| Previous | Contents | Index |
Checks the syntax of a BIND server configuration file.
bind_checkconf [-v] [-j] [-t directory] filename [-z]
The bind_checkconf utility checks the syntax, but not the semantics, of a BIND server configuration file.
-j
When loading a zonefile, read the journal if it exists.-z
Perform a test load of the master zonefiles found in TCPIP$BIND.CONF.-t directory
Looks for filename in the specified directory. The default directory is SYS$SPECIFIC:[TCPIP$BIND].-v
Displays only the version number of the bind_checkconf utility and exits.filename
Specifies the name of the configuration file to be checked. The default file is SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND.CONF.
Checks a zone file for syntax and consistency.
bind_checkzone [-d] [-j] [-q] [-v] [-c class] [-k mode] [-n mode] [-o filename] [-t directory] [-w directory] [-D] zonename filename
The bind_checkzone utility checks the syntax and integrity of a zone file. It performs the same checks as the BIND server does when it loads a zone. This makes bind_checkzone useful for checking zone files before configuring them into a name server.
-d
Enables debugging mode.-j
When loading the zonefile, read the journal if it exists.-q
Enables quiet mode (exit code only).-v
Displays the version number of bind_checkzone and exits.-c class
Specifies the class of the zone. If not specified, the default is IN.-k mode
Perform "check-name" checks with the specified failure mode. Possible modes are:
- fail
- warn (default)
- ignore
-n mode
Specify whether NS records should be checked to see if they are addresses. Possible modes are:
- fail
- warn (default)
- ignore
-o filename
Write zone output to the specified file. Only valid when used with the -D option.-t directory
Looks for the zone in the specified directory. The default directory is SYS$SYSPECIFIC:[TCPIP$BIND].-w directory
Change directory so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in the TCPIP$BIND.CONF configuration file.-D
Dump zone file information in canonical format.zonename
Specifies the name of the zone being checked.filename
Specifies the name of the zone file.
Generates keys for DNSSEC.
dnssec_keygen -a algorithm -b keysize -n nametype [-c class] [-e] [-f flag] [-g generator] [-h] [-k]
[-p protocol] [-r randomfile] [-s strength] [-t type] [-v level] name
The dnssec_keygen utility generates keys for DNSSEC, as defined in RFC 2535. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
name
Specifies the name of the domain.
-a algorithm
Selects the cryptographic algorithm. The value of algorithm must be one of the following:
- RSAMD5 (RSA)
- RSASHA1
- DSA
- DH (Diffie-Hellman)
- HMAC-MD5
These values are not case sensitive. HMAC-MD5 and DH automatically set the -k option.
-b keysize
Specifies the number of bits in the key. The choice of key size depends on the algorithm used:
- RSAMD5/RSASHA1 keys must be between 512 and 4096 bits.
- DH keys must be between 128 and 4096 bits.
- DSA keys must be between 512 and 1024 bits and must be an exact multiple of 64.
- HMAC-MD5 keys must be between 1 and 512 bits.
-n nametype
Specifies the owner type of the key. The value of nametype must one of the following:
- ZONE (for a DNSSEC zone key (KEY/DNSKEY))
- HOST or ENTITY (for a key associated with a host (KEY))
- USER (for a key associated with a user (KEY))
- OTHER (DNSKEY)
These values are not case sensitive.
-c class
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.-e
If generating an RSAMD5/RSASHA1 key, specifies the use of a large exponent.-f flag
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.-g generator
If generating a Diffie-Hellman key, specifies the generator. Allowed values for generator are 2 and 5. If no generator is specified, a known prime from RFC 2539 is used, if possible; otherwise the default is 2.-h
Displays a short summary of the options and arguments to the dnssec_keygen command.-k
Generate KEY records rather than DNSKEY records.-p protocol
Sets the protocol value for the generated key. The value of protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.-r randomfile
Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
Note
When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.-s strength
Specifies the strength value of the key. The value of strength is a number between 0 and 15. This option is currently not used.-t type
Indicates the use of the key. The type must be one of the following:
- AUTHCONF (authenticate and encrypt data)
- NOAUTHCONF (do not authenticate and do not encrypt data)
- NOAUTH (do not authenticate data)
- NOCONF (do not encrypt data)
The default is AUTHCONF.
-v level
Sets the debugging level.
When dnssec_keygen completes successfully, it displays a string of the following form to standard output:
Knnnn.aaa-iiiiiThis is an identification string for the key it has generated. These strings can be used as arguments to the dnssec_makekeyset utility. The string is interpreted as follows:
- nnnn is the key name.
- aaa is the numeric representation of the algorithm.
- iiiii is the key identifier (or footprint).
dnssec_keygen creates two files, with names based on the printed string. The file Knnnn.aaa-iiiii_KEY contains the public key, and Knnnn.aaa-iiiii_PRIVATE contains the private key.
The _KEY file contains a DNS KEY record that can be inserted into a zone file (either directly, or using an $INCLUDE statement).
The _PRIVATE file contains algorithm-specific fields. For security reasons, this file does not have general read permission.
Both _KEY and _PRIVATE files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.
To generate a 768-bit DSA key for the domain example.com , enter the following command:
| #1 |
|---|
$ dnssec_keygen -a DSA -b 768 -n ZONE example.com
|
This command displays a string of the form:
Kexample_com.003-26160In this example, dnssec_keygen creates the files KEXAMPLE_COM.003-26160_KEY and KEXAMPLE_COM.003-26160_PRIVATE.
Signs a zone.
dnssec_signzone [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-g] [-h] [-i interval] [-k key] [-l domain] [-n nthreads] [-o origin] [-p] [-r randomfile] [-t] [-v level] [-z] zonefile [key...]
The dnssec_signzone utility signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.Before signing the zone, you must add the KEY record to the zone database file by using the $INCLUDE statement. HP recommends the use of a Zone Signing Key (ZSK) and a Key Signing Key (KSK), in which case you must add two $INCLUDE statements, one for each key. For example, in the zone file example_com.db , add:
$INCLUDE Kexample_com.003-26160_KEY ; ZSK $INCLUDE Kexample_com.003-26161_KEY ; KSK
zonefile
Specifies the file containing the zone to be signed.key...
Specifies the keys used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.
-a
Verifies all generated signatures.-c class
Specifies the DNS class of the zone.-d directory
Looks for signedkey files in the specified directory.-s start-time
Specifies the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. For example, 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time minus one hour (to allow for clock skew) is used.-e end-time
Specifies the date and time when the generated RRSIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.-f output-file
Specifies the name of the output file containing the signed zone. The default is to append _SIGNED to the input file name.-g
Generate DS records for child zones from keyset file. Existing DS records will be removed.-h
Displays a short summary of the options and arguments to the dnssec_signzone command.-i interval
When a previously signed zone is passed as input, records may be signed again. The interval option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.The default cycle interval is one quarter of the difference between the signature end and start times. Therefore, if neither the end time nor the start time is specified, the dnssec_signzone utility generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced.
-k key
Treat specified key as a key signing key, ignoring any key flags. This option can be specified multiple times.-l domain
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.-n nthreads
Specifies the number of threads to use. By default, one thread is started for each detected CPU.-o origin
Specifies the zone origin. If this option is not specified, the name of the zone file is assumed to be the origin.-p
Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option can be useful when signing large zones or when the entropy source is limited.-r randomfile
Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
Note
When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.-t
Displays statistics at completion.-v level
Sets the debugging level.-z
Ignore KSK flag on key when determining what to sign.
The following command signs the example.com zone with the DSA key generated by the dnssec_keygen utility. The zone's keys must be in the zone. If there are keyset files associated with the child zones, they must be in the current directory.
| #1 |
|---|
$ dnssec_signzone -o example.com example_com.db Kexample_com.003-26160
|
In this example, dnssec_signzone creates the file EXAMPLE_COM.DB_SIGNED. This file should be referenced in a zone statement in the TCPIP$BIND.CONF file. This command displays the following:
example_com.db_signed
Controls the operation of the BIND server.
rndc [-c config] [-k keyfile] [-s server] [-p port] ["-V"] [-y key-id] command
The rndc utility controls the operation of a name server. rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. The only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.In BIND Version 9, rndc supports all the commands of the BIND Version 8 ndc utility except start , restart , and stop . Use the BIND startup and shutdown command procedures, as described in Section 6.4, to accomplish these tasks.
The rndc utility reads a configuration file to determine how to contact the name server and to decide what algorithm and key it should use.
A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret. The default location for the rndc configuration file is TCPIP$ETC:RNDC.CONF, but an alternate location can be specified with the -c option. If the configuration file is not found, rndc also looks in TCPIP$ETC:RNDC.KEY. The RNDC.KEY file is generated by running rndc_confgen -a . This command provides basic functionality, but it offers less configuration flexibility than modifying the RNDC.CONF file.
Note
For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.
The configuration file for the rndc utility is TCPIP$ETC:RNDC.CONF. The structure of this file is similar to TCPIP$BIND.CONF. Statements are enclosed in braces and are terminated with semicolons. Clauses in the statements are also terminated with semicolons. For example:
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
key samplekey {
algorithm hmac-md5
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW";
};
|
Three statements are used in the RNDC.CONF file:
$ rndc_confgen |
reload
Reloads configuration file and zones.reload zone [class [view]]
Reload the given zone.refresh zone [class [view]]
Schedule zone maintenance for the given zone.retransfer zone [class [view]]
Retransfer the specified zone from the master.freeze zone [class [view]]
Suspend updates to a dynamic zone. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synchronized into the master and the journal file to be removed. All dynamic update attempts will be refused while the zone is frozen.unfreeze zone [class [view]]
Enable updates to a frozen dynamic zone. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has completed. After a zone is unfrozen, dynamic updates will no longer be refused.reconfig
Reloads the configuration file and loads new zones, but does not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zones files.stats
Writes server statistics to the statistics file, TCPIP$BIND.STATS.querylog
Toggles query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of TCPIP$BIND.CONF.dumpdb
Dumps the server's caches to the dump file, TCPIP$BIND_DUMP.DB.trace
Increments the servers debugging level by one.trace level
Sets the server's debugging level to an explicit value.notrace
Sets the server's debugging level to 0.flush
Flushes the server's cache.flush-updates
Saves any pending dynamic updates being stored in the zone journal (_JNL) files to the master zone files. (This command is available on OpenVMS systems only.)status
Displays the status of the server. The number of zones includes the internal /CH zone, and the default ./IN hint zone if no root zone has been explicitly configured.
-c config-file
Uses config-file as the configuration file instead of the default, TCPIP$ETC:RNDC.CONF.-k keyfile
Use the specified keyfile instead of the default (TCPIP$ETC:RNDC.KEY). If the configuration file does not exist, the key from TCPIP$ETC:RNDC.KEY will be used instead.-s server
Specifies the name or address of the server which matches a server statement in the configuration file for rndc . If no server is supplied on the command line, the host named by the default-server clause in the option statement of the configuration file is used.-p port
Send commands to the specified TCP port instead of the default control channel port, 953."-V"
Enables verbose logging. Use quotation marks to preserve uppercase options.-y keyid
Use the specified keyid from the configuration file specified with the -c option. If the configuration file was not specified on the command line, the rndc configuration file, RNDC.CONF, is used. The keyid must be known by the BIND server with the same algorithm and secret string in order for control message validation to succeed.If no keyid is specified, rndc first looks for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets that are used to send authenticated control commands to name servers. Therefore, the file should not have general read or write access.
| Previous | Next | Contents | Index |