Bv9ARM.ch04.html revision f37eb9482057adf62de35e634bfd574e59676950
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Advanced Concepts</TITLE
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="GENERATOR"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCONTENT="Modular DocBook HTML Stylesheet Version 1.61
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweTITLE="BIND 9 Administrator Reference Manual"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovREL="PREVIOUS"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweTITLE="Nameserver Configuration"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreTITLE="The BIND 9 Lightweight Resolver"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="chapter"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovBGCOLOR="#FFFFFF"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweTEXT="#000000"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovLINK="#0000FF"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweVLINK="#840084"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovALINK="#0000FF"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="NAVHEADER"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCELLPADDING="0"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCELLSPACING="0"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweALIGN="center"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>BIND 9 Administrator Reference Manual</TH
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweVALIGN="bottom"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweALIGN="center"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweVALIGN="bottom"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweALIGN="right"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweVALIGN="bottom"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="chapter"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Chapter 4. Advanced Concepts</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Table of Contents</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch04.html#dynamic_update"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Dynamic Update</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch04.html#incremental_zone_transfers"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Incremental Zone Transfers (IXFR)</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Split DNS</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>IPv6 Support in <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="dynamic_update"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.1. Dynamic Update</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Dynamic update is the term used for the ability under
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe certain specified conditions to add, modify or delete records or
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe RRsets in the master zone files. Dynamic update is fully described
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe in RFC 2136.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Dynamic update is enabled on a zone-by-zone basis, by
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe including an <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>allow-update</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>update-policy</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> clause in the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> statement.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Updating of secure zones (zones using DNSSEC) follows
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe RFC 3007: SIG and NXT records affected by updates are automatically
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe regenerated by the server using an online zone key.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe Update authorization is based
9d12795f87b63c2e39e87bff369182edd34677d3Robert Mustacchi on transaction signatures and an explicit server policy.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="journal"
296749875bd503e7a14e25b4c57d3142cb496df1Joshua M. Clulow>4.1.1. The journal file</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>All changes made to a zone using dynamic update are stored in the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone's journal file. This file is automatically created by the
d2b9ba291ef0d1dc8807b6d46996674c723924d0Robert Mustacchi server when when the first dynamic update takes place. The name of
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the journal file is formed by appending the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe extension <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe name of the corresponding zone file. The journal file is in a
b65dd972486b1f5913d705d2a0cb9c3fb189a9e0Robert Mustacchi binary format and should not be edited manually.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The server will also occasionally write ("dump")
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the complete contents of the updated zone to its zone file.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe This is not done immediately after
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe each dynamic update, because that would be too slow when a large
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone is updated frequently. Instead, the dump is delayed by 15
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe minutes, allowing additional updates to take place.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>When a server is restarted after a shutdown or crash, it will replay
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the journal file to incorporate into the zone any updates that took
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe place after the last zone dump.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Changes that result from incoming incremental zone transfers are also
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe journalled in a similar way.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The zone files of dynamic zones cannot normally be edited by
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe hand because they are not guaranteed to contain the most recent
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe dynamic changes - those are only in the journal file.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe The only way to ensure that the zone file of a dynamic zone
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe is up to date is to run <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>rndc stop</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>If you have to make changes to a dynamic zone
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe manually, the following procedure will work: Shut down
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the server using <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>rndc stop</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> (sending a signal
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>rndc halt</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe sufficient). Wait for the server to exit,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> file, edit the zone file,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe and restart the server. Removing the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe file is necessary because the manual edits will not be
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe present in the journal, rendering it inconsistent with the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe contents of the zone file.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="incremental_zone_transfers"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.2. Incremental Zone Transfers (IXFR)</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The incremental zone transfer (IXFR) protocol is a way for
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe slave servers to transfer only changed data, instead of having to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe transfer the entire zone. The IXFR protocol is documented in RFC
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe 1995. See <A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch09.html#proposed_standards"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Proposed Standards</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>When acting as a master, <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore> 9 supports IXFR for those zones
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowewhere the necessary change history information is available. These
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweinclude master zones maintained by dynamic update and slave zones
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowewhose data was obtained by IXFR, but not manually maintained master
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowezones nor slave zones obtained by performing a full zone transfer
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>When acting as a slave, <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> 9 will attempt to use IXFR unless
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweit is explicitly disabled. For more information about disabling
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweIXFR, see the description of the <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>request-ixfr</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> statement.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN692"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.3. Split DNS</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Setting up different views, or visibility, of DNS space to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweinternal and external resolvers is usually referred to as a <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> setup. There are several reasons an organization
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowewould want to set up its DNS this way.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>One common reason for setting up a DNS system this way is
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto hide "internal" DNS information from "external" clients on the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweInternet. There is some debate as to whether or not this is actually useful.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweInternal DNS information leaks out in many ways (via email headers,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowefor example) and most savvy "attackers" can find the information
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethey need using other means.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Another common reason for setting up a Split DNS system is
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto allow internal networks that are behind filters or in RFC 1918
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowespace (reserved IP space, as documented in RFC 1918) to resolve DNS
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweon the Internet. Split DNS can also be used to allow mail from outside
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweback in to the internal network.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Here is an example of a split DNS setup:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Let's say a company named <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Example, Inc.</I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowehas several corporate sites that have an internal network with reserved
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweInternet Protocol (IP) space and an external demilitarized zone (DMZ),
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweor "outside" section of a network, that is available to the public.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Example, Inc.</I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> wants its internal clients
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto be able to resolve external hostnames and to exchange mail with
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowepeople on the outside. The company also wants its internal resolvers
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto have access to certain internal-only zones that are not available
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweat all outside of the internal network.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>In order to accomplish this, the company will set up two sets
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweof nameservers. One set will be on the inside network (in the reserved
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweIP space) and the other set will be on bastion hosts, which are "proxy"
ad0ef8fd06d1ac28108685495a9ba1244a20a5caRobert Mustacchihosts that can talk to both sides of its network, in the DMZ.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The internal servers will be configured to forward all queries,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweexcept queries for <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>, to the servers in the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweDMZ. These internal servers will have complete sets of information
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>To protect the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethe internal nameservers must be configured to disallow all queries
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto these domains from any external hosts, including the bastion
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The external servers, which are on the bastion hosts, will
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe configured to serve the "public" version of the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweThis could include things such as the host records for public servers
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweand mail exchange (MX) records (<TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>In addition, the public <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweshould have special MX records that contain wildcard (`*') records
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowepointing to the bastion hosts. This is needed because external mail
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweservers do not have any other way of looking up how to deliver mail
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto those internal hosts. With the wildcard records, the mail will
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe delivered to the bastion host, which can then forward it on to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweinternal hosts.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Here's an example of a wildcard MX record:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
d3864341aacc6a2ecc95960d23ac0e49f1f538faRobert Mustacchi>Now that they accept mail on behalf of anything in the internal
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenetwork, the bastion hosts will need to know how to deliver mail
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto internal hosts. In order for this to work properly, the resolvers on
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethe bastion hosts will need to be configured to point to the internal
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenameservers for DNS resolution.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Queries for internal hostnames will be answered by the internal
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweservers, and queries for external hostnames will be forwarded back
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweout to the DNS servers on the bastion hosts.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>In order for all this to work properly, internal clients will
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweneed to be configured to query <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> the internal
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenameservers for DNS queries. This could also be enforced via selective
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowefiltering on the network.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>If everything has been set properly, <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Example, Inc.</I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweinternal clients will now be able to:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Look up any hostnames in the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Look up any hostnames in the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> domains.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Look up any hostnames on the Internet.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Exchange mail with internal AND external people.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Hosts on the Internet will be able to:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Look up any hostnames in the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Exchange mail with anyone in the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Here is an example configuration for the setup we just
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe described above. Note that this is only configuration information;
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'Amore for information on how to configure your zone files, see <A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch03.html#sample_configuration"
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'Amore>Section 3.1</A
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'Amore>Internal DNS server config:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweacl internals { 172.16.72.0/24; 192.168.1.0/24; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweacl externals { <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="varname"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>bastion-ips-go-here</TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forward only;
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forwarders { // forward to external servers
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="varname"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>bastion-ips-go-here</TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { none; }; // sample allow-transfer (no one)
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals; externals; }; // restrict query access
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-recursion { internals; }; // restrict recursion
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowezone "site1.example.com" { // sample slave zone
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe type master;
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forwarders { }; // do normal iterative
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe // resolution (do not forward)
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals; externals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe masters { 172.16.72.3; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forwarders { };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals; externals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe type master;
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forwarders { };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; }
9d12795f87b63c2e39e87bff369182edd34677d3Robert Mustacchi masters { 172.16.72.3; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe forwarders { };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; }
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>External (bastion host) DNS server config:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> acl internals { 172.16.72.0/24; 192.168.1.0/24; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweacl externals { bastion-ips-go-here; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { none; }; // sample allow-transfer (no one)
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { internals; externals; }; // restrict query access
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-recursion { internals; externals; }; // restrict recursion
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowezone "site1.example.com" { // sample slave zone
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe type master;
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { any; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; externals; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe masters { another_bastion_host_maybe; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-query { any; };
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe allow-transfer { internals; externals; }
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> (or equivalent) on
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethe bastion host(s):</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> search ...
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenameserver 172.16.72.2
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenameserver 172.16.72.3
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowenameserver 172.16.72.4
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4. TSIG</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>This is a short guide to setting up Transaction SIGnatures
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe(TSIG) based transaction security in <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>. It describes changes
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto the configuration file as well as what changes are required for
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowedifferent features, including the process of creating transaction
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowekeys and using transaction signatures with <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> primarily supports TSIG for server to server communication.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweThis includes zone transfer, notify, and recursive query messages.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweResolvers based on newer versions of <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> 8 have limited support
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>TSIG might be most useful for dynamic update. A primary
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe server for a dynamic zone should use access control to control
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe updates, but IP-based access control is insufficient. Key-based
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe access control is far superior, see <A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch09.html#proposed_standards"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Proposed Standards</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe program supports TSIG via the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="option"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="option"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> command line options.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN783"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.1. Generate Shared Keys for Each Pair of Hosts</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>A shared secret is generated to be shared between <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweAn arbitrary key name is chosen: "host1-host2.". The key name must
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe the same on both hosts.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect3"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect3"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN788"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.1.1. Automatic Generation</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The following command will generate a 128 bit (16 byte) HMAC-MD5
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowekey as described above. Longer keys are better, but shorter keys
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweare easier to read. Note that the maximum key length is 512 bits;
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowekeys longer than that will be digested with MD5 to produce a 128
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="userinput"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The key is in the file <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNothing directly uses this file, but the base-64 encoded string
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowefollowing "<TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowecan be extracted from the file and used as a shared secret:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The string "<TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe used as the shared secret.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect3"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect3"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN799"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.1.2. Manual Generation</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The shared secret is simply a random sequence of bits, encoded
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowein base-64. Most ASCII strings are valid base-64 strings (assuming
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethe length is a multiple of 4 and only valid characters are used),
9d12795f87b63c2e39e87bff369182edd34677d3Robert Mustacchiso the shared secret can be manually generated.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Also, a known string can be run through <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowea similar program to generate base-64 encoded data.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN804"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.2. Copying the Shared Secret to Both Machines</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>This is beyond the scope of DNS. A secure transport mechanism
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweshould be used. This could be secure FTP, ssh, telephone, etc.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN807"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.3. Informing the Servers of the Key's Existence</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweboth servers. The following is added to each server's <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> key host1-host2. {
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe algorithm hmac-md5;
296749875bd503e7a14e25b4c57d3142cb496df1Joshua M. Clulow>The algorithm, hmac-md5, is the only one supported by <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweThe secret is the one generated above. Since this is a secret, it
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweis recommended that either <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> be non-world
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowereadable, or the key directive be added to a non-world readable
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowefile that is included by <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>At this point, the key is recognized. This means that if the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweserver receives a message signed by this key, it can verify the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowesignature. If the signature succeeds, the response is signed by
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowethe same key.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN819"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.4.4. Instructing the Server to Use the Key</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Since keys are shared between two hosts only, the server must
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe told when keys are to be used. The following is added to the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>, if the IP address of <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> server 10.1.2.3 {
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe keys { host1-host2. ;};
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Multiple keys may be present, but only the first is used.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweThis directive does not contain any secrets, so it may be in a world-readable
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> sends a message that is a request
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Loweto that address, the message will be signed with the specified key. <I
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="emphasis"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amoreexpect any responses to signed messages to be signed with the same
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>A similar statement must be present in <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amoreconfiguration file (with <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>'s address) for <I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amoresign request messages to <I
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN835"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>4.4.5. TSIG Key Based Access Control</A
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="acronym"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore> allows IP addresses and ranges to be specified in ACL
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amoredefinitions and
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="command"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>allow-{ query | transfer | update }</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> directives.
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreThis has been extended to allow TSIG keys also. The above key would
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowebe denoted <B
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>key host1-host2.</B
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>An example of an allow-update directive would be:</P
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="programlisting"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> allow-update { key host1-host2. ;};
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>This allows dynamic updates to succeed only if the request
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe was signed by a key named
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>host1-host2.</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>You may want to read about the more
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>update-policy</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> statement in <A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweHREF="Bv9ARM.ch06.html#dynamic_update_policies"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Section 6.2.22.4</A
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>4.4.6. Errors</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The processing of TSIG signed messages can result in
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe several errors. If a signed message is sent to a non-TSIG aware
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe server, a FORMERR will be returned, since the server will not
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe understand the record. This is a result of misconfiguration,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe since the server must be explicitly configured to send a TSIG
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe signed message to a specific server.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>If a TSIG aware server receives a message signed by an
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe unknown key, the response will be unsigned with the TSIG
f6ed5ca267d42d2a060f8447acdeb647ef077b6dRobert Mustacchi extended error code set to BADKEY. If a TSIG aware server
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe receives a message with a signature that does not validate, the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe response will be unsigned with the TSIG extended error code set
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe to BADSIG. If a TSIG aware server receives a message with a time
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe outside of the allowed range, the response will be signed with
1fcc078ae7c0a359a9274d2a5a90547aceb213a6Robert Mustacchi the TSIG extended error code set to BADTIME, and the time values
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov will be adjusted so that the response can be successfully
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov verified. In any of these cases, the message's rcode is set to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN852"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.5. TKEY</A
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> is a mechanism for automatically
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe generating a shared secret between two hosts. There are several
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe "modes" of <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> that specify how the key is
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe generated or assigned. <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> implements only one of these modes,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the Diffie-Hellman key exchange. Both hosts are required to have
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe a Diffie-Hellman KEY record (although this record is not required
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe to be present in a zone). The <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe must use signed messages, signed either by TSIG or SIG(0). The
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe result of <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> is a shared secret that can be
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe used to sign messages with TSIG. <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe be used to delete shared secrets that it had previously
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe generated.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> process is initiated by a client
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe or server by sending a signed <B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe (including any appropriate KEYs) to a TKEY-aware server. The
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe server response, if it indicates success, will contain a
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> record and any appropriate keys. After
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe this exchange, both participants have enough information to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe determine the shared secret; the exact process depends on the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> mode. When using the Diffie-Hellman
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> mode, Diffie-Hellman keys are exchanged,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe and the shared secret is derived by both participants.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN867"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.6. SIG(0)</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> 9 partially supports DNSSEC SIG(0) transaction
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe signatures as specified in RFC 2535. SIG(0) uses public/private
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe keys to authenticate messages. Access control is performed in the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe same manner as TSIG keys; privileges can be granted or denied
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe based on the key name.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>When a SIG(0) signed message is received, it will only be
ad0ef8fd06d1ac28108685495a9ba1244a20a5caRobert Mustacchi verified if the key is known and trusted by the server; the server
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe will not attempt to locate and/or validate the key.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>SIG(0) signing of multiple-message TCP streams is not
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe supported.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> 9 does not ship with any tools that generate SIG(0)
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe signed messages.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect1"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="DNSSEC"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.7. DNSSEC</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Cryptographic authentication of DNS information is possible
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe through the DNS Security (<I
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="emphasis"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>) extensions,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe defined in RFC 2535. This section describes the creation and use
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe of DNSSEC signed zones.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>In order to set up a DNSSEC secure zone, there are a series
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe of steps which must be followed. <SPAN
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="acronym"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe with several tools
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe that are used in this process, which are explained in more detail
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe below. In all cases, the "<TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="option"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>" option prints a
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe full list of parameters. Note that the DNSSEC tools require the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe keyset and signedkey files to be in the working directory, and
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe that the tools shipped with BIND 9.0.x are not fully compatible
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe with the current ones.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>There must also be communication with the administrators of
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the parent and/or child zone to transmit keys and signatures. A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone's security status must be indicated by the parent zone for a
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe DNSSEC capable resolver to trust its data.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>For other servers to trust data in this zone, they must
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe either be statically configured with this zone's zone key or the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone key of another zone above this one in the DNS tree.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN884"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.7.1. Generating Keys</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-keygen</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> program is used to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe generate keys.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>A secure zone must contain one or more zone keys. The
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone keys will sign all other records in the zone, as well as
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the zone keys of any secure delegated zones. Zone keys must
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe have the same name as the zone, a name type of
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>, and must be usable for authentication.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe It is recommended that zone keys be mandatory to implement a
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe cryptographic algorithm; currently the only key mandatory to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe implement an algorithm is DSA.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The following command will generate a 768 bit DSA key for
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="userinput"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>Two output files will be produced:
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe 12345 is an example of a key tag). The key file names contain
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the key name (<TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>), algorithm (3
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe The private key (in the <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>.private</TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe used to generate signatures, and the public key (in the
ead9bb4b1be81d7bbf8ed86ee41d6c1e58b069a3Yuri PankovCLASS="filename"
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert Mustacchi> file) is used for signature
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert Mustacchi verification.</P
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>To generate another key with the same properties (but with
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert Mustacchi a different key tag), repeat the above command.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The public keys should be inserted into the zone file with
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert MustacchiCLASS="command"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore> statements, including the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN904"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>4.7.2. Creating a Keyset</A
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert MustacchiCLASS="command"
bad51a906c423d0d7ab33fcc1a4e317d789e3c49Robert Mustacchi>dnssec-makekeyset</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> program is used
195b26986e3c19e916bf0991a1af7ae87d43010bRobert Mustacchi to create a key set from one or more keys.</P
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>Once the zone keys have been generated, a key set must be
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe built for transmission to the administrator of the parent zone,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe so that the parent zone can sign the keys with its own zone key
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe and correctly indicate the security status of this zone. When
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe building a key set, the list of keys to be included and the TTL
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe of the set must be specified, and the desired signature validity
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe period of the parent's signature may also be specified.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The list of keys to be inserted into the key set may also
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe included non-zone keys present at the top of the zone.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>dnssec-makekeyset</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> may also be used at other
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe names in the zone.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The following command generates a key set containing the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe above key and another key similarly generated, with a TTL of
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe 3600 and a signature validity period of 10 days starting from
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="userinput"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>One output file is produced:
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>. This file should be
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore transmitted to the parent to be signed. It includes the keys,
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore as well as signatures over the key set generated by the zone
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore keys themselves, which are used to prove ownership of the
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore private keys and encode the desired validity period.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN916"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.7.3. Signing the Child's Keyset</A
cb66c7814563eb32e20c1be88ae738ad8d63079dRobert MustacchiCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-signkey</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> program is used to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe sign one child's keyset.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> zone has any
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe delegations which are secure, for example,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> administrator should receive
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe keyset files for each secure subzone. These keys must be signed
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe by this zone's zone keys.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>The following command signs the child's key set with the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone keys:</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="userinput"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>One output file is produced:
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe should be both transmitted back to the child and retained. It
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe includes all keys (the child's keys) from the keyset file and
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe signatures generated by this zone's zone keys.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN929"
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'Amore>4.7.4. Signing the Zone</A
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="command"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-signzone</B
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore> program is used to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe sign a zone.</P
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'AmoreCLASS="filename"
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'Amore>signedkey</TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> files corresponding to
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe secure subzones should be present, as well as a
f07f0fb66492a2792d4da5e0a6f9a92b4c581ab3Garrett D'AmoreCLASS="filename"
538aa54d819fa7751ca82bcc30d4ed8c57ec2ef2Garrett D'Amore>signedkey</TT
538aa54d819fa7751ca82bcc30d4ed8c57ec2ef2Garrett D'Amore> file for this zone generated by
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the parent (if there is one). The zone signer will generate
538aa54d819fa7751ca82bcc30d4ed8c57ec2ef2Garrett D'AmoreCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="literal"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe> records for
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe the zone, as well as incorporate the zone key signature from the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe parent and indicate the security status at all delegation
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore>The following command signs the zone, assuming it is in a
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore file called <TT
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe default, all zone keys which have an available private key are
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe used to generate signatures.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="userinput"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>dnssec-signzone -o child.example zone.child.example</B
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>One output file is produced:
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe should be referenced by <TT
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="filename"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe input file for the zone.</P
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweCLASS="sect2"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard LoweNAME="AEN945"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe>4.7.5. Configuring Servers</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>Unlike in <SPAN
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 8, data is not verified on load in <SPAN
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov so zone keys for authoritative zones do not need to be specified
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov in the configuration file.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>The public key for any security root must be present in
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov the configuration file's <B
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="command"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>trusted-keys</B
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov statement, as described later in this document. </P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect1"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN952"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8. IPv6 Support in <SPAN
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 9 fully supports all currently defined forms of IPv6
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov name to address and address to name lookups. It will also use
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov IPv6 addresses to make queries when running on an IPv6 capable
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>For forward lookups, <SPAN
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 9 supports both A6 and AAAA
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov records. The use of AAAA records is deprecated, but it is still
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov useful for hosts to have both AAAA and A6 records to maintain
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov backward compatibility with installations where AAAA records are
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov still used. In fact, the stub resolvers currently shipped with
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov most operating system support only AAAA lookups, because following
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov A6 chains is much harder than doing A or AAAA lookups.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>For IPv6 reverse lookups, <SPAN
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 9 supports the new
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov "bitstring" format used in the <I
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="emphasis"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov domain, as well as the older, deprecated "nibble" format used in
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="emphasis"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 9 includes a new lightweight resolver library and
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov resolver daemon which new applications may choose to use to avoid
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov the complexities of A6 chain following and bitstring labels, see <A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>Chapter 5</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>For an overview of the format and structure of IPv6 addresses,
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovHREF="Bv9ARM.ch09.html#ipv6addresses"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>Section A.3.1</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN968"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.1. Address Lookups Using AAAA Records</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>The AAAA record is a parallel to the IPv4 A record. It
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov specifies the entire address in a single record. For
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovhost 3600 IN AAAA 3ffe:8050:201:1860:42::1
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>While their use is deprecated, they are useful to support
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov older IPv6 applications. They should not be added where they
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov are not absolutely necessary.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN973"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.2. Address Lookups Using A6 Records</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>The A6 record is more flexible than the AAAA record, and
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov is therefore more complicated. The A6 record can be used to
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov form a chain of A6 records, each specifying part of the IPv6
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov address. It can also be used to specify the entire record as
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov well. For example, this record supplies the same data as the
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov AAAA record in the previous example:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovhost 3600 IN A6 0 3ffe:8050:201:1860:42::1
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect3"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect3"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN977"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.2.1. A6 Chains</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>A6 records are designed to allow network
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov renumbering. This works when an A6 record only specifies the
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov part of the address space the domain owner controls. For
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov example, a host may be at a company named "company." It has
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov two ISPs which provide IPv6 address space for it. These two
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov ISPs fully specify the IPv6 prefix they supply.</P
9d12795f87b63c2e39e87bff369182edd34677d3Robert Mustacchi>In the company's address space:</P
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="programlisting"
820218f30a3ad84d92aa2970dcac9eb5cf69aaa9Robert Mustacchihost 3600 IN A6 64 0:0:0:0:42::1 company.example1.net.
820218f30a3ad84d92aa2970dcac9eb5cf69aaa9Robert Mustacchihost 3600 IN A6 64 0:0:0:0:42::1 company.example2.net.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>ISP1 will use:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovcompany 3600 IN A6 0 3ffe:8050:201:1860::
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>ISP2 will use:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovcompany 3600 IN A6 0 1234:5678:90ab:fffa::
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> is looked up,
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov the resolver (in the resolver daemon or caching name server)
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov will find two partial A6 records, and will use the additional
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov name to find the remainder of the data.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect3"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect3"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN988"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.2.2. A6 Records for DNS Servers</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>When an A6 record specifies the address of a name
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov server, it should use the full address rather than specifying
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore a partial address. For example:</P
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov@ 14400 IN NS ns0
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore 14400 IN NS ns1
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovns0 14400 IN A6 0 3ffe:8050:201:1860:42::1
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amorens1 14400 IN A 192.168.42.1
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>It is recommended that IPv4-in-IPv6 mapped addresses not
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore be used. If a host has an IPv4 address, use an A record, not
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov an A6, with <TT
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'AmoreCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>::ffff:192.168.42.1</TT
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN994"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.3. Address to Name Lookups Using Nibble Format</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>While the use of nibble format to look up names is
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov deprecated, it is supported for backwards compatiblity with
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov existing IPv6 applications.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>When looking up an address in nibble format, the address
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov components are simply reversed, just as in IPv4, and
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> is appended to the resulting name.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov For example, the following would provide reverse name lookup for
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov a host with address
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>3ffe:8050:201:1860:42::1</TT
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.int.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN1001"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.4. Address to Name Lookups Using Bitstring Format</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>Bitstring labels can start and end on any bit boundary,
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov rather than on a multiple of 4 bits as in the nibble
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov format. They also use <I
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="emphasis"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> rather than
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="emphasis"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>To replicate the previous example using bitstrings:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov\[x0042000000000001/64] 14400 IN PTR host.example.com.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="sect2"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovNAME="AEN1008"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>4.8.5. Using DNAME for Delegation of IPv6 Reverse Addresses</A
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>In IPV6, the same host may have many addresses from many
e232d9863a8486cf94eaa4bc06c2e9ff52bf3140Robert Mustacchi network providers. Since the trailing portion of the address
e232d9863a8486cf94eaa4bc06c2e9ff52bf3140Robert Mustacchi usually remains constant, <B
e232d9863a8486cf94eaa4bc06c2e9ff52bf3140Robert MustacchiCLASS="command"
e232d9863a8486cf94eaa4bc06c2e9ff52bf3140Robert Mustacchi reduce the number of zone files used for reverse mapping that
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov need to be maintained.</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>For example, consider a host which has two providers
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
2d08521bd15501c8370ba2153b9cca4f094979d0Garrett D'Amore therefore two IPv6 addresses. Since the host chooses its own 64
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov bit host address portion, the provider address is the only part
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov that changes:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovhost IN A6 64 ::1234:5678:1212:5675 cust1.example.net.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov IN A6 64 ::1234:5678:1212:5675 subnet5.example2.net.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovcust1 IN A6 48 0:0:0:dddd:: ipv6net.example.net.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovipv6net IN A6 0 aa:bb:cccc::
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovsubnet5 IN A6 48 0:0:0:1:: ipv6net2.example2.net.
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovipv6net2 IN A6 0 6666:5555:4::
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>This sets up forward lookups. To handle the reverse lookups,
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovthe provider <TT
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankovwould have:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> would have:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="literal"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov needs only one zone file to handle both of these reverse
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov mappings:</P
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="programlisting"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="NAVFOOTER"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCELLPADDING="0"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCELLSPACING="0"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovALIGN="center"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovALIGN="right"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov>Nameserver Configuration</TD
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovALIGN="center"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovALIGN="right"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri PankovCLASS="acronym"
a9478106a12424322498e53cf7cd75bd8a4d6004Yuri Pankov> 9 Lightweight Resolver</TD