Please comment! Eugene
=======
HOW TO CONFIGURE AUTO-SIGNED DYNAMIC ZONES WITH BIND9
This document describes how to configure bind9 to
automatically sign zones as they are being modified
by dynamic update mechanism. It is assumed that
you already know how to configure manually signed
zones [1] and know how to configure zones for dynamic
updates [2].
For the purpose of this discussion, we presume that
you control the parent zone 'example.com' which does
not allow dynamic updates and is manually signed.
The child zone 'dyn.example.com' is set up for dynamic
updates. Your 'named' is not run in chroot environment,
and executes under effective uid 'bind' and gid 'bind'.
Bind configuration files and manually signed zones are
kept in directory /etc/bind which is readable but not
writable by 'bind' uid, and dynamically updatable
zones are kept in directory /var/cache/bind which is
readable and writable by 'bind' uid.
The following are the steps to make 'dyn.example.com'
zone automatically signed:
0. Make sure that you are using bind version 9.6 or later.
1. Create a directory to contain zone keys the are
"visible" to named and therefore available to auto-
signing mechanism:
# mkdir /etc/bind/keys
# chgrp bind /etc/bind/keys
# chmod 0750 /etc/bind/keys
2. Create zone-signing keys for the zone
'dyn.example.com' and make the private key readable
to 'bind' uid:
# cd /etc/bind/keys
# dnssec-keygen -a RSASHA1 -b 1024 \
> -n ZONE dyn.example.com
# chgrp bind *.private
# chmod 0640 *.private
3. Include DNSKEY into 'dyn.example.com' zone and
manually sign it. The file must be made writable to
'bind' uid:
# cd /var/cache/bind
# rndc freeze dyn.example.com
edit the file 'dyn.example.com' and add this line:
'$include /etc/bind/keys/Kdyn.example.com.[...].key'
(substitute the actual name of the key file)
# dnssec-signzone -g -d /etc/bind/keys \
> dyn.example.com \
> /etc/bind/keys/Kdyn.example.com.[...].private
(substitute the actual name of the key file)
This step will create the file dyn.example.com.signed,
and in addition to that, the file
'/etc/bind/keys/dsset-dyn.example.com.'.
# chown bind:bind dyn.example.com.signed
4. Include DS records into the parent zone:
# cd /etc/bind
edit the file example.com and add this line:
'$include keys/dsset-dyn.example.com.'
(don't forget to also update the zone's serial.)
Manually sign the 'example.com' zone as you usually
do.
5. Update bind's configuration:
In the definition of 'dyn.example' zone, change
the line
'file "/var/cache/bind/dyn.example.com";'
to
'file "/var/cache/bind/dyn.example.com.signed";'
In the 'options' section, add this lines:
'sig-validity-interval 2400;'
'key-directory "/etc/bind/keys";'
(substitute '2400' to whatever period you deem
appropriate. 2400 is 40 minutes.)
6. Make named re-read the configuration and thaw
the dynamic zone:
# rndc reload
# rndc thaw dyn.example.com
7. Check that things work as expected.
References:
[1] http://www.nlnetlabs.nl/publications/dnssec_howto/index.html
DNSSEC HOWTO, a tutorial in disguise, by Olaf Kolkman
[2] http://answers.oreilly.com/topic/192-how-to-allow-dynamic-updates-with-bind/
How to allow dynamic updates with BIND, O'Reilly Answers
=======
signature.asc
Description: OpenPGP digital signature
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
