<p>The AEP Keyper is a highly secure key storage device,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews but does not provide hardware cryptographic acceleration. It
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson can carry out cryptographic operations, but it is probably
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews slower than your system's CPU. Therefore, we choose the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews 'sign-only' flavor when building OpenSSL.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>The Keyper-specific PKCS #11 provider library is
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews delivered with the Keyper software. In this example, we place
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>This library is only available for Linux as a 32-bit
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews binary. If we are compiling on a 64-bit Linux system, it is
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews necessary to force a 32-bit build, by specifying -m32 in the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews build options.</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<p>Finally, the Keyper library requires threads, so we
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews must specify -pthread.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews$ <strong class="userinput"><code>/Configure linux-generic32 -m32 -pthread \
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson --pk11-flavor=sign-only \
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>After configuring, run "<span><strong class="command">make</strong></span>"
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews test</strong></span>" fails with "pthread_atfork() not found", you forgot to
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson add the -pthread above.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<div class="titlepage"><div><div><h4 class="title">
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<a name="id2609501"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>The SCA-6000 PKCS #11 provider is installed as a system
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews library, libpkcs11. It is a true crypto accelerator, up to 4
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews times faster than any CPU, so the flavor shall be
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews 'crypto-accelerator'.</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<p>In this example, we are building on Solaris x86 on an
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews AMD64 system.</p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code>/Configure solaris64-x86_64-cc \
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews --pk11-flavor=crypto-accelerator \
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>(For a 32-bit build, use "solaris-x86-cc" and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<p>After configuring, run
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">make</strong></span> and
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <span><strong class="command">make test</strong></span>.</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<div class="titlepage"><div><div><h4 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2609550"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<p>SoftHSM is a software library provided by the OpenDNSSEC
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews project (http://www.opendnssec.org) which provides a PKCS#11
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson interface to a virtual HSM, implemented in the form of encrypted
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews data on the local filesystem. It uses the Botan library for
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews encryption and SQLite3 for data storage. Though less secure
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews than a true HSM, it can provide more secure key storage than
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews traditional key files, and can allow you to experiment with
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews PKCS#11 when an HSM is not available.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>The SoftHSM cryptographic store must be installed and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews initialized before using it with OpenSSL, and the SOFTHSM_CONF
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews environment variable must always point to the SoftHSM configuration
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews$ <strong class="userinput"><code> make </code></strong>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson$ <strong class="userinput"><code> make install </code></strong>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>SoftHSM can perform all cryptographic operations, but
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews since it only uses your system CPU, there is no need to use it
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews for anything but signing. Therefore, we choose the 'sign-only'
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson flavor when building OpenSSL.</p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson --pk11-flavor=sign-only \
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews<p>After configuring, run "<span><strong class="command">make</strong></span>"
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews and "<span><strong class="command">make test</strong></span>".</p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p>Once you have built OpenSSL, run
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews that PKCS #11 support was compiled in correctly. The output
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews should be one of the following lines, depending on the flavor
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews selected:</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews (pkcs11) PKCS #11 engine support (sign only)
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews (pkcs11) PKCS #11 engine support (crypto accelerator)
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews attempt to initialize the PKCS #11 engine. If it is able to
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews do so successfully, it will report
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews “<span class="quote"><code class="literal">[ available ]</code></span>”.</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<p>If the output is correct, run
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews "<span><strong class="command">make install</strong></span>" which will install the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews modified OpenSSL suite to
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews <code class="filename">/opt/pkcs11/usr</code>.</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews<a name="id2611886"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews<p>When building BIND 9, the location of the custom-built
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews OpenSSL library must be specified via configure.</p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h4 class="title">
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson<a name="id2611895"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews<p>To link with the PKCS #11 provider, threads must be
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews enabled in the BIND 9 build.</p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p>The PKCS #11 library for the AEP Keyper is currently
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews only available as a 32-bit binary. If we are building on a
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews 64-bit host, we must force a 32-bit build by adding "-m32" to
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews the CC options on the "configure" command line.</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson$ <strong class="userinput"><code>cd /bind9</code></strong>
ea6566e3c4ffbf116219cc15f23d9d0eeac559a1Mark Andrews$ <strong class="userinput"><code>/configure CC="gcc -m32" --enable-threads \
e49d15b398d34b76ceb51e50bcfea9501ade07b6Mark Andrews --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<div class="titlepage"><div><div><h4 class="title">
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<a name="id2611927"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<p>To link with the PKCS #11 provider, threads must be
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews enabled in the BIND 9 build.</p>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<p>If configure complains about OpenSSL not working, you
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews may have a 32/64-bit architecture mismatch. Or, you may have
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews incorrectly specified the path to OpenSSL (it should be the
0756445a735e2df39bf798d8de42ae5dd030aa3bMark Andrews same as the --prefix argument to the OpenSSL
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Configure).</p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<div class="titlepage"><div><div><h4 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2612032"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>cd /bind9</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>./configure --enable-threads \
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
10640b2e3efc7bc8034108136d7487f7407fbf37Andreas Gustafsson<p>After configuring, run
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews "<span><strong class="command">make</strong></span>",
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews "<span><strong class="command">make test</strong></span>" and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington "<span><strong class="command">make install</strong></span>".</p>
aa85e0c64e3e659f11d10e40eafdfe122ff684afMark Andrews<p>(Note: If "make test" fails in the "pkcs11" system test, you may
036b375184c14c1b12bd347c1f920278970f3f41Mark Andrews have forgotten to set the SOFTHSM_CONF environment variable.)</p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a name="id2612080"></a>PKCS #11 Tools</h3></div></div></div>
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews<p>BIND 9 includes a minimal set of tools to operate the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews HSM, including
7c40ffd67bd1e73907f83a79a6ff8c635f4a4a74Mark Andrews <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews within the HSM,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">pkcs11-list</strong></span> to list objects currently
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews available, and
6274add733f4a16dfef4455dafb71a6a4721a0dfMark Andrews <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews<p>In UNIX/Linux builds, these tools are built only if BIND
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews 9 is configured with the --with-pkcs11 option. (NOTE: If
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews --with-pkcs11 is set to "yes", rather than to the path of the
7c40ffd67bd1e73907f83a79a6ff8c635f4a4a74Mark Andrews PKCS #11 provider, then the tools will be built but the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews provider will be left undefined. Use the -m option or the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews PKCS11_PROVIDER environment variable to specify the path to the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews provider.)</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a name="id2636277"></a>Using the HSM</h3></div></div></div>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<p>First, we must set up the runtime environment so the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews OpenSSL and PKCS #11 libraries can be loaded:</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>When operating an AEP Keyper, it is also necessary to
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews specify the location of the "machine" file, which stores
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington information about the Keyper for use by PKCS #11 provider
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews library. If the machine file is in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>These environment variables must be set whenever running
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews any tool that uses the HSM, including
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">pkcs11-keygen</strong></span>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">pkcs11-list</strong></span>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">pkcs11-destroy</strong></span>,
7c40ffd67bd1e73907f83a79a6ff8c635f4a4a74Mark Andrews <span><strong class="command">dnssec-keyfromlabel</strong></span>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">dnssec-keygen</strong></span> (which will use the HSM for
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews random number generation), and
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">named</strong></span>.</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>We can now create and use keys in the HSM. In this case,
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews we will create a 2048 bit key and give it the label
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews "sample-ksk":</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>pkcs11-list</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsobject[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsobject[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
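<p>As an added example (not part of the ARM or of BIND's own tools), the following Python parses pkcs11-list output in the format shown above and confirms that each label has both the public (class 2) and private (class 3) objects that dnssec-keyfromlabel expects to find in the HSM; the sample output is constructed and includes one deliberately incomplete label.</p>

```python
import re
from collections import defaultdict

# PKCS #11 object classes (CKO_* values from the PKCS #11 standard).
CKO_PUBLIC_KEY = 2
CKO_PRIVATE_KEY = 3

# One object per line, in the layout pkcs11-list prints on the page.
LINE_RE = re.compile(
    r"object\[(?P<idx>\d+)\]:\s+handle\s+(?P<handle>\d+)\s+class\s+(?P<cls>\d+)"
    r"\s+label\[\d+\]\s+'(?P<label>[^']*)'\s+id\[(?P<id>\d*)\]"
)


def parse_pkcs11_list(output):
    """Return one dict (handle, cls, label, id) per parseable object line."""
    objects = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            objects.append({
                "handle": int(m.group("handle")),
                "cls": int(m.group("cls")),
                "label": m.group("label"),
                "id": m.group("id"),
            })
    return objects


def key_pairs(objects):
    """Group objects by label and report which labels form a complete pair."""
    by_label = defaultdict(set)
    for obj in objects:
        by_label[obj["label"]].add(obj["cls"])
    result = {}
    for label, classes in by_label.items():
        result[label] = {
            "public": CKO_PUBLIC_KEY in classes,
            "private": CKO_PRIVATE_KEY in classes,
            "complete": {CKO_PUBLIC_KEY, CKO_PRIVATE_KEY} <= classes,
        }
    return result


# Constructed sample: the two lines from the page plus a label that has
# only its public half (a key that dnssec-keyfromlabel could not use).
SAMPLE_OUTPUT = """\
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
object[2]: handle 2147483660 class 2 label[8] 'orphan-zsk' id[0]
"""

if __name__ == "__main__":
    for label, info in key_pairs(parse_pkcs11_list(SAMPLE_OUTPUT)).items():
        status = "ok" if info["complete"] else "INCOMPLETE"
        print(f"{label}: public={info['public']} private={info['private']} {status}")
```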
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>Before using this key to sign a zone, we must create a
0756445a735e2df39bf798d8de42ae5dd030aa3bMark Andrews pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews does this. In this case, we will be using the HSM key
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews "sample-ksk" as the key-signing key for "example.net":</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>The resulting K*.key and K*.private files can now be used
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews to sign the zone. Unlike normal K* files, which contain both
67afb42794e0efcbb1c96108037733127544787cMark Andrews public and private key data, these files will contain only the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews public key data, plus an identifier for the private key which
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews remains stored within the HSM. The HSM handles signing with the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews private key.</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>If you wish to generate a second key in the HSM for use
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews as a zone-signing key, follow the same procedure above, using a
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews different keylabel, a smaller key size, and omitting "-f KSK"
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews from the dnssec-keyfromlabel arguments:</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
7c40ffd67bd1e73907f83a79a6ff8c635f4a4a74Mark Andrews<p>Alternatively, you may prefer to generate a conventional
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews on-disk key, using dnssec-keygen:</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>This provides less security than an HSM key, but since
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews HSMs can be slow or cumbersome to use for security reasons, it
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews may be more efficient to reserve HSM keys for use in the less
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews frequent key-signing operation. The zone-signing key can be
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews rolled more frequently, if you wish, to compensate for a
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews reduction in key security.</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>Now you can sign the zone. (Note: If not using the -S
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews option to <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the contents of both
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="filename">K*.key</code> files to the zone master file before
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews signing it.)</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsVerifying the zone using the following algorithms:
0756445a735e2df39bf798d8de42ae5dd030aa3bMark AndrewsNSEC3RSASHA1.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark AndrewsZone signing complete:
5752b9e296f14034f103149f18188770c2cc5239Mark AndrewsAlgorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a name="id2636544"></a>Specifying the engine on the command line</h3></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>The OpenSSL engine can be specified in
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">named</strong></span> and all of the BIND
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews &lt;engine&gt;" command line option. If BIND 9 is built with
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the --with-pkcs11 option, this option defaults to "pkcs11".
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Specifying the engine will generally not be necessary unless
0756445a735e2df39bf798d8de42ae5dd030aa3bMark Andrews for some reason you wish to use a different OpenSSL
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews<p>If you wish to disable use of the "pkcs11" engine —
0756445a735e2df39bf798d8de42ae5dd030aa3bMark Andrews for troubleshooting purposes, or because the HSM is unavailable
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews — set the engine to the empty string. For example:</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>This causes
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews without the --with-pkcs11 option.</p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews<a name="id2636589"></a>Running named with automatic zone re-signing</h3></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>If you want
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews keys, and/or to sign new records inserted via nsupdate, then
1676408640d8283c9f17eec0b183e1302ea7fd70Mark Andrews named must have access to the HSM PIN. This can be accomplished
5985ae96cdb38a19ed361ebbfd867d7fd9d1bed4Mark Andrews by placing the PIN into the openssl.cnf file (in the above
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<p>The location of the openssl.cnf file can be overridden by
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews setting the OPENSSL_CONF environment variable before running
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews openssl_conf = openssl_def
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews [ openssl_def ]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews engines = engine_section
18ee329936d7b96c0a9ae8a1d16b5a0bd6c86e0bMark Andrews [ engine_section ]
18ee329936d7b96c0a9ae8a1d16b5a0bd6c86e0bMark Andrews pkcs11 = pkcs11_section
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews [ pkcs11_section ]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>This will also allow the dnssec-* tools to access the HSM
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews without PIN entry. (The pkcs11-* tools access the HSM directly,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews not via OpenSSL, so a PIN will still be required to use
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p>Placing the HSM's PIN in a text file in
ea8cec4518b8222909b259790e41ce1bd70f03c3Mark Andrews this manner may reduce the security advantage of using an
ea8cec4518b8222909b259790e41ce1bd70f03c3Mark Andrews HSM. Be sure this is what you want to do before configuring
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews OpenSSL in this way.</p>
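<p>As an added example (not from the ARM), the Python below follows the openssl_conf / engines / pkcs11 chain shown above to the section that carries the PIN and checks whether the file's mode leaves that PIN readable by group or other users, which is the practical check to run before accepting the trade-off the warning describes; the configuration text and temporary file paths are constructed for illustration.</p>

```python
import os
import stat
import tempfile


def parse_openssl_cnf(text):
    """Minimal parser for the openssl.cnf subset used here: 'key = value'
    lines and [section] headers. Top-level keys (those before any header)
    live under the empty-string section name. Only full-line comments are
    skipped, so a PIN containing '#' is preserved."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def pkcs11_pin_section(sections):
    """Resolve openssl_conf -> engines -> pkcs11 to the section name holding
    the PIN, or None if any link of the chain is missing."""
    top = sections.get("", {}).get("openssl_conf")
    engines = sections.get(top, {}).get("engines") if top else None
    pkcs11 = sections.get(engines, {}).get("pkcs11") if engines else None
    return pkcs11 if pkcs11 in sections else None


def audit_openssl_cnf(path):
    """Report whether the file stores an HSM PIN and whether its permission
    bits expose it to group or other users."""
    with open(path) as fh:
        sections = parse_openssl_cnf(fh.read())
    section = pkcs11_pin_section(sections)
    has_pin = bool(section) and "PIN" in sections[section]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"pin_section": section, "has_pin": has_pin, "mode": mode,
            "pin_group_or_world_readable": has_pin and exposed}


# Constructed sample mirroring the stanza on the page, with a placeholder PIN.
SAMPLE_CNF = """\
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = 0000-placeholder
"""


def write_sample(mode):
    """Write SAMPLE_CNF to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".cnf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CNF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(oct(mode), audit_openssl_cnf(write_sample(mode)))
```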
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="id2573002"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <acronym class="acronym">BIND</acronym> 9 fully supports all currently
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews defined forms of IPv6 name to address and address to name
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews lookups. It will also use IPv6 addresses to make queries when
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews running on an IPv6 capable system.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews only AAAA records. RFC 3363 deprecated the use of A6 records,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews and client-side support for A6 records was accordingly removed
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews from <acronym class="acronym">BIND</acronym> 9.
49ef9cb60f37eb190986b750db57a194c8f7321cMark Andrews However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews load zone files containing A6 records correctly, answer queries
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews for A6 records, and accept zone transfer for a zone containing A6
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the traditional "nibble" format used in the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span class="emphasis"><em>ip6.int</em></span> domain.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Older versions of <acronym class="acronym">BIND</acronym> 9
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews supported the "binary label" (also known as "bitstring") format,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews but support of binary labels has been completely removed per
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the binary label format at all any more, and will return an
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews error if given.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews name server will not load a zone file containing binary labels.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews For an overview of the format and structure of IPv6 addresses,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
50a1a0e0d22d4537ae0d130da34199bb1a1820f7Mark Andrews<a name="id2573064"></a>Address Lookups Using AAAA Records</h3></div></div></div>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The IPv6 AAAA record is a parallel to the IPv4 A record,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews and, unlike the deprecated A6 record, specifies the entire
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews IPv6 address in a single record. For example,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewshost 3600 IN AAAA 2001:db8::1
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Use of IPv4-in-IPv6 mapped addresses is not recommended.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews If a host has an IPv4 address, use an A record, not
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews the address.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a name="id2573085"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews When looking up an address in nibble format, the address
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews components are simply reversed, just as in IPv4, and
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="literal">ip6.arpa.</code> is appended to the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews resulting name.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews For example, the following would provide reverse name lookup for
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews a host with address
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
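<p>The nibble reversal described above, generalised to any address and to any prefix boundary at which a reverse zone is delegated, as an added example that is not from the ARM; it also flags IPv4-mapped addresses, which the previous section says should be published as A records instead.</p>

```python
import ipaddress


def nibble_name(address):
    """Full ip6.arpa owner name: every hex digit of the expanded address,
    reversed, dot-separated, with ip6.arpa. appended."""
    hexdigits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(hexdigits)) + ".ip6.arpa."


def nibble_zone_entry(address, prefixlen):
    """Split a host's reverse name at a prefix boundary (multiple of 4 bits)
    into ($ORIGIN, relative owner), as a reverse zone for that prefix has it.
    For 2001:db8::1 and /64 this reproduces the $ORIGIN and owner on the page."""
    if prefixlen % 4 or not 0 < prefixlen < 128:
        raise ValueError("prefix length must be a multiple of 4 between 4 and 124")
    hexdigits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    prefix_nibbles = prefixlen // 4
    origin = ".".join(reversed(hexdigits[:prefix_nibbles])) + ".ip6.arpa."
    owner = ".".join(reversed(hexdigits[prefix_nibbles:]))
    return origin, owner


def is_ipv4_mapped(address):
    """True for ::ffff:a.b.c.d addresses, which should get an A record
    rather than a AAAA."""
    return ipaddress.IPv6Address(address).ipv4_mapped is not None


def ptr_record(address, hostname, prefixlen=64, ttl=14400):
    """Render the $ORIGIN line and PTR record for a host inside its
    /prefixlen reverse zone; hostname must be fully qualified."""
    if is_ipv4_mapped(address):
        raise ValueError("IPv4-mapped address: publish an A record instead")
    origin, owner = nibble_zone_entry(address, prefixlen)
    return f"$ORIGIN {origin}\n{owner} {ttl} IN PTR {hostname}\n"


if __name__ == "__main__":
    # Constructed host name; the address is the one used on the page.
    print(ptr_record("2001:db8::1", "host.example.com."))
```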
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<table width="100%" summary="Navigation footer">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>&nbsp;</td>
880e7930a386d07a4f22c00a2fd4c66911754e93Mark Andrews<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<td width="40%" align="left" valign="top">Chapter&nbsp;3.&nbsp;Name Server Configuration&nbsp;</td>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;5.&nbsp;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>