2 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: Bv9ARM.ch04.html,v 1.40.18.46 2008/05/24 01:31:11 tbox Exp $ -->
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>Chapter 4. Advanced DNS Features</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
26 <link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
35 <th width="60%" align="center"> </th>
36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
42 <div class="chapter" lang="en">
43 <div class="titlepage"><div><div><h2 class="title">
44 <a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
46 <p><b>Table of Contents</b></p>
48 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
49 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
50 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
51 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
52 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570600">Split DNS</a></span></dt>
53 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570618">Example split DNS setup</a></span></dt></dl></dd>
54 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
56 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570985">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
57 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571127">Copying the Shared Secret to Both Machines</a></span></dt>
58 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571138">Informing the Servers of the Key's Existence</a></span></dt>
59 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571177">Instructing the Server to Use the Key</a></span></dt>
60 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">TSIG Key Based Access Control</a></span></dt>
61 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571416">Errors</a></span></dt>
63 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571430">TKEY</a></span></dt>
64 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571547">SIG(0)</a></span></dt>
65 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
67 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571684">Generating Keys</a></span></dt>
68 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571753">Signing the Zone</a></span></dt>
69 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571832">Configuring Servers</a></span></dt>
71 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571975">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
73 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572173">Address Lookups Using AAAA Records</a></span></dt>
74 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572195">Address to Name Lookups Using Nibble Format</a></span></dt>
78 <div class="sect1" lang="en">
79 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
80 <a name="notify"></a>Notify</h2></div></div></div>
82 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
83 servers to notify their slave servers of changes to a zone's data. In
84 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
85 slave will check to see that its version of the zone is the
86 current version and, if not, initiate a zone transfer.
89 For more information about <acronym class="acronym">DNS</acronym>
90 <span><strong class="command">NOTIFY</strong></span>, see the description of the
91 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
92 the description of the zone option <span><strong class="command">also-notify</strong></span> in
93 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
94 protocol is specified in RFC 1996.
96 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
97 <h3 class="title">Note</h3>
98 As a slave zone can also be a master to other slaves, named,
99 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
100 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
101 cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
105 <div class="sect1" lang="en">
106 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
107 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
109 Dynamic Update is a method for adding, replacing or deleting
110 records in a master server by sending it a special form of DNS
111 messages. The format and meaning of these messages is specified
115 Dynamic update is enabled by
116 including an <span><strong class="command">allow-update</strong></span> or
117 <span><strong class="command">update-policy</strong></span> clause in the
118 <span><strong class="command">zone</strong></span> statement.
121 Updating of secure zones (zones using DNSSEC) follows
122 RFC 3007: RRSIG and NSEC records affected by updates are automatically
123 regenerated by the server using an online zone key.
124 Update authorization is based
125 on transaction signatures and an explicit server policy.
127 <div class="sect2" lang="en">
128 <div class="titlepage"><div><div><h3 class="title">
129 <a name="journal"></a>The journal file</h3></div></div></div>
131 All changes made to a zone using dynamic update are stored
132 in the zone's journal file. This file is automatically created
133 by the server when the first dynamic update takes place.
134 The name of the journal file is formed by appending the extension
135 <code class="filename">.jnl</code> to the name of the
137 file unless specifically overridden. The journal file is in a
138 binary format and should not be edited manually.
141 The server will also occasionally write ("dump")
142 the complete contents of the updated zone to its zone file.
143 This is not done immediately after
144 each dynamic update, because that would be too slow when a large
145 zone is updated frequently. Instead, the dump is delayed by
146 up to 15 minutes, allowing additional updates to take place.
149 When a server is restarted after a shutdown or crash, it will replay
150 the journal file to incorporate into the zone any updates that
152 place after the last zone dump.
155 Changes that result from incoming incremental zone transfers are
157 journalled in a similar way.
160 The zone files of dynamic zones cannot normally be edited by
161 hand because they are not guaranteed to contain the most recent
162 dynamic changes — those are only in the journal file.
163 The only way to ensure that the zone file of a dynamic zone
164 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
167 If you have to make changes to a dynamic zone
168 manually, the following procedure will work: Disable dynamic updates
170 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
171 This will also remove the zone's <code class="filename">.jnl</code> file
172 and update the master file. Edit the zone file. Run
173 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
174 to reload the changed zone and re-enable dynamic updates.
178 <div class="sect1" lang="en">
179 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
180 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
182 The incremental zone transfer (IXFR) protocol is a way for
183 slave servers to transfer only changed data, instead of having to
184 transfer the entire zone. The IXFR protocol is specified in RFC
185 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
188 When acting as a master, <acronym class="acronym">BIND</acronym> 9
189 supports IXFR for those zones
190 where the necessary change history information is available. These
191 include master zones maintained by dynamic update and slave zones
192 whose data was obtained by IXFR. For manually maintained master
193 zones, and for slave zones obtained by performing a full zone
194 transfer (AXFR), IXFR is supported only if the option
195 <span><strong class="command">ixfr-from-differences</strong></span> is set
196 to <strong class="userinput"><code>yes</code></strong>.
199 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
200 attempt to use IXFR unless
201 it is explicitly disabled. For more information about disabling
202 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
203 of the <span><strong class="command">server</strong></span> statement.
206 <div class="sect1" lang="en">
207 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
208 <a name="id2570600"></a>Split DNS</h2></div></div></div>
210 Setting up different views, or visibility, of the DNS space to
211 internal and external resolvers is usually referred to as a
212 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
213 reasons an organization would want to set up its DNS this way.
216 One common reason for setting up a DNS system this way is
217 to hide "internal" DNS information from "external" clients on the
218 Internet. There is some debate as to whether or not this is actually
220 Internal DNS information leaks out in many ways (via email headers,
221 for example) and most savvy "attackers" can find the information
222 they need using other means.
223 However, since listing addresses of internal servers that
224 external clients cannot possibly reach can result in
225 connection delays and other annoyances, an organization may
226 choose to use a Split DNS to present a consistent view of itself
227 to the outside world.
230 Another common reason for setting up a Split DNS system is
231 to allow internal networks that are behind filters or in RFC 1918
232 space (reserved IP space, as documented in RFC 1918) to resolve DNS
233 on the Internet. Split DNS can also be used to allow mail from outside
234 back in to the internal network.
236 <div class="sect2" lang="en">
237 <div class="titlepage"><div><div><h3 class="title">
238 <a name="id2570618"></a>Example split DNS setup</h3></div></div></div>
240 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
241 (<code class="literal">example.com</code>)
242 has several corporate sites that have an internal network with
244 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
245 or "outside" section of a network, that is available to the public.
248 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
249 to be able to resolve external hostnames and to exchange mail with
250 people on the outside. The company also wants its internal resolvers
251 to have access to certain internal-only zones that are not available
252 at all outside of the internal network.
255 In order to accomplish this, the company will set up two sets
256 of name servers. One set will be on the inside network (in the
258 IP space) and the other set will be on bastion hosts, which are
260 hosts that can talk to both sides of its network, in the DMZ.
263 The internal servers will be configured to forward all queries,
264 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
265 and <code class="filename">site2.example.com</code>, to the servers
267 DMZ. These internal servers will have complete sets of information
268 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
269 and <code class="filename">site2.internal</code>.
272 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
273 the internal name servers must be configured to disallow all queries
274 to these domains from any external hosts, including the bastion
278 The external servers, which are on the bastion hosts, will
279 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
280 This could include things such as the host records for public servers
281 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
282 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
285 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
286 should have special MX records that contain wildcard (`*') records
287 pointing to the bastion hosts. This is needed because external mail
288 servers do not have any other way of looking up how to deliver mail
289 to those internal hosts. With the wildcard records, the mail will
290 be delivered to the bastion host, which can then forward it on to
294 Here's an example of a wildcard MX record:
296 <pre class="programlisting">* IN MX 10 external1.example.com.</pre>
298 Now that they accept mail on behalf of anything in the internal
299 network, the bastion hosts will need to know how to deliver mail
300 to internal hosts. In order for this to work properly, the resolvers
302 the bastion hosts will need to be configured to point to the internal
303 name servers for DNS resolution.
306 Queries for internal hostnames will be answered by the internal
307 servers, and queries for external hostnames will be forwarded back
308 out to the DNS servers on the bastion hosts.
311 In order for all this to work properly, internal clients will
312 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
313 name servers for DNS queries. This could also be enforced via
315 filtering on the network.
318 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
319 internal clients will now be able to:
321 <div class="itemizedlist"><ul type="disc">
323 Look up any hostnames in the <code class="literal">site1</code>
325 <code class="literal">site2.example.com</code> zones.
328 Look up any hostnames in the <code class="literal">site1.internal</code> and
329 <code class="literal">site2.internal</code> domains.
331 <li>Look up any hostnames on the Internet.</li>
332 <li>Exchange mail with both internal and external people.</li>
335 Hosts on the Internet will be able to:
337 <div class="itemizedlist"><ul type="disc">
339 Look up any hostnames in the <code class="literal">site1</code>
341 <code class="literal">site2.example.com</code> zones.
344 Exchange mail with anyone in the <code class="literal">site1</code> and
345 <code class="literal">site2.example.com</code> zones.
349 Here is an example configuration for the setup we just
350 described above. Note that this is only configuration information;
351 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
354 Internal DNS server config:
356 <pre class="programlisting">
358 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
360 acl externals { <code class="varname">bastion-ips-go-here</code>; };
366 forwarders { // forward to external servers
367 <code class="varname">bastion-ips-go-here</code>;
369 allow-transfer { none; }; // sample allow-transfer (no one)
370 allow-query { internals; externals; }; // restrict query access
371 allow-recursion { internals; }; // restrict recursion
376 zone "site1.example.com" { // sample master zone
378 file "m/site1.example.com";
379 forwarders { }; // do normal iterative
380 // resolution (do not forward)
381 allow-query { internals; externals; };
382 allow-transfer { internals; };
385 zone "site2.example.com" { // sample slave zone
387 file "s/site2.example.com";
388 masters { 172.16.72.3; };
390 allow-query { internals; externals; };
391 allow-transfer { internals; };
394 zone "site1.internal" {
396 file "m/site1.internal";
398 allow-query { internals; };
399 allow-transfer { internals; }
402 zone "site2.internal" {
404 file "s/site2.internal";
405 masters { 172.16.72.3; };
407 allow-query { internals };
408 allow-transfer { internals; }
412 External (bastion host) DNS server config:
414 <pre class="programlisting">
415 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
417 acl externals { bastion-ips-go-here; };
422 allow-transfer { none; }; // sample allow-transfer (no one)
423 allow-query { any; }; // default query access
424 allow-query-cache { internals; externals; }; // restrict cache access
425 allow-recursion { internals; externals; }; // restrict recursion
430 zone "site1.example.com" { // sample slave zone
432 file "m/site1.foo.com";
433 allow-transfer { internals; externals; };
436 zone "site2.example.com" {
438 file "s/site2.foo.com";
439 masters { another_bastion_host_maybe; };
440 allow-transfer { internals; externals; }
444 In the <code class="filename">resolv.conf</code> (or equivalent) on
447 <pre class="programlisting">
449 nameserver 172.16.72.2
450 nameserver 172.16.72.3
451 nameserver 172.16.72.4
455 <div class="sect1" lang="en">
456 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
457 <a name="tsig"></a>TSIG</h2></div></div></div>
459 This is a short guide to setting up Transaction SIGnatures
460 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
461 to the configuration file as well as what changes are required for
462 different features, including the process of creating transaction
463 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
466 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
467 to server communication.
468 This includes zone transfer, notify, and recursive query messages.
469 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
473 TSIG can also be useful for dynamic update. A primary
474 server for a dynamic zone should control access to the dynamic
475 update service, but IP-based access control is insufficient.
476 The cryptographic access control provided by TSIG
477 is far superior. The <span><strong class="command">nsupdate</strong></span>
478 program supports TSIG via the <code class="option">-k</code> and
479 <code class="option">-y</code> command line options or inline by use
480 of the <span><strong class="command">key</strong></span>.
482 <div class="sect2" lang="en">
483 <div class="titlepage"><div><div><h3 class="title">
484 <a name="id2570985"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
486 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
487 An arbitrary key name is chosen: "host1-host2.". The key name must
488 be the same on both hosts.
490 <div class="sect3" lang="en">
491 <div class="titlepage"><div><div><h4 class="title">
492 <a name="id2571070"></a>Automatic Generation</h4></div></div></div>
494 The following command will generate a 128-bit (16 byte) HMAC-MD5
495 key as described above. Longer keys are better, but shorter keys
496 are easier to read. Note that the maximum key length is 512 bits;
497 keys longer than that will be digested with MD5 to produce a
501 <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
504 The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
505 Nothing directly uses this file, but the base-64 encoded string
506 following "<code class="literal">Key:</code>"
507 can be extracted from the file and used as a shared secret:
509 <pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
511 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
512 be used as the shared secret.
515 <div class="sect3" lang="en">
516 <div class="titlepage"><div><div><h4 class="title">
517 <a name="id2571109"></a>Manual Generation</h4></div></div></div>
519 The shared secret is simply a random sequence of bits, encoded
520 in base-64. Most ASCII strings are valid base-64 strings (assuming
521 the length is a multiple of 4 and only valid characters are used),
522 so the shared secret can be manually generated.
525 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
526 a similar program to generate base-64 encoded data.
530 <div class="sect2" lang="en">
531 <div class="titlepage"><div><div><h3 class="title">
532 <a name="id2571127"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
534 This is beyond the scope of DNS. A secure transport mechanism
535 should be used. This could be secure FTP, ssh, telephone, etc.
538 <div class="sect2" lang="en">
539 <div class="titlepage"><div><div><h3 class="title">
540 <a name="id2571138"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
542 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
544 both servers. The following is added to each server's <code class="filename">named.conf</code> file:
546 <pre class="programlisting">
549 secret "La/E5CjG9O+os1jq0a2jdA==";
553 The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
554 The secret is the one generated above. Since this is a secret, it
555 is recommended that either <code class="filename">named.conf</code> be non-world
556 readable, or the key directive be added to a non-world readable
557 file that is included by
558 <code class="filename">named.conf</code>.
561 At this point, the key is recognized. This means that if the
562 server receives a message signed by this key, it can verify the
563 signature. If the signature is successfully verified, the
564 response is signed by the same key.
567 <div class="sect2" lang="en">
568 <div class="titlepage"><div><div><h3 class="title">
569 <a name="id2571177"></a>Instructing the Server to Use the Key</h3></div></div></div>
571 Since keys are shared between two hosts only, the server must
572 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
573 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
576 <pre class="programlisting">
578 keys { host1-host2. ;};
582 Multiple keys may be present, but only the first is used.
583 This directive does not contain any secrets, so it may be in a
588 If <span class="emphasis"><em>host1</em></span> sends a message that is a request
589 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
590 expect any responses to signed messages to be signed with the same
594 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
595 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
596 sign request messages to <span class="emphasis"><em>host1</em></span>.
599 <div class="sect2" lang="en">
600 <div class="titlepage"><div><div><h3 class="title">
601 <a name="id2571303"></a>TSIG Key Based Access Control</h3></div></div></div>
603 <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
604 to be specified in ACL
606 <span><strong class="command">allow-{ query | transfer | update }</strong></span>
608 This has been extended to allow TSIG keys also. The above key would
609 be denoted <span><strong class="command">key host1-host2.</strong></span>
612 An example of an allow-update directive would be:
614 <pre class="programlisting">
615 allow-update { key host1-host2. ;};
618 This allows dynamic updates to succeed only if the request
619 was signed by a key named
620 "<span><strong class="command">host1-host2.</strong></span>".
623 You may want to read about the more
624 powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
627 <div class="sect2" lang="en">
628 <div class="titlepage"><div><div><h3 class="title">
629 <a name="id2571416"></a>Errors</h3></div></div></div>
631 The processing of TSIG signed messages can result in
632 several errors. If a signed message is sent to a non-TSIG aware
633 server, a FORMERR (format error) will be returned, since the server will not
634 understand the record. This is a result of misconfiguration,
635 since the server must be explicitly configured to send a TSIG
636 signed message to a specific server.
639 If a TSIG aware server receives a message signed by an
640 unknown key, the response will be unsigned with the TSIG
641 extended error code set to BADKEY. If a TSIG aware server
642 receives a message with a signature that does not validate, the
643 response will be unsigned with the TSIG extended error code set
644 to BADSIG. If a TSIG aware server receives a message with a time
645 outside of the allowed range, the response will be signed with
646 the TSIG extended error code set to BADTIME, and the time values
647 will be adjusted so that the response can be successfully
648 verified. In any of these cases, the message's rcode (response code) is set to
649 NOTAUTH (not authenticated).
653 <div class="sect1" lang="en">
654 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
655 <a name="id2571430"></a>TKEY</h2></div></div></div>
656 <p><span><strong class="command">TKEY</strong></span>
657 is a mechanism for automatically generating a shared secret
658 between two hosts. There are several "modes" of
659 <span><strong class="command">TKEY</strong></span> that specify how the key is generated
660 or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
661 these modes, the Diffie-Hellman key exchange. Both hosts are
662 required to have a Diffie-Hellman KEY record (although this
663 record is not required to be present in a zone). The
664 <span><strong class="command">TKEY</strong></span> process must use signed messages,
665 signed either by TSIG or SIG(0). The result of
666 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
667 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
668 used to delete shared secrets that it had previously
672 The <span><strong class="command">TKEY</strong></span> process is initiated by a
674 or server by sending a signed <span><strong class="command">TKEY</strong></span>
676 (including any appropriate KEYs) to a TKEY-aware server. The
677 server response, if it indicates success, will contain a
678 <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
680 this exchange, both participants have enough information to
681 determine the shared secret; the exact process depends on the
682 <span><strong class="command">TKEY</strong></span> mode. When using the
684 <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
686 and the shared secret is derived by both participants.
689 <div class="sect1" lang="en">
690 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
691 <a name="id2571547"></a>SIG(0)</h2></div></div></div>
693 <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
694 transaction signatures as specified in RFC 2535 and RFC2931.
696 uses public/private keys to authenticate messages. Access control
697 is performed in the same manner as TSIG keys; privileges can be
698 granted or denied based on the key name.
701 When a SIG(0) signed message is received, it will only be
702 verified if the key is known and trusted by the server; the server
703 will not attempt to locate and/or validate the key.
706 SIG(0) signing of multiple-message TCP streams is not
710 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
711 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
714 <div class="sect1" lang="en">
715 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
716 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
718 Cryptographic authentication of DNS information is possible
719 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
720 defined in RFC 4033, RFC 4034, and RFC 4035.
721 This section describes the creation and use of DNSSEC signed zones.
724 In order to set up a DNSSEC secure zone, there are a series
725 of steps which must be followed. <acronym class="acronym">BIND</acronym>
728 that are used in this process, which are explained in more detail
729 below. In all cases, the <code class="option">-h</code> option prints a
730 full list of parameters. Note that the DNSSEC tools require the
731 keyset files to be in the working directory or the
732 directory specified by the <code class="option">-d</code> option, and
733 that the tools shipped with BIND 9.2.x and earlier are not compatible
734 with the current ones.
737 There must also be communication with the administrators of
738 the parent and/or child zone to transmit keys. A zone's security
739 status must be indicated by the parent zone for a DNSSEC capable
740 resolver to trust its data. This is done through the presence
741 or absence of a <code class="literal">DS</code> record at the
746 For other servers to trust data in this zone, they must
747 either be statically configured with this zone's zone key or the
748 zone key of another zone above this one in the DNS tree.
750 <div class="sect2" lang="en">
751 <div class="titlepage"><div><div><h3 class="title">
752 <a name="id2571684"></a>Generating Keys</h3></div></div></div>
754 The <span><strong class="command">dnssec-keygen</strong></span> program is used to
758 A secure zone must contain one or more zone keys. The
759 zone keys will sign all other records in the zone, as well as
760 the zone keys of any secure delegated zones. Zone keys must
761 have the same name as the zone, a name type of
762 <span><strong class="command">ZONE</strong></span>, and must be usable for
764 It is recommended that zone keys use a cryptographic algorithm
765 designated as "mandatory to implement" by the IETF; currently
766 the only one is RSASHA1.
769 The following command will generate a 768-bit RSASHA1 key for
770 the <code class="filename">child.example</code> zone:
773 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
776 Two output files will be produced:
777 <code class="filename">Kchild.example.+005+12345.key</code> and
778 <code class="filename">Kchild.example.+005+12345.private</code>
780 12345 is an example of a key tag). The key filenames contain
781 the key name (<code class="filename">child.example.</code>),
783 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
785 The private key (in the <code class="filename">.private</code>
787 used to generate signatures, and the public key (in the
788 <code class="filename">.key</code> file) is used for signature
792 To generate another key with the same properties (but with
793 a different key tag), repeat the above command.
796 The public keys should be inserted into the zone file by
797 including the <code class="filename">.key</code> files using
798 <span><strong class="command">$INCLUDE</strong></span> statements.
801 <div class="sect2" lang="en">
802 <div class="titlepage"><div><div><h3 class="title">
803 <a name="id2571753"></a>Signing the Zone</h3></div></div></div>
805 The <span><strong class="command">dnssec-signzone</strong></span> program is used
810 Any <code class="filename">keyset</code> files corresponding
811 to secure subzones should be present. The zone signer will
812 generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
813 records for the zone, as well as <code class="literal">DS</code>
815 the child zones if <code class="literal">'-d'</code> is specified.
816 If <code class="literal">'-d'</code> is not specified, then
818 the secure child zones need to be added manually.
821 The following command signs the zone, assuming it is in a
822 file called <code class="filename">zone.child.example</code>. By
823 default, all zone keys which have an available private key are
824 used to generate signatures.
827 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
830 One output file is produced:
831 <code class="filename">zone.child.example.signed</code>. This
833 should be referenced by <code class="filename">named.conf</code>
835 input file for the zone.
837 <p><span><strong class="command">dnssec-signzone</strong></span>
838 will also produce a keyset and dsset files and optionally a
839 dlvset file. These are used to provide the parent zone
840 administrators with the <code class="literal">DNSKEYs</code> (or their
841 corresponding <code class="literal">DS</code> records) that are the
842 secure entry point to the zone.
845 <div class="sect2" lang="en">
846 <div class="titlepage"><div><div><h3 class="title">
847 <a name="id2571832"></a>Configuring Servers</h3></div></div></div>
849 To enable <span><strong class="command">named</strong></span> to respond appropriately
850 to DNS requests from DNSSEC aware clients,
851 <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
854 To enable <span><strong class="command">named</strong></span> to validate answers from
855 other servers both <span><strong class="command">dnssec-enable</strong></span> and
856 <span><strong class="command">dnssec-validation</strong></span> must be set and some
857 <span><strong class="command">trusted-keys</strong></span> must be configured
858 into <code class="filename">named.conf</code>.
861 <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
862 for zones that are used to form the first link in the
863 cryptographic chain of trust. All keys listed in
864 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
865 are deemed to exist and only the listed keys will be used
866 to validated the DNSKEY RRset that they are from.
869 <span><strong class="command">trusted-keys</strong></span> are described in more detail
870 later in this document.
873 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
874 9 does not verify signatures on load, so zone keys for
875 authoritative zones do not need to be specified in the
879 After DNSSEC gets established, a typical DNSSEC configuration
880 will look something like the following. It has a one or
881 more public keys for the root. This allows answers from
882 outside the organization to be validated. It will also
883 have several keys for parts of the namespace the organization
884 controls. These are here to ensure that named is immune
885 to compromises in the DNSSEC components of the security
888 <pre class="programlisting">
892 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
893 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
894 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
895 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
896 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
897 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
898 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
900 /* Key for our organization's forward zone */
901 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
902 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
903 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
904 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
905 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
906 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
907 SCThlHf3xiYleDbt/o1OTQ09A0=";
909 /* Key for our reverse zone. */
910 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
911 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
912 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
913 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
914 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
915 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
916 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
917 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
923 dnssec-validation yes;
926 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
927 <h3 class="title">Note</h3>
928 None of the keys listed in this example are valid. In particular,
929 the root key is not valid.
933 <div class="sect1" lang="en">
934 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
935 <a name="id2571975"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
937 <acronym class="acronym">BIND</acronym> 9 fully supports all currently
938 defined forms of IPv6
939 name to address and address to name lookups. It will also use
940 IPv6 addresses to make queries when running on an IPv6 capable
944 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
945 only AAAA records. RFC 3363 deprecated the use of A6 records,
946 and client-side support for A6 records was accordingly removed
947 from <acronym class="acronym">BIND</acronym> 9.
948 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
949 load zone files containing A6 records correctly, answer queries
950 for A6 records, and accept zone transfer for a zone containing A6
954 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
955 the traditional "nibble" format used in the
956 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
957 <span class="emphasis"><em>ip6.int</em></span> domain.
958 Older versions of <acronym class="acronym">BIND</acronym> 9
959 supported the "binary label" (also known as "bitstring") format,
960 but support of binary labels has been completely removed per
962 Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
963 the binary label format at all any more, and will return an
965 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
966 name server will not load a zone file containing binary labels.
969 For an overview of the format and structure of IPv6 addresses,
970 see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
972 <div class="sect2" lang="en">
973 <div class="titlepage"><div><div><h3 class="title">
974 <a name="id2572173"></a>Address Lookups Using AAAA Records</h3></div></div></div>
976 The IPv6 AAAA record is a parallel to the IPv4 A record,
977 and, unlike the deprecated A6 record, specifies the entire
978 IPv6 address in a single record. For example,
980 <pre class="programlisting">
982 host 3600 IN AAAA 2001:db8::1
985 Use of IPv4-in-IPv6 mapped addresses is not recommended.
986 If a host has an IPv4 address, use an A record, not
987 a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
991 <div class="sect2" lang="en">
992 <div class="titlepage"><div><div><h3 class="title">
993 <a name="id2572195"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
995 When looking up an address in nibble format, the address
996 components are simply reversed, just as in IPv4, and
997 <code class="literal">ip6.arpa.</code> is appended to the
999 For example, the following would provide reverse name lookup for
1001 <code class="literal">2001:db8::1</code>.
1003 <pre class="programlisting">
1004 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1005 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
1010 <div class="navfooter">
1012 <table width="100%" summary="Navigation footer">
1014 <td width="40%" align="left">
1015 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
1016 <td width="20%" align="center"> </td>
1017 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
1021 <td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
1022 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1023 <td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>