d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Files gone from 8.2.2.p5

Browse Source
This commit is contained in:
Peter Wemm 1999-11-30 03:41:17 +00:00
parent 0e460bd389
commit bf49e5ccac
4 changed files with 0 additions and 491 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
contrib/bind/doc/secure/copyright.txt
View File

@ -1,28 +0,0 @@
/*
* Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION
* SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*
* Trusted Information Systems, Inc. has received approval from the
* United States Government for export and reexport of TIS/DNSSEC
* software from the United States of America under the provisions of
* the Export Administration Regulations (EAR) General Software Note
* (GSN) license exception for mass market software. Under the
* provisions of this license, this software may be exported or
* reexported to all destinations except for the embargoed countries of
* Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
* or reexport of TIS/DNSSEC software to the embargoed countries
* requires additional, specific licensing approval from the United
* States Government.
*/

155
contrib/bind/doc/secure/install.txt
View File

@ -1,155 +0,0 @@
INSTALL_SEC
Bind with Secure DNS (TIS/DNSSEC)
Version 1.3.0 Beta
September 1996
This version has been compiled and tested on SUNOS 4.1.3,
FreeBSD-2.1.5-REL and Linux 2.0.11.
There may be still be portability problems.
If you have access to other hardware platforms please let us know if
there are any problems porting and send us patches, to include in
future releases.
This version of secure Bind uses RSAREF-2.0 library from RSA,
First you should get/read the RSAREF FAQ
http://www.consensus.com/rsaref-faq.html
Then you can copy RSAREF from
ftp://ftp.rsa.com/rsaref/README
You need to read this README file carefully for further instructions.
Installation: (this version is based on 4.9.4-REL-P1).
1. The tar ball will create a directory sec_bind in the current directory
untar the archive
The content of the sec_bind directory has the same directory
structure as bind distribution with the addition of the directories
dnssec_lib/ and signer/, some named directories have been
deleted from the distribution.
dnssec_lib/ contains the library files for signature generation
signer/ contains tools for signing bind boot files and
generating keys.
In addition, there is a new file, "res/res_sign.c", which
contains library routines that are required in the resolver
for displaying new RR types.
You need to tailor sec_bind/Makefile to your system as you do
with bind distributions.
The sec_bind distribution expects to find RSAREF in the
rsaref/ subdirectory. If you install RSAREF in a different
place you can place a pointer to the RSAREF installation
directory in place of sec_bind/rsaref.
sec_bind/Makefile expects to find the RSAREF library file
at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution
does not contain that directory. If you are installing RSAREF
for the first time create that directory copy the correct
Makefile from the appropriate rsaref/install/ subdirectory.
Sec_bind will compile RSAREF for you.
We recommend that you use an ANSI C compliant compiler to
compile this distribution.
2. Follow Bind installation guidelines on your system
Set your normal configuration in conf/options.h with the
following exceptions/additions:
ROUND_ROBIN must be OFF (for right now)
DNS_SECURITY must be ON
RSAREF must be ON if you have a copy of RSAREF.
This version of sec_bind does not work well without RSAREF.
3. make
If you are going to use make install everything will work right
out of the box. If you are going to run programs out of the
sec_bind directory you need to set the DESTEXEC variables
accordingly.
4. Once everything compiles you can run the simple test that is include in
the distribution.
First you need to edit the file signer/simple_test/test.boot to
set directory directive to the full path of the directory this
file is in.
Now the signer program can be run to sign the simple_test data.
The signed zone will be written to /tmp
% cd sec_bind/signer
% make test
The passwords for the keys in the distribution are:
Key: Password:
foo.bar foo.bar
mobile.foo.bar mobile
fix.foo.bar fix.foo.bar
sub.foo.bar sub.foo.bar
some.bar some.bar
Notice the differences between simple_test/test.boot and
/tmp/test.boot. The pubkey directive are required for correct
behavior of new named.
To check the if named can read the new zone files and verify
the signatures run following commands
% cd ../named
% make test
Exit/error code 66 indicates that program completed normally
in "load-only" mode (new -l flag).
If you want to load up named run same command as make test does
without -l flag. (the -d 3 flag is to make sure the process
does not do a fork).
% ./named -p 12345 -b /tmp/test.boot -d 3
% cd ../tools
% ./dig @localhost snore.foo.bar. -p 12345
This should return an A record + SIG(A) record
% ./dig @localhost no_such_name.foo.bar. -p 12345
This should return a NXT record +SIG(NXT) for *.foo.bar.
You can also test against our nameserver for zone sd-bogus.tis.com
the host is uranus.hq.tis.com(192.94.214.95)
% ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa
will return the SOA and SIG(SOA) + KEY
% ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb
will return NXT for sd-bogus.tis.com
% ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns
will NS +KEY for foo.sd-bog.tis.com.
5. Converting your setup to secure DNS zones.
need to create a key for your zone.
If you have a copy of the last release of sec_bind the key file
format has changed and you need to regenerate all your keys, Sorry.
The new format for private key files is portable between
different architectures and operating systems, the encryption
of the key file is compatible with the des program.
To generate key use sec_bind/signer/key_gen. To generate zone key
for name you.bar, with 512 bit modulus and exponent of 3,
execute following command
% cd signer
% ./key_gen -z -g 512 you.bar
key_gen will ask for an encryption password for the private
key file, if you do not want to encrypt the key hit <Return>.
The program will output resource record suitable for zone file.
key_gen creates two files you.bar.priv and foo.bar.public.
If you want, at any time, to display the public key for foo.bar
run key_gen without the -g flag or cat file foo.bar.public.
key_gen without any flags will print out the usage information.
key_gen has extensive error checking on flags.
To modify the flags field for an existing key run key_gen with
the new flags but without the -g flag.
Note: The key above is suitable for signing records but not for
encrypting data.
6. Send problems, fixes and suggestions to dns-security@tis.com.

93
contrib/bind/doc/secure/readme.txt
View File

@ -1,93 +0,0 @@
Secure DNS (TIS/DNSSEC)
September 1996
Copyright (C) 1995,1996 Trusted Information Systems, Incorporated
Trusted Information Systems, Inc. has received approval from the
United States Government for export and reexport of TIS/DNSSEC
software from the United States of America under the provisions of
the Export Administration Regulations (EAR) General Software Note
(GSN) license exception for mass market software. Under the
provisions of this license, this software may be exported or
reexported to all destinations except for the embargoed countries of
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
or reexport of TIS/DNSSEC software to the embargoed countries
requires additional, specific licensing approval from the United
States Government.
Trusted Information Systems, Inc., is pleased to
provide a reference implementation of the secure Domain Name System
(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide
the community with a usable, working version of this technology,
TIS/DNSSEC is being made available for broad use on the following basis.
- Trusted Information Systems makes no representation about the
suitability of this software for any purpose. It is provided "as is"
without express or implied warranty.
- TIS/DNSSEC is distributed in source code form, with all modules written
in the C programming language. It runs on many UNIX derived platforms
and is integrated with the Bind implementation of the DNS protocol.
- This beta version of TIS/DNSSEC may be used, copied, and modified for
testing and evaluation purposes without fee during the beta test
period, provided that this notice appears in supporting documentation
and is retained in all software modules in which it appears. Any other
use requires specific, written prior permission from Trusted Information
Systems.
TIS maintains the email distribution list dns-security@tis.com for
discussion of secure DNS. To join, send email to
dns-security-request@tis.com.
TIS/DNSSEC technical questions and bug reports should be addressed to
dns-security@tis.com.
To reach the maintainers of TIS/DNSSEC send mail to
tisdnssec-support@tis.com
TIS/DNSSEC is a product of Trusted Information Systems, Inc.
This is an beta version of Bind with secure DNS extensions it uses
RSAREF which you must obtain separately.
Implemented and tested in this version:
Portable key storage format.
Improved authentication API
Support for using different authentication packages.
All Security RRs including KEY SIG, NXT, and support for wild cards
tool for generating KEYs
tool for signing RRs in boot files
verification of RRs on load
verification of RRs over the wire
transmission of SIG RRs
returns NXT when name and/or type does not exist
storage of NXT, KEY, and SIG RRs with CNAME RR
AD/ID bits added to header and setting of these bits
key storage and retrieval
dig and nslookup can display new header bits and RRs
AXFR signature RR
keyfile directive
$SIGNER directive (to turn on and off signing)
adding KEY to answers with NS or SOA
SOA sequence numbers are now set each time zone is signed
SIG AXFR ignores label count of names
generation and inclusion of .PARENT files
Returns only one NXT at delegation points unless two are required
Expired SIG records are now returned in response to query
Implemented but not fully tested:
Known bugs:
Not implemented:
ROUND_ROBIN behaviour
zone transfer in SIG(AXFR) sort order.
transaction SIGs
verification in resolver. (stub resolvers must trust local servers
resolver library is to low level to implement security)
knowing when to trust the AD bit in responses
Read files INSTALL_SEC and USAGE_SEC for installation and user
instructions, respectively.

215
contrib/bind/doc/secure/usage.txt
View File

@ -1,215 +0,0 @@
USAGE_SEC
Secure DNS (TIS/DNSSEC)
September 1996
This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
BETA-1.3. This looks like a standard named distribution, with
the following exceptions
this version is coded against BIND-4.9.4-P1
there are three new directories in this distribution
dnssec_lib
signer
rsaref
rsaref/ is place holder directory for RSAREF distribution.
You must get RSAREF on your own.
signer/ contains two applications needed by DNSSEC:
signer: tool to sign zones
key_gen: tool to generate keys
dnssec_lib/ contains common library routines that are used by
named, key_gen and signer.
This is where most of the DNSSEC work is done.
Before compiling you need to do your standard configurations for named
and the edits explained in INSTALL_SEC. This version has been tested
on SUNOS4.1.3. This version includes portability fixes from previous
beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.
CHANGES TO BIND
res/
There are minor changes to the files in the res directory. Most of
the changes have to do with displaying NXT
records. There are also some changes related to translating
domain names into uncompressed lower case names upon request.
tools/
Minor changes to recognize NXT records and display them.
named/
Added code to read and write new record types.
Added code to do signature validation on read.
Added code to return appropriate SIG records.
Added security flags to databuf and zoneinfo structures.
Names can now have CNAME record and security RR's.
Records are stored and transmitted in DNS SEC sort order.
conf/
Turned off ROUND_ROBIN option and installed new sorting required
for signature verification.
signer/
NXT record generation.
Key generation
Signing of zones
Converting data records to format required for signatures.
dnssec_lib/
Interfacing with Crypto library.
Verifying signatures,
preparing data for signing and verification
The role of <zone>.PARENT files:
DNSSEC specification requires change who is authorative for certain
resource records. In order to support certification hierarchy each
zone KEY RR must be signed by parent zone. The parent signed KEY RR
must be distributed by the zone itself as it is the most authorative
for its own records.
To facilitate this TIS/DNSSEC signer program creates a <name>.PARENT
file for every name in a zone that has a NS record. This file contains
the KEY records stored under this name and
NXT record and corresponding SIG records. If no KEY record is found
for a name with a NS record a NULL-KEY record is generated to indicate
that the child is INSECURE.
Each <zone>.PARENT file must be sent via an out of band mechanism to
the appropriate primary for the zone, for inclusion. signer program
adds an $INCLUDE <zone>.PARENT command at the end of each zone file,
if no file exists an warning message is printed.
Potential PROBLEM: It is likely that the parent and child are on a
different signing schedule. If new <zone>.PARENT file is put on the
primary, due to the fact that the zone data changed but the SOA did
not, it may take a long time for new records to propagate to the
secondaries. This is only a problem if zone has added/deleted a KEY
or if the the signatures will expire in the near future. To overcome
this problem, resign your zone when any of above conditions is true.
DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.
TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of
zone data to secondaries, signer takes over the management of SOA
serial numbers. Each time signer signs a zone it sets the serial
number to a value reflecting the time the zone was signed, in standard
Unix time seconds since 1970/1/1 0:0:0 GMT.
How to configure a secure zone.
Create a directory <zone> to contain your zone files.
Create a output directory <outdir> for the signer output.
Put in <zone> a boot file that includes the files from that zone.
Create a KEY for the zone by running key_gen, Name the key <domain>.
Run signer on your zone writing to the output directory <outdir>.
Signer will rewrite the boot file to include new directive
"pubkey" of the key used to sign the file. If there where
any pubkey declarations in the input boot file they will be
deleted.
Signer generates files that correspond to the load files specified.
In case of load file that $INCLUDEs another load file, signer will
merge them to the output file.
You will notice that the output files are significantly larger.
The output files will be in a different order than the input files,
all records are sorted into DNSSEC sort order.
NXT and SIG records have been added.
If there are any NS records for a name other than the zone name of
each input file you will see messages that NULL KEY records
have been created, if this is not correct behavior, add
the correct KEY RRs.
For each domain name that has a NS record but is not a zone name
of load file you will see a file named <name>.PARENT,
this file contains the KEY record for that name and an
NXT record + 2 SIG records.
This file needs to be sent to the nameserver that is primary for that
zone. There are two reasons for this:
1. To support Certification Hierarchy, each zone key is
signed by the parent zone key.
2. Zone is the most trustworthy source for itself unless
these records are loaded into the primary server for
the zone, the records may not get propagated.
how to run SEC_NAMED:
Included in the distribution there is a small test setup:
# run signer
./signer boot-f simple_test/test.boot [out-dir /tmp]
# or
make test
# This takes few minutes to run depending on your machine and the size
# of the key selected
# all output files will be stored in /tmp unless out-dir is specified
#
# Now we are ready to run named
cd ../named
./named -p 12345 -b /tmp/test.boot.save [-d x]
#
# you can now check for data in the data base
# using the new dig.
#
cd ../tools
./dig @yourhost snore.foo.bar. any in -p 12345
#
# Output from new dig will be something like this
#
; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
;; QUESTIONS:
;; snore.foo.bar, type = ANY, class = IN
;; ANSWERS:
snore.foo.bar. 259200 A 10.17.3.20
snore.foo.bar. 259200 SIG A (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
) ; END Signature
snore.foo.bar. 259200 MX 96 who.foo.bar.
snore.foo.bar. 259200 MX 100 foo.bar.
snore.foo.bar. 259200 MX 120 xxx.foo.bar.
snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
snore.foo.bar. 259200 MX 140 bozo.foo.bar.
snore.foo.bar. 259200 SIG MX (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
) ; END Signature
snore.foo.bar. 259200 NXT xxx.foo.bar.
snore.foo.bar. 259200 SIG NXT (
1 3; alg labels
259200 ; TTL
19950506200636 ; Signature expiration
19950406200659 ; time signed
47437 ; Key foot print
foo.bar. ; Signers name
eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
) ; END Signature
;; Total query time: 195 msec
;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
;; WHEN: Thu Apr 6 16:20:32 1995
;; MSG SIZE sent: 31 rcvd: 662