<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
-<!-- File: $Id: Bv9ARM-book.xml,v 1.247 2004/06/04 02:31:42 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.248 2004/06/11 00:13:41 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
<command>zone</command> statement.</para>
<para>Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: SIG and NXT records affected by updates are automatically
+ RFC 3007: RRSIG and NSEC records affected by updates are automatically
regenerated by the server using an online zone key.
Update authorization is based
on transaction signatures and an explicit server policy.</para>
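Review bot: the SIG/NXT to RRSIG/NSEC rename in this paragraph matches the DNSSEC-bis terminology used in the "Signing the Zone" hunk below; the same rename should be applied wherever else the dynamic update and options text still says SIG or NXT, otherwise the manual describes the same records under two names and readers of the update section cannot tell whether the older record types are still generated.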
<title>DNSSEC</title>
<para>Cryptographic authentication of DNS information is possible
- through the DNS Security (<emphasis>DNSSEC</emphasis>) extensions,
- defined in RFC 2535. This section describes the creation and use
+ through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
+ defined in RFC <TBA>. This section describes the creation and use
of DNSSEC signed zones.</para>
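Review bot: `defined in RFC <TBA>` puts an undeclared, unclosed element into the DocBook source, so the book will no longer parse or validate until the RFC number is filled in; use plain text such as `RFC [TBA]` or an XML comment (`<!-- RFC number to be assigned -->`) as the placeholder instead. Also, the parenthetical now introduces the abbreviation as "DNSSEC-bis" while every following sentence in the section says "DNSSEC"; either keep `<emphasis>DNSSEC</emphasis>` and mention the revised specification in a separate clause, or use one name consistently.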
<para>In order to set up a DNSSEC secure zone, there are a series
that are used in this process, which are explained in more detail
below. In all cases, the <option>-h</option> option prints a
full list of parameters. Note that the DNSSEC tools require the
- keyset and signedkey files to be in the working directory or the
+ keyset files to be in the working directory or the
directory specified by the <option>-h</option> option, and
- that the tools shipped with BIND 9.0.x are not fully compatible
+ that the tools shipped with BIND 9.2.x and earlier are not compatible
with the current ones.</para>
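Review bot: the unchanged line in this paragraph still says the keyset directory is "specified by the -h option", while two lines earlier -h is described as printing the full parameter list; one of the two is wrong and the sentence is already being edited, so fix the flag here (the directory option is a different flag from the help flag). The new compatibility wording ("BIND 9.2.x and earlier are not compatible") is stronger than the old "not fully compatible"; say what breaks, for example that the older tools emit SIG/NXT rather than the RRSIG/NSEC records the current signer produces, so an administrator mixing tool versions knows why the result fails to validate.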
<para>There must also be communication with the administrators of
- the parent and/or child zone to transmit keys and signatures. A
- zone's security status must be indicated by the parent zone for a
- DNSSEC capable resolver to trust its data.</para>
+ the parent and/or child zone to transmit keys. A zone's security
+ status must be indicated by the parent zone for a DNSSEC capable
+ resolver to trust its data. This is done through the presense
+ or absence of a <literal>DS</literal> record at the delegation
+ point.</para>
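Review bot: typo in the added text, "presense" should be "presence", and "DNSSEC capable" reads better as "DNSSEC-capable". The DS sentence is the central security statement of the section, so it is worth one more clause saying that a delegation with no DS record in the parent is treated by validators as insecure, which is what the "absence" case means in practice and what the "need to be added manually" remark in the "Signing the Zone" hunk depends on.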
<para>For other servers to trust data in this zone, they must
either be statically configured with this zone's zone key or the
<command>ZONE</command>, and must be usable for authentication.
It is recommended that zone keys use a cryptographic algorithm
designated as "mandatory to implement" by the IETF; currently
- these are RSASHA1 and DSA.</para>
+ the only one is RSASHA1.</para>
- <para>The following command will generate a 768 bit DSA key for
+ <para>The following command will generate a 768 bit RSASHA1 key for
the <filename>child.example</filename> zone:</para>
- <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</userinput></para>
+ <para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
<para>Two output files will be produced:
- <filename>Kchild.example.+003+12345.key</filename> and
- <filename>Kchild.example.+003+12345.private</filename> (where
+ <filename>Kchild.example.+005+12345.key</filename> and
+ <filename>Kchild.example.+005+12345.private</filename> (where
12345 is an example of a key tag). The key file names contain
the key name (<filename>child.example.</filename>), algorithm (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
<command>$INCLUDE</command> statements.
</para>
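Review bot: the example changes the algorithm from DSA to RSASHA1 but keeps `-b 768`; readers copy these commands verbatim, and a 768-bit RSA key leaves little security margin for a zone key, so consider a larger size in the example (1024 is the usual recommended minimum for zone keys) unless 768 is deliberately minimal for the tutorial. The file-name change to `+005+` is consistent with the algorithm list on the unchanged line ("5 is RSASHA1"); it may also help to say that 12345 is only an illustrative key tag so that nobody expects their files to carry that number.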
- </sect2>
- <sect2>
- <title>Creating a Keyset</title>
-
- <para>The <command>dnssec-makekeyset</command> program is used
- to create a key set from one or more keys.</para>
-
- <para>Once the zone keys have been generated, a key set must be
- built for transmission to the administrator of the parent zone,
- so that the parent zone can sign the keys with its own zone key
- and correctly indicate the security status of this zone. When
- building a key set, the list of keys to be included and the TTL
- of the set must be specified, and the desired signature validity
- period of the parent's signature may also be specified.</para>
-
- <para>The list of keys to be inserted into the key set may also
- included non-zone keys present at the top of the zone.
- <command>dnssec-makekeyset</command> may also be used at other
- names in the zone.</para>
-
- <para>The following command generates a key set containing the
- above key and another key similarly generated, with a TTL of
- 3600 and a signature validity period of 10 days starting from
- now.</para>
-
-<para><userinput>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
-
- <para>One output file is produced:
- <filename>keyset-child.example.</filename>. This file should be
- transmitted to the parent to be signed. It includes the keys,
- as well as signatures over the key set generated by the zone
- keys themselves, which are used to prove ownership of the
- private keys and encode the desired validity period.</para>
-
- </sect2>
- <sect2>
- <title>Signing the Child's Keyset</title>
-
- <para>The <command>dnssec-signkey</command> program is used to
- sign one child's keyset.</para>
-
- <para>If the <filename>child.example</filename> zone has any
- delegations which are secure, for example,
- <filename>grand.child.example</filename>, the
- <filename>child.example</filename> administrator should receive
- keyset files for each secure subzone. These keys must be signed
- by this zone's zone keys.</para>
-
- <para>The following command signs the child's key set with the
- zone keys:</para>
-
-<para><userinput>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
-
- <para>One output file is produced:
- <filename>signedkey-grand.child.example.</filename>. This file
- should be both transmitted back to the child and retained. It
- includes all keys (the child's keys) from the keyset file and
- signatures generated by this zone's zone keys.</para>
-
</sect2>
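Review bot: deleting the "Creating a Keyset" and "Signing the Child's Keyset" sections removes the only text that explained how the child's keys reach the parent and how the parent records the child's security status; the paragraph added later in "Signing the Zone" only says that dnssec-signzone writes keyset and dsset files. Add a short paragraph on sending the dsset (or keyset) file to the parent administrator and on the parent adding the DS RRset (manually or via the signer option described in the next hunk), otherwise the workflow now has a gap exactly at the step that establishes the chain of trust. Also check the rest of the manual for remaining references to dnssec-makekeyset and dnssec-signkey, since they are no longer documented here.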
<sect2>
<title>Signing the Zone</title>
<para>The <command>dnssec-signzone</command> program is used to
sign a zone.</para>
- <para>Any <filename>signedkey</filename> files corresponding to
- secure subzones should be present, as well as a
- <filename>signedkey</filename> file for this zone generated by
- the parent (if there is one). The zone signer will generate
- <literal>NXT</literal> and <literal>SIG</literal> records for
- the zone, as well as incorporate the zone key signature from the
- parent and indicate the security status at all delegation
- points.</para>
+ <para>Any <filename>keyset</filename> files corresponding
+ to secure subzones should be present. The zone signer will
+ generate <literal>NSEC</literal> and <literal>RRSIG</literal>
+ records for the zone, as well as <literal>DS</literal> for
+ the child zones if <literal>'-d'</literal> is specified.
+ If <literal>'-d'</literal> is not specified then DS RRsets for
+ the secure child zones need to be added manually.</para>
<para>The following command signs the zone, assuming it is in a
file called <filename>zone.child.example</filename>. By
should be referenced by <filename>named.conf</filename> as the
input file for the zone.</para>
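Review bot: `<literal>'-d'</literal>` mixes literal quoting with option markup; this file uses `<option>-d</option>` style for command-line flags (see the `-h` references earlier in the section), so use that and drop the quotes. The sentence about adding DS RRsets manually when the option is not given is important and should also say what the signer does with DS records that are already present in the zone file in that case (left as-is, or re-signed unchanged), since a stale or wrong DS record breaks validation for the entire child zone and the administrator needs to know which side is responsible for removing it.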
+ <para><command>dnssec-signzone</command> will also produce a
+ keyset and dsset files and optionally a dlvset file. These
+ are used to provide the parent zone administators with the
+ <literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
+ records) that are the secure entry point to the zone.</para>
+
</sect2>
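Review bot: typo "administators" should be "administrators", and "produce a keyset and dsset files" should be "produce keyset and dsset files". `<literal>DNSKEYs</literal>` puts an English plural inside a literal record-type name; write `<literal>DNSKEY</literal> records`. The paragraph also introduces "dlvset" without saying what a dlvset file is for; either add a sentence on that or leave the mention out until that mechanism is documented elsewhere in the manual.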
<sect2><title>Configuring Servers</title>
At startup, specifing the category <command>queries</command> will also
enable query logging unless <command>querylog</command> option has been
specified.
-</para></entry>
+</para>
+<para>
+The query log entry reports the client's IP address and port number. The
+query name, class and type. It also reports whether the Recursion Desired
+flag was set (+ if set, - if not set), EDNS was in use (E) or if the
+query was signed (S).</para>
+<programlisting><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
+<computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
+</programlisting>
+</entry>
</row>
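Review bot: in the added paragraph, "The query log entry reports the client's IP address and port number. The query name, class and type." is a sentence fragment split off from the previous one; join them as "... port number, the query name, class and type." The text lists the flags as recursion-desired, then EDNS (E), then signed (S), while both sample lines print them as `+SE`; state the order in which the server prints them so the example is unambiguous, and say that E and S are simply omitted when not applicable. The unchanged context line above still has "specifing" for "specifying" and "unless querylog option" needs "the". The sample lines are fine as a programlisting; since each entry records a client address, a sentence noting that query logs are per-query and can grow quickly on a busy resolver would help administrators decide when to enable the category.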
<row rowsep = "0">
<entry colname = "1"><para><command>dispatch</command></para></entry>