Please comment! Eugene
=======
HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9

This document describes how to configure bind9 to automatically sign zones as they are being modified by the dynamic update mechanism. It is assumed that you already know how to configure manually signed zones [1] and know how to configure zones for dynamic updates [2].

For the purpose of this discussion, we presume that you control the parent zone 'example.com', which does not allow dynamic updates and is manually signed. The child zone 'dyn.example.com' is set up for dynamic updates. Your 'named' is not run in a chroot environment, and executes under effective uid 'bind' and gid 'bind'. Bind configuration files and manually signed zones are kept in the directory /etc/bind, which is readable but not writable by the 'bind' uid, and dynamically updatable zones are kept in the directory /var/cache/bind, which is readable and writable by the 'bind' uid.

The following are the steps to make the 'dyn.example.com' zone automatically signed:

0. Make sure that you are using bind version 9.6 or later.

1. Create a directory to contain zone keys that are "visible" to named and therefore available to the auto-signing mechanism:

   # mkdir /etc/bind/keys
   # chgrp bind /etc/bind/keys
   # chmod 0750 /etc/bind/keys

2. Create zone-signing keys for the zone 'dyn.example.com' and make the private key readable to the 'bind' uid:

   # cd /etc/bind/keys
   # dnssec-keygen -a RSASHA1 -b 1024 \
   >   -n ZONE dyn.example.com
   # chgrp bind *.private
   # chmod 0640 *.private

3. Include the DNSKEY into the 'dyn.example.com' zone and manually sign it. The file must be made writable to the 'bind' uid:

   # cd /var/cache/bind
   # rndc freeze dyn.example.com

   Edit the file 'dyn.example.com' and add this line:

   $include /etc/bind/keys/Kdyn.example.com.[...].key

   (substitute the actual name of the key file)

   # dnssec-signzone -g -d /etc/bind/keys \
   >   dyn.example.com \
   >   /etc/bind/keys/Kdyn.example.com.[...].private

   (substitute the actual name of the key file)

   This step will create the file dyn.example.com.signed and, in addition to that, the file '/etc/bind/keys/dsset-dyn.example.com.'.

   # chown bind:bind dyn.example.com.signed

4. Include the DS records into the parent zone:

   # cd /etc/bind

   Edit the file example.com and add this line:

   $include keys/dsset-dyn.example.com.

   (don't forget to also update the zone's serial.)

   Manually sign the 'example.com' zone as you usually do.

5. Update bind's configuration:

   In the definition of the 'dyn.example.com' zone, change the line

   file "/var/cache/bind/dyn.example.com";

   to

   file "/var/cache/bind/dyn.example.com.signed";

   In the 'options' section, add these lines:

   sig-validity-interval 2400;
   key-directory "/etc/bind/keys";

   (substitute '2400' with whatever period you deem appropriate. 2400 is 40 minutes.)

6. Make named re-read the configuration and thaw the dynamic zone:

   # rndc reload
   # rndc thaw dyn.example.com

7. Check that things work as expected.

References:

[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
    DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman
[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
    How to allow dynamic updates with BIND, O'Reilly Answers
=======
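Step 7 leaves "check that things work as expected" open. The following is an added example, not part of Eugene's write-up and not BIND's own tooling: a standard-library Python checker that covers the two things steps 3-4 and 6 depend on, namely that the DS records included in the parent really are the digest of the DNSKEY included in the child (owner name plus RDATA hashed as in RFC 4034 section 5.1.4, with the key tag from Appendix B), and that the RRSIGs in the .signed file were made with that key and have not expired or are not about to. The DNSKEY, dsset and RRSIG lines in it are constructed sample data with a 4-byte placeholder public key, so the key tag 2059 belongs to that placeholder and not to any real key. The RRSIG parser expects one record per line, as `dig AXFR` prints them; the multi-line parenthesised form that dnssec-signzone writes must be joined first. Read the expiration stamps from the zone rather than assuming a window: the BIND ARM defines sig-validity-interval in days.

```python
"""Checks for step 7: does the parent's DS match the child's DNSKEY, and are
the RRSIGs in the auto-signed zone still valid?  Standard library only.
Added example; not part of the original write-up."""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from a real zone).  The "public key" is a
# 4-byte placeholder so the example stays short; the logic does not care.
CHILD_DNSKEY = "dyn.example.com. IN DNSKEY 256 3 5 AQIDBA=="

# One RRSIG per line, as `dig AXFR` prints them (the multi-line parenthesised
# form dnssec-signzone writes must be joined first).  Timestamps constructed.
SIGNED_ZONE = """\
dyn.example.com. 3600 IN RRSIG SOA 5 3 3600 20300101000000 20250101000000 2059 dyn.example.com. c2lnbmF0dXJl
host1.dyn.example.com. 3600 IN RRSIG A 5 4 3600 20250102000000 20250101000000 2059 dyn.example.com. c2lnbmF0dXJl
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)")


def name_to_wire(name):
    """Owner name in canonical lower-case wire form (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Return (owner, RDATA bytes) for a DNSKEY line from a K*.key file."""
    toks = line.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    pubkey = base64.b64decode("".join(toks[i + 4:]))   # base64 may be split
    return toks[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B; not for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) as a DS record carries
    them; the digest is over owner name || DNSKEY RDATA (RFC 4034 5.1.4)."""
    owner, rdata = parse_dnskey(dnskey_line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(dsset_text, dnskey_line):
    """True if some DS line in the parent's dsset file is the digest of this DNSKEY."""
    for line in dsset_text.splitlines():
        toks = line.split()
        if "DS" not in toks:
            continue
        i = toks.index("DS")
        tag, alg, dtype = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
        if dtype not in (1, 2):          # digest type we cannot recompute
            continue
        digest = "".join(toks[i + 4:]).upper()
        if (tag, alg, dtype, digest) == make_ds(dnskey_line, dtype):
            return True
    return False


def rrsig_status(zone_text, now, warn=timedelta(days=1)):
    """List (owner, covered type, key tag, state) per RRSIG; state is
    'expired', 'expiring' (less than `warn` left) or 'ok'."""
    result = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, covered, _alg, exp, _inc, tag = m.groups()
        expires = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if expires <= now:
            state = "expired"
        elif expires - now <= warn:
            state = "expiring"
        else:
            state = "ok"
        result.append((owner, covered, int(tag), state))
    return result


def check_zone(dsset_text, dnskey_line, zone_text, now):
    """Combined verdict: DS linkage holds, and every RRSIG was made with our
    key and is not expired."""
    tag = key_tag(parse_dnskey(dnskey_line)[1])
    sigs = rrsig_status(zone_text, now)
    problems = [s for s in sigs if s[2] != tag or s[3] == "expired"]
    return ds_matches(dsset_text, dnskey_line) and bool(sigs) and not problems


if __name__ == "__main__":
    # Build the dsset the way dnssec-signzone -g would (both digest types).
    dsset = "\n".join("dyn.example.com. IN DS %d %d %d %s" % make_ds(CHILD_DNSKEY, t)
                      for t in (1, 2))
    now = datetime.now(timezone.utc)
    print("DS in parent matches child DNSKEY:", ds_matches(dsset, CHILD_DNSKEY))
    for owner, covered, tag, state in rrsig_status(SIGNED_ZONE, now):
        print(f"{owner:28} RRSIG {covered:5} keytag {tag}: {state}")
```

In use, replace CHILD_DNSKEY with the DNSKEY line from the K*.key file that was $include'd in step 3, feed ds_matches the dsset-dyn.example.com. file from step 3/4, and run rrsig_status over a one-record-per-line dump of the zone after step 6; a signature reported as "expiring" that named does not replace before it expires is the symptom that the re-signing setup is not working.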
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users