Latest Result of DNSSEC Validation
Total Page:16
File Type:pdf, Size:1020Kb
BIND 9 Administrator Reference Manual
Internet Systems Consortium
Sep 23, 2021

CONTENTS

1 Introduction ... 1
  1.1 Scope of Document ... 1
  1.2 Organization of This Document ... 1
  1.3 Conventions Used in This Document ... 1
  1.4 The Domain Name System (DNS) ... 2
2 BIND Resource Requirements ... 7
  2.1 Hardware Requirements ... 7
  2.2 CPU Requirements ... 7
  2.3 Memory Requirements ... 7
  2.4 Name Server-Intensive Environment Issues ... 7
  2.5 Supported Operating Systems ... 8
3 Name Server Configuration ... 9
  3.1 Sample Configurations ... 9
  3.2 Load Balancing ... 10
  3.3 Name Server Operations ... 11
  3.4 Plugins ... 13
4 BIND 9 Configuration Reference ... 15
  4.1 Configuration File Elements ... 15
  4.2 Configuration File Grammar ... 18
  4.3 Zone File ... 105
  4.4 BIND 9 Statistics ... 110
5 Advanced DNS Features ... 117
  5.1 Notify ... 117
  5.2 Dynamic Update ... 117
  5.3 Incremental Zone Transfers (IXFR) ... 118
  5.4 Split DNS ... 119
  5.5 TSIG ... 122
  5.6 TKEY ... 124
  5.7 SIG(0) ... 124
  5.8 DNSSEC ... 125
  5.9 DNSSEC, Dynamic Zones, and Automatic Signing ... 127
  5.10 Dynamic Trust Anchor Management ... 131
  5.11 PKCS#11 (Cryptoki) Support ... 133
  5.12 Dynamically Loadable Zones (DLZ) ... 136
  5.13 Dynamic Database (DynDB) ... 137
  5.14 Catalog Zones ... 138
  5.15 IPv6 Support in BIND 9 ... 141
6 BIND 9 Security Considerations ... 143
  6.1 Access Control Lists ... 143
  6.2 Chroot and Setuid ... 145
  6.3 Dynamic Update Security ... 145
7 Troubleshooting ... 147
  7.1 Common Problems ... 147
  7.2 Incrementing and Changing the Serial Number ... 148
  7.3 Where Can I Get Help? ... 148
8 Release Notes ... 149
  8.1 Introduction ... 152
  8.2 Supported Platforms ... 152
  8.3 Download ... 152
  8.4 Notes for BIND 9.17.18 ... 152
  8.5 Notes for BIND 9.17.18 ... 153
  8.6 Notes for BIND 9.17.17 ... 154
  8.7 Notes for BIND 9.17.16 ... 155
  8.8 Notes for BIND 9.17.15 ... 156
  8.9 Notes for BIND 9.17.14 ... 157
  8.10 Notes for BIND 9.17.13 ... 157
  8.11 Notes for BIND 9.17.12 ... 158
  8.12 Notes for BIND 9.17.11 ... 159
  8.13 Notes for BIND 9.17.10 ... 161
  8.14 Notes for BIND 9.17.9 ... 162
  8.15 Notes for BIND 9.17.8 ... 163
  8.16 Notes for BIND 9.17.7 ... 164
  8.17 Notes for BIND 9.17.6 ... 165
  8.18 Notes for BIND 9.17.5 ... 165
  8.19 Notes for BIND 9.17.4 ... 166
  8.20 Notes for BIND 9.17.3 ... 168
  8.21 Notes for BIND 9.17.2 ... 169
  8.22 Notes for BIND 9.17.1 ... 171
  8.23 Notes for BIND 9.17.0 ... 172
  8.24 License ... 173
  8.25 End of Life ... 174
  8.26 Thank You ... 174
9 DNSSEC Guide ... 175
  9.1 Preface ... 175
  9.2 Introduction ... 176
  9.3 Getting Started ... 181
  9.4 Validation ... 184
  9.5 Signing ... 196
  9.6 Basic DNSSEC Troubleshooting ... 219
  9.7 Advanced Discussions ... 227
  9.8 Recipes ... 240
  9.9 Commonly Asked Questions ... 260
10 A Brief History of the DNS and BIND ... 263
11 General DNS Reference Information ... 265
  11.1 IPv6 Addresses (AAAA) ... 265
  11.2 Bibliography (and Suggested Reading) ... 265
  11.3 Internet Standards ... 266
  11.4 Proposed Standards ... 266
  11.5 Informational RFCs ... 268
  11.6 Experimental RFCs ... 269
  11.7 Best Current Practice RFCs ... 269
  11.8 Historic RFCs ... 270
  11.9 RFCs of Type "Unknown" ... 270
  11.10 Obsoleted and Unimplemented Experimental RFCs ... 270
  11.11 RFCs No Longer Supported in BIND 9 ... 271
12 Manual Pages ... 273
  12.1 arpaname - translate IP addresses to the corresponding ARPA names ... 273
  12.2 delv - DNS lookup and validation utility ... 273
  12.3 dig - DNS lookup utility ... 277
  12.4 dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY ... 285
  12.5 dnssec-dsfromkey - DNSSEC DS RR generation tool ... 287
  12.6 dnssec-importkey - import DNSKEY records from external systems so they can be managed ... 289
  12.7 dnssec-keyfromlabel - DNSSEC key generation tool ... 290
  12.8 dnssec-keygen - DNSSEC key generation tool ... 293
  12.9 dnssec-revoke - set the REVOKED bit on a DNSSEC key ... 297
  12.10 dnssec-settime - set the key timing metadata for a DNSSEC key ... 298
  12.11 dnssec-signzone - DNSSEC zone signing tool ... 300
  12.12 dnssec-verify - DNSSEC zone verification tool ... 305
  12.13 dnstap-read - print dnstap data in human-readable form ... 306
  12.14 filter-aaaa.so - filter AAAA in DNS responses when A is present ... 306
  12.15 host - DNS lookup utility ... 308
  12.16 mdig - DNS pipelined lookup utility ... 310
  12.17 named-checkconf - named configuration file syntax checking tool ... 313
  12.18 named-checkzone, named-compilezone - zone file validity checking or converting tool ... 314
  12.19 named-journalprint - print zone journal in human-readable form ... 316
  12.20 named-nzd2nzf - convert an NZD database to NZF text format ... 317
  12.21 named-rrchecker - syntax checker for individual DNS resource records ... 318
  12.22 named.conf - configuration file for named ... 318
  12.23 named - Internet domain name server ... 338
  12.24 nsec3hash - generate NSEC3 hash ... 341
  12.25 nslookup - query Internet name servers interactively ... 341
  12.26 nsupdate - dynamic DNS update utility ... 344
  12.27 rndc-confgen - rndc key generation tool ... 348
  12.28 rndc.conf - rndc configuration file ... 349
  12.29 rndc - name server control utility ... 351
  12.30 tsig-keygen, ddns-confgen - TSIG key generation tool ... 358
Index ... 361

CHAPTER ONE: INTRODUCTION

The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses. DNS data is maintained in a group of distributed hierarchical databases.

1.1 Scope of Document

The Berkeley Internet Name Domain (BIND) implements a domain