2 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: Bv9ARM.ch04.html,v 1.125.8.9 2011-08-03 02:35:12 tbox Exp $ -->
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>Chapter 4. Advanced DNS Features</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
26 <link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
35 <th width="60%" align="center"> </th>
36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
42 <div class="chapter" lang="en">
43 <div class="titlepage"><div><div><h2 class="title">
44 <a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
46 <p><b>Table of Contents</b></p>
48 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
49 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
50 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
51 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
52 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570885">Split DNS</a></span></dt>
53 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570903">Example split DNS setup</a></span></dt></dl></dd>
54 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
56 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571336">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
57 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571478">Copying the Shared Secret to Both Machines</a></span></dt>
58 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571489">Informing the Servers of the Key's Existence</a></span></dt>
59 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571525">Instructing the Server to Use the Key</a></span></dt>
60 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571651">TSIG Key Based Access Control</a></span></dt>
61 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571700">Errors</a></span></dt>
63 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571714">TKEY</a></span></dt>
64 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2563980">SIG(0)</a></span></dt>
65 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
67 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564117">Generating Keys</a></span></dt>
68 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572183">Signing the Zone</a></span></dt>
69 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572264">Configuring Servers</a></span></dt>
71 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
73 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563484">Converting from insecure to secure</a></span></dt>
74 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563522">Dynamic DNS update method</a></span></dt>
75 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563626">Fully automatic zone signing</a></span></dt>
76 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563777">Private-type records</a></span></dt>
77 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563814">DNSKEY rollovers</a></span></dt>
78 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563827">Dynamic DNS update method</a></span></dt>
79 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563860">Automatic key rollovers</a></span></dt>
80 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563886">NSEC3PARAM rollovers via UPDATE</a></span></dt>
81 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Converting from NSEC to NSEC3</a></span></dt>
82 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563906">Converting from NSEC3 to NSEC</a></span></dt>
83 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563918">Converting from secure to insecure</a></span></dt>
84 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563956">Periodic re-signing</a></span></dt>
85 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571816">NSEC3 and OPTOUT</a></span></dt>
87 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
89 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571869">Validating Resolver</a></span></dt>
90 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571892">Authoritative Server</a></span></dt>
92 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
94 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609757">Prerequisites</a></span></dt>
95 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607912">Building BIND 9 with PKCS#11</a></span></dt>
96 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608144">PKCS #11 Tools</a></span></dt>
97 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608174">Using the HSM</a></span></dt>
98 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610353">Specifying the engine on the command line</a></span></dt>
99 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610467">Running named with automatic zone re-signing</a></span></dt>
101 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572484">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
103 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572819">Address Lookups Using AAAA Records</a></span></dt>
104 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572840">Address to Name Lookups Using Nibble Format</a></span></dt>
108 <div class="sect1" lang="en">
109 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
110 <a name="notify"></a>Notify</h2></div></div></div>
112 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
113 servers to notify their slave servers of changes to a zone's data. In
114 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
115 slave will check to see that its version of the zone is the
116 current version and, if not, initiate a zone transfer.
119 For more information about <acronym class="acronym">DNS</acronym>
120 <span><strong class="command">NOTIFY</strong></span>, see the description of the
121 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
122 the description of the zone option <span><strong class="command">also-notify</strong></span> in
123 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span>
124 protocol is specified in RFC 1996.
126 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
127 <h3 class="title">Note</h3>
128 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
129 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
130 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
131 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
135 <div class="sect1" lang="en">
136 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
137 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
139 Dynamic Update is a method for adding, replacing or deleting
140 records in a master server by sending it a special form of DNS
141 messages. The format and meaning of these messages is specified
145 Dynamic update is enabled by including an
146 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
147 clause in the <span><strong class="command">zone</strong></span> statement.
150 If the zone's <span><strong class="command">update-policy</strong></span> is set to
151 <strong class="userinput"><code>local</code></strong>, updates to the zone
152 will be permitted for the key <code class="varname">local-ddns</code>,
153 which will be generated by <span><strong class="command">named</strong></span> at startup.
154 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
157 Dynamic updates using Kerberos signed requests can be made
158 using the TKEY/GSS protocol by setting either the
159 <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
160 by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
161 and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
162 Kerberos signed requests will be matched against the update
163 policies for the zone, using the Kerberos principal as the
164 signer for the request.
167 Updating of secure zones (zones using DNSSEC) follows RFC
168 3007: RRSIG, NSEC and NSEC3 records affected by updates are
169 automatically regenerated by the server using an online
170 zone key. Update authorization is based on transaction
171 signatures and an explicit server policy.
173 <div class="sect2" lang="en">
174 <div class="titlepage"><div><div><h3 class="title">
175 <a name="journal"></a>The journal file</h3></div></div></div>
177 All changes made to a zone using dynamic update are stored
178 in the zone's journal file. This file is automatically created
179 by the server when the first dynamic update takes place.
180 The name of the journal file is formed by appending the extension
181 <code class="filename">.jnl</code> to the name of the
183 file unless specifically overridden. The journal file is in a
184 binary format and should not be edited manually.
187 The server will also occasionally write ("dump")
188 the complete contents of the updated zone to its zone file.
189 This is not done immediately after
190 each dynamic update, because that would be too slow when a large
191 zone is updated frequently. Instead, the dump is delayed by
192 up to 15 minutes, allowing additional updates to take place.
193 During the dump process, transient files will be created
194 with the extensions <code class="filename">.jnw</code> and
195 <code class="filename">.jbk</code>; under ordinary circumstances, these
196 will be removed when the dump is complete, and can be safely
200 When a server is restarted after a shutdown or crash, it will replay
201 the journal file to incorporate into the zone any updates that
203 place after the last zone dump.
206 Changes that result from incoming incremental zone transfers are
208 journalled in a similar way.
211 The zone files of dynamic zones cannot normally be edited by
212 hand because they are not guaranteed to contain the most recent
213 dynamic changes — those are only in the journal file.
214 The only way to ensure that the zone file of a dynamic zone
215 is up to date is to run <span><strong class="command">rndc stop</strong></span>.
218 If you have to make changes to a dynamic zone
219 manually, the following procedure will work: Disable dynamic updates
221 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
222 This will also remove the zone's <code class="filename">.jnl</code> file
223 and update the master file. Edit the zone file. Run
224 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
225 to reload the changed zone and re-enable dynamic updates.
229 <div class="sect1" lang="en">
230 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
231 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
233 The incremental zone transfer (IXFR) protocol is a way for
234 slave servers to transfer only changed data, instead of having to
235 transfer the entire zone. The IXFR protocol is specified in RFC
236 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
239 When acting as a master, <acronym class="acronym">BIND</acronym> 9
240 supports IXFR for those zones
241 where the necessary change history information is available. These
242 include master zones maintained by dynamic update and slave zones
243 whose data was obtained by IXFR. For manually maintained master
244 zones, and for slave zones obtained by performing a full zone
245 transfer (AXFR), IXFR is supported only if the option
246 <span><strong class="command">ixfr-from-differences</strong></span> is set
247 to <strong class="userinput"><code>yes</code></strong>.
250 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
251 attempt to use IXFR unless
252 it is explicitly disabled. For more information about disabling
253 IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
254 of the <span><strong class="command">server</strong></span> statement.
257 <div class="sect1" lang="en">
258 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
259 <a name="id2570885"></a>Split DNS</h2></div></div></div>
261 Setting up different views, or visibility, of the DNS space to
262 internal and external resolvers is usually referred to as a
263 <span class="emphasis"><em>Split DNS</em></span> setup. There are several
264 reasons an organization would want to set up its DNS this way.
267 One common reason for setting up a DNS system this way is
268 to hide "internal" DNS information from "external" clients on the
269 Internet. There is some debate as to whether or not this is actually
271 Internal DNS information leaks out in many ways (via email headers,
272 for example) and most savvy "attackers" can find the information
273 they need using other means.
274 However, since listing addresses of internal servers that
275 external clients cannot possibly reach can result in
276 connection delays and other annoyances, an organization may
277 choose to use a Split DNS to present a consistent view of itself
278 to the outside world.
281 Another common reason for setting up a Split DNS system is
282 to allow internal networks that are behind filters or in RFC 1918
283 space (reserved IP space, as documented in RFC 1918) to resolve DNS
284 on the Internet. Split DNS can also be used to allow mail from outside
285 back in to the internal network.
287 <div class="sect2" lang="en">
288 <div class="titlepage"><div><div><h3 class="title">
289 <a name="id2570903"></a>Example split DNS setup</h3></div></div></div>
291 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
292 (<code class="literal">example.com</code>)
293 has several corporate sites that have an internal network with
295 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
296 or "outside" section of a network, that is available to the public.
299 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
300 to be able to resolve external hostnames and to exchange mail with
301 people on the outside. The company also wants its internal resolvers
302 to have access to certain internal-only zones that are not available
303 at all outside of the internal network.
306 In order to accomplish this, the company will set up two sets
307 of name servers. One set will be on the inside network (in the
309 IP space) and the other set will be on bastion hosts, which are
311 hosts that can talk to both sides of its network, in the DMZ.
314 The internal servers will be configured to forward all queries,
315 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
316 and <code class="filename">site2.example.com</code>, to the servers
318 DMZ. These internal servers will have complete sets of information
319 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
320 and <code class="filename">site2.internal</code>.
323 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
324 the internal name servers must be configured to disallow all queries
325 to these domains from any external hosts, including the bastion
329 The external servers, which are on the bastion hosts, will
330 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
331 This could include things such as the host records for public servers
332 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
333 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
336 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
337 should have special MX records that contain wildcard (`*') records
338 pointing to the bastion hosts. This is needed because external mail
339 servers do not have any other way of looking up how to deliver mail
340 to those internal hosts. With the wildcard records, the mail will
341 be delivered to the bastion host, which can then forward it on to
345 Here's an example of a wildcard MX record:
347 <pre class="programlisting">* IN MX 10 external1.example.com.</pre>
349 Now that they accept mail on behalf of anything in the internal
350 network, the bastion hosts will need to know how to deliver mail
351 to internal hosts. In order for this to work properly, the resolvers
353 the bastion hosts will need to be configured to point to the internal
354 name servers for DNS resolution.
357 Queries for internal hostnames will be answered by the internal
358 servers, and queries for external hostnames will be forwarded back
359 out to the DNS servers on the bastion hosts.
362 In order for all this to work properly, internal clients will
363 need to be configured to query <span class="emphasis"><em>only</em></span> the internal
364 name servers for DNS queries. This could also be enforced via
366 filtering on the network.
369 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
370 internal clients will now be able to:
372 <div class="itemizedlist"><ul type="disc">
374 Look up any hostnames in the <code class="literal">site1</code>
376 <code class="literal">site2.example.com</code> zones.
379 Look up any hostnames in the <code class="literal">site1.internal</code> and
380 <code class="literal">site2.internal</code> domains.
382 <li>Look up any hostnames on the Internet.</li>
383 <li>Exchange mail with both internal and external people.</li>
386 Hosts on the Internet will be able to:
388 <div class="itemizedlist"><ul type="disc">
390 Look up any hostnames in the <code class="literal">site1</code>
392 <code class="literal">site2.example.com</code> zones.
395 Exchange mail with anyone in the <code class="literal">site1</code> and
396 <code class="literal">site2.example.com</code> zones.
400 Here is an example configuration for the setup we just
401 described above. Note that this is only configuration information;
402 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
405 Internal DNS server config:
407 <pre class="programlisting">
409 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
411 acl externals { <code class="varname">bastion-ips-go-here</code>; };
417 // forward to external servers
419 <code class="varname">bastion-ips-go-here</code>;
421 // sample allow-transfer (no one)
422 allow-transfer { none; };
423 // restrict query access
424 allow-query { internals; externals; };
425 // restrict recursion
426 allow-recursion { internals; };
431 // sample master zone
432 zone "site1.example.com" {
434 file "m/site1.example.com";
435 // do normal iterative resolution (do not forward)
437 allow-query { internals; externals; };
438 allow-transfer { internals; };
442 zone "site2.example.com" {
444 file "s/site2.example.com";
445 masters { 172.16.72.3; };
447 allow-query { internals; externals; };
448 allow-transfer { internals; };
451 zone "site1.internal" {
453 file "m/site1.internal";
455 allow-query { internals; };
456 allow-transfer { internals; }
459 zone "site2.internal" {
461 file "s/site2.internal";
462 masters { 172.16.72.3; };
464 allow-query { internals };
465 allow-transfer { internals; }
469 External (bastion host) DNS server config:
471 <pre class="programlisting">
472 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
474 acl externals { bastion-ips-go-here; };
479 // sample allow-transfer (no one)
480 allow-transfer { none; };
481 // default query access
482 allow-query { any; };
483 // restrict cache access
484 allow-query-cache { internals; externals; };
485 // restrict recursion
486 allow-recursion { internals; externals; };
492 zone "site1.example.com" {
494 file "m/site1.foo.com";
495 allow-transfer { internals; externals; };
498 zone "site2.example.com" {
500 file "s/site2.foo.com";
501 masters { another_bastion_host_maybe; };
502 allow-transfer { internals; externals; }
506 In the <code class="filename">resolv.conf</code> (or equivalent) on
509 <pre class="programlisting">
511 nameserver 172.16.72.2
512 nameserver 172.16.72.3
513 nameserver 172.16.72.4
517 <div class="sect1" lang="en">
518 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
519 <a name="tsig"></a>TSIG</h2></div></div></div>
521 This is a short guide to setting up Transaction SIGnatures
522 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
523 to the configuration file as well as what changes are required for
524 different features, including the process of creating transaction
525 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
528 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
529 to server communication.
530 This includes zone transfer, notify, and recursive query messages.
531 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
535 TSIG can also be useful for dynamic update. A primary
536 server for a dynamic zone should control access to the dynamic
537 update service, but IP-based access control is insufficient.
538 The cryptographic access control provided by TSIG
539 is far superior. The <span><strong class="command">nsupdate</strong></span>
540 program supports TSIG via the <code class="option">-k</code> and
541 <code class="option">-y</code> command line options or inline by use
542 of the <span><strong class="command">key</strong></span>.
544 <div class="sect2" lang="en">
545 <div class="titlepage"><div><div><h3 class="title">
546 <a name="id2571336"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
548 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
549 An arbitrary key name is chosen: "host1-host2.". The key name must
550 be the same on both hosts.
552 <div class="sect3" lang="en">
553 <div class="titlepage"><div><div><h4 class="title">
554 <a name="id2571353"></a>Automatic Generation</h4></div></div></div>
556 The following command will generate a 128-bit (16 byte) HMAC-SHA256
557 key as described above. Longer keys are better, but shorter keys
558 are easier to read. Note that the maximum key length is the digest
559 length, here 256 bits.
562 <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
565 The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
566 Nothing directly uses this file, but the base-64 encoded string
567 following "<code class="literal">Key:</code>"
568 can be extracted from the file and used as a shared secret:
570 <pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
572 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
573 be used as the shared secret.
576 <div class="sect3" lang="en">
577 <div class="titlepage"><div><div><h4 class="title">
578 <a name="id2571392"></a>Manual Generation</h4></div></div></div>
580 The shared secret is simply a random sequence of bits, encoded
581 in base-64. Most ASCII strings are valid base-64 strings (assuming
582 the length is a multiple of 4 and only valid characters are used),
583 so the shared secret can be manually generated.
586 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
587 a similar program to generate base-64 encoded data.
591 <div class="sect2" lang="en">
592 <div class="titlepage"><div><div><h3 class="title">
593 <a name="id2571478"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
595 This is beyond the scope of DNS. A secure transport mechanism
596 should be used. This could be secure FTP, ssh, telephone, etc.
599 <div class="sect2" lang="en">
600 <div class="titlepage"><div><div><h3 class="title">
601 <a name="id2571489"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
603 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
605 both servers. The following is added to each server's <code class="filename">named.conf</code> file:
607 <pre class="programlisting">
609 algorithm hmac-sha256;
610 secret "La/E5CjG9O+os1jq0a2jdA==";
614 The secret is the one generated above. Since this is a secret, it
615 is recommended that either <code class="filename">named.conf</code> be
616 non-world readable, or the key directive be added to a non-world
617 readable file that is included by <code class="filename">named.conf</code>.
620 At this point, the key is recognized. This means that if the
621 server receives a message signed by this key, it can verify the
622 signature. If the signature is successfully verified, the
623 response is signed by the same key.
626 <div class="sect2" lang="en">
627 <div class="titlepage"><div><div><h3 class="title">
628 <a name="id2571525"></a>Instructing the Server to Use the Key</h3></div></div></div>
630 Since keys are shared between two hosts only, the server must
631 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
632 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
635 <pre class="programlisting">
637 keys { host1-host2. ;};
641 Multiple keys may be present, but only the first is used.
642 This directive does not contain any secrets, so it may be in a
647 If <span class="emphasis"><em>host1</em></span> sends a message that is a request
648 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
649 expect any responses to signed messages to be signed with the same
653 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
654 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
655 sign request messages to <span class="emphasis"><em>host1</em></span>.
658 <div class="sect2" lang="en">
659 <div class="titlepage"><div><div><h3 class="title">
660 <a name="id2571651"></a>TSIG Key Based Access Control</h3></div></div></div>
662 <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
663 to be specified in ACL
665 <span><strong class="command">allow-{ query | transfer | update }</strong></span>
667 This has been extended to allow TSIG keys also. The above key would
668 be denoted <span><strong class="command">key host1-host2.</strong></span>
671 An example of an <span><strong class="command">allow-update</strong></span> directive would be:
673 <pre class="programlisting">
674 allow-update { key host1-host2. ;};
677 This allows dynamic updates to succeed only if the request
678 was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
681 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
682 the more flexible <span><strong class="command">update-policy</strong></span> statement.
685 <div class="sect2" lang="en">
686 <div class="titlepage"><div><div><h3 class="title">
687 <a name="id2571700"></a>Errors</h3></div></div></div>
689 The processing of TSIG signed messages can result in
690 several errors. If a signed message is sent to a non-TSIG aware
691 server, a FORMERR (format error) will be returned, since the server will not
692 understand the record. This is a result of misconfiguration,
693 since the server must be explicitly configured to send a TSIG
694 signed message to a specific server.
697 If a TSIG aware server receives a message signed by an
698 unknown key, the response will be unsigned with the TSIG
699 extended error code set to BADKEY. If a TSIG aware server
700 receives a message with a signature that does not validate, the
701 response will be unsigned with the TSIG extended error code set
702 to BADSIG. If a TSIG aware server receives a message with a time
703 outside of the allowed range, the response will be signed with
704 the TSIG extended error code set to BADTIME, and the time values
705 will be adjusted so that the response can be successfully
706 verified. In any of these cases, the message's rcode (response code) is set to
707 NOTAUTH (not authenticated).
711 <div class="sect1" lang="en">
712 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
713 <a name="id2571714"></a>TKEY</h2></div></div></div>
714 <p><span><strong class="command">TKEY</strong></span>
715 is a mechanism for automatically generating a shared secret
716 between two hosts. There are several "modes" of
717 <span><strong class="command">TKEY</strong></span> that specify how the key is generated
718 or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
719 these modes, the Diffie-Hellman key exchange. Both hosts are
720 required to have a Diffie-Hellman KEY record (although this
721 record is not required to be present in a zone). The
722 <span><strong class="command">TKEY</strong></span> process must use signed messages,
723 signed either by TSIG or SIG(0). The result of
724 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
725 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
726 used to delete shared secrets that it had previously
730 The <span><strong class="command">TKEY</strong></span> process is initiated by a
732 or server by sending a signed <span><strong class="command">TKEY</strong></span>
734 (including any appropriate KEYs) to a TKEY-aware server. The
735 server response, if it indicates success, will contain a
736 <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
738 this exchange, both participants have enough information to
739 determine the shared secret; the exact process depends on the
740 <span><strong class="command">TKEY</strong></span> mode. When using the
742 <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
744 and the shared secret is derived by both participants.
747 <div class="sect1" lang="en">
748 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
749 <a name="id2563980"></a>SIG(0)</h2></div></div></div>
751 <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
752 transaction signatures as specified in RFC 2535 and RFC 2931.
754 uses public/private keys to authenticate messages. Access control
755 is performed in the same manner as TSIG keys; privileges can be
756 granted or denied based on the key name.
759 When a SIG(0) signed message is received, it will only be
760 verified if the key is known and trusted by the server; the server
761 will not attempt to locate and/or validate the key.
764 SIG(0) signing of multiple-message TCP streams is not
768 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
769 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
772 <div class="sect1" lang="en">
773 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
774 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
776 Cryptographic authentication of DNS information is possible
777 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
778 defined in RFC 4033, RFC 4034, and RFC 4035.
779 This section describes the creation and use of DNSSEC signed zones.
782 In order to set up a DNSSEC secure zone, there are a series
783 of steps which must be followed. <acronym class="acronym">BIND</acronym>
786 that are used in this process, which are explained in more detail
787 below. In all cases, the <code class="option">-h</code> option prints a
788 full list of parameters. Note that the DNSSEC tools require the
789 keyset files to be in the working directory or the
790 directory specified by the <code class="option">-d</code> option, and
791 that the tools shipped with BIND 9.2.x and earlier are not compatible
792 with the current ones.
795 There must also be communication with the administrators of
796 the parent and/or child zone to transmit keys. A zone's security
797 status must be indicated by the parent zone for a DNSSEC capable
798 resolver to trust its data. This is done through the presence
799 or absence of a <code class="literal">DS</code> record at the
804 For other servers to trust data in this zone, they must
805 either be statically configured with this zone's zone key or the
806 zone key of another zone above this one in the DNS tree.
808 <div class="sect2" lang="en">
809 <div class="titlepage"><div><div><h3 class="title">
810 <a name="id2564117"></a>Generating Keys</h3></div></div></div>
812 The <span><strong class="command">dnssec-keygen</strong></span> program is used to
816 A secure zone must contain one or more zone keys. The
817 zone keys will sign all other records in the zone, as well as
818 the zone keys of any secure delegated zones. Zone keys must
819 have the same name as the zone, a name type of
820 <span><strong class="command">ZONE</strong></span>, and must be usable for
822 It is recommended that zone keys use a cryptographic algorithm
823 designated as "mandatory to implement" by the IETF; currently
824 the only one is RSASHA1.
827 The following command will generate a 768-bit RSASHA1 key for
828 the <code class="filename">child.example</code> zone:
831 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
834 Two output files will be produced:
835 <code class="filename">Kchild.example.+005+12345.key</code> and
836 <code class="filename">Kchild.example.+005+12345.private</code>
838 12345 is an example of a key tag). The key filenames contain
839 the key name (<code class="filename">child.example.</code>),
841 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
843 The private key (in the <code class="filename">.private</code>
845 used to generate signatures, and the public key (in the
846 <code class="filename">.key</code> file) is used for signature
850 To generate another key with the same properties (but with
851 a different key tag), repeat the above command.
854 The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
855 to get a key pair from a crypto hardware and build the key
856 files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
859 The public keys should be inserted into the zone file by
860 including the <code class="filename">.key</code> files using
861 <span><strong class="command">$INCLUDE</strong></span> statements.
864 <div class="sect2" lang="en">
865 <div class="titlepage"><div><div><h3 class="title">
866 <a name="id2572183"></a>Signing the Zone</h3></div></div></div>
868 The <span><strong class="command">dnssec-signzone</strong></span> program is used
872 Any <code class="filename">keyset</code> files corresponding to
873 secure subzones should be present. The zone signer will
874 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
875 and <code class="literal">RRSIG</code> records for the zone, as
876 well as <code class="literal">DS</code> for the child zones if
877 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
878 is not specified, then DS RRsets for the secure child
879 zones need to be added manually.
882 The following command signs the zone, assuming it is in a
883 file called <code class="filename">zone.child.example</code>. By
884 default, all zone keys which have an available private key are
885 used to generate signatures.
888 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
891 One output file is produced:
892 <code class="filename">zone.child.example.signed</code>. This
894 should be referenced by <code class="filename">named.conf</code>
896 input file for the zone.
898 <p><span><strong class="command">dnssec-signzone</strong></span>
899 will also produce a keyset and dsset files and optionally a
900 dlvset file. These are used to provide the parent zone
901 administrators with the <code class="literal">DNSKEYs</code> (or their
902 corresponding <code class="literal">DS</code> records) that are the
903 secure entry point to the zone.
906 <div class="sect2" lang="en">
907 <div class="titlepage"><div><div><h3 class="title">
908 <a name="id2572264"></a>Configuring Servers</h3></div></div></div>
910 To enable <span><strong class="command">named</strong></span> to respond appropriately
911 to DNS requests from DNSSEC aware clients,
912 <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
913 (This is the default setting.)
916 To enable <span><strong class="command">named</strong></span> to validate answers from
917 other servers, the <span><strong class="command">dnssec-enable</strong></span> option
918 must be set to <strong class="userinput"><code>yes</code></strong>, and the
919 <span><strong class="command">dnssec-validation</strong></span> options must be set to
920 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
923 If <span><strong class="command">dnssec-validation</strong></span> is set to
924 <strong class="userinput"><code>auto</code></strong>, then a default
925 trust anchor for the DNS root zone will be used.
926 If it is set to <strong class="userinput"><code>yes</code></strong>, however,
927 then at least one trust anchor must be configured
928 with a <span><strong class="command">trusted-keys</strong></span> or
929 <span><strong class="command">managed-keys</strong></span> statement in
930 <code class="filename">named.conf</code>, or DNSSEC validation
931 will not occur. The default setting is
932 <strong class="userinput"><code>yes</code></strong>.
935 <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
936 for zones that are used to form the first link in the
937 cryptographic chain of trust. All keys listed in
938 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
939 are deemed to exist and only the listed keys will be used
940 to validated the DNSKEY RRset that they are from.
943 <span><strong class="command">managed-keys</strong></span> are trusted keys which are
944 automatically kept up to date via RFC 5011 trust anchor
948 <span><strong class="command">trusted-keys</strong></span> and
949 <span><strong class="command">managed-keys</strong></span> are described in more detail
950 later in this document.
953 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
954 9 does not verify signatures on load, so zone keys for
955 authoritative zones do not need to be specified in the
959 After DNSSEC gets established, a typical DNSSEC configuration
960 will look something like the following. It has one or
961 more public keys for the root. This allows answers from
962 outside the organization to be validated. It will also
963 have several keys for parts of the namespace the organization
964 controls. These are here to ensure that <span><strong class="command">named</strong></span>
965 is immune to compromises in the DNSSEC components of the security
968 <pre class="programlisting">
971 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
972 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
973 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
974 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
975 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
976 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
977 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
978 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
979 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
980 dgxbcDTClU0CRBdiieyLMNzXG3";
984 /* Key for our organization's forward zone */
985 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
986 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
987 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
988 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
989 kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
990 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
991 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
992 FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
993 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
994 /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
997 /* Key for our reverse zone. */
998 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
999 xOdNax071L18QqZnQQQAVVr+i
1000 LhGTnNGp3HoWQLUIzKrJVZ3zg
1001 gy3WwNT6kZo6c0tszYqbtvchm
1002 gQC8CzKojM/W16i6MG/eafGU3
1003 siaOdS0yOI6BgPsw+YZdzlYMa
1004 IJGf4M4dyoKIhzdZyQ2bYQrjy
1005 Q4LB0lC7aOnsMyYKHHYeRvPxj
1006 IQXmdqgOJGq+vsevG06zW+1xg
1007 YJh9rCIfnm1GX/KMgxLPG2vXT
1008 D/RnLX+D3T3UL7HJYHJhAZD5L
1009 59VvjSPsZJHeDCUyWYrvPZesZ
1010 DIRvhDD52SKvbheeTJUm6Ehkz
1011 ytNN2SN96QRk8j/iI8ib";
1017 dnssec-validation yes;
1020 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1021 <h3 class="title">Note</h3>
1022 None of the keys listed in this example are valid. In particular,
1023 the root key is not valid.
1026 When DNSSEC validation is enabled and properly configured,
1027 the resolver will reject any answers from signed, secure zones
1028 which fail to validate, and will return SERVFAIL to the client.
1031 Responses may fail to validate for any of several reasons,
1032 including missing, expired, or invalid signatures, a key which
1033 does not match the DS RRset in the parent zone, or an insecure
1034 response from a zone which, according to its parent, should have
1037 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1038 <h3 class="title">Note</h3>
1040 When the validator receives a response from an unsigned zone
1041 that has a signed parent, it must confirm with the parent
1042 that the zone was intentionally left unsigned. It does
1043 this by verifying, via signed and validated NSEC/NSEC3 records,
1044 that the parent zone contains no DS records for the child.
1047 If the validator <span class="emphasis"><em>can</em></span> prove that the zone
1048 is insecure, then the response is accepted. However, if it
1049 cannot, then it must assume an insecure response to be a
1050 forgery; it rejects the response and logs an error.
1053 The logged error reads "insecurity proof failed" and
1054 "got insecure response; parent indicates it should be secure".
1055 (Prior to BIND 9.7, the logged error was "not insecure".
1056 This referred to the zone, not the response.)
1061 <div class="sect1" lang="en">
1062 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1063 <a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
1064 <p>As of BIND 9.7.0 it is possible to change a dynamic zone
1065 from insecure to signed and back again. A secure zone can use
1066 either NSEC or NSEC3 chains.</p>
1067 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1068 <a name="id2563484"></a>Converting from insecure to secure</h3></div></div></div></div>
1069 <p>Changing a zone from insecure to secure can be done in two
1070 ways: using a dynamic DNS update, or the
1071 <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
1072 <p>For either method, you need to configure
1073 <span><strong class="command">named</strong></span> so that it can see the
1074 <code class="filename">K*</code> files which contain the public and private
1075 parts of the keys that will be used to sign the zone. These files
1076 will have been generated by
1077 <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
1078 in the key-directory, as specified in
1079 <code class="filename">named.conf</code>:</p>
1080 <pre class="programlisting">
1083 update-policy local;
1084 file "dynamic/example.net/example.net";
1085 key-directory "dynamic/example.net";
1088 <p>If one KSK and one ZSK DNSKEY key have been generated, this
1089 configuration will cause all records in the zone to be signed
1090 with the ZSK, and the DNSKEY RRset to be signed with the KSK as
1091 well. An NSEC chain will be generated as part of the initial
1092 signing process.</p>
1093 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1094 <a name="id2563522"></a>Dynamic DNS update method</h3></div></div></div></div>
1095 <p>To insert the keys via dynamic update:</p>
1096 <pre class="screen">
1099 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
1100 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
1103 <p>While the update request will complete almost immediately,
1104 the zone will not be completely signed until
1105 <span><strong class="command">named</strong></span> has had time to walk the zone and
1106 generate the NSEC and RRSIG records. The NSEC record at the apex
1107 will be added last, to signal that there is a complete NSEC
1109 <p>If you wish to sign using NSEC3 instead of NSEC, you should
1110 add an NSEC3PARAM record to the initial update request. If you
1111 wish the NSEC3 chain to have the OPTOUT bit set, set it in the
1112 flags field of the NSEC3PARAM record.</p>
1113 <pre class="screen">
1116 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
1117 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
1118 > update add example.net NSEC3PARAM 1 1 100 1234567890
1121 <p>Again, this update request will complete almost
1122 immediately; however, the record won't show up until
1123 <span><strong class="command">named</strong></span> has had a chance to build/remove the
1124 relevant chain. A private type record will be created to record
1125 the state of the operation (see below for more details), and will
1126 be removed once the operation completes.</p>
1127 <p>While the initial signing and NSEC/NSEC3 chain generation
1128 is happening, other updates are possible as well.</p>
1129 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1130 <a name="id2563626"></a>Fully automatic zone signing</h3></div></div></div></div>
1131 <p>To enable automatic signing, add the
1132 <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in
1133 <code class="filename">named.conf</code>.
1134 <span><strong class="command">auto-dnssec</strong></span> has two possible arguments:
1135 <code class="constant">allow</code> or
1136 <code class="constant">maintain</code>.</p>
1138 <span><strong class="command">auto-dnssec allow</strong></span>,
1139 <span><strong class="command">named</strong></span> can search the key directory for keys
1140 matching the zone, insert them into the zone, and use them to
1141 sign the zone. It will do so only when it receives an
1142 <span><strong class="command">rndc sign <zonename></strong></span> or
1143 <span><strong class="command">rndc loadkeys <zonename></strong></span> command.</p>
1146 <span><strong class="command">auto-dnssec maintain</strong></span> includes the above
1147 functionality, but will also automatically adjust the zone's
1148 DNSKEY records on schedule according to the keys' timing metadata.
1149 (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
1150 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
1151 If keys are present in the key directory the first time the zone
1152 is loaded, it will be signed immediately, without waiting for an
1153 <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
1154 command. (Those commands can still be used when there are unscheduled
1155 key changes, however.)
1158 <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
1159 configured to allow dynamic updates, by adding an
1160 <span><strong class="command">allow-update</strong></span> or
1161 <span><strong class="command">update-policy</strong></span> statement to the zone
1162 configuration. If this has not been done, the configuration will
1164 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1165 <a name="id2563777"></a>Private-type records</h3></div></div></div></div>
1166 <p>The state of the signing process is signaled by
1167 private-type records (with a default type value of 65534). When
1168 signing is complete, these records will have a nonzero value for
1169 the final octet (for those records which have a nonzero initial
1171 <p>The private type record format: If the first octet is
1172 non-zero then the record indicates that the zone needs to be
1173 signed with the key matching the record, or that all signatures
1174 that match the record should be removed.</p>
1177 <div class="literallayout"><p><br>
1179 algorithm (octet 1)<br>
1180 key id in network order (octet 2 and 3)<br>
1181 removal flag (octet 4)<br>
1182 complete flag (octet 5)<br>
1186 <p>Only records flagged as "complete" can be removed via
1187 dynamic update. Attempts to remove other private type records
1188 will be silently ignored.</p>
1189 <p>If the first octet is zero (this is a reserved algorithm
1190 number that should never appear in a DNSKEY record) then the
1191 record indicates changes to the NSEC3 chains are in progress. The
1192 rest of the record contains an NSEC3PARAM record. The flag field
1193 tells what operation to perform based on the flag bits.</p>
1196 <div class="literallayout"><p><br>
1205 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1206 <a name="id2563814"></a>DNSKEY rollovers</h3></div></div></div></div>
1207 <p>As with insecure-to-secure conversions, rolling DNSSEC
1208 keys can be done in two ways: using a dynamic DNS update, or the
1209 <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
1210 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1211 <a name="id2563827"></a>Dynamic DNS update method</h3></div></div></div></div>
1212 <p> To perform key rollovers via dynamic update, you need to add
1213 the <code class="filename">K*</code> files for the new keys so that
1214 <span><strong class="command">named</strong></span> can find them. You can then add the new
1215 DNSKEY RRs via dynamic update.
1216 <span><strong class="command">named</strong></span> will then cause the zone to be signed
1217 with the new keys. When the signing is complete the private type
1218 records will be updated so that the last octet is non
1220 <p>If this is for a KSK you need to inform the parent and any
1221 trust anchor repositories of the new KSK.</p>
1222 <p>You should then wait for the maximum TTL in the zone before
1223 removing the old DNSKEY. If it is a KSK that is being updated,
1224 you also need to wait for the DS RRset in the parent to be
1225 updated and its TTL to expire. This ensures that all clients will
1226 be able to verify at least one signature when you remove the old
1228 <p>The old DNSKEY can be removed via UPDATE. Take care to
1229 specify the correct key.
1230 <span><strong class="command">named</strong></span> will clean out any signatures generated
1231 by the old key after the update completes.</p>
1232 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1233 <a name="id2563860"></a>Automatic key rollovers</h3></div></div></div></div>
1234 <p>When a new key reaches its activation date (as set by
1235 <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
1236 if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
1237 <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
1238 automatically carry out the key rollover. If the key's algorithm
1239 has not previously been used to sign the zone, then the zone will
1240 be fully signed as quickly as possible. However, if the new key
1241 is replacing an existing key of the same algorithm, then the
1242 zone will be re-signed incrementally, with signatures from the
1243 old key being replaced with signatures from the new key as their
1244 signature validity periods expire. By default, this rollover
1245 completes in 30 days, after which it will be safe to remove the
1246 old key from the DNSKEY RRset.</p>
1247 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1248 <a name="id2563886"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
1249 <p>Add the new NSEC3PARAM record via dynamic update. When the
1250 new NSEC3 chain has been generated, the NSEC3PARAM flag field
1251 will be zero. At this point you can remove the old NSEC3PARAM
1252 record. The old chain will be removed after the update request
1254 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1255 <a name="id2563896"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
1256 <p>To do this, you just need to add an NSEC3PARAM record. When
1257 the conversion is complete, the NSEC chain will have been removed
1258 and the NSEC3PARAM record will have a zero flag field. The NSEC3
1259 chain will be generated before the NSEC chain is
1261 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1262 <a name="id2563906"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
1263 <p>To do this, use <span><strong class="command">nsupdate</strong></span> to
1264 remove all NSEC3PARAM records with a zero flag
1265 field. The NSEC chain will be generated before the NSEC3 chain is
1267 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1268 <a name="id2563918"></a>Converting from secure to insecure</h3></div></div></div></div>
1269 <p>To convert a signed zone to unsigned using dynamic DNS,
1270 delete all the DNSKEY records from the zone apex using
1271 <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
1272 and associated NSEC3PARAM records will be removed automatically.
1273 This will take place after the update request completes.</p>
1274 <p> This requires the
1275 <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to
1276 <strong class="userinput"><code>yes</code></strong> in
1277 <code class="filename">named.conf</code>.</p>
1278 <p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
1279 zone statement is used, it should be removed or changed to
1280 <span><strong class="command">allow</strong></span> instead (or it will re-sign).
1282 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1283 <a name="id2563956"></a>Periodic re-signing</h3></div></div></div></div>
1284 <p>In any secure zone which supports dynamic updates, named
1285 will periodically re-sign RRsets which have not been re-signed as
1286 a result of some update action. The signature lifetimes will be
1287 adjusted so as to spread the re-sign load over time rather than
1289 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
1290 <a name="id2571816"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
1292 <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
1293 where all the NSEC3 records in the zone have the same OPTOUT
1295 <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
1296 records in the chain have mixed OPTOUT state.
1297 <span><strong class="command">named</strong></span> does not support changing the OPTOUT
1298 state of an individual NSEC3 record, the entire chain needs to be
1299 changed if the OPTOUT state of an individual NSEC3 needs to be
1302 <div class="sect1" lang="en">
1303 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1304 <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
1305 <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
1306 anchor management. Using this feature allows
1307 <span><strong class="command">named</strong></span> to keep track of changes to critical
1308 DNSSEC keys without any need for the operator to make changes to
1309 configuration files.</p>
1310 <div class="sect2" lang="en">
1311 <div class="titlepage"><div><div><h3 class="title">
1312 <a name="id2571869"></a>Validating Resolver</h3></div></div></div>
1313 <p>To configure a validating resolver to use RFC 5011 to
1314 maintain a trust anchor, configure the trust anchor using a
1315 <span><strong class="command">managed-keys</strong></span> statement. Information about
1316 this can be found in
1317 <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
1318 and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition
1319 and Usage”</a>.</p>
1321 <div class="sect2" lang="en">
1322 <div class="titlepage"><div><div><h3 class="title">
1323 <a name="id2571892"></a>Authoritative Server</h3></div></div></div>
1324 <p>To set up an authoritative zone for RFC 5011 trust anchor
1325 maintenance, generate two (or more) key signing keys (KSKs) for
1326 the zone. Sign the zone with one of them; this is the "active"
1327 KSK. All KSK's which do not sign the zone are "stand-by"
1329 <p>Any validating resolver which is configured to use the
1330 active KSK as an RFC 5011-managed trust anchor will take note
1331 of the stand-by KSKs in the zone's DNSKEY RRset, and store them
1332 for future reference. The resolver will recheck the zone
1333 periodically, and after 30 days, if the new key is still there,
1334 then the key will be accepted by the resolver as a valid trust
1335 anchor for the zone. Any time after this 30-day acceptance
1336 timer has completed, the active KSK can be revoked, and the
1337 zone can be "rolled over" to the newly accepted key.</p>
1338 <p>The easiest way to place a stand-by key in a zone is to
1339 use the "smart signing" features of
1340 <span><strong class="command">dnssec-keygen</strong></span> and
1341 <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication
1342 date in the past, but an activation date which is unset or in
1344 <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
1345 record in the zone, but will not sign with it:</p>
1346 <pre class="screen">
1347 $ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
1348 $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
1350 <p>To revoke a key, the new command
1351 <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
1352 REVOKED bit to the key flags and re-generates the
1353 <code class="filename">K*.key</code> and
1354 <code class="filename">K*.private</code> files.</p>
1355 <p>After revoking the active key, the zone must be signed
1356 with both the revoked KSK and the new active KSK. (Smart
1357 signing takes care of this automatically.)</p>
1358 <p>Once a key has been revoked and used to sign the DNSKEY
1359 RRset in which it appears, that key will never again be
1360 accepted as a valid trust anchor by the resolver. However,
1361 validation can proceed using the new active key (which had been
1362 accepted by the resolver when it was a stand-by key).</p>
1363 <p>See RFC 5011 for more details on key rollover
1365 <p>When a key has been revoked, its key ID changes,
1366 increasing by 128, and wrapping around at 65535. So, for
1367 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
1368 "<code class="filename">Kexample.com.+005+10128</code>".</p>
1369 <p>If two keys have ID's exactly 128 apart, and one is
1370 revoked, then the two key ID's will collide, causing several
1371 problems. To prevent this,
1372 <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
1373 another key is present which may collide. This checking will
1374 only occur if the new keys are written to the same directory
1375 which holds all other keys in use for that zone.</p>
1376 <p>Older versions of BIND 9 did not have this precaution.
1377 Exercise caution if using key revocation on keys that were
1378 generated by previous releases, or if using keys stored in
1379 multiple directories or on multiple machines.</p>
1380 <p>It is expected that a future release of BIND 9 will
1381 address this problem in a different way, by storing revoked
1382 keys with their original unrevoked key ID's.</p>
1385 <div class="sect1" lang="en">
1386 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1387 <a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
1388 <p>PKCS #11 (Public Key Cryptography Standard #11) defines a
1389 platform- independent API for the control of hardware security
1390 modules (HSMs) and other cryptographic support devices.</p>
1391 <p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
1392 cryptographic acceleration board, tested under Solaris x86, and
1393 the AEP Keyper network-attached key storage device, tested with
1394 Debian Linux, Solaris x86 and Windows Server 2003.</p>
1395 <div class="sect2" lang="en">
1396 <div class="titlepage"><div><div><h3 class="title">
1397 <a name="id2609757"></a>Prerequisites</h3></div></div></div>
1398 <p>See the HSM vendor documentation for information about
1399 installing, initializing, testing and troubleshooting the
1401 <p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
1402 does not yet fully support PKCS #11. However, a PKCS #11 engine
1403 for OpenSSL is available from the OpenSolaris project. It has
1404 been modified by ISC to work with with BIND 9, and to provide
1405 new features such as PIN management and key by
1407 <p>The patched OpenSSL depends on a "PKCS #11 provider".
1408 This is a shared library object, providing a low-level PKCS #11
1409 interface to the HSM hardware. It is dynamically loaded by
1410 OpenSSL at runtime. The PKCS #11 provider comes from the HSM
1411 vendor, and and is specific to the HSM to be controlled.</p>
1412 <p>There are two "flavors" of PKCS #11 support provided by
1413 the patched OpenSSL, one of which must be chosen at
1414 configuration time. The correct choice depends on the HSM
1416 <div class="itemizedlist"><ul type="disc">
1417 <li><p>Use 'crypto-accelerator' with HSMs that have hardware
1418 cryptographic acceleration features, such as the SCA 6000
1419 board. This causes OpenSSL to run all supported
1420 cryptographic operations in the HSM.</p></li>
1421 <li><p>Use 'sign-only' with HSMs that are designed to
1422 function primarily as secure key storage devices, but lack
1423 hardware acceleration. These devices are highly secure, but
1424 are not necessarily any faster at cryptography than the
1425 system CPU — often, they are slower. It is therefore
1426 most efficient to use them only for those cryptographic
1427 functions that require access to the secured private key,
1428 such as zone signing, and to use the system CPU for all
1429 other computationally-intensive operations. The AEP Keyper
1430 is an example of such a device.</p></li>
1432 <p>The modified OpenSSL code is included in the BIND 9.7.0
1433 release, in the form of a context diff against the latest OpenSSL.
1435 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1436 <h3 class="title">Note</h3>
1437 The latest OpenSSL version at the time of the BIND release
1439 ISC will provide an updated patch as new versions of OpenSSL
1440 are released. The version number in the following examples
1441 is expected to change.</div>
1443 Before building BIND 9 with PKCS #11 support, it will be
1444 necessary to build OpenSSL with this patch in place and inform
1445 it of the path to the HSM-specific PKCS #11 provider
1447 <p>Obtain OpenSSL 0.9.8l:</p>
1448 <pre class="screen">
1449 $ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8l.tar.gz</a></code></strong>
1451 <p>Extract the tarball:</p>
1452 <pre class="screen">
1453 $ <strong class="userinput"><code>tar zxf openssl-0.9.8l.tar.gz</code></strong>
1455 <p>Apply the patch from the BIND 9 release:</p>
1456 <pre class="screen">
1457 $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8l \
1458 < bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch</code></strong>
1460 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1461 <h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
1462 "patch" utility on all operating systems. You may need to
1463 install GNU patch.)</div>
1464 <p>When building OpenSSL, place it in a non-standard
1465 location so that it does not interfere with OpenSSL libraries
1466 elsewhere on the system. In the following examples, we choose
1467 to install into "/opt/pkcs11/usr". We will use this location
1468 when we configure BIND 9.</p>
1469 <div class="sect3" lang="en">
1470 <div class="titlepage"><div><div><h4 class="title">
1471 <a name="id2607669"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
1472 <p>The AEP Keyper is a highly secure key storage device,
1473 but does not provide hardware cryptographic acceleration. It
1474 can carry out cryptographic operations, but it is probably
1475 slower than your system's CPU. Therefore, we choose the
1476 'sign-only' flavor when building OpenSSL.</p>
1477 <p>The Keyper-specific PKCS #11 provider library is
1478 delivered with the Keyper software. In this example, we place
1479 it /opt/pkcs11/usr/lib:</p>
1480 <pre class="screen">
1481 $ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
1483 <p>This library is only available for Linux as a 32-bit
1484 binary. If we are compiling on a 64-bit Linux system, it is
1485 necessary to force a 32-bit build, by specifying -m32 in the
1487 <p>Finally, the Keyper library requires threads, so we
1488 must specify -pthread.</p>
1489 <pre class="screen">
1490 $ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong>
1491 $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
1492 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
1493 --pk11-flavor=sign-only \
1494 --prefix=/opt/pkcs11/usr</code></strong>
1496 <p>After configuring, run "<span><strong class="command">make</strong></span>"
1497 and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
1498 test</strong></span>" fails with "pthread_atfork() not found", you forgot to
1499 add the -pthread above.</p>
1501 <div class="sect3" lang="en">
1502 <div class="titlepage"><div><div><h4 class="title">
1503 <a name="id2607806"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
1504 <p>The SCA-6000 PKCS #11 provider is installed as a system
1505 library, libpkcs11. It is a true crypto accelerator, up to 4
1506 times faster than any CPU, so the flavor shall be
1507 'crypto-accelerator'.</p>
1508 <p>In this example, we are building on Solaris x86 on an
1510 <pre class="screen">
1511 $ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong>
1512 $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
1513 --pk11-libname=/usr/lib/64/libpkcs11.so \
1514 --pk11-flavor=crypto-accelerator \
1515 --prefix=/opt/pkcs11/usr</code></strong>
1517 <p>(For a 32-bit build, use "solaris-x86-cc" and
1518 /usr/lib/libpkcs11.so.)</p>
1519 <p>After configuring, run
1520 <span><strong class="command">make</strong></span> and
1521 <span><strong class="command">make test</strong></span>.</p>
1522 <p>Once you have built OpenSSL, run
1523 "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
1524 that PKCS #11 support was compiled in correctly. The output
1525 should be one of the following lines, depending on the flavor
1527 <pre class="screen">
1528 (pkcs11) PKCS #11 engine support (sign only)
1531 <pre class="screen">
1532 (pkcs11) PKCS #11 engine support (crypto accelerator)
1535 "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
1536 attempt to initialize the PKCS #11 engine. If it is able to
1537 do so successfully, it will report
1538 “<span class="quote"><code class="literal">[ available ]</code></span>”.</p>
1539 <p>If the output is correct, run
1540 "<span><strong class="command">make install</strong></span>" which will install the
1541 modified OpenSSL suite to
1542 <code class="filename">/opt/pkcs11/usr</code>.</p>
1545 <div class="sect2" lang="en">
1546 <div class="titlepage"><div><div><h3 class="title">
1547 <a name="id2607912"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
1548 <p>When building BIND 9, the location of the custom-built
1549 OpenSSL library must be specified via configure.</p>
1550 <div class="sect3" lang="en">
1551 <div class="titlepage"><div><div><h4 class="title">
1552 <a name="id2607921"></a>Configuring BIND 9 for Linux</h4></div></div></div>
1553 <p>To link with the PKCS #11 provider, threads must be
1554 enabled in the BIND 9 build.</p>
1555 <p>The PKCS #11 library for the AEP Keyper is currently
1556 only available as a 32-bit binary. If we are building on a
1557 64-bit host, we must force a 32-bit build by adding "-m32" to
1558 the CC options on the "configure" command line.</p>
1559 <pre class="screen">
1560 $ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong>
1561 $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
1562 --with-openssl=/opt/pkcs11/usr \
1563 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
1566 <div class="sect3" lang="en">
1567 <div class="titlepage"><div><div><h4 class="title">
1568 <a name="id2608020"></a>Configuring BIND 9 for Solaris</h4></div></div></div>
1569 <p>To link with the PKCS #11 provider, threads must be
1570 enabled in the BIND 9 build.</p>
1571 <pre class="screen">
1572 $ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong>
1573 $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
1574 --with-openssl=/opt/pkcs11/usr \
1575 --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
1577 <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
1578 <p>If configure complains about OpenSSL not working, you
1579 may have a 32/64-bit architecture mismatch. Or, you may have
1580 incorrectly specified the path to OpenSSL (it should be the
1581 same as the --prefix argument to the OpenSSL
1584 <p>After configuring, run
1585 "<span><strong class="command">make</strong></span>",
1586 "<span><strong class="command">make test</strong></span>" and
1587 "<span><strong class="command">make install</strong></span>".</p>
1589 <div class="sect2" lang="en">
1590 <div class="titlepage"><div><div><h3 class="title">
1591 <a name="id2608144"></a>PKCS #11 Tools</h3></div></div></div>
1592 <p>BIND 9 includes a minimal set of tools to operate the
1594 <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
1596 <span><strong class="command">pkcs11-list</strong></span> to list objects currently
1598 <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
1599 <p>In UNIX/Linux builds, these tools are built only if BIND
1600 9 is configured with the --with-pkcs11 option. (NOTE: If
1601 --with-pkcs11 is set to "yes", rather than to the path of the
1602 PKCS #11 provider, then the tools will be built but the
1603 provider will be left undefined. Use the -m option or the
1604 PKCS11_PROVIDER environment variable to specify the path to the
1607 <div class="sect2" lang="en">
1608 <div class="titlepage"><div><div><h3 class="title">
1609 <a name="id2608174"></a>Using the HSM</h3></div></div></div>
1610 <p>First, we must set up the runtime environment so the
1611 OpenSSL and PKCS #11 libraries can be loaded:</p>
1612 <pre class="screen">
1613 $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
1615 <p>When operating an AEP Keyper, it is also necessary to
1616 specify the location of the "machine" file, which stores
1617 information about the Keyper for use by PKCS #11 provider
1618 library. If the machine file is in
1619 <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
1621 <pre class="screen">
1622 $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
1624 <p>These environment variables must be set whenever running
1625 any tool that uses the HSM, including
1626 <span><strong class="command">pkcs11-keygen</strong></span>,
1627 <span><strong class="command">pkcs11-list</strong></span>,
1628 <span><strong class="command">pkcs11-destroy</strong></span>,
1629 <span><strong class="command">dnssec-keyfromlabel</strong></span>,
1630 <span><strong class="command">dnssec-signzone</strong></span>,
1631 <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for
1632 random number generation), and
1633 <span><strong class="command">named</strong></span>.</p>
1634 <p>We can now create and use keys in the HSM. In this case,
1635 we will create a 2048 bit key and give it the label
1637 <pre class="screen">
1638 $ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
1640 <p>To confirm that the key exists:</p>
1641 <pre class="screen">
1642 $ <strong class="userinput"><code>pkcs11-list</code></strong>
1644 object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
1645 object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
1647 <p>Before using this key to sign a zone, we must create a
1648 pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
1649 does this. In this case, we will be using the HSM key
1650 "sample-ksk" as the key-signing key for "example.net":</p>
1651 <pre class="screen">
1652 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
1654 <p>The resulting K*.key and K*.private files can now be used
1655 to sign the zone. Unlike normal K* files, which contain both
1656 public and private key data, these files will contain only the
1657 public key data, plus an identifier for the private key which
1658 remains stored within the HSM. The HSM handles signing with the
1660 <p>If you wish to generate a second key in the HSM for use
1661 as a zone-signing key, follow the same procedure above, using a
1662 different keylabel, a smaller key size, and omitting "-f KSK"
1663 from the dnssec-keyfromlabel arguments:</p>
1664 <pre class="screen">
1665 $ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
1666 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
1668 <p>Alternatively, you may prefer to generate a conventional
1669 on-disk key, using dnssec-keygen:</p>
1670 <pre class="screen">
1671 $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
1673 <p>This provides less security than an HSM key, but since
1674 HSMs can be slow or cumbersome to use for security reasons, it
1675 may be more efficient to reserve HSM keys for use in the less
1676 frequent key-signing operation. The zone-signing key can be
1677 rolled more frequently, if you wish, to compensate for a
1678 reduction in key security.</p>
1679 <p>Now you can sign the zone. (Note: If not using the -S
1681 <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
1682 the contents of both
1683 <code class="filename">K*.key</code> files to the zone master file before
1685 <pre class="screen">
1686 $ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
1688 Verifying the zone using the following algorithms:
1690 Zone signing complete:
1691 Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
1695 <div class="sect2" lang="en">
1696 <div class="titlepage"><div><div><h3 class="title">
1697 <a name="id2610353"></a>Specifying the engine on the command line</h3></div></div></div>
1698 <p>The OpenSSL engine can be specified in
1699 <span><strong class="command">named</strong></span> and all of the BIND
1700 <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
1701 <engine>" command line option. If BIND 9 is built with
1702 the --with-pkcs11 option, this option defaults to "pkcs11".
1703 Specifying the engine will generally not be necessary unless
1704 for some reason you wish to use a different OpenSSL
1706 <p>If you wish to disable use of the "pkcs11" engine —
1707 for troubleshooting purposes, or because the HSM is unavailable
1708 — set the engine to the empty string. For example:</p>
1709 <pre class="screen">
1710 $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
1713 <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
1714 without the --with-pkcs11 option.</p>
1716 <div class="sect2" lang="en">
1717 <div class="titlepage"><div><div><h3 class="title">
1718 <a name="id2610467"></a>Running named with automatic zone re-signing</h3></div></div></div>
1720 <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
1721 keys, and/or to to sign new records inserted via nsupdate, then
1722 named must have access to the HSM PIN. This can be accomplished
1723 by placing the PIN into the openssl.cnf file (in the above
1725 <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
1726 <p>The location of the openssl.cnf file can be overridden by
1727 setting the OPENSSL_CONF environment variable before running
1729 <p>Sample openssl.cnf:</p>
1730 <pre class="programlisting">
1731 openssl_conf = openssl_def
1733 engines = engine_section
1735 pkcs11 = pkcs11_section
1737 PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
1739 <p>This will also allow the dnssec-* tools to access the HSM
1740 without PIN entry. (The pkcs11-* tools access the HSM directly,
1741 not via OpenSSL, so a PIN will still be required to use
1743 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
1744 <h3 class="title">Warning</h3>
1745 <p>Placing the HSM's PIN in a text file in
1746 this manner may reduce the security advantage of using an
1747 HSM. Be sure this is what you want to do before configuring
1748 OpenSSL in this way.</p>
1752 <div class="sect1" lang="en">
1753 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
1754 <a name="id2572484"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
1756 <acronym class="acronym">BIND</acronym> 9 fully supports all currently
1757 defined forms of IPv6 name to address and address to name
1758 lookups. It will also use IPv6 addresses to make queries when
1759 running on an IPv6 capable system.
1762 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
1763 only AAAA records. RFC 3363 deprecated the use of A6 records,
1764 and client-side support for A6 records was accordingly removed
1765 from <acronym class="acronym">BIND</acronym> 9.
1766 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
1767 load zone files containing A6 records correctly, answer queries
1768 for A6 records, and accept zone transfer for a zone containing A6
1772 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
1773 the traditional "nibble" format used in the
1774 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
1775 <span class="emphasis"><em>ip6.int</em></span> domain.
1776 Older versions of <acronym class="acronym">BIND</acronym> 9
1777 supported the "binary label" (also known as "bitstring") format,
1778 but support of binary labels has been completely removed per
1780 Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
1781 the binary label format at all any more, and will return an
1783 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
1784 name server will not load a zone file containing binary labels.
1787 For an overview of the format and structure of IPv6 addresses,
1788 see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
1790 <div class="sect2" lang="en">
1791 <div class="titlepage"><div><div><h3 class="title">
1792 <a name="id2572819"></a>Address Lookups Using AAAA Records</h3></div></div></div>
1794 The IPv6 AAAA record is a parallel to the IPv4 A record,
1795 and, unlike the deprecated A6 record, specifies the entire
1796 IPv6 address in a single record. For example,
1798 <pre class="programlisting">
1799 $ORIGIN example.com.
1800 host 3600 IN AAAA 2001:db8::1
1803 Use of IPv4-in-IPv6 mapped addresses is not recommended.
1804 If a host has an IPv4 address, use an A record, not
1805 a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
1809 <div class="sect2" lang="en">
1810 <div class="titlepage"><div><div><h3 class="title">
1811 <a name="id2572840"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
1813 When looking up an address in nibble format, the address
1814 components are simply reversed, just as in IPv4, and
1815 <code class="literal">ip6.arpa.</code> is appended to the
1817 For example, the following would provide reverse name lookup for
1819 <code class="literal">2001:db8::1</code>.
1821 <pre class="programlisting">
1822 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1823 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
1829 <div class="navfooter">
1831 <table width="100%" summary="Navigation footer">
1833 <td width="40%" align="left">
1834 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
1835 <td width="20%" align="center"> </td>
1836 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
1840 <td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
1841 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1842 <td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>