freebsd-dev/contrib/bind/doc/secure/usage.txt
Peter Wemm 4e0ffe0bae Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on
final release.

Obtained from:  ftp.isc.org
1998-05-03 04:11:49 +00:00


USAGE_SEC
Secure DNS (TIS/DNSSEC)
September 1996
This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
BETA-1.3. This looks like a standard named distribution, with
the following exceptions:
    this version is coded against BIND-4.9.4-P1
    there are three new directories in this distribution:
        dnssec_lib
        signer
        rsaref
rsaref/ is a placeholder directory for the RSAREF distribution.
You must obtain RSAREF on your own.
signer/ contains two applications needed by DNSSEC:
        signer:  tool to sign zones
        key_gen: tool to generate keys
dnssec_lib/ contains common library routines that are used by
named, key_gen and signer.
This is where most of the DNSSEC work is done.
Before compiling you need to do your standard configurations for named
and the edits explained in INSTALL_SEC. This version has been tested
on SUNOS4.1.3. This version includes portability fixes from previous
beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.

CHANGES TO BIND

res/
    There are minor changes to the files in the res directory. Most of
    the changes have to do with displaying NXT records. There are also
    some changes related to translating domain names into uncompressed
    lower-case names upon request.
tools/
    Minor changes to recognize NXT records and display them.
named/
    Added code to read and write the new record types.
    Added code to do signature validation on read.
    Added code to return the appropriate SIG records.
    Added security flags to the databuf and zoneinfo structures.
    A name can now hold a CNAME record together with the security RRs.
    Records are stored and transmitted in DNSSEC sort order.
conf/
    Turned off the ROUND_ROBIN option and installed the new sorting
    required for signature verification.
signer/
    NXT record generation.
    Key generation.
    Signing of zones.
    Converting data records to the format required for signatures.
dnssec_lib/
    Interfacing with the crypto library.
    Verifying signatures.
    Preparing data for signing and verification.

The role of <zone>.PARENT files:

The DNSSEC specification changes who is authoritative for certain
resource records. To support the certification hierarchy, each zone's
KEY RR must be signed by the parent zone. The parent-signed KEY RR must
nevertheless be distributed by the zone itself, since the zone is the
most authoritative source for its own records.

To facilitate this, the TIS/DNSSEC signer program creates a <name>.PARENT
file for every name in a zone that has an NS record. This file contains
the KEY records stored under that name, the NXT record, and the
corresponding SIG records. If no KEY record is found for a name with an
NS record, a NULL-KEY record is generated to indicate that the child is
INSECURE.

Each <zone>.PARENT file must be sent via an out-of-band mechanism to the
appropriate primary for the zone, for inclusion there. The signer
program adds an "$INCLUDE <zone>.PARENT" directive at the end of each
zone file; if no such file exists, a warning message is printed.
Potential PROBLEM: It is likely that the parent and the child are on
different signing schedules. If a new <zone>.PARENT file is put on the
primary, the zone data has changed but the SOA serial has not, so it may
take a long time for the new records to propagate to the secondaries.
This is only a problem if the zone has added or deleted a KEY, or if
the signatures will expire in the near future. To overcome this problem,
re-sign your zone whenever either of the above conditions is true.
DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.

TIS/DNSSEC SOA serial numbers: To facilitate prompt distribution of
zone data to secondaries, signer takes over the management of SOA
serial numbers. Each time signer signs a zone it sets the serial
number to a value reflecting the time the zone was signed, in standard
Unix time (seconds since 1970/1/1 0:0:0 GMT). Note that a zone whose
serial was previously larger than the current Unix time (for example a
serial in the common YYYYMMDDnn style) will appear to secondaries to
have gone backwards, and they will not transfer the re-signed zone until
the serial has been brought below the Unix time value.
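The two re-sign triggers above (a changed KEY set, signatures about to expire) can be checked mechanically before deciding whether to wait for the normal schedule. The following Python is an added example and not part of the TIS/DNSSEC distribution: it parses records in the presentation form the dig output further down uses (multi-line SIG in parentheses, ';' comments, no class column), reads the signing time back out of the SOA serial, flags SIGs that are expired or not yet valid, and lists the reasons a re-sign is due. The zone text is constructed for the example (the SOA line and KEY data are sample values; the A record and its SIG are copied from the page's dig output), and the 7-day horizon is an arbitrary choice.

```python
"""Added example, not TIS/DNSSEC code: decide whether a zone should be
re-signed now rather than on its usual schedule.  Triggers are the two
the text names (KEY set changed; signatures expire soon) plus a sanity
check that each SIG is inside its validity window.  Input is the
presentation form of the page's dig output (multi-line SIG in
parentheses, ';' comments, no class column) plus the SOA signer writes."""
from datetime import datetime, timezone

UTC = timezone.utc
STAMP = "%Y%m%d%H%M%S"          # SIG expiration / time-signed format, UTC


def records(text):
    """Yield (owner, type, rdata tokens) from dig-style text, joining the
    parenthesised multi-line form and dropping everything after ';'."""
    buf = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                  # still inside a multi-line RR
        buf = []
        toks = joined.replace("(", " ").replace(")", " ").split()
        if toks[2].upper() in ("IN", "CH", "HS"):
            del toks[2]               # tolerate an explicit class column
        yield toks[0].lower(), toks[2].upper(), toks[3:]


def soa_signing_time(text):
    """signer stores the Unix time of signing in the SOA serial; return it
    as a YYYYMMDDHHMMSS stamp so it compares directly with SIG times."""
    rd = next(rd for _, t, rd in records(text) if t == "SOA")
    return datetime.fromtimestamp(int(rd[2]), UTC).strftime(STAMP)


def sig_status(rd, now):
    """rd = [covered type, alg, labels, ttl, expiration, time signed,
    footprint, signer, signature]; now is a YYYYMMDDHHMMSS stamp.  Stamps
    of equal width compare correctly as text."""
    expiration, signed = rd[4], rd[5]
    if now < signed:
        return "not yet valid"
    if now >= expiration:
        return "expired"
    return "valid"


def key_set(text):
    """The KEY RRs present, as (owner, rdata) pairs, order-insensitive."""
    return frozenset((o, " ".join(rd)) for o, t, rd in records(text) if t == "KEY")


def resign_reasons(previous, current, now, horizon_days=7):
    """Reasons to re-sign `current` now; an empty list means the schedule holds.
    `previous` is the zone as last signed, `now` a YYYYMMDDHHMMSS stamp."""
    reasons = []
    if key_set(previous) != key_set(current):
        reasons.append("KEY set changed since the last signing")
    t_now = datetime.strptime(now, STAMP)
    for owner, rtype, rd in records(current):
        if rtype != "SIG":
            continue
        status = sig_status(rd, now)
        if status != "valid":
            reasons.append("SIG over %s %s is %s" % (owner, rd[0], status))
        elif (datetime.strptime(rd[4], STAMP) - t_now).days < horizon_days:
            reasons.append("SIG over %s %s expires %s" % (owner, rd[0], rd[4]))
    return reasons


# Constructed input: SOA serial 797198819 is 1995-04-06 20:06:59 UTC, the
# moment the page's sample SIG was made; KEY data "AQAB" is a placeholder.
SIGNED_ZONE = """\
foo.bar. 259200 SOA ns.foo.bar. hostmaster.foo.bar. 797198819 3600 900 604800 259200
foo.bar. 259200 KEY 0x4101 3 1 AQAB
snore.foo.bar. 259200 A 10.17.3.20
snore.foo.bar. 259200 SIG A (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
) ; END Signature
"""
# The same zone after a KEY was edited in without re-signing.
EDITED_ZONE = SIGNED_ZONE.replace("0x4101 3 1 AQAB", "0x4101 3 1 AQAC")

if __name__ == "__main__":
    print("zone signed at", soa_signing_time(SIGNED_ZONE))
    for reason in resign_reasons(SIGNED_ZONE, EDITED_ZONE, "19950501000000"):
        print("re-sign:", reason)
```

Run against the edited zone on 1995-05-01 it reports both triggers: the KEY set differs from the one last signed, and the 30-day SIG over snore.foo.bar. A runs out on 1995-05-06, inside the horizon. Run against the unmodified zone on 1995-04-10 it reports nothing, which is the case where waiting for the parent's own schedule is safe.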

How to configure a secure zone.

  1. Create a directory <zone> to contain your zone files.
  2. Create an output directory <outdir> for the signer output.
  3. Put in <zone> a boot file that includes the files for that zone.
  4. Create a KEY for the zone by running key_gen; name the key <domain>.
  5. Run signer on your zone, writing to the output directory <outdir>.

Signer will rewrite the boot file to include a new "pubkey" directive
for the key used to sign the file. Any pubkey declarations already in
the input boot file are deleted.

Signer generates one output file for each load file specified. If a
load file $INCLUDEs another load file, signer merges them into the
output file.

You will notice that the output files are significantly larger. The
output files will be in a different order than the input files: all
records are sorted into DNSSEC sort order, and NXT and SIG records have
been added.

If there are NS records for any name other than the zone name of an
input file, you will see messages that NULL KEY records have been
created. If this is not the correct behavior, add the correct KEY RRs
for those names.

For each domain name that has an NS record but is not the zone name of
a load file, you will see a file named <name>.PARENT. This file contains
the KEY record for that name and an NXT record plus 2 SIG records. This
file needs to be sent to the nameserver that is primary for that zone.
There are two reasons for this:
  1. To support the certification hierarchy, each zone key is signed
     by the parent zone key.
  2. The zone is the most trustworthy source for itself; unless these
     records are loaded into the primary server for the zone, the
     records may not get propagated.

how to run SEC_NAMED:

Included in the distribution there is a small test setup:
# run signer
./signer boot-f simple_test/test.boot [out-dir /tmp]
# or
make test
# This takes a few minutes to run depending on your machine and the size
# of the key selected.
# All output files will be stored in /tmp unless out-dir is specified.
#
# Now we are ready to run named
cd ../named
./named -p 12345 -b /tmp/test.boot.save [-d x]
#
# you can now check for data in the data base
# using the new dig.
#
cd ../tools
./dig @yourhost snore.foo.bar. any in -p 12345
#
# Output from new dig will be something like this
#
; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
;; QUESTIONS:
;; snore.foo.bar, type = ANY, class = IN
;; ANSWERS:
snore.foo.bar. 259200 A 10.17.3.20
snore.foo.bar. 259200 SIG A (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
) ; END Signature
snore.foo.bar. 259200 MX 96 who.foo.bar.
snore.foo.bar. 259200 MX 100 foo.bar.
snore.foo.bar. 259200 MX 120 xxx.foo.bar.
snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
snore.foo.bar. 259200 MX 140 bozo.foo.bar.
snore.foo.bar. 259200 SIG MX (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
) ; END Signature
snore.foo.bar. 259200 NXT xxx.foo.bar.
snore.foo.bar. 259200 SIG NXT (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
) ; END Signature
;; Total query time: 195 msec
;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
;; WHEN: Thu Apr 6 16:20:32 1995
;; MSG SIZE sent: 31 rcvd: 662