2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
19 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
20 <title>Chapter 4. Advanced DNS Features</title>
21 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
22 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
23 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
25 <link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
27 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
28 <div class="navheader">
29 <table width="100%" summary="Navigation header">
30 <tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
32 <td width="20%" align="left">
33 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
34 <th width="60%" align="center"> </th>
35 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
42 <div class="titlepage"><div><div><h1 class="title">
43 <a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h1></div></div></div>
45 <p><b>Table of Contents</b></p>
47 <dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
48 <dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
49 <dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
50 <dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
51 <dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
52 <dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
53 <dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
55 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
56 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
57 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
58 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
59 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
61 <dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
62 <dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
63 <dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
65 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
66 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
67 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
69 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
71 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
72 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
73 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
74 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
75 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
76 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
77 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
78 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
79 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
80 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
81 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
82 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
83 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
85 <dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
87 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
88 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
90 <dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
92 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.4">Prerequisites</a></span></dt>
93 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.5">Building BIND 9 with PKCS#11</a></span></dt>
94 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">PKCS #11 Tools</a></span></dt>
95 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Using the HSM</a></span></dt>
96 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">Specifying the engine on the command line</a></span></dt>
97 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">Running named with automatic zone re-signing</a></span></dt>
99 <dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
101 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Address Lookups Using AAAA Records</a></span></dt>
102 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Address to Name Lookups Using Nibble Format</a></span></dt>
106 <div class="section">
107 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
108 <a name="notify"></a>Notify</h2></div></div></div>
110 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
111 servers to notify their slave servers of changes to a zone's data. In
112 response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
113 slave will check to see that its version of the zone is the
114 current version and, if not, initiate a zone transfer.
117 For more information about <acronym class="acronym">DNS</acronym>
118 <span class="command"><strong>NOTIFY</strong></span>, see the description of the
119 <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
120 the description of the zone option <span class="command"><strong>also-notify</strong></span> in
121 <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
122 protocol is specified in RFC 1996.
124 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
125 <h3 class="title">Note</h3>
127 As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
128 by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
129 it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
130 cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
135 <div class="section">
136 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
137 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
139 Dynamic Update is a method for adding, replacing or deleting
140 records in a master server by sending it a special form of DNS
141 messages. The format and meaning of these messages is specified
145 Dynamic update is enabled by including an
146 <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
147 clause in the <span class="command"><strong>zone</strong></span> statement.
150 If the zone's <span class="command"><strong>update-policy</strong></span> is set to
151 <strong class="userinput"><code>local</code></strong>, updates to the zone
152 will be permitted for the key <code class="varname">local-ddns</code>,
153 which will be generated by <span class="command"><strong>named</strong></span> at startup.
154 See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
157 Dynamic updates using Kerberos signed requests can be made
158 using the TKEY/GSS protocol by setting either the
159 <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
160 by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
161 and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
162 Kerberos signed requests will be matched against the update
163 policies for the zone, using the Kerberos principal as the
164 signer for the request.
167 Updating of secure zones (zones using DNSSEC) follows RFC
168 3007: RRSIG, NSEC and NSEC3 records affected by updates are
169 automatically regenerated by the server using an online
170 zone key. Update authorization is based on transaction
171 signatures and an explicit server policy.
173 <div class="section">
174 <div class="titlepage"><div><div><h3 class="title">
175 <a name="journal"></a>The journal file</h3></div></div></div>
177 All changes made to a zone using dynamic update are stored
178 in the zone's journal file. This file is automatically created
179 by the server when the first dynamic update takes place.
180 The name of the journal file is formed by appending the extension
181 <code class="filename">.jnl</code> to the name of the
183 file unless specifically overridden. The journal file is in a
184 binary format and should not be edited manually.
187 The server will also occasionally write ("dump")
188 the complete contents of the updated zone to its zone file.
189 This is not done immediately after
190 each dynamic update, because that would be too slow when a large
191 zone is updated frequently. Instead, the dump is delayed by
192 up to 15 minutes, allowing additional updates to take place.
193 During the dump process, transient files will be created
194 with the extensions <code class="filename">.jnw</code> and
195 <code class="filename">.jbk</code>; under ordinary circumstances, these
196 will be removed when the dump is complete, and can be safely
200 When a server is restarted after a shutdown or crash, it will replay
201 the journal file to incorporate into the zone any updates that
203 place after the last zone dump.
206 Changes that result from incoming incremental zone transfers are
208 journalled in a similar way.
211 The zone files of dynamic zones cannot normally be edited by
212 hand because they are not guaranteed to contain the most recent
213 dynamic changes — those are only in the journal file.
214 The only way to ensure that the zone file of a dynamic zone
215 is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
218 If you have to make changes to a dynamic zone
219 manually, the following procedure will work:
220 Disable dynamic updates to the zone using
221 <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
222 This will update the zone's master file with the changes
223 stored in its <code class="filename">.jnl</code> file.
224 Edit the zone file. Run
225 <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
226 to reload the changed zone and re-enable dynamic updates.
229 <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
230 will update the zone file with changes from the journal file
231 without stopping dynamic updates; this may be useful for viewing
232 the current zone state. To remove the <code class="filename">.jnl</code>
233 file after updating the zone file, use
234 <span class="command"><strong>rndc sync -clean</strong></span>.
238 <div class="section">
239 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
240 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
242 The incremental zone transfer (IXFR) protocol is a way for
243 slave servers to transfer only changed data, instead of having to
244 transfer the entire zone. The IXFR protocol is specified in RFC
245 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
248 When acting as a master, <acronym class="acronym">BIND</acronym> 9
249 supports IXFR for those zones
250 where the necessary change history information is available. These
251 include master zones maintained by dynamic update and slave zones
252 whose data was obtained by IXFR. For manually maintained master
253 zones, and for slave zones obtained by performing a full zone
254 transfer (AXFR), IXFR is supported only if the option
255 <span class="command"><strong>ixfr-from-differences</strong></span> is set
256 to <strong class="userinput"><code>yes</code></strong>.
259 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
260 attempt to use IXFR unless
261 it is explicitly disabled. For more information about disabling
262 IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
263 of the <span class="command"><strong>server</strong></span> statement.
266 <div class="section">
267 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
268 <a name="split_dns"></a>Split DNS</h2></div></div></div>
270 Setting up different views, or visibility, of the DNS space to
271 internal and external resolvers is usually referred to as a
272 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
273 reasons an organization would want to set up its DNS this way.
276 One common reason for setting up a DNS system this way is
277 to hide "internal" DNS information from "external" clients on the
278 Internet. There is some debate as to whether or not this is actually
280 Internal DNS information leaks out in many ways (via email headers,
281 for example) and most savvy "attackers" can find the information
282 they need using other means.
283 However, since listing addresses of internal servers that
284 external clients cannot possibly reach can result in
285 connection delays and other annoyances, an organization may
286 choose to use a Split DNS to present a consistent view of itself
287 to the outside world.
290 Another common reason for setting up a Split DNS system is
291 to allow internal networks that are behind filters or in RFC 1918
292 space (reserved IP space, as documented in RFC 1918) to resolve DNS
293 on the Internet. Split DNS can also be used to allow mail from outside
294 back in to the internal network.
296 <div class="section">
297 <div class="titlepage"><div><div><h3 class="title">
298 <a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
300 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
301 (<code class="literal">example.com</code>)
302 has several corporate sites that have an internal network with
304 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
305 or "outside" section of a network, that is available to the public.
308 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
309 to be able to resolve external hostnames and to exchange mail with
310 people on the outside. The company also wants its internal resolvers
311 to have access to certain internal-only zones that are not available
312 at all outside of the internal network.
315 In order to accomplish this, the company will set up two sets
316 of name servers. One set will be on the inside network (in the
318 IP space) and the other set will be on bastion hosts, which are
320 hosts that can talk to both sides of its network, in the DMZ.
323 The internal servers will be configured to forward all queries,
324 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
325 and <code class="filename">site2.example.com</code>, to the servers
327 DMZ. These internal servers will have complete sets of information
328 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
329 and <code class="filename">site2.internal</code>.
332 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
333 the internal name servers must be configured to disallow all queries
334 to these domains from any external hosts, including the bastion
338 The external servers, which are on the bastion hosts, will
339 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
340 This could include things such as the host records for public servers
341 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
342 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
345 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
346 should have special MX records that contain wildcard (`*') records
347 pointing to the bastion hosts. This is needed because external mail
348 servers do not have any other way of looking up how to deliver mail
349 to those internal hosts. With the wildcard records, the mail will
350 be delivered to the bastion host, which can then forward it on to
354 Here's an example of a wildcard MX record:
356 <pre class="programlisting">* IN MX 10 external1.example.com.</pre>
358 Now that they accept mail on behalf of anything in the internal
359 network, the bastion hosts will need to know how to deliver mail
360 to internal hosts. In order for this to work properly, the resolvers
362 the bastion hosts will need to be configured to point to the internal
363 name servers for DNS resolution.
366 Queries for internal hostnames will be answered by the internal
367 servers, and queries for external hostnames will be forwarded back
368 out to the DNS servers on the bastion hosts.
371 In order for all this to work properly, internal clients will
372 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
373 name servers for DNS queries. This could also be enforced via
375 filtering on the network.
378 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
379 internal clients will now be able to:
381 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
382 <li class="listitem">
383 Look up any hostnames in the <code class="literal">site1</code>
385 <code class="literal">site2.example.com</code> zones.
387 <li class="listitem">
388 Look up any hostnames in the <code class="literal">site1.internal</code> and
389 <code class="literal">site2.internal</code> domains.
391 <li class="listitem">Look up any hostnames on the Internet.</li>
392 <li class="listitem">Exchange mail with both internal and external people.</li>
395 Hosts on the Internet will be able to:
397 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
398 <li class="listitem">
399 Look up any hostnames in the <code class="literal">site1</code>
401 <code class="literal">site2.example.com</code> zones.
403 <li class="listitem">
404 Exchange mail with anyone in the <code class="literal">site1</code> and
405 <code class="literal">site2.example.com</code> zones.
409 Here is an example configuration for the setup we just
410 described above. Note that this is only configuration information;
411 for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
414 Internal DNS server config:
416 <pre class="programlisting">
418 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
420 acl externals { <code class="varname">bastion-ips-go-here</code>; };
426 // forward to external servers
428 <code class="varname">bastion-ips-go-here</code>;
430 // sample allow-transfer (no one)
431 allow-transfer { none; };
432 // restrict query access
433 allow-query { internals; externals; };
434 // restrict recursion
435 allow-recursion { internals; };
440 // sample master zone
441 zone "site1.example.com" {
443 file "m/site1.example.com";
444 // do normal iterative resolution (do not forward)
446 allow-query { internals; externals; };
447 allow-transfer { internals; };
451 zone "site2.example.com" {
453 file "s/site2.example.com";
454 masters { 172.16.72.3; };
456 allow-query { internals; externals; };
457 allow-transfer { internals; };
460 zone "site1.internal" {
462 file "m/site1.internal";
464 allow-query { internals; };
465 allow-transfer { internals; }
468 zone "site2.internal" {
470 file "s/site2.internal";
471 masters { 172.16.72.3; };
473 allow-query { internals };
474 allow-transfer { internals; }
478 External (bastion host) DNS server config:
480 <pre class="programlisting">
481 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
483 acl externals { bastion-ips-go-here; };
488 // sample allow-transfer (no one)
489 allow-transfer { none; };
490 // default query access
491 allow-query { any; };
492 // restrict cache access
493 allow-query-cache { internals; externals; };
494 // restrict recursion
495 allow-recursion { internals; externals; };
501 zone "site1.example.com" {
503 file "m/site1.foo.com";
504 allow-transfer { internals; externals; };
507 zone "site2.example.com" {
509 file "s/site2.foo.com";
510 masters { another_bastion_host_maybe; };
511 allow-transfer { internals; externals; }
515 In the <code class="filename">resolv.conf</code> (or equivalent) on
518 <pre class="programlisting">
520 nameserver 172.16.72.2
521 nameserver 172.16.72.3
522 nameserver 172.16.72.4
526 <div class="section">
527 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
528 <a name="tsig"></a>TSIG</h2></div></div></div>
530 TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
531 messages, originally specified in RFC 2845. It allows DNS messages
532 to be cryptographically signed using a shared secret. TSIG can
533 be used in any DNS transaction, as a way to restrict access to
534 certain server functions (e.g., recursive queries) to authorized
535 clients when IP-based access control is insufficient or needs to
536 be overridden, or as a way to ensure message authenticity when it
537 is critical to the integrity of the server, such as with dynamic
538 UPDATE messages or zone transfers from a master to a slave server.
541 This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
542 It describes the configuration syntax and the process of creating
546 <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
547 communication, and some of the tools included with
548 <acronym class="acronym">BIND</acronym> support it for sending messages to
549 <span class="command"><strong>named</strong></span>:
551 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
552 <li class="listitem">
553 <a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
554 <code class="option">-k</code>, <code class="option">-l</code> and
555 <code class="option">-y</code> command line options, or via
556 the <span class="command"><strong>key</strong></span> command when running
559 <li class="listitem">
560 <a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
561 <code class="option">-k</code> and <code class="option">-y</code> command
567 <div class="section">
568 <div class="titlepage"><div><div><h3 class="title">
569 <a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
571 TSIG keys can be generated using the <span class="command"><strong>ddns-confgen</strong></span>
572 command; the output of the command is a <span class="command"><strong>key</strong></span> directive
573 suitable for inclusion in <code class="filename">named.conf</code>. The
574 key name and algorithm can be specified by command line parameters;
575 the defaults are "ddns-key" and HMAC-SHA256, respectively. By
576 default, the output of <span class="command"><strong>ddns-confgen</strong></span> also includes
577 additional configuration text for setting up dynamic DNS in
578 <span class="command"><strong>named</strong></span>; the <code class="option">-q</code> suppresses
579 this. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a> for further details.
582 Any string which is a valid DNS name can be used as a key name.
583 For example, a key to be shared between servers called
584 <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
585 be called "host1-host2.", and this key could be generated using:
587 <pre class="programlisting">
588 $ ddns-confgen -q -k host1-host2. > host1-host2.key
591 This key may then be copied to both hosts. The key name and secret
592 must be identical on both hosts.
593 (Note: copying a shared secret from one server to another is beyond
594 the scope of the DNS. A secure transport mechanism should be used:
595 secure FTP, SSL, ssh, telephone, encrypted email, etc.)
598 <div class="section">
599 <div class="titlepage"><div><div><h3 class="title">
600 <a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
602 For a key shared between servers called
603 <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
604 the following could be added to each server's
605 <code class="filename">named.conf</code> file:
607 <pre class="programlisting">
609 algorithm hmac-sha256;
610 secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
614 (This is the same key generated above using
615 <span class="command"><strong>ddns-confgen</strong></span>.)
618 Since this text contains a secret, it
619 is recommended that either <code class="filename">named.conf</code> not be
620 world-readable, or that the <span class="command"><strong>key</strong></span> directive
621 be stored in a file which is not world-readable, and which is
622 included in <code class="filename">named.conf</code> via the
623 <span class="command"><strong>include</strong></span> directive.
626 Once a key has been added to <code class="filename">named.conf</code> and the
627 server has been restarted or reconfigured, the server can recognize
628 the key. If the server receives a message signed by the
629 key, it will be able to verify the signature. If the signature
630 is valid, the response will be signed using the same key.
633 TSIG keys that are known to a server can be listed using the
634 command <span class="command"><strong>rndc tsig-list</strong></span>.
637 <div class="section">
638 <div class="titlepage"><div><div><h3 class="title">
639 <a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
641 A server sending a request to another server must be told whether
642 to use a key, and if so, which key to use.
645 For example, a key may be specified for each server in the
646 <span class="command"><strong>masters</strong></span> statement in the definition of a
647 slave zone; in this case, all SOA QUERY messages, NOTIFY
648 messages, and zone transfer requests (AXFR or IXFR) will be
649 signed using the specified key. Keys may also be specified
650 in the <span class="command"><strong>also-notify</strong></span> statement of a master
651 or slave zone, causing NOTIFY messages to be signed using
655 Keys can also be specified in a <span class="command"><strong>server</strong></span>
656 directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
657 if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
658 cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
659 to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
660 signed using the <span class="command"><strong>host1-host2.</strong></span> key:
662 <pre class="programlisting">
664 keys { host1-host2. ;};
668 Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
669 statement, but only the first one is used. As this directive does
670 not contain secrets, it can be used in a world-readable file.
673 Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
674 would <span class="emphasis"><em>not</em></span> be signed, unless a similar
675 <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
679 Whenever any server sends a TSIG-signed DNS request, it will expect
680 the response to be signed with the same key. If a response is not
681 signed, or if the signature is not valid, the response will be
685 <div class="section">
686 <div class="titlepage"><div><div><h3 class="title">
687 <a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
689 TSIG keys may be specified in ACL definitions and ACL directives
690 such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
691 and <span class="command"><strong>allow-update</strong></span>.
692 The above key would be denoted in an ACL element as
693 <span class="command"><strong>key host1-host2.</strong></span>
696 An example of an <span class="command"><strong>allow-update</strong></span> directive using
699 <pre class="programlisting">
700 allow-update { !{ !localnets; any; }; key host1-host2. ;};
703 This allows dynamic updates to succeed only if the UPDATE
704 request comes from an address in <span class="command"><strong>localnets</strong></span>,
705 <span class="emphasis"><em>and</em></span> if it is signed using the
706 <span class="command"><strong>host1-host2.</strong></span> key.
709 See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
710 the more flexible <span class="command"><strong>update-policy</strong></span> statement.
713 <div class="section">
714 <div class="titlepage"><div><div><h3 class="title">
715 <a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
717 Processing of TSIG-signed messages can result in several errors:
719 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
720 <li class="listitem">
721 If a TSIG-aware server receives a message signed by an
722 unknown key, the response will be unsigned, with the TSIG
723 extended error code set to BADKEY.
725 <li class="listitem">
726 If a TSIG-aware server receives a message from a known key
727 but with an invalid signature, the response will be unsigned,
728 with the TSIG extended error code set to BADSIG.
730 <li class="listitem">
731 If a TSIG-aware server receives a message with a time
732 outside of the allowed range, the response will be signed, with
733 the TSIG extended error code set to BADTIME, and the time values
734 will be adjusted so that the response can be successfully
739 In all of the above cases, the server will return a response code
740 of NOTAUTH (not authenticated).
744 <div class="section">
745 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
746 <a name="tkey"></a>TKEY</h2></div></div></div>
748 TKEY (Transaction KEY) is a mechanism for automatically negotiating
749 a shared secret between two hosts, originally specified in RFC 2930.
752 There are several TKEY "modes" that specify how a key is to be
753 generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
754 one of these modes: Diffie-Hellman key exchange. Both hosts are
755 required to have a KEY record with algorithm DH (though this
756 record is not required to be present in a zone).
759 The TKEY process is initiated by a client or server by sending
760 a query of type TKEY to a TKEY-aware server. The query must include
761 an appropriate KEY record in the additional section, and
762 must be signed using either TSIG or SIG(0) with a previously
763 established key. The server's response, if successful, will
764 contain a TKEY record in its answer section. After this transaction,
765 both participants will have enough information to calculate a
766 shared secret using Diffie-Hellman key exchange. The shared secret
767 can then be used by to sign subsequent transactions between the
771 TSIG keys known by the server, including TKEY-negotiated keys, can
772 be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
775 TKEY-negotiated keys can be deleted from a server using
776 <span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via
777 the TKEY protocol itself, by sending an authenticated TKEY query
778 specifying the "key deletion" mode.
781 <div class="section">
782 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
783 <a name="sig0"></a>SIG(0)</h2></div></div></div>
785 <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
786 transaction signatures as specified in RFC 2535 and RFC 2931.
787 SIG(0) uses public/private keys to authenticate messages. Access control
788 is performed in the same manner as TSIG keys; privileges can be
789 granted or denied in ACL directives based on the key name.
792 When a SIG(0) signed message is received, it will only be
793 verified if the key is known and trusted by the server. The
794 server will not attempt to recursively fetch or validate the
798 SIG(0) signing of multiple-message TCP streams is not supported.
801 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
802 generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
805 <div class="section">
806 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
807 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
809 Cryptographic authentication of DNS information is possible
810 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
811 defined in RFC 4033, RFC 4034, and RFC 4035.
812 This section describes the creation and use of DNSSEC signed zones.
815 In order to set up a DNSSEC secure zone, there are a series
816 of steps which must be followed. <acronym class="acronym">BIND</acronym>
819 that are used in this process, which are explained in more detail
820 below. In all cases, the <code class="option">-h</code> option prints a
821 full list of parameters. Note that the DNSSEC tools require the
822 keyset files to be in the working directory or the
823 directory specified by the <code class="option">-d</code> option, and
824 that the tools shipped with BIND 9.2.x and earlier are not compatible
825 with the current ones.
828 There must also be communication with the administrators of
829 the parent and/or child zone to transmit keys. A zone's security
830 status must be indicated by the parent zone for a DNSSEC capable
831 resolver to trust its data. This is done through the presence
832 or absence of a <code class="literal">DS</code> record at the
837 For other servers to trust data in this zone, they must
838 either be statically configured with this zone's zone key or the
839 zone key of another zone above this one in the DNS tree.
841 <div class="section">
842 <div class="titlepage"><div><div><h3 class="title">
843 <a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
845 The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
849 A secure zone must contain one or more zone keys. The
850 zone keys will sign all other records in the zone, as well as
851 the zone keys of any secure delegated zones. Zone keys must
852 have the same name as the zone, a name type of
853 <span class="command"><strong>ZONE</strong></span>, and must be usable for
855 It is recommended that zone keys use a cryptographic algorithm
856 designated as "mandatory to implement" by the IETF; currently
857 the only one is RSASHA1.
860 The following command will generate a 768-bit RSASHA1 key for
861 the <code class="filename">child.example</code> zone:
864 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
867 Two output files will be produced:
868 <code class="filename">Kchild.example.+005+12345.key</code> and
869 <code class="filename">Kchild.example.+005+12345.private</code>
871 12345 is an example of a key tag). The key filenames contain
872 the key name (<code class="filename">child.example.</code>),
874 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
876 The private key (in the <code class="filename">.private</code>
878 used to generate signatures, and the public key (in the
879 <code class="filename">.key</code> file) is used for signature
883 To generate another key with the same properties (but with
884 a different key tag), repeat the above command.
887 The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
888 to get a key pair from a crypto hardware and build the key
889 files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
892 The public keys should be inserted into the zone file by
893 including the <code class="filename">.key</code> files using
894 <span class="command"><strong>$INCLUDE</strong></span> statements.
897 <div class="section">
898 <div class="titlepage"><div><div><h3 class="title">
899 <a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
901 The <span class="command"><strong>dnssec-signzone</strong></span> program is used
905 Any <code class="filename">keyset</code> files corresponding to
906 secure subzones should be present. The zone signer will
907 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
908 and <code class="literal">RRSIG</code> records for the zone, as
909 well as <code class="literal">DS</code> for the child zones if
910 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
911 is not specified, then DS RRsets for the secure child
912 zones need to be added manually.
915 The following command signs the zone, assuming it is in a
916 file called <code class="filename">zone.child.example</code>. By
917 default, all zone keys which have an available private key are
918 used to generate signatures.
921 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
924 One output file is produced:
925 <code class="filename">zone.child.example.signed</code>. This
927 should be referenced by <code class="filename">named.conf</code>
929 input file for the zone.
931 <p><span class="command"><strong>dnssec-signzone</strong></span>
932 will also produce a keyset and dsset files and optionally a
933 dlvset file. These are used to provide the parent zone
934 administrators with the <code class="literal">DNSKEYs</code> (or their
935 corresponding <code class="literal">DS</code> records) that are the
936 secure entry point to the zone.
939 <div class="section">
940 <div class="titlepage"><div><div><h3 class="title">
941 <a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
943 To enable <span class="command"><strong>named</strong></span> to respond appropriately
944 to DNS requests from DNSSEC aware clients,
945 <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
946 (This is the default setting.)
949 To enable <span class="command"><strong>named</strong></span> to validate answers from
950 other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
951 must be set to <strong class="userinput"><code>yes</code></strong>, and the
952 <span class="command"><strong>dnssec-validation</strong></span> options must be set to
953 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
956 If <span class="command"><strong>dnssec-validation</strong></span> is set to
957 <strong class="userinput"><code>auto</code></strong>, then a default
958 trust anchor for the DNS root zone will be used.
959 If it is set to <strong class="userinput"><code>yes</code></strong>, however,
960 then at least one trust anchor must be configured
961 with a <span class="command"><strong>trusted-keys</strong></span> or
962 <span class="command"><strong>managed-keys</strong></span> statement in
963 <code class="filename">named.conf</code>, or DNSSEC validation
964 will not occur. The default setting is
965 <strong class="userinput"><code>yes</code></strong>.
968 <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
969 for zones that are used to form the first link in the
970 cryptographic chain of trust. All keys listed in
971 <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
972 are deemed to exist and only the listed keys will be used
973 to validated the DNSKEY RRset that they are from.
976 <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
977 automatically kept up to date via RFC 5011 trust anchor
981 <span class="command"><strong>trusted-keys</strong></span> and
982 <span class="command"><strong>managed-keys</strong></span> are described in more detail
983 later in this document.
986 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
987 9 does not verify signatures on load, so zone keys for
988 authoritative zones do not need to be specified in the
992 After DNSSEC gets established, a typical DNSSEC configuration
993 will look something like the following. It has one or
994 more public keys for the root. This allows answers from
995 outside the organization to be validated. It will also
996 have several keys for parts of the namespace the organization
997 controls. These are here to ensure that <span class="command"><strong>named</strong></span>
998 is immune to compromises in the DNSSEC components of the security
1001 <pre class="programlisting">
1004 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
1005 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
1006 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
1007 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
1008 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
1009 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
1010 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
1011 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
1012 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
1013 dgxbcDTClU0CRBdiieyLMNzXG3";
1017 /* Key for our organization's forward zone */
1018 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
1019 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
1020 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
1021 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
1022 kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
1023 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
1024 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
1025 FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
1026 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
1027 /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
1030 /* Key for our reverse zone. */
1031 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
1032 xOdNax071L18QqZnQQQAVVr+i
1033 LhGTnNGp3HoWQLUIzKrJVZ3zg
1034 gy3WwNT6kZo6c0tszYqbtvchm
1035 gQC8CzKojM/W16i6MG/eafGU3
1036 siaOdS0yOI6BgPsw+YZdzlYMa
1037 IJGf4M4dyoKIhzdZyQ2bYQrjy
1038 Q4LB0lC7aOnsMyYKHHYeRvPxj
1039 IQXmdqgOJGq+vsevG06zW+1xg
1040 YJh9rCIfnm1GX/KMgxLPG2vXT
1041 D/RnLX+D3T3UL7HJYHJhAZD5L
1042 59VvjSPsZJHeDCUyWYrvPZesZ
1043 DIRvhDD52SKvbheeTJUm6Ehkz
1044 ytNN2SN96QRk8j/iI8ib";
1050 dnssec-validation yes;
1053 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1054 <h3 class="title">Note</h3>
1056 None of the keys listed in this example are valid. In particular,
1057 the root key is not valid.
1061 When DNSSEC validation is enabled and properly configured,
1062 the resolver will reject any answers from signed, secure zones
1063 which fail to validate, and will return SERVFAIL to the client.
1066 Responses may fail to validate for any of several reasons,
1067 including missing, expired, or invalid signatures, a key which
1068 does not match the DS RRset in the parent zone, or an insecure
1069 response from a zone which, according to its parent, should have
1072 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1073 <h3 class="title">Note</h3>
1075 When the validator receives a response from an unsigned zone
1076 that has a signed parent, it must confirm with the parent
1077 that the zone was intentionally left unsigned. It does
1078 this by verifying, via signed and validated NSEC/NSEC3 records,
1079 that the parent zone contains no DS records for the child.
1082 If the validator <span class="emphasis"><em>can</em></span> prove that the zone
1083 is insecure, then the response is accepted. However, if it
1084 cannot, then it must assume an insecure response to be a
1085 forgery; it rejects the response and logs an error.
1088 The logged error reads "insecurity proof failed" and
1089 "got insecure response; parent indicates it should be secure".
1090 (Prior to BIND 9.7, the logged error was "not insecure".
1091 This referred to the zone, not the response.)
1096 <div class="section">
1097 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1098 <a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
1099 <p>As of BIND 9.7.0 it is possible to change a dynamic zone
1100 from insecure to signed and back again. A secure zone can use
1101 either NSEC or NSEC3 chains.</p>
1102 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1103 <a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
1104 <p>Changing a zone from insecure to secure can be done in two
1105 ways: using a dynamic DNS update, or the
1106 <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
1107 <p>For either method, you need to configure
1108 <span class="command"><strong>named</strong></span> so that it can see the
1109 <code class="filename">K*</code> files which contain the public and private
1110 parts of the keys that will be used to sign the zone. These files
1111 will have been generated by
1112 <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
1113 in the key-directory, as specified in
1114 <code class="filename">named.conf</code>:</p>
1115 <pre class="programlisting">
1118 update-policy local;
1119 file "dynamic/example.net/example.net";
1120 key-directory "dynamic/example.net";
1123 <p>If one KSK and one ZSK DNSKEY key have been generated, this
1124 configuration will cause all records in the zone to be signed
1125 with the ZSK, and the DNSKEY RRset to be signed with the KSK as
1126 well. An NSEC chain will be generated as part of the initial
1127 signing process.</p>
1128 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1129 <a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div></div>
1130 <p>To insert the keys via dynamic update:</p>
1131 <pre class="screen">
1134 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
1135 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
1138 <p>While the update request will complete almost immediately,
1139 the zone will not be completely signed until
1140 <span class="command"><strong>named</strong></span> has had time to walk the zone and
1141 generate the NSEC and RRSIG records. The NSEC record at the apex
1142 will be added last, to signal that there is a complete NSEC
1144 <p>If you wish to sign using NSEC3 instead of NSEC, you should
1145 add an NSEC3PARAM record to the initial update request. If you
1146 wish the NSEC3 chain to have the OPTOUT bit set, set it in the
1147 flags field of the NSEC3PARAM record.</p>
1148 <pre class="screen">
1151 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
1152 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
1153 > update add example.net NSEC3PARAM 1 1 100 1234567890
1156 <p>Again, this update request will complete almost
1157 immediately; however, the record won't show up until
1158 <span class="command"><strong>named</strong></span> has had a chance to build/remove the
1159 relevant chain. A private type record will be created to record
1160 the state of the operation (see below for more details), and will
1161 be removed once the operation completes.</p>
1162 <p>While the initial signing and NSEC/NSEC3 chain generation
1163 is happening, other updates are possible as well.</p>
1164 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1165 <a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
1166 <p>To enable automatic signing, add the
1167 <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
1168 <code class="filename">named.conf</code>.
1169 <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
1170 <code class="constant">allow</code> or
1171 <code class="constant">maintain</code>.</p>
1173 <span class="command"><strong>auto-dnssec allow</strong></span>,
1174 <span class="command"><strong>named</strong></span> can search the key directory for keys
1175 matching the zone, insert them into the zone, and use them to
1176 sign the zone. It will do so only when it receives an
1177 <span class="command"><strong>rndc sign <zonename></strong></span>.</p>
1180 <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
1181 functionality, but will also automatically adjust the zone's
1182 DNSKEY records on schedule according to the keys' timing metadata.
1183 (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
1184 <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
1187 <span class="command"><strong>named</strong></span> will periodically search the key directory
1188 for keys matching the zone, and if the keys' metadata indicates
1189 that any change should be made the zone, such as adding, removing,
1190 or revoking a key, then that action will be carried out. By default,
1191 the key directory is checked for changes every 60 minutes; this period
1192 can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
1193 to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
1194 <span class="command"><strong>named</strong></span> to check for key updates immediately.
1197 If keys are present in the key directory the first time the zone
1198 is loaded, the zone will be signed immediately, without waiting for an
1199 <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
1200 command. (Those commands can still be used when there are unscheduled
1201 key changes, however.)
1204 When new keys are added to a zone, the TTL is set to match that
1205 of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
1206 then the TTL will be set to the TTL specified when the key was
1207 created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
1208 any, or to the SOA TTL.
1211 If you wish the zone to be signed using NSEC3 instead of NSEC,
1212 submit an NSEC3PARAM record via dynamic update prior to the
1213 scheduled publication and activation of the keys. If you wish the
1214 NSEC3 chain to have the OPTOUT bit set, set it in the flags field
1215 of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
1216 the zone immediately, but it will be stored for later reference. When
1217 the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
1218 record will appear in the zone.
1221 <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
1222 configured to allow dynamic updates, by adding an
1223 <span class="command"><strong>allow-update</strong></span> or
1224 <span class="command"><strong>update-policy</strong></span> statement to the zone
1225 configuration. If this has not been done, the configuration will
1227 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1228 <a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div></div>
1229 <p>The state of the signing process is signaled by
1230 private-type records (with a default type value of 65534). When
1231 signing is complete, these records will have a nonzero value for
1232 the final octet (for those records which have a nonzero initial
1234 <p>The private type record format: If the first octet is
1235 non-zero then the record indicates that the zone needs to be
1236 signed with the key matching the record, or that all signatures
1237 that match the record should be removed.</p>
1240 <div class="literallayout"><p><br>
1242 algorithm (octet 1)<br>
1243 key id in network order (octet 2 and 3)<br>
1244 removal flag (octet 4)<br>
1245 complete flag (octet 5)<br>
1249 <p>Only records flagged as "complete" can be removed via
1250 dynamic update. Attempts to remove other private type records
1251 will be silently ignored.</p>
1252 <p>If the first octet is zero (this is a reserved algorithm
1253 number that should never appear in a DNSKEY record) then the
1254 record indicates changes to the NSEC3 chains are in progress. The
1255 rest of the record contains an NSEC3PARAM record. The flag field
1256 tells what operation to perform based on the flag bits.</p>
1259 <div class="literallayout"><p><br>
1268 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1269 <a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
1270 <p>As with insecure-to-secure conversions, rolling DNSSEC
1271 keys can be done in two ways: using a dynamic DNS update, or the
1272 <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
1273 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1274 <a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
1275 <p> To perform key rollovers via dynamic update, you need to add
1276 the <code class="filename">K*</code> files for the new keys so that
1277 <span class="command"><strong>named</strong></span> can find them. You can then add the new
1278 DNSKEY RRs via dynamic update.
1279 <span class="command"><strong>named</strong></span> will then cause the zone to be signed
1280 with the new keys. When the signing is complete the private type
1281 records will be updated so that the last octet is non
1283 <p>If this is for a KSK you need to inform the parent and any
1284 trust anchor repositories of the new KSK.</p>
1285 <p>You should then wait for the maximum TTL in the zone before
1286 removing the old DNSKEY. If it is a KSK that is being updated,
1287 you also need to wait for the DS RRset in the parent to be
1288 updated and its TTL to expire. This ensures that all clients will
1289 be able to verify at least one signature when you remove the old
1291 <p>The old DNSKEY can be removed via UPDATE. Take care to
1292 specify the correct key.
1293 <span class="command"><strong>named</strong></span> will clean out any signatures generated
1294 by the old key after the update completes.</p>
1295 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1296 <a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
1297 <p>When a new key reaches its activation date (as set by
1298 <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
1299 if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
1300 <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
1301 automatically carry out the key rollover. If the key's algorithm
1302 has not previously been used to sign the zone, then the zone will
1303 be fully signed as quickly as possible. However, if the new key
1304 is replacing an existing key of the same algorithm, then the
1305 zone will be re-signed incrementally, with signatures from the
1306 old key being replaced with signatures from the new key as their
1307 signature validity periods expire. By default, this rollover
1308 completes in 30 days, after which it will be safe to remove the
1309 old key from the DNSKEY RRset.</p>
1310 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1311 <a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
1312 <p>Add the new NSEC3PARAM record via dynamic update. When the
1313 new NSEC3 chain has been generated, the NSEC3PARAM flag field
1314 will be zero. At this point you can remove the old NSEC3PARAM
1315 record. The old chain will be removed after the update request
1317 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1318 <a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
1319 <p>To do this, you just need to add an NSEC3PARAM record. When
1320 the conversion is complete, the NSEC chain will have been removed
1321 and the NSEC3PARAM record will have a zero flag field. The NSEC3
1322 chain will be generated before the NSEC chain is
1324 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1325 <a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
1326 <p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
1327 remove all NSEC3PARAM records with a zero flag
1328 field. The NSEC chain will be generated before the NSEC3 chain is
1330 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1331 <a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div></div>
1332 <p>To convert a signed zone to unsigned using dynamic DNS,
1333 delete all the DNSKEY records from the zone apex using
1334 <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
1335 and associated NSEC3PARAM records will be removed automatically.
1336 This will take place after the update request completes.</p>
1337 <p> This requires the
1338 <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
1339 <strong class="userinput"><code>yes</code></strong> in
1340 <code class="filename">named.conf</code>.</p>
1341 <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
1342 zone statement is used, it should be removed or changed to
1343 <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
1345 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1346 <a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div></div>
1347 <p>In any secure zone which supports dynamic updates, named
1348 will periodically re-sign RRsets which have not been re-signed as
1349 a result of some update action. The signature lifetimes will be
1350 adjusted so as to spread the re-sign load over time rather than
1352 <div class="section"><div class="titlepage"><div><div><h3 class="title">
1353 <a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
1355 <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
1356 where all the NSEC3 records in the zone have the same OPTOUT
1358 <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
1359 records in the chain have mixed OPTOUT state.
1360 <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
1361 state of an individual NSEC3 record, the entire chain needs to be
1362 changed if the OPTOUT state of an individual NSEC3 needs to be
1365 <div class="section">
1366 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1367 <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
1368 <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
1369 anchor management. Using this feature allows
1370 <span class="command"><strong>named</strong></span> to keep track of changes to critical
1371 DNSSEC keys without any need for the operator to make changes to
1372 configuration files.</p>
1373 <div class="section">
1374 <div class="titlepage"><div><div><h3 class="title">
1375 <a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
1376 <p>To configure a validating resolver to use RFC 5011 to
1377 maintain a trust anchor, configure the trust anchor using a
1378 <span class="command"><strong>managed-keys</strong></span> statement. Information about
1379 this can be found in
1380 <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
1381 and Usage”</a>.</p>
1383 <div class="section">
1384 <div class="titlepage"><div><div><h3 class="title">
1385 <a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
1386 <p>To set up an authoritative zone for RFC 5011 trust anchor
1387 maintenance, generate two (or more) key signing keys (KSKs) for
1388 the zone. Sign the zone with one of them; this is the "active"
1389 KSK. All KSK's which do not sign the zone are "stand-by"
1391 <p>Any validating resolver which is configured to use the
1392 active KSK as an RFC 5011-managed trust anchor will take note
1393 of the stand-by KSKs in the zone's DNSKEY RRset, and store them
1394 for future reference. The resolver will recheck the zone
1395 periodically, and after 30 days, if the new key is still there,
1396 then the key will be accepted by the resolver as a valid trust
1397 anchor for the zone. Any time after this 30-day acceptance
1398 timer has completed, the active KSK can be revoked, and the
1399 zone can be "rolled over" to the newly accepted key.</p>
1400 <p>The easiest way to place a stand-by key in a zone is to
1401 use the "smart signing" features of
1402 <span class="command"><strong>dnssec-keygen</strong></span> and
1403 <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
1404 date in the past, but an activation date which is unset or in
1406 <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
1407 record in the zone, but will not sign with it:</p>
1408 <pre class="screen">
1409 $ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
1410 $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
1412 <p>To revoke a key, the new command
1413 <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
1414 REVOKED bit to the key flags and re-generates the
1415 <code class="filename">K*.key</code> and
1416 <code class="filename">K*.private</code> files.</p>
1417 <p>After revoking the active key, the zone must be signed
1418 with both the revoked KSK and the new active KSK. (Smart
1419 signing takes care of this automatically.)</p>
1420 <p>Once a key has been revoked and used to sign the DNSKEY
1421 RRset in which it appears, that key will never again be
1422 accepted as a valid trust anchor by the resolver. However,
1423 validation can proceed using the new active key (which had been
1424 accepted by the resolver when it was a stand-by key).</p>
1425 <p>See RFC 5011 for more details on key rollover
1427 <p>When a key has been revoked, its key ID changes,
1428 increasing by 128, and wrapping around at 65535. So, for
1429 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
1430 "<code class="filename">Kexample.com.+005+10128</code>".</p>
1431 <p>If two keys have ID's exactly 128 apart, and one is
1432 revoked, then the two key ID's will collide, causing several
1433 problems. To prevent this,
1434 <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
1435 another key is present which may collide. This checking will
1436 only occur if the new keys are written to the same directory
1437 which holds all other keys in use for that zone.</p>
1438 <p>Older versions of BIND 9 did not have this precaution.
1439 Exercise caution if using key revocation on keys that were
1440 generated by previous releases, or if using keys stored in
1441 multiple directories or on multiple machines.</p>
1442 <p>It is expected that a future release of BIND 9 will
1443 address this problem in a different way, by storing revoked
1444 keys with their original unrevoked key ID's.</p>
1447 <div class="section">
1448 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1449 <a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
1450 <p>PKCS #11 (Public Key Cryptography Standard #11) defines a
1451 platform- independent API for the control of hardware security
1452 modules (HSMs) and other cryptographic support devices.</p>
1453 <p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
1454 cryptographic acceleration board, tested under Solaris x86, and
1455 the AEP Keyper network-attached key storage device, tested with
1456 Debian Linux, Solaris x86 and Windows Server 2003.</p>
1457 <div class="section">
1458 <div class="titlepage"><div><div><h3 class="title">
1459 <a name="id-1.5.12.4"></a>Prerequisites</h3></div></div></div>
1460 <p>See the HSM vendor documentation for information about
1461 installing, initializing, testing and troubleshooting the
1463 <p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
1464 does not yet fully support PKCS #11. However, a PKCS #11 engine
1465 for OpenSSL is available from the OpenSolaris project. It has
1466 been modified by ISC to work with with BIND 9, and to provide
1467 new features such as PIN management and key by
1469 <p>The patched OpenSSL depends on a "PKCS #11 provider".
1470 This is a shared library object, providing a low-level PKCS #11
1471 interface to the HSM hardware. It is dynamically loaded by
1472 OpenSSL at runtime. The PKCS #11 provider comes from the HSM
1473 vendor, and is specific to the HSM to be controlled.</p>
1474 <p>There are two "flavors" of PKCS #11 support provided by
1475 the patched OpenSSL, one of which must be chosen at
1476 configuration time. The correct choice depends on the HSM
1478 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1479 <li class="listitem"><p>Use 'crypto-accelerator' with HSMs that have hardware
1480 cryptographic acceleration features, such as the SCA 6000
1481 board. This causes OpenSSL to run all supported
1482 cryptographic operations in the HSM.</p></li>
1483 <li class="listitem"><p>Use 'sign-only' with HSMs that are designed to
1484 function primarily as secure key storage devices, but lack
1485 hardware acceleration. These devices are highly secure, but
1486 are not necessarily any faster at cryptography than the
1487 system CPU — often, they are slower. It is therefore
1488 most efficient to use them only for those cryptographic
1489 functions that require access to the secured private key,
1490 such as zone signing, and to use the system CPU for all
1491 other computationally-intensive operations. The AEP Keyper
1492 is an example of such a device.</p></li>
1495 The modified OpenSSL code is included in the BIND 9 release,
1496 in the form of a context diff against the latest versions of
1497 OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported;
1498 there are separate diffs for each version. In the examples to
1499 follow, we use OpenSSL 0.9.8, but the same methods work with
1500 OpenSSL 1.0.0 through 1.0.2.
1502 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1503 <h3 class="title">Note</h3>
1504 The OpenSSL patches as of this writing (January 2016)
1505 support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f.
1506 ISC will provide updated patches as new versions of OpenSSL
1507 are released. The version number in the following examples
1508 is expected to change.</div>
1510 Before building BIND 9 with PKCS #11 support, it will be
1511 necessary to build OpenSSL with this patch in place and inform
1512 it of the path to the HSM-specific PKCS #11 provider
1514 <p>Obtain OpenSSL 0.9.8s:</p>
1515 <pre class="screen">
1516 $ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
1518 <p>Extract the tarball:</p>
1519 <pre class="screen">
1520 $ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong>
1522 <p>Apply the patch from the BIND 9 release:</p>
1523 <pre class="screen">
1524 $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
1525 < bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong>
1527 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1528 <h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
1529 "patch" utility on all operating systems. You may need to
1530 install GNU patch.)</div>
1531 <p>When building OpenSSL, place it in a non-standard
1532 location so that it does not interfere with OpenSSL libraries
1533 elsewhere on the system. In the following examples, we choose
1534 to install into "/opt/pkcs11/usr". We will use this location
1535 when we configure BIND 9.</p>
1536 <div class="section">
1537 <div class="titlepage"><div><div><h4 class="title">
1538 <a name="id-1.5.12.4.18"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
1539 <p>The AEP Keyper is a highly secure key storage device,
1540 but does not provide hardware cryptographic acceleration. It
1541 can carry out cryptographic operations, but it is probably
1542 slower than your system's CPU. Therefore, we choose the
1543 'sign-only' flavor when building OpenSSL.</p>
1544 <p>The Keyper-specific PKCS #11 provider library is
1545 delivered with the Keyper software. In this example, we place
1546 it /opt/pkcs11/usr/lib:</p>
1547 <pre class="screen">
1548 $ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
1550 <p>This library is only available for Linux as a 32-bit
1551 binary. If we are compiling on a 64-bit Linux system, it is
1552 necessary to force a 32-bit build, by specifying -m32 in the
1554 <p>Finally, the Keyper library requires threads, so we
1555 must specify -pthread.</p>
1556 <pre class="screen">
1557 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
1558 $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
1559 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
1560 --pk11-flavor=sign-only \
1561 --prefix=/opt/pkcs11/usr</code></strong>
1563 <p>After configuring, run "<span class="command"><strong>make</strong></span>"
1564 and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
1565 test</strong></span>" fails with "pthread_atfork() not found", you forgot to
1566 add the -pthread above.</p>
1568 <div class="section">
1569 <div class="titlepage"><div><div><h4 class="title">
1570 <a name="id-1.5.12.4.19"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
1571 <p>The SCA-6000 PKCS #11 provider is installed as a system
1572 library, libpkcs11. It is a true crypto accelerator, up to 4
1573 times faster than any CPU, so the flavor shall be
1574 'crypto-accelerator'.</p>
1575 <p>In this example, we are building on Solaris x86 on an
1577 <pre class="screen">
1578 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
1579 $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
1580 --pk11-libname=/usr/lib/64/libpkcs11.so \
1581 --pk11-flavor=crypto-accelerator \
1582 --prefix=/opt/pkcs11/usr</code></strong>
1584 <p>(For a 32-bit build, use "solaris-x86-cc" and
1585 /usr/lib/libpkcs11.so.)</p>
1586 <p>After configuring, run
1587 <span class="command"><strong>make</strong></span> and
1588 <span class="command"><strong>make test</strong></span>.</p>
1590 <div class="section">
1591 <div class="titlepage"><div><div><h4 class="title">
1592 <a name="id-1.5.12.4.20"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
1593 <p>SoftHSM is a software library provided by the OpenDNSSEC
1594 project (http://www.opendnssec.org) which provides a PKCS#11
1595 interface to a virtual HSM, implemented in the form of encrypted
1596 data on the local filesystem. It uses the Botan library for
1597 encryption and SQLite3 for data storage. Though less secure
1598 than a true HSM, it can provide more secure key storage than
1599 traditional key files, and can allow you to experiment with
1600 PKCS#11 when an HSM is not available.</p>
1601 <p>The SoftHSM cryptographic store must be installed and
1602 initialized before using it with OpenSSL, and the SOFTHSM_CONF
1603 environment variable must always point to the SoftHSM configuration
1605 <pre class="screen">
1606 $ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
1607 $ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
1608 $ <strong class="userinput"><code> make </code></strong>
1609 $ <strong class="userinput"><code> make install </code></strong>
1610 $ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
1611 $ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
1612 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
1614 <p>SoftHSM can perform all cryptographic operations, but
1615 since it only uses your system CPU, there is no need to use it
1616 for anything but signing. Therefore, we choose the 'sign-only'
1617 flavor when building OpenSSL.</p>
1618 <pre class="screen">
1619 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
1620 $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
1621 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
1622 --pk11-flavor=sign-only \
1623 --prefix=/opt/pkcs11/usr</code></strong>
1625 <p>After configuring, run "<span class="command"><strong>make</strong></span>"
1626 and "<span class="command"><strong>make test</strong></span>".</p>
1628 <p>Once you have built OpenSSL, run
1629 "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
1630 that PKCS #11 support was compiled in correctly. The output
1631 should be one of the following lines, depending on the flavor
1633 <pre class="screen">
1634 (pkcs11) PKCS #11 engine support (sign only)
1637 <pre class="screen">
1638 (pkcs11) PKCS #11 engine support (crypto accelerator)
1641 "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
1642 attempt to initialize the PKCS #11 engine. If it is able to
1643 do so successfully, it will report
1644 <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.</p>
1645 <p>If the output is correct, run
1646 "<span class="command"><strong>make install</strong></span>" which will install the
1647 modified OpenSSL suite to
1648 <code class="filename">/opt/pkcs11/usr</code>.</p>
1650 <div class="section">
1651 <div class="titlepage"><div><div><h3 class="title">
1652 <a name="id-1.5.12.5"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
1653 <p>When building BIND 9, the location of the custom-built
1654 OpenSSL library must be specified via configure.</p>
1655 <div class="section">
1656 <div class="titlepage"><div><div><h4 class="title">
1657 <a name="id-1.5.12.5.3"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
1658 <p>To link with the PKCS #11 provider, threads must be
1659 enabled in the BIND 9 build.</p>
1660 <p>The PKCS #11 library for the AEP Keyper is currently
1661 only available as a 32-bit binary. If we are building on a
1662 64-bit host, we must force a 32-bit build by adding "-m32" to
1663 the CC options on the "configure" command line.</p>
1664 <pre class="screen">
1665 $ <strong class="userinput"><code>cd ../bind9</code></strong>
1666 $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
1667 --with-openssl=/opt/pkcs11/usr \
1668 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
1671 <div class="section">
1672 <div class="titlepage"><div><div><h4 class="title">
1673 <a name="id-1.5.12.5.4"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
1674 <p>To link with the PKCS #11 provider, threads must be
1675 enabled in the BIND 9 build.</p>
1676 <pre class="screen">
1677 $ <strong class="userinput"><code>cd ../bind9</code></strong>
1678 $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
1679 --with-openssl=/opt/pkcs11/usr \
1680 --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
1682 <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
1683 <p>If configure complains about OpenSSL not working, you
1684 may have a 32/64-bit architecture mismatch. Or, you may have
1685 incorrectly specified the path to OpenSSL (it should be the
1686 same as the --prefix argument to the OpenSSL
1689 <div class="section">
1690 <div class="titlepage"><div><div><h4 class="title">
1691 <a name="id-1.5.12.5.5"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
1692 <pre class="screen">
1693 $ <strong class="userinput"><code>cd ../bind9</code></strong>
1694 $ <strong class="userinput"><code>./configure --enable-threads \
1695 --with-openssl=/opt/pkcs11/usr \
1696 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
1699 <p>After configuring, run
1700 "<span class="command"><strong>make</strong></span>",
1701 "<span class="command"><strong>make test</strong></span>" and
1702 "<span class="command"><strong>make install</strong></span>".</p>
1703 <p>(Note: If "make test" fails in the "pkcs11" system test, you may
1704 have forgotten to set the SOFTHSM_CONF environment variable.)</p>
1706 <div class="section">
1707 <div class="titlepage"><div><div><h3 class="title">
1708 <a name="id-1.5.12.6"></a>PKCS #11 Tools</h3></div></div></div>
1709 <p>BIND 9 includes a minimal set of tools to operate the
1711 <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
1713 <span class="command"><strong>pkcs11-list</strong></span> to list objects currently
1715 <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects.</p>
1716 <p>In UNIX/Linux builds, these tools are built only if BIND
1717 9 is configured with the --with-pkcs11 option. (NOTE: If
1718 --with-pkcs11 is set to "yes", rather than to the path of the
1719 PKCS #11 provider, then the tools will be built but the
1720 provider will be left undefined. Use the -m option or the
1721 PKCS11_PROVIDER environment variable to specify the path to the
1724 <div class="section">
1725 <div class="titlepage"><div><div><h3 class="title">
1726 <a name="id-1.5.12.7"></a>Using the HSM</h3></div></div></div>
1727 <p>First, we must set up the runtime environment so the
1728 OpenSSL and PKCS #11 libraries can be loaded:</p>
1729 <pre class="screen">
1730 $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
1732 <p>When operating an AEP Keyper, it is also necessary to
1733 specify the location of the "machine" file, which stores
1734 information about the Keyper for use by PKCS #11 provider
1735 library. If the machine file is in
1736 <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
1738 <pre class="screen">
1739 $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
1741 <p>These environment variables must be set whenever running
1742 any tool that uses the HSM, including
1743 <span class="command"><strong>pkcs11-keygen</strong></span>,
1744 <span class="command"><strong>pkcs11-list</strong></span>,
1745 <span class="command"><strong>pkcs11-destroy</strong></span>,
1746 <span class="command"><strong>dnssec-keyfromlabel</strong></span>,
1747 <span class="command"><strong>dnssec-signzone</strong></span>,
1748 <span class="command"><strong>dnssec-keygen</strong></span>(which will use the HSM for
1749 random number generation), and
1750 <span class="command"><strong>named</strong></span>.</p>
1751 <p>We can now create and use keys in the HSM. In this case,
1752 we will create a 2048 bit key and give it the label
1754 <pre class="screen">
1755 $ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
1757 <p>To confirm that the key exists:</p>
1758 <pre class="screen">
1759 $ <strong class="userinput"><code>pkcs11-list</code></strong>
1761 object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
1762 object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
1764 <p>Before using this key to sign a zone, we must create a
1765 pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
1766 does this. In this case, we will be using the HSM key
1767 "sample-ksk" as the key-signing key for "example.net":</p>
1768 <pre class="screen">
1769 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
1771 <p>The resulting K*.key and K*.private files can now be used
1772 to sign the zone. Unlike normal K* files, which contain both
1773 public and private key data, these files will contain only the
1774 public key data, plus an identifier for the private key which
1775 remains stored within the HSM. The HSM handles signing with the
1777 <p>If you wish to generate a second key in the HSM for use
1778 as a zone-signing key, follow the same procedure above, using a
1779 different keylabel, a smaller key size, and omitting "-f KSK"
1780 from the dnssec-keyfromlabel arguments:</p>
1781 <pre class="screen">
1782 $ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
1783 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
1785 <p>Alternatively, you may prefer to generate a conventional
1786 on-disk key, using dnssec-keygen:</p>
1787 <pre class="screen">
1788 $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
1790 <p>This provides less security than an HSM key, but since
1791 HSMs can be slow or cumbersome to use for security reasons, it
1792 may be more efficient to reserve HSM keys for use in the less
1793 frequent key-signing operation. The zone-signing key can be
1794 rolled more frequently, if you wish, to compensate for a
1795 reduction in key security.</p>
1796 <p>Now you can sign the zone. (Note: If not using the -S
1798 <span class="command"><strong>dnssec-signzone</strong></span>, it will be necessary to add
1799 the contents of both
1800 <code class="filename">K*.key</code> files to the zone master file before
1802 <pre class="screen">
1803 $ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
1805 Verifying the zone using the following algorithms:
1807 Zone signing complete:
1808 Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
1812 <div class="section">
1813 <div class="titlepage"><div><div><h3 class="title">
1814 <a name="id-1.5.12.8"></a>Specifying the engine on the command line</h3></div></div></div>
1815 <p>The OpenSSL engine can be specified in
1816 <span class="command"><strong>named</strong></span> and all of the BIND
1817 <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
1818 <engine>" command line option. If BIND 9 is built with
1819 the --with-pkcs11 option, this option defaults to "pkcs11".
1820 Specifying the engine will generally not be necessary unless
1821 for some reason you wish to use a different OpenSSL
1823 <p>If you wish to disable use of the "pkcs11" engine —
1824 for troubleshooting purposes, or because the HSM is unavailable
1825 — set the engine to the empty string. For example:</p>
1826 <pre class="screen">
1827 $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
1830 <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
1831 without the --with-pkcs11 option.</p>
1833 <div class="section">
1834 <div class="titlepage"><div><div><h3 class="title">
1835 <a name="id-1.5.12.9"></a>Running named with automatic zone re-signing</h3></div></div></div>
1837 <span class="command"><strong>named</strong></span> to dynamically re-sign zones using HSM
1838 keys, and/or to to sign new records inserted via nsupdate, then
1839 named must have access to the HSM PIN. This can be accomplished
1840 by placing the PIN into the openssl.cnf file (in the above
1842 <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
1843 <p>The location of the openssl.cnf file can be overridden by
1844 setting the OPENSSL_CONF environment variable before running
1846 <p>Sample openssl.cnf:</p>
1847 <pre class="programlisting">
1848 openssl_conf = openssl_def
1850 engines = engine_section
1852 pkcs11 = pkcs11_section
1854 PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
1856 <p>This will also allow the dnssec-* tools to access the HSM
1857 without PIN entry. (The pkcs11-* tools access the HSM directly,
1858 not via OpenSSL, so a PIN will still be required to use
1860 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
1861 <h3 class="title">Warning</h3>
1862 <p>Placing the HSM's PIN in a text file in
1863 this manner may reduce the security advantage of using an
1864 HSM. Be sure this is what you want to do before configuring
1865 OpenSSL in this way.</p>
1869 <div class="section">
1870 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1871 <a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
1873 <acronym class="acronym">BIND</acronym> 9 fully supports all currently
1874 defined forms of IPv6 name to address and address to name
1875 lookups. It will also use IPv6 addresses to make queries when
1876 running on an IPv6 capable system.
1879 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
1880 only AAAA records. RFC 3363 deprecated the use of A6 records,
1881 and client-side support for A6 records was accordingly removed
1882 from <acronym class="acronym">BIND</acronym> 9.
1883 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
1884 load zone files containing A6 records correctly, answer queries
1885 for A6 records, and accept zone transfer for a zone containing A6
1889 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
1890 the traditional "nibble" format used in the
1891 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
1892 <span class="emphasis"><em>ip6.int</em></span> domain.
1893 Older versions of <acronym class="acronym">BIND</acronym> 9
1894 supported the "binary label" (also known as "bitstring") format,
1895 but support of binary labels has been completely removed per
1897 Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
1898 the binary label format at all any more, and will return an
1900 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
1901 name server will not load a zone file containing binary labels.
1904 For an overview of the format and structure of IPv6 addresses,
1905 see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
1907 <div class="section">
1908 <div class="titlepage"><div><div><h3 class="title">
1909 <a name="id-1.5.13.6"></a>Address Lookups Using AAAA Records</h3></div></div></div>
1911 The IPv6 AAAA record is a parallel to the IPv4 A record,
1912 and, unlike the deprecated A6 record, specifies the entire
1913 IPv6 address in a single record. For example,
1915 <pre class="programlisting">
1916 $ORIGIN example.com.
1917 host 3600 IN AAAA 2001:db8::1
1920 Use of IPv4-in-IPv6 mapped addresses is not recommended.
1921 If a host has an IPv4 address, use an A record, not
1922 a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
1926 <div class="section">
1927 <div class="titlepage"><div><div><h3 class="title">
1928 <a name="id-1.5.13.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
1930 When looking up an address in nibble format, the address
1931 components are simply reversed, just as in IPv4, and
1932 <code class="literal">ip6.arpa.</code> is appended to the
1934 For example, the following would provide reverse name lookup for
1936 <code class="literal">2001:db8::1</code>.
1938 <pre class="programlisting">
1939 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1940 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
1946 <div class="navfooter">
1948 <table width="100%" summary="Navigation footer">
1950 <td width="40%" align="left">
1951 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
1952 <td width="20%" align="center"> </td>
1953 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
1957 <td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
1958 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1959 <td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
1963 <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>