Bind 9 Administrator Reference Manual

Chapter 4. Advanced Concepts
4.5. TKEY
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of TKEY that specify how the key is generated or assigned. BIND implements only one of these modes, the Diffie-Hellman key exchange. Both hosts are required to have a Diffie-Hellman KEY record (although this record is not required to be present in a zone). The TKEY process must use signed messages, signed either by TSIG or SIG(0). The result of TKEY is a shared secret that can be used to sign messages with TSIG. TKEY can also be used to delete shared secrets that it had previously generated.

The TKEY process is initiated by a client or server by sending a signed TKEY query (including any appropriate KEYs) to a TKEY-aware server. The server response, if it indicates success, will contain a TKEY record and any appropriate keys. After this exchange, both participants have enough information to determine the shared secret; the exact process depends on the TKEY mode. When using the Diffie-Hellman TKEY mode, Diffie-Hellman keys are exchanged, and the shared secret is derived by both participants.

4.6. SIG(0)
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535. SIG(0) uses public/private keys to authenticate messages. Access control is performed in the same manner as TSIG keys; privileges can be granted or denied based on the key name.

When a SIG(0) signed message is received, it will only be verified if the key is known and trusted by the server; the server will not attempt to locate and/or validate the key.

SIG(0) signing of multiple-message TCP streams is not supported.

BIND 9 does not ship with any tools that generate SIG(0) signed messages.

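The following is an added example (not BIND's code and not the RFC 2930 wire procedure) that shows the two ideas the TKEY and SIG(0) sections above rely on: both sides of a Diffie-Hellman exchange arrive at the same shared secret, that secret becomes a named TSIG key used for HMAC signing and later deletion, and a receiver accepts a signed message only if the key name is already known and trusted, granting or denying operations by key name. The modulus is the 1024-bit MODP group from RFC 2409 (group 2); the key-derivation step (SHA-256 over the shared value) and the key names, ACL and `KeyStore` class are assumptions chosen for illustration.

```python
"""Added example: DH shared secret -> named TSIG key -> key-name access control."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Derive the shared value; reject peer values outside (1, p-1)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def derive_tsig_key(shared):
    """Assumption: hash the big-endian shared value into an HMAC key.
    RFC 2930 prescribes its own derivation; this is only illustrative."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def tsig_sign(key, message):
    """HMAC-SHA256 over the message, the way a TSIG MAC covers a DNS message."""
    return hmac.new(key, message, hashlib.sha256).digest()


class KeyStore:
    """Keys the server knows and trusts, indexed by key name, plus a
    per-name ACL (hypothetical): the set of operations that name may perform."""

    def __init__(self):
        self.keys = {}
        self.acl = {}

    def add(self, name, key, allowed):
        self.keys[name] = key
        self.acl[name] = set(allowed)

    def delete(self, name):
        # TKEY can also delete a secret it previously generated.
        self.keys.pop(name, None)
        self.acl.pop(name, None)


def verify_signed_message(store, key_name, message, mac, operation):
    """Accept only if the key is already known (no lookup is attempted),
    the MAC matches, and the ACL grants this operation to that key name."""
    key = store.keys.get(key_name)
    if key is None:
        return False
    if not hmac.compare_digest(tsig_sign(key, message), mac):
        return False
    return operation in store.acl.get(key_name, set())


def run_exchange():
    """Walk through one TKEY-style exchange and return the check results."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    client_secret = dh_shared_secret(client_priv, server_pub)
    server_secret = dh_shared_secret(server_priv, client_pub)

    store = KeyStore()
    store.add("tkey-client.example.", derive_tsig_key(server_secret), {"update"})
    client_key = derive_tsig_key(client_secret)

    msg = b"constructed sample DNS UPDATE for example."  # constructed input
    mac = tsig_sign(client_key, msg)
    results = {
        "secrets_match": client_secret == server_secret,
        "known_key_update": verify_signed_message(store, "tkey-client.example.", msg, mac, "update"),
        "known_key_transfer": verify_signed_message(store, "tkey-client.example.", msg, mac, "transfer"),
        "unknown_key": verify_signed_message(store, "stranger.example.", msg, mac, "update"),
        "tampered": verify_signed_message(store, "tkey-client.example.", msg + b"x", mac, "update"),
    }
    store.delete("tkey-client.example.")
    results["after_delete"] = verify_signed_message(store, "tkey-client.example.", msg, mac, "update")
    return results


if __name__ == "__main__":
    for check, outcome in run_exchange().items():
        print(f"{check}: {outcome}")
```

The `stranger.example.` case is the behaviour the SIG(0) section describes: an unknown key name is refused outright rather than looked up, and `known_key_transfer` shows privilege decided purely by key name once the signature checks out.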
4.7. DNSSEC
Cryptographic authentication of DNS information is possible through the DNS Security (DNSSEC) extensions, defined in RFC 2535. This section describes the creation and use of DNSSEC signed zones.

In order to set up a DNSSEC secure zone, there is a series of steps which must be followed. BIND 9 ships with several tools that are used in this process, which are explained in more detail below. In all cases, the "-h" option prints a full list of parameters. Note that the DNSSEC tools require the keyset and signedkey files to be in the working directory, and that the tools shipped with BIND 9.0.x are not fully compatible with the current ones.