Internet Services Delta Manual for HP-UX 11i Version 1.6

Signing the Child's Keyset
The /usr/bin/dnssec-signkey program is used to sign a keyset for a child zone.
# /usr/bin/dnssec-signkey example.com.keyset Kcom.+003+51944
The output of the above command is a file named example.com.signedkey, which contains the
keys for example.com signed by the com zone's zone key.
Signing the Zone
The /usr/bin/dnssec-signzone program is used to sign a zone.
A sample command invoking dnssec-signzone to sign the zone example.com is shown below.
Kexample.com.+003+26160 is the key identifier generated by the dnssec-keygen program.
# /usr/bin/dnssec-signzone example.com Kexample.com.+003+26160
dnssec-signzone creates a file named example.com.signed, the signed version of the
example.com zone. This file can then be referenced in a zone statement in /etc/named.conf
so that the name server loads the signed data.
Configuring Servers
Unlike BIND 8.1.2, BIND 9.2.0 does not verify zone data on load. Hence zone keys for authoritative
zones do not need to be specified in the configuration file. The public key of any security root,
however, must be listed in the trusted-keys statement of the configuration file.
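As an added example (not taken from the HP-UX manual), the two /etc/named.conf fragments that tie the steps above together: a zone statement that loads example.com.signed on the authoritative server, and a trusted-keys statement on a validating server carrying the public key it trusts as a security root. The key material, and the choice of the example.com zone key as the trust anchor, are placeholders; in a fully signed tree the anchor would be a key higher up, such as the com zone key that signed example.com.keyset.

```conf
// Added example: /etc/named.conf fragments for a BIND 9.2.0 server.
// Not from the HP-UX manual; the base64 key data is a placeholder.

// Authoritative server: load the signed zone file written by
// dnssec-signzone instead of the unsigned example.com file.
// No zone key is listed here, since BIND 9.2.0 does not verify on load.
zone "example.com" {
    type master;
    file "example.com.signed";
};

// Validating server: public key of the security root, copied from the
// Kexample.com.+003+26160.key file produced by dnssec-keygen.
// Fields: owner name, flags, protocol, algorithm, base64 public key.
// 256 = zone-key flag, protocol 3 = DNSSEC, algorithm 3 = DSA
// (the "+003" in the key identifier above).
trusted-keys {
    "example.com." 256 3 3 "PLACEHOLDER-BASE64-PUBLIC-KEY==";
};
```

Only the file line changes on the authoritative side. The trusted-keys statement belongs only on servers that should validate answers, and the key in it has to be replaced whenever that zone key is rolled, otherwise validation of the whole subtree under it fails.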
Dynamic DNS Update
Dynamic update is the ability to add, modify, or delete records or RR sets in the master zone files
of a specified zone. Dynamic update is based on RFC 2136. It is enabled on a zone-by-zone
basis by including an allow-update or update-policy clause in the zone statement of the
/etc/named.conf file.
NOTE: Zone files of dynamic zones must not be edited manually, as those changes could conflict
with dynamic updates. Use the nsupdate utility to submit dynamic DNS update requests to a
name server.
TSIG-based Security
To secure server-to-server communication, BIND 9.2.0 primarily uses TSIG. This covers zone
transfer, notify, and recursive query messages. TSIG is most useful for dynamic updates. To secure
dynamic updates to the primary server of a dynamic zone, key-based access control is more effective
than IP-based access control. The nsupdate program, with the "-k" or "-y" option, supplies the
shared secret needed to generate the TSIG record that authenticates a dynamic DNS update
request.
NOTE: Refer to the nsupdate(1) man page for more details.
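As an added example (not taken from the HP-UX manual), the two ways of authorising dynamic updates described in the two sections above, written as /etc/named.conf fragments: an IP-based allow-update ACL, which is satisfied by any datagram whose source address falls in the listed range, forged or not, beside the key-based form, where the update must carry a TSIG signature computed with a shared secret. The key name update-key, the 192.0.2.0/24 network, the host names and the secret are placeholders.

```conf
// Added example: /etc/named.conf fragments for BIND 9.2.0.
// Not from the HP-UX manual; key name, network and secret are placeholders.

// Weak: IP-based access control. Any update whose source address is in
// 192.0.2.0/24 is accepted, and a UDP source address is trivially forged.
zone "weak.example.com" {
    type master;
    file "weak.example.com.db";
    allow-update { 192.0.2.0/24; };
};

// Preferred: key-based access control with TSIG. The secret comes from
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST update-key
// (copy the base64 "Key:" value from the resulting .private file).
key "update-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;
    file "example.com.db";
    // Only updates carrying a valid TSIG made with update-key are accepted.
    allow-update { key "update-key"; };
};

// Finer-grained alternative: update-policy limits what the key may change,
// here to A records of a single host name. allow-update and update-policy
// are mutually exclusive within one zone statement.
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";
    update-policy {
        grant update-key name host1.dyn.example.com. A;
    };
};
```

On the client, the same secret is handed to nsupdate either as "-y update-key:<secret>" or, preferably, with "-k" pointing at the Kupdate-key.+157+*.private file generated above, which keeps the secret off the command line and out of process listings. Both the key statement in named.conf and the .private file should be readable only by the user that named and nsupdate run as.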
Lightweight Resolver Library and Daemon
The applications that require address-to-name lookups have been linked with a stub resolver library
that sends recursive DNS queries to a local caching name server.
BIND 9.2.0 provides resolution services to local clients using a combination of a lightweight resolver
library and a resolver daemon process running on the local host. The two communicate over a
simple UDP-based protocol, the "lightweight resolver protocol", which is distinct from and simpler than
the full DNS protocol.
To use the lightweight resolver interface, the system must run the resolver daemon lwresd. The
daemon currently looks up names only in the DNS, but in the future it may use other sources such as
/etc/hosts and NIS.
32 BIND 9.2.0