dnssec.xml (234010) | dnssec.xml (254897) |
---|---|
1<?xml version="1.0" encoding="utf-8"?> 2<!-- | 1<?xml version="1.0" encoding="utf-8"?> 2<!-- |
3 - Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC") | 3 - Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC") |
4 - 5 - Permission to use, copy, modify, and/or distribute this software for any 6 - purpose with or without fee is hereby granted, provided that the above 7 - copyright notice and this permission notice appear in all copies. 8 - 9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 - PERFORMANCE OF THIS SOFTWARE. 16--> 17 | 4 - 5 - Permission to use, copy, modify, and/or distribute this software for any 6 - purpose with or without fee is hereby granted, provided that the above 7 - copyright notice and this permission notice appear in all copies. 8 - 9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 - PERFORMANCE OF THIS SOFTWARE. 16--> 17 |
18 | 18<!-- $Id: dnssec.xml,v 1.7 2011/10/13 23:47:10 tbox Exp $ --> |
19 20<sect1 id="dnssec.dynamic.zones"> 21 <title>DNSSEC, Dynamic Zones, and Automatic Signing</title> 22 <para>As of BIND 9.7.0 it is possible to change a dynamic zone 23 from insecure to signed and back again. A secure zone can use 24 either NSEC or NSEC3 chains.</para> 25 <sect2> 26 <title>Converting from insecure to secure</title> --- 68 unchanged lines hidden (view full) --- 95 <command>auto-dnssec</command> has two possible arguments: 96 <constant>allow</constant> or 97 <constant>maintain</constant>.</para> 98 <para>With 99 <command>auto-dnssec allow</command>, 100 <command>named</command> can search the key directory for keys 101 matching the zone, insert them into the zone, and use them to 102 sign the zone. It will do so only when it receives an | 19 20<sect1 id="dnssec.dynamic.zones"> 21 <title>DNSSEC, Dynamic Zones, and Automatic Signing</title> 22 <para>As of BIND 9.7.0 it is possible to change a dynamic zone 23 from insecure to signed and back again. A secure zone can use 24 either NSEC or NSEC3 chains.</para> 25 <sect2> 26 <title>Converting from insecure to secure</title> --- 68 unchanged lines hidden (view full) --- 95 <command>auto-dnssec</command> has two possible arguments: 96 <constant>allow</constant> or 97 <constant>maintain</constant>.</para> 98 <para>With 99 <command>auto-dnssec allow</command>, 100 <command>named</command> can search the key directory for keys 101 matching the zone, insert them into the zone, and use them to 102 sign the zone. It will do so only when it receives an |
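Review bot: the copyright line (header line 3) reads "2010, 2012" on the left and "2010, 2011" on the right, so one side drops a year instead of adding one; if the right-hand revision is the one being carried forward, that line should accumulate to "2010, 2011, 2012" rather than lose 2012. The `<!-- $Id: dnssec.xml,v 1.7 2011/10/13 23:47:10 tbox Exp $ -->` line added at right-hand line 18 only stays accurate if the repository expands keywords on commit; otherwise it will be a stale hard-coded string.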
103 <command>rndc sign <zonename></command> or 104 <command>rndc loadkeys <zonename></command> command.</para> | 103 <command>rndc sign <zonename></command>.</para> |
105 <para> 106 <!-- TODO: this is repeated in the ARM --> 107 <command>auto-dnssec maintain</command> includes the above 108 functionality, but will also automatically adjust the zone's 109 DNSKEY records on schedule according to the keys' timing metadata. 110 (See <xref linkend="man.dnssec-keygen"/> and 111 <xref linkend="man.dnssec-settime"/> for more information.) | 104 <para> 105 <!-- TODO: this is repeated in the ARM --> 106 <command>auto-dnssec maintain</command> includes the above 107 functionality, but will also automatically adjust the zone's 108 DNSKEY records on schedule according to the keys' timing metadata. 109 (See <xref linkend="man.dnssec-keygen"/> and 110 <xref linkend="man.dnssec-settime"/> for more information.) |
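Review bot: the right-hand side of lines 103-104 drops `rndc loadkeys <zonename>` from the commands that make `auto-dnssec allow` sign the zone, leaving only `rndc sign <zonename>`, yet the unchanged sentence further down (right-hand lines 125-127, "without waiting for an rndc sign or rndc loadkeys command") still presents both commands as equivalent triggers. Either restore `rndc loadkeys` here or reword that later sentence so the two passages agree on which command applies in `allow` mode. Also, `<zonename>` appears literally inside `<command>`; confirm the source escapes the angle brackets or wraps the placeholder in `<replaceable>`, since an unescaped `<zonename>` would not validate as DocBook.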
111 </para> 112 <para> 113 <command>named</command> will periodically search the key directory 114 for keys matching the zone, and if the keys' metadata indicates 115 that any change should be made the zone, such as adding, removing, 116 or revoking a key, then that action will be carried out. By default, 117 the key directory is checked for changes every 60 minutes; this period 118 can be adjusted with the <option>dnssec-loadkeys-interval</option>, up 119 to a maximum of 24 hours. The <command>rndc loadkeys</command> forces 120 <command>named</command> to check for key updates immediately. 121 </para> 122 <para> |
|
112 If keys are present in the key directory the first time the zone | 123 If keys are present in the key directory the first time the zone |
113 is loaded, it will be signed immediately, without waiting for an | 124 is loaded, the zone will be signed immediately, without waiting for an |
114 <command>rndc sign</command> or <command>rndc loadkeys</command> 115 command. (Those commands can still be used when there are unscheduled 116 key changes, however.) 117 </para> | 125 <command>rndc sign</command> or <command>rndc loadkeys</command> 126 command. (Those commands can still be used when there are unscheduled 127 key changes, however.) 128 </para> |
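Review bot: the added paragraph (right-hand lines 112-121) never says which `auto-dnssec` mode it describes. It follows the `maintain` paragraph, and the `allow` paragraph above states that `named` acts "only when it receives an rndc sign", so the periodic key-directory scan must be `maintain`-only; say so in the first sentence, otherwise a reader of the `allow` text will expect hourly checks that do not happen. Two wording fixes in the same lines: "any change should be made the zone" (line 115) is missing "to", and "The <command>rndc loadkeys</command> forces" (lines 119-120) needs "command" after the command name or should drop "The". The `dnssec-loadkeys-interval` sentence (lines 117-119) should also state the unit the option takes and where it is set (options, view or zone), because "up to a maximum of 24 hours" alone does not tell the reader what value to write. The "it will be signed" to "the zone will be signed" change at line 124 is a good clarity fix.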
129 <para> 130 If you wish the zone to be signed using NSEC3 instead of NSEC, 131 submit an NSEC3PARAM record via dynamic update prior to the 132 scheduled publication and activation of the keys. If you wish the 133 NSEC3 chain to have the OPTOUT bit set, set it in the flags field 134 of the NSEC3PARAM record. The NSEC3PARAM record will not appear in 135 the zone immediately, but it will be stored for later reference. When 136 the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM 137 record will appear in the zone. 138 </para> |
|
118 <para>Using the 119 <command>auto-dnssec</command> option requires the zone to be 120 configured to allow dynamic updates, by adding an 121 <command>allow-update</command> or 122 <command>update-policy</command> statement to the zone 123 configuration. If this has not been done, the configuration will 124 fail.</para> 125 <sect2> --- 143 unchanged lines hidden --- | 139 <para>Using the 140 <command>auto-dnssec</command> option requires the zone to be 141 configured to allow dynamic updates, by adding an 142 <command>allow-update</command> or 143 <command>update-policy</command> statement to the zone 144 configuration. If this has not been done, the configuration will 145 fail.</para> 146 <sect2> --- 143 unchanged lines hidden --- |
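Review bot: the new NSEC3PARAM paragraph (right-hand lines 130-137) tells the operator to "set it in the flags field" for OPTOUT without giving the value to set, and does not say whether that flag is still present on the NSEC3PARAM record that is finally published once the chain is complete. State the flag value the update must carry and what the published record will look like, and consider showing the exact record sent in the update (owner, TTL, hash algorithm, flags, iterations, salt), since "submit an NSEC3PARAM record via dynamic update" leaves the operator to guess the fields. It would also help to say how to confirm that the stored, not-yet-visible request was accepted, given that the text says the record "will not appear in the zone immediately". Minor: two consecutive sentences open with "If you wish"; merge or vary them.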