BIND 9 Administrator Reference Manual Release BIND 9.16.21 (Extended Support Version)

PDF, 16 pages, 1020 KB

BIND 9 Administrator Reference Manual, Release BIND 9.16.21 (Extended Support Version)
Internet Systems Consortium, 2021-09-07

CONTENTS

1 Introduction ... 1
  1.1 Scope of Document ... 1
  1.2 Organization of This Document ... 1
  1.3 Conventions Used in This Document ... 1
  1.4 The Domain Name System (DNS) ... 2
2 BIND Resource Requirements ... 7
  2.1 Hardware Requirements ... 7
  2.2 CPU Requirements ... 7
  2.3 Memory Requirements ... 7
  2.4 Name Server-Intensive Environment Issues ... 7
  2.5 Supported Operating Systems ... 8
3 Name Server Configuration ... 9
  3.1 Sample Configurations ... 9
  3.2 Load Balancing ... 10
  3.3 Name Server Operations ... 11
  3.4 Plugins ... 13
4 BIND 9 Configuration Reference ... 15
  4.1 Configuration File Elements ... 15
  4.2 Configuration File Grammar ... 18
  4.3 Zone File ... 101
  4.4 BIND 9 Statistics ... 107
5 Advanced DNS Features ... 113
  5.1 Notify ... 113
  5.2 Dynamic Update ... 113
  5.3 Incremental Zone Transfers (IXFR) ... 114
  5.4 Split DNS ... 115
  5.5 TSIG ... 118
  5.6 TKEY ... 120
  5.7 SIG(0) ... 120
  5.8 DNSSEC ... 121
  5.9 DNSSEC, Dynamic Zones, and Automatic Signing ... 123
  5.10 Dynamic Trust Anchor Management ... 127
  5.11 PKCS#11 (Cryptoki) Support ... 129
  5.12 Dynamically Loadable Zones (DLZ) ... 132
  5.13 Dynamic Database (DynDB) ... 134
  5.14 Catalog Zones ... 135
  5.15 IPv6 Support in BIND 9 ... 138
6 BIND 9 Security Considerations ... 139
  6.1 Access Control Lists ... 139
  6.2 Chroot and Setuid ... 141
  6.3 Dynamic Update Security ... 141
7 Troubleshooting ... 143
  7.1 Common Problems ... 143
  7.2 Incrementing and Changing the Serial Number ... 144
  7.3 Where Can I Get Help? ... 144
8 Release Notes ... 145
  8.1 Introduction ... 148
  8.2 Note on Version Numbering ... 148
  8.3 Supported Platforms ... 148
  8.4 Download ... 148
  8.5 Notes for BIND 9.16.21 ... 148
  8.6 Notes for BIND 9.16.20 ... 149
  8.7 Notes for BIND 9.16.19 ... 150
  8.8 Notes for BIND 9.16.18 ... 150
  8.9 Notes for BIND 9.16.17 ... 151
  8.10 Notes for BIND 9.16.16 ... 151
  8.11 Notes for BIND 9.16.15 ... 152
  8.12 Notes for BIND 9.16.14 ... 153
  8.13 Notes for BIND 9.16.13 ... 154
  8.14 Notes for BIND 9.16.12 ... 155
  8.15 Notes for BIND 9.16.11 ... 156
  8.16 Notes for BIND 9.16.10 ... 157
  8.17 Notes for BIND 9.16.9 ... 157
  8.18 Notes for BIND 9.16.8 ... 158
  8.19 Notes for BIND 9.16.7 ... 159
  8.20 Notes for BIND 9.16.6 ... 159
  8.21 Notes for BIND 9.16.5 ... 161
  8.22 Notes for BIND 9.16.4 ... 161
  8.23 Notes for BIND 9.16.3 ... 163
  8.24 Notes for BIND 9.16.2 ... 164
  8.25 Notes for BIND 9.16.1 ... 164
  8.26 Notes for BIND 9.16.0 ... 165
  8.27 License ... 167
  8.28 End of Life ... 167
  8.29 Thank You ... 167
9 DNSSEC Guide ... 169
  9.1 Preface ... 169
  9.2 Introduction ... 170
  9.3 Getting Started ... 175
  9.4 Validation ... 178
  9.5 Signing ... 190
  9.6 Basic DNSSEC Troubleshooting ... 213
  9.7 Advanced Discussions ... 221
  9.8 Recipes ... 234
  9.9 Commonly Asked Questions ... 254
10 A Brief History of the DNS and BIND ... 257
11 General DNS Reference Information ... 259
  11.1 IPv6 Addresses (AAAA) ... 259
  11.2 Bibliography (and Suggested Reading) ... 259
  11.3 Internet Standards ... 260
  11.4 Proposed Standards ... 260
  11.5 Informational RFCs ... 262
  11.6 Experimental RFCs ... 263
  11.7 Best Current Practice RFCs ... 263
  11.8 Historic RFCs ... 264
  11.9 RFCs of Type "Unknown" ... 264
  11.10 Obsoleted and Unimplemented Experimental RFCs ... 264
  11.11 RFCs No Longer Supported in BIND 9 ... 265
12 Manual Pages ... 267
  12.1 arpaname - translate IP addresses to the corresponding ARPA names ... 267
  12.2 ddns-confgen - ddns key generation tool ... 267
  12.3 delv - DNS lookup and validation utility ... 268
  12.4 dig - DNS lookup utility ... 272
  12.5 dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY ... 279
  12.6 dnssec-dsfromkey - DNSSEC DS RR generation tool ... 282
  12.7 dnssec-importkey - import DNSKEY records from external systems so they can be managed ... 283
  12.8 dnssec-checkds - DNSSEC delegation consistency checking tool ... 285
  12.9 dnssec-coverage - checks future DNSKEY coverage for a zone ... 286
  12.10 dnssec-keymgr - ensures correct DNSKEY coverage based on a defined policy ... 288
  12.11 dnssec-keyfromlabel - DNSSEC key generation tool ... 290
  12.12 dnssec-keygen - DNSSEC key generation tool ... 293
  12.13 dnssec-revoke - set the REVOKED bit on a DNSSEC key ... 297
  12.14 dnssec-settime - set the key timing metadata for a DNSSEC key ... 298
  12.15 dnssec-signzone - DNSSEC zone signing tool ... 301
  12.16 dnssec-verify - DNSSEC zone verification tool ... 305
  12.17 dnstap-read - print dnstap data in human-readable form ... 306
  12.18 filter-aaaa.so - filter AAAA in DNS responses when A is present ... 307
  12.19 host - DNS lookup utility ... 308
  12.20 mdig - DNS pipelined lookup utility ... 310
  12.21 named-checkconf - named configuration file syntax checking tool ... 313
  12.22 named-checkzone, named-compilezone - zone file validity checking or converting tool ... 314
  12.23 named-journalprint - print zone journal in human-readable form ... 317
  12.24 named-nzd2nzf - convert an NZD database to NZF text format ... 317
  12.25 named-rrchecker - syntax checker for individual DNS resource records ... 318
  12.26 named.conf - configuration file for named ... 319
  12.27 named - Internet domain name server ... 337
  12.28 nsec3hash - generate NSEC3 hash ... 340
  12.29 nslookup - query Internet name servers interactively ... 341
  12.30 nsupdate - dynamic DNS update utility ... 343
  12.31 pkcs11-keygen - generate keys on a PKCS#11 device ... 348
  12.32 pkcs11-list - list PKCS#11 objects ... 349
Recommended publications
  • Practical Domain Name System Security: A Survey of Common Hazards and Preventative Measures. Nicholas A. Plante, College of Computer and Information Science, Northeastern University, Boston, MA
    I. Introduction. The Domain Name System (DNS) is a hierarchical database distributed around the world whose primary function is to translate human-readable domain names to numerical IP addresses for network lookup and communication. The current system was designed in 1984 by Paul Mockapetris to eliminate scalability problems that had become apparent with the previous name-to-IP mapping scheme, which involved maintenance of a single hosts file distributed to end hosts periodically. A vast improvement on its predecessor, DNS is well suited to its task of maintaining a relatively efficient, distributed set of name-to-IP mappings, but unfortunately leaves something to be desired in terms of security. DNS is a critical part of everyday Internet usage, required by anyone who has ever checked email through their provider, surfed to a website, or used a chat application to discuss the latest happenings with friends or family. Despite its relative invisibility to the common user, DNS is a service that almost every networked application depends on dearly. This being the case, it is an obvious target for manipulation by malicious users. It is also particularly susceptible to compromise for the following reasons:
    - DNS uses the connectionless User Datagram Protocol (UDP) to convey information from authoritative servers to clients instead of its connection-oriented counterpart, TCP. This decision was made for a number of legitimate reasons, but in terms of security it makes requests particularly susceptible to hijacking, and responses easy to spoof, as the exchange is not subject to the three-way handshake required to set up a TCP connection.
  • Domain Name System
    The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service translates queries for domain names (which are easier to understand and utilize when accessing the Internet) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain.
  • Secure Domain Name System (DNS) Deployment Guide (NIST Special Publication 800-81-2). Ramaswamy Chandramouli, Computer Security Division, Information Technology Laboratory; Scott Rose, Advanced Network Technology Division, Information Technology Laboratory. September 2013. U.S. Department of Commerce, Penny Pritzker, Secretary; National Institute of Standards and Technology, Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
    Authority. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
  • Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance (NIST Special Publication 800-57 Part 3 Revision 1). Elaine Barker, Quynh Dang, Computer Security Division, Information Technology Laboratory. January 2015. Available free of charge from http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1. U.S. Department of Commerce, Penny Pritzker, Secretary; National Institute of Standards and Technology, Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director
    Authority. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority.
  • A New Approach to DNS Security (DNSSEC). Giuseppe Ateniese, Department of Computer Science and JHU Information Security Institute, The Johns Hopkins University, 3400 North Charles Street, Baltimore, MD 21218, USA; Stefan Mangard, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria
    Abstract. The Domain Name System (DNS) is a distributed database that allows convenient storing and retrieving of resource records. DNS has been extended to provide security services (DNSSEC) mainly through public-key cryptography. We propose a new approach to DNSSEC that may result in a significantly more efficient protocol. We introduce a new strategy to build chains of trust from root servers to authoritative servers. The techniques we employ are based on symmetric-key cryptography.
    Keywords: Domain Name System Security (DNSSEC), Authentication Protocols, Digital Signatures, Symmetric Encryption
    the company but rather the DNS server upstream in the network. Increasingly, DNS is also being used to perform load distribution among replicated servers. For instance, companies such as Akamai have used DNS to provide Web content distribution. Moreover, there is consensus that, since DNS is a global and available database, it can be employed as a Public Key Infrastructure (PKI) which would help with enabling e-commerce applications by making public keys globally accessible. Securing DNS means providing data origin authentication and integrity protection. Confidentiality is not required as the information stored in the DNS database is supposedly public. When communication requirements call for private channels, IP security (IPSEC) is the currently selected candidate system which could easily interface with DNS.