path: root/doc/arm/Bv9ARM.ch04.html
Diffstat (limited to 'doc/arm/Bv9ARM.ch04.html')
-rw-r--r-- doc/arm/Bv9ARM.ch04.html 134
1 files changed, 67 insertions, 67 deletions
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 35f2df73..2a160ecd 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.27 2006/05/17 02:38:42 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.30 2006/07/20 02:33:48 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
@@ -49,28 +49,28 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2551297">Split DNS</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2575875">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551816">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551890">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551900">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551940">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2551997">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552042">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576326">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576536">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576547">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576586">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576644">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576757">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552056">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552173">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2576771">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2576820">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552310">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552448">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552595">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2576956">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2577026">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2577105">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2552669">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2577179">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552800">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2552821">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2577378">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2577399">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
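Review bot: the anchors rewritten throughout this table of contents (id2551297 to id2575875 and so on) are DocBook's auto-generated ids, which shift on every regeneration, so every external deep link to a section that lacks an explicit id (all of the TSIG, TKEY, SIG(0) and DNSSEC subsections listed here) breaks each time the HTML is rebuilt, while the sections that already carry stable ids (`#tsig`, `#DNSSEC`, `#dynamic_update`) are untouched in this hunk. Suggest giving those sections explicit ids in the DocBook source so future regenerations produce diffs limited to real text changes.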
@@ -78,14 +78,14 @@
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
<p>
- <span class="acronym">DNS</span> NOTIFY is a mechanism that allows master
+ <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
servers to notify their slave servers of changes to a zone's data. In
response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
slave will check to see that its version of the zone is the
current version and, if not, initiate a zone transfer.
</p>
<p>
- For more information about <span class="acronym">DNS</span>
+ For more information about <acronym class="acronym">DNS</acronym>
<span><strong class="command">NOTIFY</strong></span>, see the description of the
<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
the description of the zone option <span><strong class="command">also-notify</strong></span> in
@@ -158,7 +158,7 @@
<p>
The zone files of dynamic zones cannot normally be edited by
hand because they are not guaranteed to contain the most recent
- dynamic changes - those are only in the journal file.
+ dynamic changes &#8212; those are only in the journal file.
The only way to ensure that the zone file of a dynamic zone
is up to date is to run <span><strong class="command">rndc stop</strong></span>.
</p>
@@ -184,7 +184,7 @@
1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
</p>
<p>
- When acting as a master, <span class="acronym">BIND</span> 9
+ When acting as a master, <acronym class="acronym">BIND</acronym> 9
supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
@@ -195,7 +195,7 @@
to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
- When acting as a slave, <span class="acronym">BIND</span> 9 will
+ When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
@@ -204,7 +204,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2551297"></a>Split DNS</h2></div></div></div>
+<a name="id2575875"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -328,7 +328,7 @@
<code class="literal">site2.internal</code> domains.
</li>
<li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with internal AND external people.</li>
+<li>Exchange mail with both internal and external people.</li>
</ul></div>
<p>
Hosts on the Internet will be able to:
@@ -455,16 +455,16 @@ nameserver 172.16.72.4
<a name="tsig"></a>TSIG</h2></div></div></div>
<p>
This is a short guide to setting up Transaction SIGnatures
- (TSIG) based transaction security in <span class="acronym">BIND</span>. It describes changes
+ (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
- keys and using transaction signatures with <span class="acronym">BIND</span>.
+ keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
</p>
<p>
- <span class="acronym">BIND</span> primarily supports TSIG for server
+ <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
to server communication.
This includes zone transfer, notify, and recursive query messages.
- Resolvers based on newer versions of <span class="acronym">BIND</span> 8 have limited support
+ Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
for TSIG.
</p>
<p>
@@ -479,7 +479,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551816"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2576326"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -487,13 +487,13 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551833"></a>Automatic Generation</h4></div></div></div>
+<a name="id2576343"></a>Automatic Generation</h4></div></div></div>
<p>
- The following command will generate a 128 bit (16 byte) HMAC-MD5
+ The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is 512 bits;
- keys longer than that will be digested with MD5 to produce a 128
- bit key.
+ keys longer than that will be digested with MD5 to produce a
+ 128-bit key.
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
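Review bot: the hyphenation fix is applied inconsistently within the same parenthesis: `128-bit (16 byte) HMAC-MD5` should read `128-bit (16-byte) HMAC-MD5` to match the new `128-bit key` two lines later. Since this file is generated, make the correction in the DocBook source rather than in the HTML.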
@@ -512,7 +512,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551872"></a>Manual Generation</h4></div></div></div>
+<a name="id2576381"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -527,7 +527,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551890"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2576536"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -535,7 +535,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551900"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2576547"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
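Review bot: the unchanged context line just below the renamed heading reads `<em>host 2</em>` with a space, while the surrounding section and the key name `host1-host2.` use `host2`; the inconsistency survived this regeneration and should be fixed in the DocBook source.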
@@ -548,7 +548,7 @@ key host1-host2. {
};
</pre>
<p>
- The algorithm, hmac-md5, is the only one supported by <span class="acronym">BIND</span>.
+ The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be non-world
readable, or the key directive be added to a non-world readable
@@ -564,7 +564,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551940"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2576586"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -596,9 +596,9 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551997"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2576644"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
- <span class="acronym">BIND</span> allows IP addresses and ranges
+ <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
definitions and
<span><strong class="command">allow-{ query | transfer | update }</strong></span>
@@ -624,7 +624,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552042"></a>Errors</h3></div></div></div>
+<a name="id2576757"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -650,12 +650,12 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2552056"></a>TKEY</h2></div></div></div>
+<a name="id2576771"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
<span><strong class="command">TKEY</strong></span> that specify how the key is generated
- or assigned. <span class="acronym">BIND</span> 9 implements only one of
+ or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
these modes, the Diffie-Hellman key exchange. Both hosts are
required to have a Diffie-Hellman KEY record (although this
record is not required to be present in a zone). The
@@ -686,9 +686,9 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2552173"></a>SIG(0)</h2></div></div></div>
+<a name="id2576820"></a>SIG(0)</h2></div></div></div>
<p>
- <span class="acronym">BIND</span> 9 partially supports DNSSEC SIG(0)
+ <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC2931.
SIG(0)
uses public/private keys to authenticate messages. Access control
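Review bot: the unchanged context line `as specified in RFC 2535 and RFC2931` mixes two spellings of the RFC reference; make it `RFC 2535 and RFC 2931` in the DocBook source while the SIG(0) section is being regenerated anyway.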
@@ -705,7 +705,7 @@ allow-update { key host1-host2. ;};
supported.
</p>
<p>
- The only tool shipped with <span class="acronym">BIND</span> 9 that
+ The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
</p>
</div>
@@ -720,7 +720,7 @@ allow-update { key host1-host2. ;};
</p>
<p>
In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <span class="acronym">BIND</span>
+ of steps which must be followed. <acronym class="acronym">BIND</acronym>
9 ships
with several tools
that are used in this process, which are explained in more detail
@@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552310"></a>Generating Keys</h3></div></div></div>
+<a name="id2576956"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -764,7 +764,7 @@ allow-update { key host1-host2. ;};
the only one is RSASHA1.
</p>
<p>
- The following command will generate a 768 bit RSASHA1 key for
+ The following command will generate a 768-bit RSASHA1 key for
the <code class="filename">child.example</code> zone:
</p>
<p>
@@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552448"></a>Signing the Zone</h3></div></div></div>
+<a name="id2577026"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to
@@ -811,7 +811,7 @@ allow-update { key host1-host2. ;};
records for the zone, as well as <code class="literal">DS</code>
for
the child zones if <code class="literal">'-d'</code> is specified.
- If <code class="literal">'-d'</code> is not specified then
+ If <code class="literal">'-d'</code> is not specified, then
DS RRsets for
the secure child zones need to be added manually.
</p>
@@ -842,10 +842,10 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552595"></a>Configuring Servers</h3></div></div></div>
+<a name="id2577105"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
- to DNS requests from DNSSEC aware clients
+ to DNS requests from DNSSEC aware clients,
<span><strong class="command">dnssec-enable</strong></span> must be set to yes.
</p>
<p>
@@ -868,7 +868,7 @@ allow-update { key host1-host2. ;};
later in this document.
</p>
<p>
- Unlike <span class="acronym">BIND</span> 8, <span class="acronym">BIND</span>
+ Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
9 does not verify signatures on load, so zone keys for
authoritative zones do not need to be specified in the
configuration file.
@@ -895,7 +895,7 @@ trusted-keys {
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
-/* Key for out organizations forward zone */
+/* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
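Review bot: the comment rewording is fine, but the unchanged context line two lines below it carries a space inside the quoted key material (`...gLkBO UKUf...`). For a trusted-keys example that readers will copy verbatim, confirm whether that space is a wrapping artifact of the source or intended, since the quoted string is what gets installed as the trust anchor; either close the gap or break the string at a clean line boundary like the other lines of the block.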
@@ -930,37 +930,37 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2552669"></a>IPv6 Support in <span class="acronym">BIND</span> 9</h2></div></div></div>
+<a name="id2577179"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
- <span class="acronym">BIND</span> 9 fully supports all currently
+ <acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6
name to address and address to name lookups. It will also use
IPv6 addresses to make queries when running on an IPv6 capable
system.
</p>
<p>
- For forward lookups, <span class="acronym">BIND</span> 9 supports
+ For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
only AAAA records. RFC 3363 deprecated the use of A6 records,
and client-side support for A6 records was accordingly removed
- from <span class="acronym">BIND</span> 9.
- However, authoritative <span class="acronym">BIND</span> 9 name servers still
+ from <acronym class="acronym">BIND</acronym> 9.
+ However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
load zone files containing A6 records correctly, answer queries
for A6 records, and accept zone transfer for a zone containing A6
records.
</p>
<p>
- For IPv6 reverse lookups, <span class="acronym">BIND</span> 9 supports
+ For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
the traditional "nibble" format used in the
<span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
<span class="emphasis"><em>ip6.int</em></span> domain.
- Older versions of <span class="acronym">BIND</span> 9
+ Older versions of <acronym class="acronym">BIND</acronym> 9
supported the "binary label" (also known as "bitstring") format,
but support of binary labels has been completely removed per
RFC 3363.
- Many applications in <span class="acronym">BIND</span> 9 do not understand
+ Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
the binary label format at all any more, and will return an
error if given.
- In particular, an authoritative <span class="acronym">BIND</span> 9
+ In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
name server will not load a zone file containing binary labels.
</p>
<p>
@@ -969,7 +969,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552800"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2577378"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -988,7 +988,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552821"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2577399"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
@@ -1018,7 +1018,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<tr>
<td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</td>
+<td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
</tr>
</table>
</div>