1<!-- 2 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") 3 - Copyright (C) 2000-2003 Internet Software Consortium. 4 - 5 - Permission to use, copy, modify, and/or distribute this software for any 6 - purpose with or without fee is hereby granted, provided that the above 7 - copyright notice and this permission notice appear in all copies. 8 - 9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 - PERFORMANCE OF THIS SOFTWARE. 16--> 17<!-- $Id$ --> 18<html> 19<head> 20<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21<title>Chapter�4.�Advanced DNS Features</title> 22<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 24<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 25<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter�3.�Name Server Configuration"> 26<link rel="next" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver"> 27</head> 28<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> 29<div class="navheader"> 30<table width="100%" summary="Navigation header"> 31<tr><th colspan="3" align="center">Chapter�4.�Advanced DNS Features</th></tr> 32<tr> 33<td width="20%" align="left"> 34<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td> 35<th width="60%" align="center">�</th> 36<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a> 37</td> 38</tr> 39</table> 40<hr> 41</div> 42<div class="chapter" lang="en"> 43<div class="titlepage"><div><div><h2 class="title"> 44<a name="Bv9ARM.ch04"></a>Chapter�4.�Advanced DNS Features</h2></div></div></div> 45<div class="toc"> 46<p><b>Table of Contents</b></p> 47<dl> 48<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt> 49<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt> 50<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd> 51<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt> 52<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt> 53<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd> 54<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt> 55<dd><dl> 56<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt> 57<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt> 58<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt> 59<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt> 60<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt> 61<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt> 62</dl></dd> 63<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt> 64<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt> 65<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt> 66<dd><dl> 67<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt> 68<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt> 69<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt> 70</dl></dd> 71<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> 72<dd><dl> 73<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571421">Converting from insecure to secure</a></span></dt> 74<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571459">Dynamic DNS update method</a></span></dt> 75<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563508">Fully automatic zone signing</a></span></dt> 76<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563590">Private-type records</a></span></dt> 77<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563696">DNSKEY rollovers</a></span></dt> 78<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563708">Dynamic DNS update method</a></span></dt> 79<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563741">Automatic key rollovers</a></span></dt> 80<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">NSEC3PARAM rollovers via UPDATE</a></span></dt> 81<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563846">Converting from NSEC to NSEC3</a></span></dt> 82<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563856">Converting from NSEC3 to NSEC</a></span></dt> 83<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563868">Converting from secure to insecure</a></span></dt> 84<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563906">Periodic re-signing</a></span></dt> 85<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563915">NSEC3 and OPTOUT</a></span></dt> 86</dl></dd> 87<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> 88<dd><dl> 89<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571685">Validating Resolver</a></span></dt> 90<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571707">Authoritative Server</a></span></dt> 91</dl></dd> 92<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> 93<dd><dl> 94<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609970">Prerequisites</a></span></dt> 95<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608219">Building BIND 9 with PKCS#11</a></span></dt> 96<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610529">PKCS #11 Tools</a></span></dt> 97<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610560">Using the HSM</a></span></dt> 98<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635129">Specifying the engine on the command line</a></span></dt> 99<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635243">Running named with automatic zone re-signing</a></span></dt> 100</dl></dd> 101<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> 102<dd><dl> 103<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt> 104<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt> 105</dl></dd> 106</dl> 107</div> 108<div class="sect1" lang="en"> 109<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 110<a name="notify"></a>Notify</h2></div></div></div> 111<p> 112 <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master 113 servers to notify their slave servers of changes to a zone's data. In 114 response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the 115 slave will check to see that its version of the zone is the 116 current version and, if not, initiate a zone transfer. 117 </p> 118<p> 119 For more information about <acronym class="acronym">DNS</acronym> 120 <span><strong class="command">NOTIFY</strong></span>, see the description of the 121 <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and 122 the description of the zone option <span><strong class="command">also-notify</strong></span> in 123 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span><strong class="command">NOTIFY</strong></span> 124 protocol is specified in RFC 1996. 125 </p> 126<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 127<h3 class="title">Note</h3> 128 As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>, 129 by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone 130 it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will 131 cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master 132 zones that it loads. 133 </div> 134</div> 135<div class="sect1" lang="en"> 136<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 137<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div> 138<p> 139 Dynamic Update is a method for adding, replacing or deleting 140 records in a master server by sending it a special form of DNS 141 messages. The format and meaning of these messages is specified 142 in RFC 2136. 143 </p> 144<p> 145 Dynamic update is enabled by including an 146 <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span> 147 clause in the <span><strong class="command">zone</strong></span> statement. 148 </p> 149<p> 150 If the zone's <span><strong class="command">update-policy</strong></span> is set to 151 <strong class="userinput"><code>local</code></strong>, updates to the zone 152 will be permitted for the key <code class="varname">local-ddns</code>, 153 which will be generated by <span><strong class="command">named</strong></span> at startup. 154 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details. 155 </p> 156<p> 157 Dynamic updates using Kerberos signed requests can be made 158 using the TKEY/GSS protocol by setting either the 159 <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively 160 by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span> 161 and <span><strong class="command">tkey-domain</strong></span> options. Once enabled, 162 Kerberos signed requests will be matched against the update 163 policies for the zone, using the Kerberos principal as the 164 signer for the request. 165 </p> 166<p> 167 Updating of secure zones (zones using DNSSEC) follows RFC 168 3007: RRSIG, NSEC and NSEC3 records affected by updates are 169 automatically regenerated by the server using an online 170 zone key. Update authorization is based on transaction 171 signatures and an explicit server policy. 172 </p> 173<div class="sect2" lang="en"> 174<div class="titlepage"><div><div><h3 class="title"> 175<a name="journal"></a>The journal file</h3></div></div></div> 176<p> 177 All changes made to a zone using dynamic update are stored 178 in the zone's journal file. This file is automatically created 179 by the server when the first dynamic update takes place. 180 The name of the journal file is formed by appending the extension 181 <code class="filename">.jnl</code> to the name of the 182 corresponding zone 183 file unless specifically overridden. The journal file is in a 184 binary format and should not be edited manually. 185 </p> 186<p> 187 The server will also occasionally write ("dump") 188 the complete contents of the updated zone to its zone file. 189 This is not done immediately after 190 each dynamic update, because that would be too slow when a large 191 zone is updated frequently. Instead, the dump is delayed by 192 up to 15 minutes, allowing additional updates to take place. 193 During the dump process, transient files will be created 194 with the extensions <code class="filename">.jnw</code> and 195 <code class="filename">.jbk</code>; under ordinary circumstances, these 196 will be removed when the dump is complete, and can be safely 197 ignored. 198 </p> 199<p> 200 When a server is restarted after a shutdown or crash, it will replay 201 the journal file to incorporate into the zone any updates that 202 took 203 place after the last zone dump. 204 </p> 205<p> 206 Changes that result from incoming incremental zone transfers are 207 also 208 journalled in a similar way. 209 </p> 210<p> 211 The zone files of dynamic zones cannot normally be edited by 212 hand because they are not guaranteed to contain the most recent 213 dynamic changes — those are only in the journal file. 214 The only way to ensure that the zone file of a dynamic zone 215 is up to date is to run <span><strong class="command">rndc stop</strong></span>. 216 </p> 217<p> 218 If you have to make changes to a dynamic zone 219 manually, the following procedure will work: Disable dynamic updates 220 to the zone using 221 <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>. 222 This will also remove the zone's <code class="filename">.jnl</code> file 223 and update the master file. Edit the zone file. Run 224 <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span> 225 to reload the changed zone and re-enable dynamic updates. 226 </p> 227</div> 228</div> 229<div class="sect1" lang="en"> 230<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 231<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div> 232<p> 233 The incremental zone transfer (IXFR) protocol is a way for 234 slave servers to transfer only changed data, instead of having to 235 transfer the entire zone. The IXFR protocol is specified in RFC 236 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>. 237 </p> 238<p> 239 When acting as a master, <acronym class="acronym">BIND</acronym> 9 240 supports IXFR for those zones 241 where the necessary change history information is available. These 242 include master zones maintained by dynamic update and slave zones 243 whose data was obtained by IXFR. For manually maintained master 244 zones, and for slave zones obtained by performing a full zone 245 transfer (AXFR), IXFR is supported only if the option 246 <span><strong class="command">ixfr-from-differences</strong></span> is set 247 to <strong class="userinput"><code>yes</code></strong>. 248 </p> 249<p> 250 When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will attempt 251 to use IXFR unless it is explicitly disabled via the 252 <span><strong class="command">request-ixfr</strong></span> option or the use of 253 <span><strong class="command">ixfr-from-differences</strong></span>. For 254 more information about disabling IXFR, see the description 255 of the <span><strong class="command">request-ixfr</strong></span> clause of the 256 <span><strong class="command">server</strong></span> statement. 257 </p> 258</div> 259<div class="sect1" lang="en"> 260<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 261<a name="id2570934"></a>Split DNS</h2></div></div></div> 262<p> 263 Setting up different views, or visibility, of the DNS space to 264 internal and external resolvers is usually referred to as a 265 <span class="emphasis"><em>Split DNS</em></span> setup. There are several 266 reasons an organization would want to set up its DNS this way. 267 </p> 268<p> 269 One common reason for setting up a DNS system this way is 270 to hide "internal" DNS information from "external" clients on the 271 Internet. There is some debate as to whether or not this is actually 272 useful. 273 Internal DNS information leaks out in many ways (via email headers, 274 for example) and most savvy "attackers" can find the information 275 they need using other means. 276 However, since listing addresses of internal servers that 277 external clients cannot possibly reach can result in 278 connection delays and other annoyances, an organization may 279 choose to use a Split DNS to present a consistent view of itself 280 to the outside world. 281 </p> 282<p> 283 Another common reason for setting up a Split DNS system is 284 to allow internal networks that are behind filters or in RFC 1918 285 space (reserved IP space, as documented in RFC 1918) to resolve DNS 286 on the Internet. Split DNS can also be used to allow mail from outside 287 back in to the internal network. 288 </p> 289<div class="sect2" lang="en"> 290<div class="titlepage"><div><div><h3 class="title"> 291<a name="id2570952"></a>Example split DNS setup</h3></div></div></div> 292<p> 293 Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span> 294 (<code class="literal">example.com</code>) 295 has several corporate sites that have an internal network with 296 reserved 297 Internet Protocol (IP) space and an external demilitarized zone (DMZ), 298 or "outside" section of a network, that is available to the public. 299 </p> 300<p> 301 <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients 302 to be able to resolve external hostnames and to exchange mail with 303 people on the outside. The company also wants its internal resolvers 304 to have access to certain internal-only zones that are not available 305 at all outside of the internal network. 306 </p> 307<p> 308 In order to accomplish this, the company will set up two sets 309 of name servers. One set will be on the inside network (in the 310 reserved 311 IP space) and the other set will be on bastion hosts, which are 312 "proxy" 313 hosts that can talk to both sides of its network, in the DMZ. 314 </p> 315<p> 316 The internal servers will be configured to forward all queries, 317 except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>, 318 and <code class="filename">site2.example.com</code>, to the servers 319 in the 320 DMZ. These internal servers will have complete sets of information 321 for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>, 322 and <code class="filename">site2.internal</code>. 323 </p> 324<p> 325 To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains, 326 the internal name servers must be configured to disallow all queries 327 to these domains from any external hosts, including the bastion 328 hosts. 329 </p> 330<p> 331 The external servers, which are on the bastion hosts, will 332 be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones. 333 This could include things such as the host records for public servers 334 (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>), 335 and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>). 336 </p> 337<p> 338 In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones 339 should have special MX records that contain wildcard (`*') records 340 pointing to the bastion hosts. This is needed because external mail 341 servers do not have any other way of looking up how to deliver mail 342 to those internal hosts. With the wildcard records, the mail will 343 be delivered to the bastion host, which can then forward it on to 344 internal hosts. 345 </p> 346<p> 347 Here's an example of a wildcard MX record: 348 </p> 349<pre class="programlisting">* IN MX 10 external1.example.com.</pre> 350<p> 351 Now that they accept mail on behalf of anything in the internal 352 network, the bastion hosts will need to know how to deliver mail 353 to internal hosts. In order for this to work properly, the resolvers 354 on 355 the bastion hosts will need to be configured to point to the internal 356 name servers for DNS resolution. 357 </p> 358<p> 359 Queries for internal hostnames will be answered by the internal 360 servers, and queries for external hostnames will be forwarded back 361 out to the DNS servers on the bastion hosts. 362 </p> 363<p> 364 In order for all this to work properly, internal clients will 365 need to be configured to query <span class="emphasis"><em>only</em></span> the internal 366 name servers for DNS queries. This could also be enforced via 367 selective 368 filtering on the network. 369 </p> 370<p> 371 If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s 372 internal clients will now be able to: 373 </p> 374<div class="itemizedlist"><ul type="disc"> 375<li> 376 Look up any hostnames in the <code class="literal">site1</code> 377 and 378 <code class="literal">site2.example.com</code> zones. 379 </li> 380<li> 381 Look up any hostnames in the <code class="literal">site1.internal</code> and 382 <code class="literal">site2.internal</code> domains. 383 </li> 384<li>Look up any hostnames on the Internet.</li> 385<li>Exchange mail with both internal and external people.</li> 386</ul></div> 387<p> 388 Hosts on the Internet will be able to: 389 </p> 390<div class="itemizedlist"><ul type="disc"> 391<li> 392 Look up any hostnames in the <code class="literal">site1</code> 393 and 394 <code class="literal">site2.example.com</code> zones. 395 </li> 396<li> 397 Exchange mail with anyone in the <code class="literal">site1</code> and 398 <code class="literal">site2.example.com</code> zones. 399 </li> 400</ul></div> 401<p> 402 Here is an example configuration for the setup we just 403 described above. Note that this is only configuration information; 404 for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>. 405 </p> 406<p> 407 Internal DNS server config: 408 </p> 409<pre class="programlisting"> 410 411acl internals { 172.16.72.0/24; 192.168.1.0/24; }; 412 413acl externals { <code class="varname">bastion-ips-go-here</code>; }; 414 415options { 416 ... 417 ... 418 forward only; 419 // forward to external servers 420 forwarders { 421 <code class="varname">bastion-ips-go-here</code>; 422 }; 423 // sample allow-transfer (no one) 424 allow-transfer { none; }; 425 // restrict query access 426 allow-query { internals; externals; }; 427 // restrict recursion 428 allow-recursion { internals; }; 429 ... 430 ... 431}; 432 433// sample master zone 434zone "site1.example.com" { 435 type master; 436 file "m/site1.example.com"; 437 // do normal iterative resolution (do not forward) 438 forwarders { }; 439 allow-query { internals; externals; }; 440 allow-transfer { internals; }; 441}; 442 443// sample slave zone 444zone "site2.example.com" { 445 type slave; 446 file "s/site2.example.com"; 447 masters { 172.16.72.3; }; 448 forwarders { }; 449 allow-query { internals; externals; }; 450 allow-transfer { internals; }; 451}; 452 453zone "site1.internal" { 454 type master; 455 file "m/site1.internal"; 456 forwarders { }; 457 allow-query { internals; }; 458 allow-transfer { internals; } 459}; 460 461zone "site2.internal" { 462 type slave; 463 file "s/site2.internal"; 464 masters { 172.16.72.3; }; 465 forwarders { }; 466 allow-query { internals }; 467 allow-transfer { internals; } 468}; 469</pre> 470<p> 471 External (bastion host) DNS server config: 472 </p> 473<pre class="programlisting"> 474acl internals { 172.16.72.0/24; 192.168.1.0/24; }; 475 476acl externals { bastion-ips-go-here; }; 477 478options { 479 ... 480 ... 481 // sample allow-transfer (no one) 482 allow-transfer { none; }; 483 // default query access 484 allow-query { any; }; 485 // restrict cache access 486 allow-query-cache { internals; externals; }; 487 // restrict recursion 488 allow-recursion { internals; externals; }; 489 ... 490 ... 491}; 492 493// sample slave zone 494zone "site1.example.com" { 495 type master; 496 file "m/site1.foo.com"; 497 allow-transfer { internals; externals; }; 498}; 499 500zone "site2.example.com" { 501 type slave; 502 file "s/site2.foo.com"; 503 masters { another_bastion_host_maybe; }; 504 allow-transfer { internals; externals; } 505}; 506</pre> 507<p> 508 In the <code class="filename">resolv.conf</code> (or equivalent) on 509 the bastion host(s): 510 </p> 511<pre class="programlisting"> 512search ... 513nameserver 172.16.72.2 514nameserver 172.16.72.3 515nameserver 172.16.72.4 516</pre> 517</div> 518</div> 519<div class="sect1" lang="en"> 520<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 521<a name="tsig"></a>TSIG</h2></div></div></div> 522<p> 523 This is a short guide to setting up Transaction SIGnatures 524 (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes 525 to the configuration file as well as what changes are required for 526 different features, including the process of creating transaction 527 keys and using transaction signatures with <acronym class="acronym">BIND</acronym>. 528 </p> 529<p> 530 <acronym class="acronym">BIND</acronym> primarily supports TSIG for server 531 to server communication. 532 This includes zone transfer, notify, and recursive query messages. 533 Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support 534 for TSIG. 535 </p> 536<p> 537 TSIG can also be useful for dynamic update. A primary 538 server for a dynamic zone should control access to the dynamic 539 update service, but IP-based access control is insufficient. 540 The cryptographic access control provided by TSIG 541 is far superior. The <span><strong class="command">nsupdate</strong></span> 542 program supports TSIG via the <code class="option">-k</code> and 543 <code class="option">-y</code> command line options or inline by use 544 of the <span><strong class="command">key</strong></span>. 545 </p> 546<div class="sect2" lang="en"> 547<div class="titlepage"><div><div><h3 class="title"> 548<a name="id2564012"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div> 549<p> 550 A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>. 551 An arbitrary key name is chosen: "host1-host2.". The key name must 552 be the same on both hosts. 553 </p> 554<div class="sect3" lang="en"> 555<div class="titlepage"><div><div><h4 class="title"> 556<a name="id2564029"></a>Automatic Generation</h4></div></div></div> 557<p> 558 The following command will generate a 128-bit (16 byte) HMAC-SHA256 559 key as described above. Longer keys are better, but shorter keys 560 are easier to read. Note that the maximum key length is the digest 561 length, here 256 bits. 562 </p> 563<p> 564 <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong> 565 </p> 566<p> 567 The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>. 568 Nothing directly uses this file, but the base-64 encoded string 569 following "<code class="literal">Key:</code>" 570 can be extracted from the file and used as a shared secret: 571 </p> 572<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre> 573<p> 574 The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can 575 be used as the shared secret. 576 </p> 577</div> 578<div class="sect3" lang="en"> 579<div class="titlepage"><div><div><h4 class="title"> 580<a name="id2564068"></a>Manual Generation</h4></div></div></div> 581<p> 582 The shared secret is simply a random sequence of bits, encoded 583 in base-64. Most ASCII strings are valid base-64 strings (assuming 584 the length is a multiple of 4 and only valid characters are used), 585 so the shared secret can be manually generated. 586 </p> 587<p> 588 Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or 589 a similar program to generate base-64 encoded data. 590 </p> 591</div> 592</div> 593<div class="sect2" lang="en"> 594<div class="titlepage"><div><div><h3 class="title"> 595<a name="id2564086"></a>Copying the Shared Secret to Both Machines</h3></div></div></div> 596<p> 597 This is beyond the scope of DNS. A secure transport mechanism 598 should be used. This could be secure FTP, ssh, telephone, etc. 599 </p> 600</div> 601<div class="sect2" lang="en"> 602<div class="titlepage"><div><div><h3 class="title"> 603<a name="id2571811"></a>Informing the Servers of the Key's Existence</h3></div></div></div> 604<p> 605 Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> 606 are 607 both servers. The following is added to each server's <code class="filename">named.conf</code> file: 608 </p> 609<pre class="programlisting"> 610key host1-host2. { 611 algorithm hmac-sha256; 612 secret "La/E5CjG9O+os1jq0a2jdA=="; 613}; 614</pre> 615<p> 616 The secret is the one generated above. Since this is a secret, it 617 is recommended that either <code class="filename">named.conf</code> be 618 non-world readable, or the key directive be added to a non-world 619 readable file that is included by <code class="filename">named.conf</code>. 620 </p> 621<p> 622 At this point, the key is recognized. This means that if the 623 server receives a message signed by this key, it can verify the 624 signature. If the signature is successfully verified, the 625 response is signed by the same key. 626 </p> 627</div> 628<div class="sect2" lang="en"> 629<div class="titlepage"><div><div><h3 class="title"> 630<a name="id2571847"></a>Instructing the Server to Use the Key</h3></div></div></div> 631<p> 632 Since keys are shared between two hosts only, the server must 633 be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file 634 for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is 635 10.1.2.3: 636 </p> 637<pre class="programlisting"> 638server 10.1.2.3 { 639 keys { host1-host2. ;}; 640}; 641</pre> 642<p> 643 Multiple keys may be present, but only the first is used. 644 This directive does not contain any secrets, so it may be in a 645 world-readable 646 file. 647 </p> 648<p> 649 If <span class="emphasis"><em>host1</em></span> sends a message that is a request 650 to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will 651 expect any responses to signed messages to be signed with the same 652 key. 653 </p> 654<p> 655 A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s 656 configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to 657 sign request messages to <span class="emphasis"><em>host1</em></span>. 658 </p> 659</div> 660<div class="sect2" lang="en"> 661<div class="titlepage"><div><div><h3 class="title"> 662<a name="id2571905"></a>TSIG Key Based Access Control</h3></div></div></div> 663<p> 664 <acronym class="acronym">BIND</acronym> allows IP addresses and ranges 665 to be specified in ACL 666 definitions and 667 <span><strong class="command">allow-{ query | transfer | update }</strong></span> 668 directives. 669 This has been extended to allow TSIG keys also. The above key would 670 be denoted <span><strong class="command">key host1-host2.</strong></span> 671 </p> 672<p> 673 An example of an <span><strong class="command">allow-update</strong></span> directive would be: 674 </p> 675<pre class="programlisting"> 676allow-update { key host1-host2. ;}; 677</pre> 678<p> 679 This allows dynamic updates to succeed only if the request 680 was signed by a key named "<span><strong class="command">host1-host2.</strong></span>". 681 </p> 682<p> 683 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of 684 the more flexible <span><strong class="command">update-policy</strong></span> statement. 685 </p> 686</div> 687<div class="sect2" lang="en"> 688<div class="titlepage"><div><div><h3 class="title"> 689<a name="id2571954"></a>Errors</h3></div></div></div> 690<p> 691 The processing of TSIG signed messages can result in 692 several errors. If a signed message is sent to a non-TSIG aware 693 server, a FORMERR (format error) will be returned, since the server will not 694 understand the record. This is a result of misconfiguration, 695 since the server must be explicitly configured to send a TSIG 696 signed message to a specific server. 697 </p> 698<p> 699 If a TSIG aware server receives a message signed by an 700 unknown key, the response will be unsigned with the TSIG 701 extended error code set to BADKEY. If a TSIG aware server 702 receives a message with a signature that does not validate, the 703 response will be unsigned with the TSIG extended error code set 704 to BADSIG. If a TSIG aware server receives a message with a time 705 outside of the allowed range, the response will be signed with 706 the TSIG extended error code set to BADTIME, and the time values 707 will be adjusted so that the response can be successfully 708 verified. In any of these cases, the message's rcode (response code) is set to 709 NOTAUTH (not authenticated). 710 </p> 711</div> 712</div> 713<div class="sect1" lang="en"> 714<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 715<a name="id2571968"></a>TKEY</h2></div></div></div> 716<p><span><strong class="command">TKEY</strong></span> 717 is a mechanism for automatically generating a shared secret 718 between two hosts. There are several "modes" of 719 <span><strong class="command">TKEY</strong></span> that specify how the key is generated 720 or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of 721 these modes, the Diffie-Hellman key exchange. Both hosts are 722 required to have a Diffie-Hellman KEY record (although this 723 record is not required to be present in a zone). The 724 <span><strong class="command">TKEY</strong></span> process must use signed messages, 725 signed either by TSIG or SIG(0). The result of 726 <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to 727 sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be 728 used to delete shared secrets that it had previously 729 generated. 730 </p> 731<p> 732 The <span><strong class="command">TKEY</strong></span> process is initiated by a 733 client 734 or server by sending a signed <span><strong class="command">TKEY</strong></span> 735 query 736 (including any appropriate KEYs) to a TKEY-aware server. The 737 server response, if it indicates success, will contain a 738 <span><strong class="command">TKEY</strong></span> record and any appropriate keys. 739 After 740 this exchange, both participants have enough information to 741 determine the shared secret; the exact process depends on the 742 <span><strong class="command">TKEY</strong></span> mode. When using the 743 Diffie-Hellman 744 <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are 745 exchanged, 746 and the shared secret is derived by both participants. 747 </p> 748</div> 749<div class="sect1" lang="en"> 750<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 751<a name="id2572153"></a>SIG(0)</h2></div></div></div> 752<p> 753 <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0) 754 transaction signatures as specified in RFC 2535 and RFC 2931. 755 SIG(0) 756 uses public/private keys to authenticate messages. Access control 757 is performed in the same manner as TSIG keys; privileges can be 758 granted or denied based on the key name. 759 </p> 760<p> 761 When a SIG(0) signed message is received, it will only be 762 verified if the key is known and trusted by the server; the server 763 will not attempt to locate and/or validate the key. 764 </p> 765<p> 766 SIG(0) signing of multiple-message TCP streams is not 767 supported. 768 </p> 769<p> 770 The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that 771 generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>. 772 </p> 773</div> 774<div class="sect1" lang="en"> 775<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 776<a name="DNSSEC"></a>DNSSEC</h2></div></div></div> 777<p> 778 Cryptographic authentication of DNS information is possible 779 through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions, 780 defined in RFC 4033, RFC 4034, and RFC 4035. 781 This section describes the creation and use of DNSSEC signed zones. 782 </p> 783<p> 784 In order to set up a DNSSEC secure zone, there are a series 785 of steps which must be followed. <acronym class="acronym">BIND</acronym> 786 9 ships 787 with several tools 788 that are used in this process, which are explained in more detail 789 below. In all cases, the <code class="option">-h</code> option prints a 790 full list of parameters. Note that the DNSSEC tools require the 791 keyset files to be in the working directory or the 792 directory specified by the <code class="option">-d</code> option, and 793 that the tools shipped with BIND 9.2.x and earlier are not compatible 794 with the current ones. 795 </p> 796<p> 797 There must also be communication with the administrators of 798 the parent and/or child zone to transmit keys. A zone's security 799 status must be indicated by the parent zone for a DNSSEC capable 800 resolver to trust its data. This is done through the presence 801 or absence of a <code class="literal">DS</code> record at the 802 delegation 803 point. 804 </p> 805<p> 806 For other servers to trust data in this zone, they must 807 either be statically configured with this zone's zone key or the 808 zone key of another zone above this one in the DNS tree. 809 </p> 810<div class="sect2" lang="en"> 811<div class="titlepage"><div><div><h3 class="title"> 812<a name="id2572221"></a>Generating Keys</h3></div></div></div> 813<p> 814 The <span><strong class="command">dnssec-keygen</strong></span> program is used to 815 generate keys. 816 </p> 817<p> 818 A secure zone must contain one or more zone keys. The 819 zone keys will sign all other records in the zone, as well as 820 the zone keys of any secure delegated zones. Zone keys must 821 have the same name as the zone, a name type of 822 <span><strong class="command">ZONE</strong></span>, and must be usable for 823 authentication. 824 It is recommended that zone keys use a cryptographic algorithm 825 designated as "mandatory to implement" by the IETF; currently 826 the only one is RSASHA1. 827 </p> 828<p> 829 The following command will generate a 768-bit RSASHA1 key for 830 the <code class="filename">child.example</code> zone: 831 </p> 832<p> 833 <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong> 834 </p> 835<p> 836 Two output files will be produced: 837 <code class="filename">Kchild.example.+005+12345.key</code> and 838 <code class="filename">Kchild.example.+005+12345.private</code> 839 (where 840 12345 is an example of a key tag). The key filenames contain 841 the key name (<code class="filename">child.example.</code>), 842 algorithm (3 843 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in 844 this case). 845 The private key (in the <code class="filename">.private</code> 846 file) is 847 used to generate signatures, and the public key (in the 848 <code class="filename">.key</code> file) is used for signature 849 verification. 850 </p> 851<p> 852 To generate another key with the same properties (but with 853 a different key tag), repeat the above command. 854 </p> 855<p> 856 The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used 857 to get a key pair from a crypto hardware and build the key 858 files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>. 859 </p> 860<p> 861 The public keys should be inserted into the zone file by 862 including the <code class="filename">.key</code> files using 863 <span><strong class="command">$INCLUDE</strong></span> statements. 864 </p> 865</div> 866<div class="sect2" lang="en"> 867<div class="titlepage"><div><div><h3 class="title"> 868<a name="id2572300"></a>Signing the Zone</h3></div></div></div> 869<p> 870 The <span><strong class="command">dnssec-signzone</strong></span> program is used 871 to sign a zone. 872 </p> 873<p> 874 Any <code class="filename">keyset</code> files corresponding to 875 secure subzones should be present. The zone signer will 876 generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code> 877 and <code class="literal">RRSIG</code> records for the zone, as 878 well as <code class="literal">DS</code> for the child zones if 879 <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code> 880 is not specified, then DS RRsets for the secure child 881 zones need to be added manually. 882 </p> 883<p> 884 The following command signs the zone, assuming it is in a 885 file called <code class="filename">zone.child.example</code>. By 886 default, all zone keys which have an available private key are 887 used to generate signatures. 888 </p> 889<p> 890 <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong> 891 </p> 892<p> 893 One output file is produced: 894 <code class="filename">zone.child.example.signed</code>. This 895 file 896 should be referenced by <code class="filename">named.conf</code> 897 as the 898 input file for the zone. 899 </p> 900<p><span><strong class="command">dnssec-signzone</strong></span> 901 will also produce a keyset and dsset files and optionally a 902 dlvset file. These are used to provide the parent zone 903 administrators with the <code class="literal">DNSKEYs</code> (or their 904 corresponding <code class="literal">DS</code> records) that are the 905 secure entry point to the zone. 906 </p> 907</div> 908<div class="sect2" lang="en"> 909<div class="titlepage"><div><div><h3 class="title"> 910<a name="id2572381"></a>Configuring Servers</h3></div></div></div> 911<p> 912 To enable <span><strong class="command">named</strong></span> to respond appropriately 913 to DNS requests from DNSSEC aware clients, 914 <span><strong class="command">dnssec-enable</strong></span> must be set to yes. 915 (This is the default setting.) 916 </p> 917<p> 918 To enable <span><strong class="command">named</strong></span> to validate answers from 919 other servers, the <span><strong class="command">dnssec-enable</strong></span> option 920 must be set to <strong class="userinput"><code>yes</code></strong>, and the 921 <span><strong class="command">dnssec-validation</strong></span> options must be set to 922 <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>. 923 </p> 924<p> 925 If <span><strong class="command">dnssec-validation</strong></span> is set to 926 <strong class="userinput"><code>auto</code></strong>, then a default 927 trust anchor for the DNS root zone will be used. 928 If it is set to <strong class="userinput"><code>yes</code></strong>, however, 929 then at least one trust anchor must be configured 930 with a <span><strong class="command">trusted-keys</strong></span> or 931 <span><strong class="command">managed-keys</strong></span> statement in 932 <code class="filename">named.conf</code>, or DNSSEC validation 933 will not occur. The default setting is 934 <strong class="userinput"><code>yes</code></strong>. 935 </p> 936<p> 937 <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs 938 for zones that are used to form the first link in the 939 cryptographic chain of trust. All keys listed in 940 <span><strong class="command">trusted-keys</strong></span> (and corresponding zones) 941 are deemed to exist and only the listed keys will be used 942 to validated the DNSKEY RRset that they are from. 943 </p> 944<p> 945 <span><strong class="command">managed-keys</strong></span> are trusted keys which are 946 automatically kept up to date via RFC 5011 trust anchor 947 maintenance. 948 </p> 949<p> 950 <span><strong class="command">trusted-keys</strong></span> and 951 <span><strong class="command">managed-keys</strong></span> are described in more detail 952 later in this document. 953 </p> 954<p> 955 Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym> 956 9 does not verify signatures on load, so zone keys for 957 authoritative zones do not need to be specified in the 958 configuration file. 959 </p> 960<p> 961 After DNSSEC gets established, a typical DNSSEC configuration 962 will look something like the following. It has one or 963 more public keys for the root. This allows answers from 964 outside the organization to be validated. It will also 965 have several keys for parts of the namespace the organization 966 controls. These are here to ensure that <span><strong class="command">named</strong></span> 967 is immune to compromises in the DNSSEC components of the security 968 of parent zones. 969 </p> 970<pre class="programlisting"> 971managed-keys { 972 /* Root Key */ 973 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS 974 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh 975 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy 976 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg 977 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp 978 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke 979 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq 980 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ 981 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ 982 dgxbcDTClU0CRBdiieyLMNzXG3"; 983}; 984 985trusted-keys { 986 /* Key for our organization's forward zone */ 987 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6 988 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z 989 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb 990 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL 991 kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O 992 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S 993 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq 994 FxmAVZP20igTixin/1LcrgX/KMEGd/biuv 995 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm 996 /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o 997 1OTQ09A0="; 998 999 /* Key for our reverse zone. */ 1000 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc 1001 xOdNax071L18QqZnQQQAVVr+i 1002 LhGTnNGp3HoWQLUIzKrJVZ3zg 1003 gy3WwNT6kZo6c0tszYqbtvchm 1004 gQC8CzKojM/W16i6MG/eafGU3 1005 siaOdS0yOI6BgPsw+YZdzlYMa 1006 IJGf4M4dyoKIhzdZyQ2bYQrjy 1007 Q4LB0lC7aOnsMyYKHHYeRvPxj 1008 IQXmdqgOJGq+vsevG06zW+1xg 1009 YJh9rCIfnm1GX/KMgxLPG2vXT 1010 D/RnLX+D3T3UL7HJYHJhAZD5L 1011 59VvjSPsZJHeDCUyWYrvPZesZ 1012 DIRvhDD52SKvbheeTJUm6Ehkz 1013 ytNN2SN96QRk8j/iI8ib"; 1014}; 1015 1016options { 1017 ... 1018 dnssec-enable yes; 1019 dnssec-validation yes; 1020}; 1021</pre> 1022<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 1023<h3 class="title">Note</h3> 1024 None of the keys listed in this example are valid. In particular, 1025 the root key is not valid. 1026 </div> 1027<p> 1028 When DNSSEC validation is enabled and properly configured, 1029 the resolver will reject any answers from signed, secure zones 1030 which fail to validate, and will return SERVFAIL to the client. 1031 </p> 1032<p> 1033 Responses may fail to validate for any of several reasons, 1034 including missing, expired, or invalid signatures, a key which 1035 does not match the DS RRset in the parent zone, or an insecure 1036 response from a zone which, according to its parent, should have 1037 been secure. 1038 </p> 1039<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 1040<h3 class="title">Note</h3> 1041<p> 1042 When the validator receives a response from an unsigned zone 1043 that has a signed parent, it must confirm with the parent 1044 that the zone was intentionally left unsigned. It does 1045 this by verifying, via signed and validated NSEC/NSEC3 records, 1046 that the parent zone contains no DS records for the child. 1047 </p> 1048<p> 1049 If the validator <span class="emphasis"><em>can</em></span> prove that the zone 1050 is insecure, then the response is accepted. However, if it 1051 cannot, then it must assume an insecure response to be a 1052 forgery; it rejects the response and logs an error. 1053 </p> 1054<p> 1055 The logged error reads "insecurity proof failed" and 1056 "got insecure response; parent indicates it should be secure". 1057 (Prior to BIND 9.7, the logged error was "not insecure". 1058 This referred to the zone, not the response.) 1059 </p> 1060</div> 1061</div> 1062</div> 1063<div class="sect1" lang="en"> 1064<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 1065<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div> 1066<p>As of BIND 9.7.0 it is possible to change a dynamic zone 1067 from insecure to signed and back again. A secure zone can use 1068 either NSEC or NSEC3 chains.</p> 1069<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1070<a name="id2571421"></a>Converting from insecure to secure</h3></div></div></div></div> 1071<p>Changing a zone from insecure to secure can be done in two 1072 ways: using a dynamic DNS update, or the 1073 <span><strong class="command">auto-dnssec</strong></span> zone option.</p> 1074<p>For either method, you need to configure 1075 <span><strong class="command">named</strong></span> so that it can see the 1076 <code class="filename">K*</code> files which contain the public and private 1077 parts of the keys that will be used to sign the zone. These files 1078 will have been generated by 1079 <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them 1080 in the key-directory, as specified in 1081 <code class="filename">named.conf</code>:</p> 1082<pre class="programlisting"> 1083 zone example.net { 1084 type master; 1085 update-policy local; 1086 file "dynamic/example.net/example.net"; 1087 key-directory "dynamic/example.net"; 1088 }; 1089</pre> 1090<p>If one KSK and one ZSK DNSKEY key have been generated, this 1091 configuration will cause all records in the zone to be signed 1092 with the ZSK, and the DNSKEY RRset to be signed with the KSK as 1093 well. An NSEC chain will be generated as part of the initial 1094 signing process.</p> 1095<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1096<a name="id2571459"></a>Dynamic DNS update method</h3></div></div></div></div> 1097<p>To insert the keys via dynamic update:</p> 1098<pre class="screen"> 1099 % nsupdate 1100 > ttl 3600 1101 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= 1102 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= 1103 > send 1104</pre> 1105<p>While the update request will complete almost immediately, 1106 the zone will not be completely signed until 1107 <span><strong class="command">named</strong></span> has had time to walk the zone and 1108 generate the NSEC and RRSIG records. The NSEC record at the apex 1109 will be added last, to signal that there is a complete NSEC 1110 chain.</p> 1111<p>If you wish to sign using NSEC3 instead of NSEC, you should 1112 add an NSEC3PARAM record to the initial update request. If you 1113 wish the NSEC3 chain to have the OPTOUT bit set, set it in the 1114 flags field of the NSEC3PARAM record.</p> 1115<pre class="screen"> 1116 % nsupdate 1117 > ttl 3600 1118 > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= 1119 > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= 1120 > update add example.net NSEC3PARAM 1 1 100 1234567890 1121 > send 1122</pre> 1123<p>Again, this update request will complete almost 1124 immediately; however, the record won't show up until 1125 <span><strong class="command">named</strong></span> has had a chance to build/remove the 1126 relevant chain. A private type record will be created to record 1127 the state of the operation (see below for more details), and will 1128 be removed once the operation completes.</p> 1129<p>While the initial signing and NSEC/NSEC3 chain generation 1130 is happening, other updates are possible as well.</p> 1131<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1132<a name="id2563508"></a>Fully automatic zone signing</h3></div></div></div></div> 1133<p>To enable automatic signing, add the 1134 <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in 1135 <code class="filename">named.conf</code>. 1136 <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: 1137 <code class="constant">allow</code> or 1138 <code class="constant">maintain</code>.</p> 1139<p>With 1140 <span><strong class="command">auto-dnssec allow</strong></span>, 1141 <span><strong class="command">named</strong></span> can search the key directory for keys 1142 matching the zone, insert them into the zone, and use them to 1143 sign the zone. It will do so only when it receives an 1144 <span><strong class="command">rndc sign <zonename></strong></span> or 1145 <span><strong class="command">rndc loadkeys <zonename></strong></span> command.</p> 1146<p> 1147 1148 <span><strong class="command">auto-dnssec maintain</strong></span> includes the above 1149 functionality, but will also automatically adjust the zone's 1150 DNSKEY records on schedule according to the keys' timing metadata. 1151 (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and 1152 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) 1153 If keys are present in the key directory the first time the zone 1154 is loaded, it will be signed immediately, without waiting for an 1155 <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span> 1156 command. (Those commands can still be used when there are unscheduled 1157 key changes, however.) 1158 </p> 1159<p>Using the 1160 <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be 1161 configured to allow dynamic updates, by adding an 1162 <span><strong class="command">allow-update</strong></span> or 1163 <span><strong class="command">update-policy</strong></span> statement to the zone 1164 configuration. If this has not been done, the configuration will 1165 fail.</p> 1166<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1167<a name="id2563590"></a>Private-type records</h3></div></div></div></div> 1168<p>The state of the signing process is signaled by 1169 private-type records (with a default type value of 65534). When 1170 signing is complete, these records will have a nonzero value for 1171 the final octet (for those records which have a nonzero initial 1172 octet).</p> 1173<p>The private type record format: If the first octet is 1174 non-zero then the record indicates that the zone needs to be 1175 signed with the key matching the record, or that all signatures 1176 that match the record should be removed.</p> 1177<p> 1178 </p> 1179<div class="literallayout"><p><br> 1180<br> 1181��algorithm�(octet�1)<br> 1182��key�id�in�network�order�(octet�2�and�3)<br> 1183��removal�flag�(octet�4)<br> 1184��complete�flag�(octet�5)<br> 1185</p></div> 1186<p> 1187 </p> 1188<p>Only records flagged as "complete" can be removed via 1189 dynamic update. Attempts to remove other private type records 1190 will be silently ignored.</p> 1191<p>If the first octet is zero (this is a reserved algorithm 1192 number that should never appear in a DNSKEY record) then the 1193 record indicates changes to the NSEC3 chains are in progress. The 1194 rest of the record contains an NSEC3PARAM record. The flag field 1195 tells what operation to perform based on the flag bits.</p> 1196<p> 1197 </p> 1198<div class="literallayout"><p><br> 1199<br> 1200��0x01�OPTOUT<br> 1201��0x80�CREATE<br> 1202��0x40�REMOVE<br> 1203��0x20�NONSEC<br> 1204</p></div> 1205<p> 1206 </p> 1207<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1208<a name="id2563696"></a>DNSKEY rollovers</h3></div></div></div></div> 1209<p>As with insecure-to-secure conversions, rolling DNSSEC 1210 keys can be done in two ways: using a dynamic DNS update, or the 1211 <span><strong class="command">auto-dnssec</strong></span> zone option.</p> 1212<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1213<a name="id2563708"></a>Dynamic DNS update method</h3></div></div></div></div> 1214<p> To perform key rollovers via dynamic update, you need to add 1215 the <code class="filename">K*</code> files for the new keys so that 1216 <span><strong class="command">named</strong></span> can find them. You can then add the new 1217 DNSKEY RRs via dynamic update. 1218 <span><strong class="command">named</strong></span> will then cause the zone to be signed 1219 with the new keys. When the signing is complete the private type 1220 records will be updated so that the last octet is non 1221 zero.</p> 1222<p>If this is for a KSK you need to inform the parent and any 1223 trust anchor repositories of the new KSK.</p> 1224<p>You should then wait for the maximum TTL in the zone before 1225 removing the old DNSKEY. If it is a KSK that is being updated, 1226 you also need to wait for the DS RRset in the parent to be 1227 updated and its TTL to expire. This ensures that all clients will 1228 be able to verify at least one signature when you remove the old 1229 DNSKEY.</p> 1230<p>The old DNSKEY can be removed via UPDATE. Take care to 1231 specify the correct key. 1232 <span><strong class="command">named</strong></span> will clean out any signatures generated 1233 by the old key after the update completes.</p> 1234<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1235<a name="id2563741"></a>Automatic key rollovers</h3></div></div></div></div> 1236<p>When a new key reaches its activation date (as set by 1237 <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>), 1238 if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to 1239 <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will 1240 automatically carry out the key rollover. If the key's algorithm 1241 has not previously been used to sign the zone, then the zone will 1242 be fully signed as quickly as possible. However, if the new key 1243 is replacing an existing key of the same algorithm, then the 1244 zone will be re-signed incrementally, with signatures from the 1245 old key being replaced with signatures from the new key as their 1246 signature validity periods expire. By default, this rollover 1247 completes in 30 days, after which it will be safe to remove the 1248 old key from the DNSKEY RRset.</p> 1249<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1250<a name="id2563836"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div> 1251<p>Add the new NSEC3PARAM record via dynamic update. When the 1252 new NSEC3 chain has been generated, the NSEC3PARAM flag field 1253 will be zero. At this point you can remove the old NSEC3PARAM 1254 record. The old chain will be removed after the update request 1255 completes.</p> 1256<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1257<a name="id2563846"></a>Converting from NSEC to NSEC3</h3></div></div></div></div> 1258<p>To do this, you just need to add an NSEC3PARAM record. When 1259 the conversion is complete, the NSEC chain will have been removed 1260 and the NSEC3PARAM record will have a zero flag field. The NSEC3 1261 chain will be generated before the NSEC chain is 1262 destroyed.</p> 1263<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1264<a name="id2563856"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div> 1265<p>To do this, use <span><strong class="command">nsupdate</strong></span> to 1266 remove all NSEC3PARAM records with a zero flag 1267 field. The NSEC chain will be generated before the NSEC3 chain is 1268 removed.</p> 1269<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1270<a name="id2563868"></a>Converting from secure to insecure</h3></div></div></div></div> 1271<p>To convert a signed zone to unsigned using dynamic DNS, 1272 delete all the DNSKEY records from the zone apex using 1273 <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains, 1274 and associated NSEC3PARAM records will be removed automatically. 1275 This will take place after the update request completes.</p> 1276<p> This requires the 1277 <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to 1278 <strong class="userinput"><code>yes</code></strong> in 1279 <code class="filename">named.conf</code>.</p> 1280<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span> 1281 zone statement is used, it should be removed or changed to 1282 <span><strong class="command">allow</strong></span> instead (or it will re-sign). 1283 </p> 1284<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1285<a name="id2563906"></a>Periodic re-signing</h3></div></div></div></div> 1286<p>In any secure zone which supports dynamic updates, named 1287 will periodically re-sign RRsets which have not been re-signed as 1288 a result of some update action. The signature lifetimes will be 1289 adjusted so as to spread the re-sign load over time rather than 1290 all at once.</p> 1291<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> 1292<a name="id2563915"></a>NSEC3 and OPTOUT</h3></div></div></div></div> 1293<p> 1294 <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains 1295 where all the NSEC3 records in the zone have the same OPTOUT 1296 state. 1297 <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3 1298 records in the chain have mixed OPTOUT state. 1299 <span><strong class="command">named</strong></span> does not support changing the OPTOUT 1300 state of an individual NSEC3 record, the entire chain needs to be 1301 changed if the OPTOUT state of an individual NSEC3 needs to be 1302 changed.</p> 1303</div> 1304<div class="sect1" lang="en"> 1305<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 1306<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div> 1307<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust 1308 anchor management. Using this feature allows 1309 <span><strong class="command">named</strong></span> to keep track of changes to critical 1310 DNSSEC keys without any need for the operator to make changes to 1311 configuration files.</p> 1312<div class="sect2" lang="en"> 1313<div class="titlepage"><div><div><h3 class="title"> 1314<a name="id2571685"></a>Validating Resolver</h3></div></div></div> 1315<p>To configure a validating resolver to use RFC 5011 to 1316 maintain a trust anchor, configure the trust anchor using a 1317 <span><strong class="command">managed-keys</strong></span> statement. Information about 1318 this can be found in 1319 <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition 1320 and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition 1321 and Usage”</a>.</p> 1322</div> 1323<div class="sect2" lang="en"> 1324<div class="titlepage"><div><div><h3 class="title"> 1325<a name="id2571707"></a>Authoritative Server</h3></div></div></div> 1326<p>To set up an authoritative zone for RFC 5011 trust anchor 1327 maintenance, generate two (or more) key signing keys (KSKs) for 1328 the zone. Sign the zone with one of them; this is the "active" 1329 KSK. All KSK's which do not sign the zone are "stand-by" 1330 keys.</p> 1331<p>Any validating resolver which is configured to use the 1332 active KSK as an RFC 5011-managed trust anchor will take note 1333 of the stand-by KSKs in the zone's DNSKEY RRset, and store them 1334 for future reference. The resolver will recheck the zone 1335 periodically, and after 30 days, if the new key is still there, 1336 then the key will be accepted by the resolver as a valid trust 1337 anchor for the zone. Any time after this 30-day acceptance 1338 timer has completed, the active KSK can be revoked, and the 1339 zone can be "rolled over" to the newly accepted key.</p> 1340<p>The easiest way to place a stand-by key in a zone is to 1341 use the "smart signing" features of 1342 <span><strong class="command">dnssec-keygen</strong></span> and 1343 <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication 1344 date in the past, but an activation date which is unset or in 1345 the future, " 1346 <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY 1347 record in the zone, but will not sign with it:</p> 1348<pre class="screen"> 1349$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong> 1350$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong> 1351</pre> 1352<p>To revoke a key, the new command 1353 <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the 1354 REVOKED bit to the key flags and re-generates the 1355 <code class="filename">K*.key</code> and 1356 <code class="filename">K*.private</code> files.</p> 1357<p>After revoking the active key, the zone must be signed 1358 with both the revoked KSK and the new active KSK. (Smart 1359 signing takes care of this automatically.)</p> 1360<p>Once a key has been revoked and used to sign the DNSKEY 1361 RRset in which it appears, that key will never again be 1362 accepted as a valid trust anchor by the resolver. However, 1363 validation can proceed using the new active key (which had been 1364 accepted by the resolver when it was a stand-by key).</p> 1365<p>See RFC 5011 for more details on key rollover 1366 scenarios.</p> 1367<p>When a key has been revoked, its key ID changes, 1368 increasing by 128, and wrapping around at 65535. So, for 1369 example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes 1370 "<code class="filename">Kexample.com.+005+10128</code>".</p> 1371<p>If two keys have ID's exactly 128 apart, and one is 1372 revoked, then the two key ID's will collide, causing several 1373 problems. To prevent this, 1374 <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if 1375 another key is present which may collide. This checking will 1376 only occur if the new keys are written to the same directory 1377 which holds all other keys in use for that zone.</p> 1378<p>Older versions of BIND 9 did not have this precaution. 1379 Exercise caution if using key revocation on keys that were 1380 generated by previous releases, or if using keys stored in 1381 multiple directories or on multiple machines.</p> 1382<p>It is expected that a future release of BIND 9 will 1383 address this problem in a different way, by storing revoked 1384 keys with their original unrevoked key ID's.</p> 1385</div> 1386</div> 1387<div class="sect1" lang="en"> 1388<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 1389<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div> 1390<p>PKCS #11 (Public Key Cryptography Standard #11) defines a 1391 platform- independent API for the control of hardware security 1392 modules (HSMs) and other cryptographic support devices.</p> 1393<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000 1394 cryptographic acceleration board, tested under Solaris x86, and 1395 the AEP Keyper network-attached key storage device, tested with 1396 Debian Linux, Solaris x86 and Windows Server 2003.</p> 1397<div class="sect2" lang="en"> 1398<div class="titlepage"><div><div><h3 class="title"> 1399<a name="id2609970"></a>Prerequisites</h3></div></div></div> 1400<p>See the HSM vendor documentation for information about 1401 installing, initializing, testing and troubleshooting the 1402 HSM.</p> 1403<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL 1404 does not yet fully support PKCS #11. However, a PKCS #11 engine 1405 for OpenSSL is available from the OpenSolaris project. It has 1406 been modified by ISC to work with with BIND 9, and to provide 1407 new features such as PIN management and key by 1408 reference.</p> 1409<p>The patched OpenSSL depends on a "PKCS #11 provider". 1410 This is a shared library object, providing a low-level PKCS #11 1411 interface to the HSM hardware. It is dynamically loaded by 1412 OpenSSL at runtime. The PKCS #11 provider comes from the HSM 1413 vendor, and and is specific to the HSM to be controlled.</p> 1414<p>There are two "flavors" of PKCS #11 support provided by 1415 the patched OpenSSL, one of which must be chosen at 1416 configuration time. The correct choice depends on the HSM 1417 hardware:</p> 1418<div class="itemizedlist"><ul type="disc"> 1419<li><p>Use 'crypto-accelerator' with HSMs that have hardware 1420 cryptographic acceleration features, such as the SCA 6000 1421 board. This causes OpenSSL to run all supported 1422 cryptographic operations in the HSM.</p></li> 1423<li><p>Use 'sign-only' with HSMs that are designed to 1424 function primarily as secure key storage devices, but lack 1425 hardware acceleration. These devices are highly secure, but 1426 are not necessarily any faster at cryptography than the 1427 system CPU — often, they are slower. It is therefore 1428 most efficient to use them only for those cryptographic 1429 functions that require access to the secured private key, 1430 such as zone signing, and to use the system CPU for all 1431 other computationally-intensive operations. The AEP Keyper 1432 is an example of such a device.</p></li> 1433</ul></div> 1434<p>The modified OpenSSL code is included in the BIND 9 release, 1435 in the form of a context diff against the latest verions of 1436 OpenSSL. OpenSSL 0.9.8 and 1.0.0 are both supported; there are 1437 separate diffs for each version. In the examples to follow, 1438 we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0. 1439 </p> 1440<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 1441<h3 class="title">Note</h3> 1442 The latest OpenSSL versions at the time of the BIND release 1443 are 0.9.8s and 1.0.0f. 1444 ISC will provide an updated patch as new versions of OpenSSL 1445 are released. The version number in the following examples 1446 is expected to change.</div> 1447<p> 1448 Before building BIND 9 with PKCS #11 support, it will be 1449 necessary to build OpenSSL with this patch in place and inform 1450 it of the path to the HSM-specific PKCS #11 provider 1451 library.</p> 1452<p>Obtain OpenSSL 0.9.8s:</p> 1453<pre class="screen"> 1454$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong> 1455</pre> 1456<p>Extract the tarball:</p> 1457<pre class="screen"> 1458$ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong> 1459</pre> 1460<p>Apply the patch from the BIND 9 release:</p> 1461<pre class="screen"> 1462$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \ 1463 < bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong> 1464</pre> 1465<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 1466<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the 1467 "patch" utility on all operating systems. You may need to 1468 install GNU patch.)</div> 1469<p>When building OpenSSL, place it in a non-standard 1470 location so that it does not interfere with OpenSSL libraries 1471 elsewhere on the system. In the following examples, we choose 1472 to install into "/opt/pkcs11/usr". We will use this location 1473 when we configure BIND 9.</p> 1474<div class="sect3" lang="en"> 1475<div class="titlepage"><div><div><h4 class="title"> 1476<a name="id2607881"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div> 1477<p>The AEP Keyper is a highly secure key storage device, 1478 but does not provide hardware cryptographic acceleration. It 1479 can carry out cryptographic operations, but it is probably 1480 slower than your system's CPU. Therefore, we choose the 1481 'sign-only' flavor when building OpenSSL.</p> 1482<p>The Keyper-specific PKCS #11 provider library is 1483 delivered with the Keyper software. In this example, we place 1484 it /opt/pkcs11/usr/lib:</p> 1485<pre class="screen"> 1486$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong> 1487</pre> 1488<p>This library is only available for Linux as a 32-bit 1489 binary. If we are compiling on a 64-bit Linux system, it is 1490 necessary to force a 32-bit build, by specifying -m32 in the 1491 build options.</p> 1492<p>Finally, the Keyper library requires threads, so we 1493 must specify -pthread.</p> 1494<pre class="screen"> 1495$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong> 1496$ <strong class="userinput"><code>/Configure linux-generic32 -m32 -pthread \ 1497 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ 1498 --pk11-flavor=sign-only \ 1499 --prefix=/opt/pkcs11/usr</code></strong> 1500</pre> 1501<p>After configuring, run "<span><strong class="command">make</strong></span>" 1502 and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make 1503 test</strong></span>" fails with "pthread_atfork() not found", you forgot to 1504 add the -pthread above.</p> 1505</div> 1506<div class="sect3" lang="en"> 1507<div class="titlepage"><div><div><h4 class="title"> 1508<a name="id2608019"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div> 1509<p>The SCA-6000 PKCS #11 provider is installed as a system 1510 library, libpkcs11. It is a true crypto accelerator, up to 4 1511 times faster than any CPU, so the flavor shall be 1512 'crypto-accelerator'.</p> 1513<p>In this example, we are building on Solaris x86 on an 1514 AMD64 system.</p> 1515<pre class="screen"> 1516$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong> 1517$ <strong class="userinput"><code>/Configure solaris64-x86_64-cc \ 1518 --pk11-libname=/usr/lib/64/libpkcs11.so \ 1519 --pk11-flavor=crypto-accelerator \ 1520 --prefix=/opt/pkcs11/usr</code></strong> 1521</pre> 1522<p>(For a 32-bit build, use "solaris-x86-cc" and 1523 /usr/lib/libpkcs11.so.)</p> 1524<p>After configuring, run 1525 <span><strong class="command">make</strong></span> and 1526 <span><strong class="command">make test</strong></span>.</p> 1527</div> 1528<div class="sect3" lang="en"> 1529<div class="titlepage"><div><div><h4 class="title"> 1530<a name="id2608068"></a>Building OpenSSL for SoftHSM</h4></div></div></div> 1531<p>SoftHSM is a software library provided by the OpenDNSSEC 1532 project (http://www.opendnssec.org) which provides a PKCS#11 1533 interface to a virtual HSM, implemented in the form of encrypted 1534 data on the local filesystem. It uses the Botan library for 1535 encryption and SQLite3 for data storage. Though less secure 1536 than a true HSM, it can provide more secure key storage than 1537 traditional key files, and can allow you to experiment with 1538 PKCS#11 when an HSM is not available.</p> 1539<p>The SoftHSM cryptographic store must be installed and 1540 initialized before using it with OpenSSL, and the SOFTHSM_CONF 1541 environment variable must always point to the SoftHSM configuration 1542 file:</p> 1543<pre class="screen"> 1544$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong> 1545$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong> 1546$ <strong class="userinput"><code> make </code></strong> 1547$ <strong class="userinput"><code> make install </code></strong> 1548$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong> 1549$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong> 1550$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong> 1551</pre> 1552<p>SoftHSM can perform all cryptographic operations, but 1553 since it only uses your system CPU, there is no need to use it 1554 for anything but signing. Therefore, we choose the 'sign-only' 1555 flavor when building OpenSSL.</p> 1556<pre class="screen"> 1557$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong> 1558$ <strong class="userinput"><code>/Configure linux-x86_64 -pthread \ 1559 --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ 1560 --pk11-flavor=sign-only \ 1561 --prefix=/opt/pkcs11/usr</code></strong> 1562</pre> 1563<p>After configuring, run "<span><strong class="command">make</strong></span>" 1564 and "<span><strong class="command">make test</strong></span>".</p> 1565</div> 1566<p>Once you have built OpenSSL, run 1567 "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm 1568 that PKCS #11 support was compiled in correctly. The output 1569 should be one of the following lines, depending on the flavor 1570 selected:</p> 1571<pre class="screen"> 1572 (pkcs11) PKCS #11 engine support (sign only) 1573</pre> 1574<p>Or:</p> 1575<pre class="screen"> 1576 (pkcs11) PKCS #11 engine support (crypto accelerator) 1577</pre> 1578<p>Next, run 1579 "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will 1580 attempt to initialize the PKCS #11 engine. If it is able to 1581 do so successfully, it will report 1582 “<span class="quote"><code class="literal">[ available ]</code></span>”.</p> 1583<p>If the output is correct, run 1584 "<span><strong class="command">make install</strong></span>" which will install the 1585 modified OpenSSL suite to 1586 <code class="filename">/opt/pkcs11/usr</code>.</p> 1587</div> 1588<div class="sect2" lang="en"> 1589<div class="titlepage"><div><div><h3 class="title"> 1590<a name="id2608219"></a>Building BIND 9 with PKCS#11</h3></div></div></div> 1591<p>When building BIND 9, the location of the custom-built 1592 OpenSSL library must be specified via configure.</p> 1593<div class="sect3" lang="en"> 1594<div class="titlepage"><div><div><h4 class="title"> 1595<a name="id2608228"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div> 1596<p>To link with the PKCS #11 provider, threads must be 1597 enabled in the BIND 9 build.</p> 1598<p>The PKCS #11 library for the AEP Keyper is currently 1599 only available as a 32-bit binary. If we are building on a 1600 64-bit host, we must force a 32-bit build by adding "-m32" to 1601 the CC options on the "configure" command line.</p> 1602<pre class="screen"> 1603$ <strong class="userinput"><code>cd /bind9</code></strong> 1604$ <strong class="userinput"><code>/configure CC="gcc -m32" --enable-threads \ 1605 --with-openssl=/opt/pkcs11/usr \ 1606 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong> 1607</pre> 1608</div> 1609<div class="sect3" lang="en"> 1610<div class="titlepage"><div><div><h4 class="title"> 1611<a name="id2608260"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div> 1612<p>To link with the PKCS #11 provider, threads must be 1613 enabled in the BIND 9 build.</p> 1614<pre class="screen"> 1615$ <strong class="userinput"><code>cd /bind9</code></strong> 1616$ <strong class="userinput"><code>/configure CC="cc -xarch=amd64" --enable-threads \ 1617 --with-openssl=/opt/pkcs11/usr \ 1618 --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong> 1619</pre> 1620<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p> 1621<p>If configure complains about OpenSSL not working, you 1622 may have a 32/64-bit architecture mismatch. Or, you may have 1623 incorrectly specified the path to OpenSSL (it should be the 1624 same as the --prefix argument to the OpenSSL 1625 Configure).</p> 1626</div> 1627<div class="sect3" lang="en"> 1628<div class="titlepage"><div><div><h4 class="title"> 1629<a name="id2610481"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div> 1630<pre class="screen"> 1631$ <strong class="userinput"><code>cd /bind9</code></strong> 1632$ <strong class="userinput"><code>/configure --enable-threads \ 1633 --with-openssl=/opt/pkcs11/usr \ 1634 --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong> 1635</pre> 1636</div> 1637<p>After configuring, run 1638 "<span><strong class="command">make</strong></span>", 1639 "<span><strong class="command">make test</strong></span>" and 1640 "<span><strong class="command">make install</strong></span>".</p> 1641<p>(Note: If "make test" fails in the "pkcs11" system test, you may 1642 have forgotten to set the SOFTHSM_CONF environment variable.)</p> 1643</div> 1644<div class="sect2" lang="en"> 1645<div class="titlepage"><div><div><h3 class="title"> 1646<a name="id2610529"></a>PKCS #11 Tools</h3></div></div></div> 1647<p>BIND 9 includes a minimal set of tools to operate the 1648 HSM, including 1649 <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair 1650 within the HSM, 1651 <span><strong class="command">pkcs11-list</strong></span> to list objects currently 1652 available, and 1653 <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p> 1654<p>In UNIX/Linux builds, these tools are built only if BIND 1655 9 is configured with the --with-pkcs11 option. (NOTE: If 1656 --with-pkcs11 is set to "yes", rather than to the path of the 1657 PKCS #11 provider, then the tools will be built but the 1658 provider will be left undefined. Use the -m option or the 1659 PKCS11_PROVIDER environment variable to specify the path to the 1660 provider.)</p> 1661</div> 1662<div class="sect2" lang="en"> 1663<div class="titlepage"><div><div><h3 class="title"> 1664<a name="id2610560"></a>Using the HSM</h3></div></div></div> 1665<p>First, we must set up the runtime environment so the 1666 OpenSSL and PKCS #11 libraries can be loaded:</p> 1667<pre class="screen"> 1668$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong> 1669</pre> 1670<p>When operating an AEP Keyper, it is also necessary to 1671 specify the location of the "machine" file, which stores 1672 information about the Keyper for use by PKCS #11 provider 1673 library. If the machine file is in 1674 <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>, 1675 use:</p> 1676<pre class="screen"> 1677$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong> 1678</pre> 1679<p>These environment variables must be set whenever running 1680 any tool that uses the HSM, including 1681 <span><strong class="command">pkcs11-keygen</strong></span>, 1682 <span><strong class="command">pkcs11-list</strong></span>, 1683 <span><strong class="command">pkcs11-destroy</strong></span>, 1684 <span><strong class="command">dnssec-keyfromlabel</strong></span>, 1685 <span><strong class="command">dnssec-signzone</strong></span>, 1686 <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for 1687 random number generation), and 1688 <span><strong class="command">named</strong></span>.</p> 1689<p>We can now create and use keys in the HSM. In this case, 1690 we will create a 2048 bit key and give it the label 1691 "sample-ksk":</p> 1692<pre class="screen"> 1693$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong> 1694</pre> 1695<p>To confirm that the key exists:</p> 1696<pre class="screen"> 1697$ <strong class="userinput"><code>pkcs11-list</code></strong> 1698Enter PIN: 1699object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] 1700object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] 1701</pre> 1702<p>Before using this key to sign a zone, we must create a 1703 pair of BIND 9 key files. The "dnssec-keyfromlabel" utility 1704 does this. In this case, we will be using the HSM key 1705 "sample-ksk" as the key-signing key for "example.net":</p> 1706<pre class="screen"> 1707$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong> 1708</pre> 1709<p>The resulting K*.key and K*.private files can now be used 1710 to sign the zone. Unlike normal K* files, which contain both 1711 public and private key data, these files will contain only the 1712 public key data, plus an identifier for the private key which 1713 remains stored within the HSM. The HSM handles signing with the 1714 private key.</p> 1715<p>If you wish to generate a second key in the HSM for use 1716 as a zone-signing key, follow the same procedure above, using a 1717 different keylabel, a smaller key size, and omitting "-f KSK" 1718 from the dnssec-keyfromlabel arguments:</p> 1719<pre class="screen"> 1720$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong> 1721$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong> 1722</pre> 1723<p>Alternatively, you may prefer to generate a conventional 1724 on-disk key, using dnssec-keygen:</p> 1725<pre class="screen"> 1726$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong> 1727</pre> 1728<p>This provides less security than an HSM key, but since 1729 HSMs can be slow or cumbersome to use for security reasons, it 1730 may be more efficient to reserve HSM keys for use in the less 1731 frequent key-signing operation. The zone-signing key can be 1732 rolled more frequently, if you wish, to compensate for a 1733 reduction in key security.</p> 1734<p>Now you can sign the zone. (Note: If not using the -S 1735 option to 1736 <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add 1737 the contents of both 1738 <code class="filename">K*.key</code> files to the zone master file before 1739 signing it.)</p> 1740<pre class="screen"> 1741$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong> 1742Enter PIN: 1743Verifying the zone using the following algorithms: 1744NSEC3RSASHA1. 1745Zone signing complete: 1746Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by 1747example.net.signed 1748</pre> 1749</div> 1750<div class="sect2" lang="en"> 1751<div class="titlepage"><div><div><h3 class="title"> 1752<a name="id2635129"></a>Specifying the engine on the command line</h3></div></div></div> 1753<p>The OpenSSL engine can be specified in 1754 <span><strong class="command">named</strong></span> and all of the BIND 1755 <span><strong class="command">dnssec-*</strong></span> tools by using the "-E 1756 <engine>" command line option. If BIND 9 is built with 1757 the --with-pkcs11 option, this option defaults to "pkcs11". 1758 Specifying the engine will generally not be necessary unless 1759 for some reason you wish to use a different OpenSSL 1760 engine.</p> 1761<p>If you wish to disable use of the "pkcs11" engine — 1762 for troubleshooting purposes, or because the HSM is unavailable 1763 — set the engine to the empty string. For example:</p> 1764<pre class="screen"> 1765$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong> 1766</pre> 1767<p>This causes 1768 <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled 1769 without the --with-pkcs11 option.</p> 1770</div> 1771<div class="sect2" lang="en"> 1772<div class="titlepage"><div><div><h3 class="title"> 1773<a name="id2635243"></a>Running named with automatic zone re-signing</h3></div></div></div> 1774<p>If you want 1775 <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM 1776 keys, and/or to to sign new records inserted via nsupdate, then 1777 named must have access to the HSM PIN. This can be accomplished 1778 by placing the PIN into the openssl.cnf file (in the above 1779 examples, 1780 <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p> 1781<p>The location of the openssl.cnf file can be overridden by 1782 setting the OPENSSL_CONF environment variable before running 1783 named.</p> 1784<p>Sample openssl.cnf:</p> 1785<pre class="programlisting"> 1786 openssl_conf = openssl_def 1787 [ openssl_def ] 1788 engines = engine_section 1789 [ engine_section ] 1790 pkcs11 = pkcs11_section 1791 [ pkcs11_section ] 1792 PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em> 1793</pre> 1794<p>This will also allow the dnssec-* tools to access the HSM 1795 without PIN entry. (The pkcs11-* tools access the HSM directly, 1796 not via OpenSSL, so a PIN will still be required to use 1797 them.)</p> 1798<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> 1799<h3 class="title">Warning</h3> 1800<p>Placing the HSM's PIN in a text file in 1801 this manner may reduce the security advantage of using an 1802 HSM. Be sure this is what you want to do before configuring 1803 OpenSSL in this way.</p> 1804</div> 1805</div> 1806</div> 1807<div class="sect1" lang="en"> 1808<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 1809<a name="id2572669"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div> 1810<p> 1811 <acronym class="acronym">BIND</acronym> 9 fully supports all currently 1812 defined forms of IPv6 name to address and address to name 1813 lookups. It will also use IPv6 addresses to make queries when 1814 running on an IPv6 capable system. 1815 </p> 1816<p> 1817 For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports 1818 only AAAA records. RFC 3363 deprecated the use of A6 records, 1819 and client-side support for A6 records was accordingly removed 1820 from <acronym class="acronym">BIND</acronym> 9. 1821 However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still 1822 load zone files containing A6 records correctly, answer queries 1823 for A6 records, and accept zone transfer for a zone containing A6 1824 records. 1825 </p> 1826<p> 1827 For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports 1828 the traditional "nibble" format used in the 1829 <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated 1830 <span class="emphasis"><em>ip6.int</em></span> domain. 1831 Older versions of <acronym class="acronym">BIND</acronym> 9 1832 supported the "binary label" (also known as "bitstring") format, 1833 but support of binary labels has been completely removed per 1834 RFC 3363. 1835 Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand 1836 the binary label format at all any more, and will return an 1837 error if given. 1838 In particular, an authoritative <acronym class="acronym">BIND</acronym> 9 1839 name server will not load a zone file containing binary labels. 1840 </p> 1841<p> 1842 For an overview of the format and structure of IPv6 addresses, 1843 see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>. 1844 </p> 1845<div class="sect2" lang="en"> 1846<div class="titlepage"><div><div><h3 class="title"> 1847<a name="id2572868"></a>Address Lookups Using AAAA Records</h3></div></div></div> 1848<p> 1849 The IPv6 AAAA record is a parallel to the IPv4 A record, 1850 and, unlike the deprecated A6 record, specifies the entire 1851 IPv6 address in a single record. For example, 1852 </p> 1853<pre class="programlisting"> 1854$ORIGIN example.com. 1855host 3600 IN AAAA 2001:db8::1 1856</pre> 1857<p> 1858 Use of IPv4-in-IPv6 mapped addresses is not recommended. 1859 If a host has an IPv4 address, use an A record, not 1860 a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as 1861 the address. 1862 </p> 1863</div> 1864<div class="sect2" lang="en"> 1865<div class="titlepage"><div><div><h3 class="title"> 1866<a name="id2572889"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> 1867<p> 1868 When looking up an address in nibble format, the address 1869 components are simply reversed, just as in IPv4, and 1870 <code class="literal">ip6.arpa.</code> is appended to the 1871 resulting name. 1872 For example, the following would provide reverse name lookup for 1873 a host with address 1874 <code class="literal">2001:db8::1</code>. 1875 </p> 1876<pre class="programlisting"> 1877$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 18781.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR ( 1879 host.example.com. ) 1880</pre> 1881</div> 1882</div> 1883</div> 1884<div class="navfooter"> 1885<hr> 1886<table width="100%" summary="Navigation footer"> 1887<tr> 1888<td width="40%" align="left"> 1889<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>�</td> 1890<td width="20%" align="center">�</td> 1891<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch05.html">Next</a> 1892</td> 1893</tr> 1894<tr> 1895<td width="40%" align="left" valign="top">Chapter�3.�Name Server Configuration�</td> 1896<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> 1897<td width="40%" align="right" valign="top">�Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td> 1898</tr> 1899</table> 1900</div> 1901</body> 1902</html> 1903