BIND 9.3.2 Release Notes: HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3
Chapter 1 BIND 9.3.2 Release Notes

BIND 9.3.2 Features

BIND 9.3.2 offers the following features:

DNSSEC Implementation Based on RFC 4033, 4034, and 4035

Starting with BIND 9.3.2, the Domain Name System Security Extensions (DNSSEC) feature implements the standards specified in RFC 4033 (DNS Security Introduction and Requirements), RFC 4034 (Resource Records for the DNS Security Extensions), and RFC 4035 (Protocol Modifications for the DNS Security Extensions). The DNSSEC implementation provides the following new features:

  • Signed Zone

    A signed zone contains additional security-related resource records (RRs). Table 1-1 describes the security-related records that BIND 9.3.2 adds to a signed zone.

    Table 1-1 Security-Related RRs in a Signed Zone (RR type, followed by its description)

    DNS Public Key (DNSKEY)

    Stores the zone's public keys, which a security-aware resolver uses to verify the zone's RRSIG records. The DNSKEY record replaces the KEY record.

    Resource Record Signature (RRSIG)

    Stores the digital signature over an RRset, generated with the zone's private key. A resolver verifies the RRSIG against the matching DNSKEY.

    Next Secure (NSEC)

    Enables a security-aware resolver to authenticate a negative reply (non-existence of a name or type) using the same signature mechanism that authenticates other DNS replies. The NSEC record replaces the NXT record.

    Delegation Signer (DS)

    Published in the parent zone, holds a digest of a DNSKEY in the child zone. It extends the parent's chain of trust to the child, so that delegations across organizational boundaries can be secured without the parent holding the child's key.

  • New DNSSEC options in the options statement

    BIND 9.3.2 provides new DNSSEC options in the options statement. Table 1-2 lists the new options in the options statement located in the /etc/named.conf file.

    Table 1-2 New DNSSEC Options (option syntax, followed by its description)

    dnssec-enable yes_or_no;

    Enables or disables DNSSEC support. If this option is set to yes, named supports DNSSEC; otherwise named behaves as if it does not support DNSSEC at all. By default, DNSSEC is not enabled.

    dnssec-lookaside domain trust-anchor domain;

    Gives the validator an alternate way to validate the DNSKEY RRset at the top of a zone under the first domain: when no DS record chain reaches the zone, named looks up a DNSSEC Lookaside Validation (DLV) record under the trust-anchor domain instead.

    dnssec-must-be-secure domain yes_or_no;

    Specifies hierarchies that must be secure (signed and validated). If this option is set to yes, named accepts answers for names under domain only if they validate as secure. If this option is set to no, named applies standard DNSSEC validation, which also accepts insecure (unsigned) answers.

    disable-algorithms domain { algorithm; [ algorithm; ] };

    Disables the specified DNSSEC algorithms at and below the specified name, so that data signed only with those algorithms is treated as unsigned. Multiple disable-algorithms statements are allowed. However, only the most specific one (the longest matching name) is applied.

    sig-validity-interval number;

    Specifies the number of days after which the DNSSEC signatures that named generates automatically (for dynamically updated zones) expire. The default value is 30 days. The maximum is 3660 days (10 years).

    For more information on the new DNSSEC options, see named.conf(1).

  • New DNSSEC statement in the options statement

    BIND 9.3.2 contains trusted-keys, a new top-level DNSSEC statement in the /etc/named.conf file (it is not a clause of the options statement). The trusted-keys statement defines DNSSEC security roots. A security root is needed when the public key of a zone is known but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. When a key is configured as a trusted key, it is treated as if it had been validated and is secure; the resolver then attempts DNSSEC validation on all DNS data in the subdomains of that security root. Because this release has no mechanism to update a trust anchor automatically, a trusted key must be replaced by hand when the zone owner rolls it, or validation below that root fails. The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the base-64 representation of the key data. For more information on the trusted-keys statement, see named.conf(1).
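The following named.conf fragment is an added example (it is not part of the HP release notes or of BIND's own documentation) that puts the options of Table 1-2 together with a trusted-keys statement for a validating resolver. The zone name example.test., the key data, and the algorithm choices are placeholders.

```conf
// Added example, not from the HP release notes. Names and key data are placeholders.
options {
    directory "/var/named";
    dnssec-enable yes;                      // DNSSEC is off by default in 9.3.2

    // Below example.test. an unsigned or unvalidatable answer is refused.
    // Everywhere else standard validation applies and insecure answers pass.
    dnssec-must-be-secure "example.test." yes;

    // Treat data signed only with RSA/MD5 (algorithm 1) as unsigned
    // at and below example.test.; a more specific name would override this.
    disable-algorithms "example.test." { RSAMD5; };

    // Signatures named generates for dynamically updated zones stay valid
    // for 30 days (the default).
    sig-validity-interval 30;
};

// trusted-keys is a top-level statement, not an options clause.
// Fields: owner name, flags, protocol, algorithm, base-64 key data.
// 257 = zone key with the Secure Entry Point bit set (a KSK), protocol 3
// (DNSSEC), algorithm 5 (RSA/SHA-1). The key string is a placeholder;
// paste the real DNSKEY RDATA obtained out of band from the zone owner.
trusted-keys {
    "example.test." 257 3 5 "PLACEHOLDER-BASE64-KEY-DATA==";
};
```

named rejects the file if the key data is not valid base-64, so replace the placeholder and run named-checkconf before reloading. Nothing in this release tracks a rolled anchor: when the zone owner replaces the KSK, edit this statement and reload, otherwise every name under example.test. validates as bogus and, with dnssec-must-be-secure set to yes, is refused.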

Support for the ip6.arpa Domain

BIND 9.3.2 uses the ip6.arpa domain for IPv6 reverse lookups, instead of the ip6.int domain. However, BIND 9.3.2 continues to support the ip6.int domain for backward compatibility. IPv6 addresses themselves are stored in the DNS in AAAA records. The query types that already perform additional section processing to locate IPv4 addresses (for example, NS and MX) are redefined to perform additional section processing on both IPv4 and IPv6 addresses.

The ip6.arpa domain is a special domain defined to look up a record given an IPv6 address. This domain provides a method to map an IPv6 address to a host name (a PTR record).

An IPv6 address is represented as a name in the ip6.arpa domain by a sequence of nibbles separated by dots with the suffix .ip6.arpa. The sequence of nibbles is encoded in reverse order: the low-order nibble is encoded first, followed by the next low-order nibble, and so on. Each nibble is represented by a hexadecimal digit. The encoding covers the fully expanded 128-bit address, so leading zeros in each 16-bit group and any groups compressed with :: must be written out.

For example, consider the following IPv6 address:

4321:0:1:2:3:4:567:89ab

Following is the reverse lookup domain name in the ip6.arpa domain:

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa. 

New Method of Listing Master Servers

Starting with BIND 9.3.2, the masters statement defines a named list of master name servers that can be referenced from the masters clause of the zone statement.

Following is the syntax of the masters statement. The name it defines (a masters_list) can then be used wherever a list of masters is expected:

masters name [port ip_port] {(masters_list | ip_addr [port ip_port] [key key]); [...]};

Each element is either the IP address of a master server, which the slave contacts to update its copy of the zone, optionally with a port and a TSIG key that authenticates the transfer, or the name of another masters list. A name used here must be defined by a masters statement; an acl name is not accepted in a masters clause.

Following is a sample masters statement that assigns a symbolic name to a list of master servers:

masters masters1 {
         15.70.190.186; 15.70.190.115;
         };

Following is a sample zone statement with the masters clause:

zone "example.com" { 
type slave; 
masters {masters1;};
file "db.example";
};

Where:

masters1 specifies the name of the list of master name servers.
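The following fragment is an added example (not from the HP release notes or from BIND's documentation) that uses the key clause of the masters statement so that zone transfers from the listed masters are authenticated with TSIG. The addresses, the key name xfer-key and its secret are placeholders.

```conf
// Added example, not from the HP release notes. Addresses, key name and
// secret are placeholders; generate a real secret with dnssec-keygen
// (-a HMAC-MD5 -n HOST) and keep this file readable by named only.
key "xfer-key" {
    algorithm hmac-md5;                       // the TSIG algorithm available in BIND 9.3
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// A named masters list. Each entry may carry its own port and TSIG key, so
// the slave signs its SOA queries and transfer requests to these servers.
masters primaries-example port 53 {
    15.70.190.186 key "xfer-key";
    15.70.190.115 key "xfer-key";
};

zone "example.com" {
    type slave;
    masters { primaries-example; };           // the masters list name, not an acl
    file "db.example";
};

// On each master, require the same key for outbound transfers, so that the
// zone cannot be pulled by an unauthenticated client:
// zone "example.com" { type master; file "db.example";
//                      allow-transfer { key "xfer-key"; }; };
```

Without the key clause the slave still verifies nothing about where the zone came from; the key is what ties the transfer to a master that holds the same secret.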

New Options in the options Statement

Table 1-3 lists the new options added in the options statement.

Table 1-3 New Options in the Options Statement (option, followed by its description)

hostname

Sets the host name that named reports when queried for the name hostname.bind, type TXT, class CHAOS. On an anycast deployment this identifies which instance answered. The default is the system host name; hostname none disables the reply.

server-id

Sets the identifier that named reports when queried for the name id.server, type TXT, class CHAOS; this is an alternative to hostname for identifying an anycast instance. The default is none.

key-directory

Specifies the directory where the public and private key files used for dynamic update signing are found, if it is not the working directory.

memstatistics-file

Specifies the pathname of the file where the server writes memory usage statistics upon exit. The default file is named.memstats.

flush-zones-on-shutdown

Specifies whether any pending zone writes must be flushed to disk when the name server exits because of a SIGTERM signal. The default value is no.

check-names

Restricts the character set and syntax of certain domain names in master files and in DNS responses. The default value depends on the usage area. For master zones, the default value is fail. For slave zones, the default value is warn. For an answer (response) received from the network, the default value is ignore.

avoid-v4-udp-ports and avoid-v6-udp-ports

Specify the lists of IPv4 and IPv6 UDP ports that named must not use as system-assigned source ports for its UDP sockets.

query-source-v6

Specifies the IPv6 address and port used for outgoing queries (the IPv6 counterpart of query-source). Leave the port unspecified so that named uses a system-assigned source port rather than a single fixed one.

tcp-listen-queue

Specifies the length of the TCP listen queue. The default and minimum values are 3. If the kernel supports the dataready accept filter, this option also controls the number of TCP connections that are queued in kernel space waiting for data before they are passed to the accept filter.

alt-transfer-source

Specifies an alternate IPv4 transfer source to use if the transfer source listed in the transfer-source option fails and the use-alt-transfer-source option is set.

alt-transfer-source-v6

Specifies an alternate IPv6 transfer source to use if the transfer source listed in the transfer-source-v6 option fails and the use-alt-transfer-source option is set.

use-alt-transfer-source

Specifies whether named uses the alternate transfer sources. If views are specified, this option defaults to no; otherwise it defaults to yes, for BIND 8 compatibility.

max-journal-size

Sets a maximum size for each journal file. When the journal file approaches the specified size, older transactions in the journal are removed. The default value is unlimited.

rrset-order

Configures the ordering of records in a multiple-record response.

preferred-glue

Specifies the glue that is emitted first in the additional section of a query response. If specified, the listed type (A or AAAA) is emitted before any other glue. The default value is NONE, that is, no type of glue is preferred.

root-delegation-only

Switches on the enforcement of delegation-only in top level domains (TLDs) and root zones, with an optional exclude list.

querylog

Specifies whether query logging must be started when named starts. If querylog is not specified, query logging is determined by the presence of the logging category queries.

disable-algorithms

Disables the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. However, only the most specific disable-algorithms option is applied.

New Option to Configure the Ordering of Records

The new rrset-order option in the options statement enables you to configure the ordering of the records in a multiple-record response. When the name server returns multiple records in a response, it is useful to configure the order of the records placed into the response.

Following is the syntax of the rrset-order option:

rrset-order {order_spec};

where order_spec is defined as follows:

[class class_name]
[ type type_name ]
[ name domain_name]
order ordering

The default value for class and type is ANY, and for name is *.

The valid values for ordering are:

fixed

Records are returned in the order they are defined in the zone file

random

Records are returned in a random order

cyclic

Records are returned in a round-robin order

Following is an example of the rrset-order option:

rrset-order {
        class IN type A name "host.example.com" order random;
         order cyclic;
};

This rrset-order option causes responses for type A records in class IN whose name ends in host.example.com to be returned in random order. All other records are returned in cyclic (round-robin) order.

If the options statement contains multiple rrset-order options, they are not combined; only the last rrset-order option is used.

New Option to Set the Advertized EDNS UDP Buffer Size

The edns-udp-size option in the options statement sets the Extended DNS (EDNS) User Datagram Protocol (UDP) buffer size that named advertises, so that UDP answers can pass through broken firewalls that block fragmented packets or UDP packets larger than 512 bytes. The valid range of values is 512 to 4096 bytes (values outside this range are adjusted to the nearest limit). The default value of this option is 4096 bytes. Lowering it makes more answers, large DNSSEC responses in particular, fall back to TCP.

New Option to Restrict the Character Set of Domain Names

The check-names option in the options statement restricts the character set and syntax of certain domain names in master files and in DNS responses. The rules for valid host names and mail domains are derived from RFC 952 (DoD Internet Host Table Specification) and RFC 821 (Simple Mail Transfer Protocol), as modified by RFC 1123 (Requirements for Internet Hosts - Application and Support). The check-names option checks the owner names of A, AAAA, and MX records and the domain names in the RDATA of NS, SOA, and MX records. It also applies to the RDATA of PTR records where the owner name indicates that it is a reverse lookup of a host name (the owner name ends in in-addr.arpa, ip6.arpa, or ip6.int).

The default value of the check-names option depends on the usage area. For master zones, the default value is fail (the zone does not load). For slave zones, the default value is warn (the bad name is logged and the zone is still loaded). For an answer (response) received from the network, the default value is ignore. The check-names option can also be given in a zone statement to override the options-level setting for that zone.
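The following fragment is an added example (not from the HP release notes) showing the three check-names contexts in the options statement and a zone-level override. The zone name and file are placeholders.

```conf
// Added example, not from the HP release notes. Zone names and files are placeholders.
options {
    // Defaults in 9.3.2 are master fail, slave warn, response ignore.
    check-names master fail;      // a master zone containing a bad name does not load
    check-names slave warn;       // log bad names received from a master, keep serving
    check-names response warn;    // raise the network-facing default from ignore to warn
                                  // so malformed names in answers show up in the log
};

zone "legacy.example" {
    type master;
    file "db.legacy.example";
    check-names ignore;           // zone-level override for a zone that carries
                                  // non-conforming host names on purpose
};
```

Use fail for the response context only after watching the warnings for a while: with fail, an answer that contains a non-conforming name is dropped rather than logged, and some widely used hosts still violate the RFC 952 rules.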

New Options to Enable and Disable IXFR

In BIND 9.3.2, the incremental zone transfer (IXFR) feature is enabled by default. Table 1-4 describes the new options available in the options statement that can be used to enable and disable IXFR. The provide-ixfr and request-ixfr options can also be set for an individual peer in a server statement.

Table 1-4 Options to Enable and Disable IXFR (option syntax, followed by its description)

provide-ixfr yes_or_no;

Determines whether the local server, acting as a master, responds with an incremental zone transfer when the remote slave server requests an IXFR. If the provide-ixfr option is set to yes, an incremental transfer is provided whenever possible. If this option is set to no, all transfers to the remote server are non-incremental.

If the provide-ixfr option is not set in a server statement, the value of provide-ixfr in the view or global options statement is used as the default.

request-ixfr yes_or_no;

Determines whether the local server, acting as a slave, requests incremental zone transfers from a remote master server. If this option is not set in a server statement, the value of request-ixfr in the view or global options statement is used as the default. If this option is set to yes, the server requests an IXFR and accepts a full transfer if the master cannot provide one. If this option is set to no, the server always requests a full zone transfer (AXFR).

ixfr-from-differences yes_or_no;

Applies when the server loads a new version of a master zone from its zone file, or receives a new version of a slave zone by a non-incremental zone transfer. If this option is set to yes, the server compares the new version of the zone with the previous version and calculates the set of differences. The differences are logged in the journal file of the zone so that the changes can be transmitted to downstream slaves as an incremental zone transfer. If this option is set to no (the default), a zone updated in this way is transmitted to downstream slaves only as a full zone transfer.
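The following fragment is an added example (not from the HP release notes) showing where each IXFR option lives: the global defaults in options, a per-peer override in a server statement, and the zone-level journalling options. The addresses and zone name are placeholders.

```conf
// Added example, not from the HP release notes. Addresses and zone names are placeholders.
options {
    provide-ixfr yes;             // defaults for every peer (both are yes by default)
    request-ixfr yes;
};

// Per-peer override: this slave cannot process journals, so send it full transfers.
server 15.70.190.200 {
    provide-ixfr no;
};

zone "example.com" {
    type master;
    file "db.example";
    ixfr-from-differences yes;    // hand-edited reloads still reach slaves as IXFR
    max-journal-size 2M;          // prune old transactions; bounds the disk that
                                  // a stream of dynamic updates can consume
};
```

Without max-journal-size the journal grows without limit, so a client that is allowed to send dynamic updates can fill the disk; setting it caps the cost while keeping enough history for slaves to catch up incrementally.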

 

Transition Support for IPv4 and IPv6

BIND 9.3.2 provides transition support for IPv4 and IPv6 to solve the problem of a host that has only one of the two transports and needs to reach name servers on the other. The dual-stack-servers option specifies host names or addresses of servers that have access to both the IPv4 and IPv6 transports; named sends the queries it cannot deliver over its own transport to these servers instead. If a host name is specified, named must be able to resolve it using only the transport it has. On a dual-stacked system, the dual-stack-servers option has no effect unless access to one transport has been disabled on the command line with the named -4 or named -6 option.

The syntax for the dual-stack-servers option in the options statement in the /etc/named.conf file is as follows:

[ dual-stack-servers [port ip_port] { ( domain_name [port ip_port] | ip_addr [port ip_port] ) ; ... }; ]

New Commands in the rndc Utility

The following are new commands in the remote name daemon control (rndc) utility:

  • retransfer zone [class [view]]

    This command enables you to retransfer the given zone from the master name server.

  • freeze zone [class [view]]

    This command suspends dynamic updates to a zone so that you can edit by hand a zone that is usually updated dynamically. Any pending changes in the journal file are synchronized into the master file and the journal file is removed. All dynamic update attempts are refused while the zone is frozen.

  • thaw zone [class [view]]

    This command enables you to update a frozen dynamic zone. This command causes the server to reload the zone from the disk and re-enables dynamic updates after the load is complete.

For more information on these commands, see rndc(1). A sample rndc.conf file is distributed with this release of BIND in the /usr/examples/bind directory. This file can be generated automatically using the rndc-confgen utility, which is also distributed with BIND 9.3.2.

New Option in the zone Statement

The delegation-only option is added to the zone statement. You can use this option to enforce the delegation-only status of infrastructure zones (for example, COM, NET, and ORG). Any answer that the name server receives from such a zone without an explicit or implicit delegation in the authority section is treated as NXDOMAIN (the name does not exist) instead of being accepted and cached.

New Command-Line Options

Table 1-5 lists the new command-line options for the various binaries and tools in BIND 9.3.2.

Table 1-5 New Command-Line Options (binary or tool and option, followed by its description)

dnssec-keygen -f flag

Sets the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is KSK (Key Signing Key), which sets the Secure Entry Point bit of the DNSKEY record.

dnssec-keygen -k

Generates KEY records instead of DNSKEY records.

dnssec-signzone -g

Generates DS records for child zones from the keyset files. Existing DS records are removed from the signed zone file.

dnssec-signzone -k key

Treats the specified key as a key signing key and ignores any key flags. This option can be specified multiple times.

dnssec-signzone -l domain

Generates a DNSSEC lookaside validation (DLV) set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

named-checkconf -z

Performs a check load of the master zone files listed in the /etc/named.conf file.

named-checkconf -j

Reads the journal while loading a zone file (used with -z).

named-checkzone -j

Reads the journal while loading the zone file.

named-checkzone -k mode

Performs check-names checks with the specified failure mode. The values for mode are fail, warn, and ignore. The default value is warn.

named-checkzone -n mode

Specifies whether NS records are checked to detect targets that are IP addresses rather than host names. The values for mode are fail, warn, and ignore. The default value is warn.

named-checkzone -o filename

Writes the loaded zone to filename.

named-checkzone -t directory

Specifies the directory under which named-checkzone is chrooted, so that the $INCLUDE directives in the zone file are processed as if they were run by a similarly chrooted named.

named-checkzone -w directory

Changes to directory so that relative file names in $INCLUDE directives in the master file work. This option is similar to the directory clause in the /etc/named.conf file.

named-checkzone -D

Dumps the loaded zone file in canonical format.

named -4

Makes named use only the IPv4 transport, even if the host system is capable of handling IPv6 addresses.

named -6

Makes named use only the IPv6 transport, even if the host system is capable of handling IPv4 addresses.

nsupdate -t

Sets the maximum time an update request can take before it is aborted. The default value is 300 seconds. To disable the timeout, set this option to 0.

nsupdate -u

Sets the UDP retry interval. The default value is 3 seconds. If this option is set to 0, the interval is computed from the timeout interval and the number of UDP retries.

nsupdate -r

Sets the number of UDP retries. The default value is 3. If this option is set to 0, only one update request is made.

Supports RFC 4193 (Unique Local IPv6 Unicast Addresses)

BIND 9.3.2 (C.9.3.2.5.0) for the HP-UX 11i v3 operating system conforms to RFC 4193 (Unique Local IPv6 Unicast Addresses). RFC 4193 defines a format for unique local IPv6 unicast addresses (the fc00::/7 prefix) that are intended for local use only, are not routable on the global Internet, and have a high probability of being globally unique. When named receives a reverse (PTR) query for a unique local IPv6 unicast address, it does not send the query to the global DNS servers. Instead, it returns an NXDOMAIN response by default. As a result, the unique local IPv6 unicast addresses in use on a site are never exposed to the outside network through reverse lookups and are not discoverable by external systems.
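The nibble reversal described under "Support for the ip6.arpa Domain" and the local-only handling of RFC 4193 reverse names described here share the same encoding, so both are worked through in the following Python example. It is an added example, not code from the HP release notes or from BIND: it reproduces the reverse name of the 4321:0:1:2:3:4:567:89ab example, inverts it, and models the decision the notes describe (answer NXDOMAIN locally instead of forwarding) for any reverse name under fc00::/7. The function names and the constructed addresses are this example's own.

```python
"""ip6.arpa reverse names and RFC 4193 local-only reverse lookups.

Added example, not from the HP release notes or from BIND. It models the
behaviour the notes describe; the function names are this example's own.
"""
import ipaddress

# RFC 4193 unique local addresses. Reverse lookups for these must stay local.
ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")


def ip6_arpa_name(addr: str, suffix: str = "ip6.arpa") -> str:
    """Return the reverse-lookup owner name for an IPv6 address.

    The address is expanded to all 32 nibbles first, so groups compressed
    with '::' and leading zeros are written out, then the nibbles are emitted
    low-order first, one hex digit per label, followed by the suffix.
    """
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + suffix + "."


def address_from_ip6_arpa(name: str) -> ipaddress.IPv6Address:
    """Inverse mapping: recover the address from a full 32-nibble reverse name.

    Accepts the ip6.arpa suffix and, for backward compatibility, ip6.int.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] not in (["ip6", "arpa"], ["ip6", "int"]):
        raise ValueError("not a full 32-nibble ip6.arpa/ip6.int name: %r" % name)
    nibbles = "".join(reversed(labels[:-2]))
    if any(c not in "0123456789abcdef" for c in nibbles):
        raise ValueError("non-hex nibble label in %r" % name)
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return ipaddress.IPv6Address(":".join(groups))


def reverse_zone_for_prefix(net: ipaddress.IPv6Network) -> str:
    """Return the ip6.arpa zone that covers a nibble-aligned prefix."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# fc00::/7 is not nibble aligned, so it is covered by two zones:
# c.f.ip6.arpa. (fc00::/8) and d.f.ip6.arpa. (fd00::/8).
LOCAL_ONLY_ZONES = tuple(
    reverse_zone_for_prefix(n) for n in ULA_PREFIX.subnets(new_prefix=8)
)


def is_local_only_reverse(qname: str) -> bool:
    """True if qname lies at or under a reverse zone for unique local addresses."""
    q = qname.lower()
    if not q.endswith("."):
        q += "."
    return any(q == zone or q.endswith("." + zone) for zone in LOCAL_ONLY_ZONES)


def answer_reverse_query(qname: str) -> str:
    """Model the RFC 4193 behaviour from the release notes: a reverse query for a
    unique local address is answered NXDOMAIN locally; anything else is forwarded.
    """
    return "NXDOMAIN" if is_local_only_reverse(qname) else "FORWARD"


if __name__ == "__main__":
    # The worked example from the release notes and a constructed ULA address.
    for addr in ("4321:0:1:2:3:4:567:89ab", "fd12:3456:789a::1"):
        name = ip6_arpa_name(addr)
        print(addr, "->", name, answer_reverse_query(name))
```

The suffix check works on partial names too, so a query for the zone apex d.f.ip6.arpa or for any delegation beneath it is kept local, which is the property that stops site-internal ULA prefixes from leaking into queries to the global reverse tree.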