From bf49e5ccacdd56fe3c641c2583bfc66198c172a4 Mon Sep 17 00:00:00 2001
From: Peter Wemm
Date: Tue, 30 Nov 1999 03:41:17 +0000
Subject: [PATCH] Files gone from 8.2.2.p5

---
 contrib/bind/doc/secure/copyright.txt |  28 ----
 contrib/bind/doc/secure/install.txt   | 155 -------------------
 contrib/bind/doc/secure/readme.txt    |  93 ----------
 contrib/bind/doc/secure/usage.txt     | 215 --------------------------
 4 files changed, 491 deletions(-)
 delete mode 100644 contrib/bind/doc/secure/copyright.txt
 delete mode 100644 contrib/bind/doc/secure/install.txt
 delete mode 100644 contrib/bind/doc/secure/readme.txt
 delete mode 100644 contrib/bind/doc/secure/usage.txt

diff --git a/contrib/bind/doc/secure/copyright.txt b/contrib/bind/doc/secure/copyright.txt
deleted file mode 100644
index cc3835608906..000000000000
--- a/contrib/bind/doc/secure/copyright.txt
+++ /dev/null
@@ -1,28 +0,0 @@ -/* - * Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION - * SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - * - * Trusted Information Systems, Inc. has received approval from the - * United States Government for export and reexport of TIS/DNSSEC - * software from the United States of America under the provisions of - * the Export Administration Regulations (EAR) General Software Note - * (GSN) license exception for mass market software. Under the - * provisions of this license, this software may be exported or - * reexported to all destinations except for the embargoed countries of - * Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export - * or reexport of TIS/DNSSEC software to the embargoed countries - * requires additional, specific licensing approval from the United - * States Government. - */ diff --git a/contrib/bind/doc/secure/install.txt b/contrib/bind/doc/secure/install.txt deleted file mode 100644 index bb5bc94c211d..000000000000 --- a/contrib/bind/doc/secure/install.txt +++ /dev/null 
@@ -1,155 +0,0 @@ - -INSTALL_SEC - - Bind with Secure DNS (TIS/DNSSEC) - Version 1.3.0 Beta - September 1996 - -This version has been compiled and tested on SUNOS 4.1.3, -FreeBSD-2.1.5-REL and Linux 2.0.11. -There may be still be portability problems. -If you have access to other hardware platforms please let us know if -there are any problems porting and send us patches, to include in -future releases. - -This version of secure Bind uses RSAREF-2.0 library from RSA, -First you should get/read the RSAREF FAQ - http://www.consensus.com/rsaref-faq.html -Then you can copy RSAREF from - ftp://ftp.rsa.com/rsaref/README - -You need to read this README file carefully for further instructions. - -Installation: (this version is based on 4.9.4-REL-P1). - -1. The tar ball will create a directory sec_bind in the current directory - untar the archive - The content of the sec_bind directory has the same directory - structure as bind distribution with the addition of the directories - dnssec_lib/ and signer/, some named directories have been - deleted from the distribution. - - dnssec_lib/ contains the library files for signature generation - signer/ contains tools for signing bind boot files and - generating keys. - - In addition, there is a new file, "res/res_sign.c", which - contains library routines that are required in the resolver - for displaying new RR types. - - You need to tailor sec_bind/Makefile to your system as you do - with bind distributions. - - The sec_bind distribution expects to find RSAREF in the - rsaref/ subdirectory. If you install RSAREF in a different - place you can place a pointer to the RSAREF installation - directory in place of sec_bind/rsaref. - - sec_bind/Makefile expects to find the RSAREF library file - at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution - does not contain that directory. If you are installing RSAREF - for the first time create that directory copy the correct - Makefile from the appropriate rsaref/install/ subdirectory. 
- Sec_bind will compile RSAREF for you. - - We recommend that you use an ANSI C compliant compiler to - compile this distribution. - -2. Follow Bind installation guidelines on your system - - Set your normal configuration in conf/options.h with the - following exceptions/additions: - ROUND_ROBIN must be OFF (for right now) - DNS_SECURITY must be ON - RSAREF must be ON if you have a copy of RSAREF. - This version of sec_bind does not work well without RSAREF. - -3. make - If you are going to use make install everything will work right - out of the box. If you are going to run programs out of the - sec_bind directory you need to set the DESTEXEC variables - accordingly. - -4. Once everything compiles you can run the simple test that is include in - the distribution. - - First you need to edit the file signer/simple_test/test.boot to - set directory directive to the full path of the directory this - file is in. - - Now the signer program can be run to sign the simple_test data. - The signed zone will be written to /tmp - % cd sec_bind/signer - % make test - The passwords for the keys in the distribution are: - Key: Password: - foo.bar foo.bar - mobile.foo.bar mobile - fix.foo.bar fix.foo.bar - sub.foo.bar sub.foo.bar - some.bar some.bar - - Notice the differences between simple_test/test.boot and - /tmp/test.boot. The pubkey directive are required for correct - behavior of new named. - - To check the if named can read the new zone files and verify - the signatures run following commands - % cd ../named - % make test - - Exit/error code 66 indicates that program completed normally - in "load-only" mode (new -l flag). - - If you want to load up named run same command as make test does - without -l flag. (the -d 3 flag is to make sure the process - does not do a fork). - % ./named -p 12345 -b /tmp/test.boot -d 3 - - % cd ../tools - % ./dig @localhost snore.foo.bar. -p 12345 - This should return an A record + SIG(A) record - % ./dig @localhost no_such_name.foo.bar. 
-p 12345 - This should return a NXT record +SIG(NXT) for *.foo.bar. - - You can also test against our nameserver for zone sd-bogus.tis.com - the host is uranus.hq.tis.com(192.94.214.95) - % ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa - will return the SOA and SIG(SOA) + KEY - % ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb - will return NXT for sd-bogus.tis.com - % ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns - will NS +KEY for foo.sd-bog.tis.com. - -5. Converting your setup to secure DNS zones. - need to create a key for your zone. - If you have a copy of the last release of sec_bind the key file - format has changed and you need to regenerate all your keys, Sorry. - The new format for private key files is portable between - different architectures and operating systems, the encryption - of the key file is compatible with the des program. - - To generate key use sec_bind/signer/key_gen. To generate zone key - for name you.bar, with 512 bit modulus and exponent of 3, - execute following command - - % cd signer - % ./key_gen -z -g 512 you.bar - - key_gen will ask for an encryption password for the private - key file, if you do not want to encrypt the key hit . - The program will output resource record suitable for zone file. - key_gen creates two files you.bar.priv and foo.bar.public. - - If you want, at any time, to display the public key for foo.bar - run key_gen without the -g flag or cat file foo.bar.public. - key_gen without any flags will print out the usage information. - key_gen has extensive error checking on flags. - - To modify the flags field for an existing key run key_gen with - the new flags but without the -g flag. - - Note: The key above is suitable for signing records but not for - encrypting data. - -6. Send problems, fixes and suggestions to dns-security@tis.com. diff --git a/contrib/bind/doc/secure/readme.txt b/contrib/bind/doc/secure/readme.txt deleted file mode 100644 index d7b422ab1caa..000000000000 
--- a/contrib/bind/doc/secure/readme.txt
+++ /dev/null
@@ -1,93 +0,0 @@ - - Secure DNS (TIS/DNSSEC) - September 1996 - -Copyright (C) 1995,1996 Trusted Information Systems, Incorporated - -Trusted Information Systems, Inc. has received approval from the -United States Government for export and reexport of TIS/DNSSEC -software from the United States of America under the provisions of -the Export Administration Regulations (EAR) General Software Note -(GSN) license exception for mass market software. Under the -provisions of this license, this software may be exported or -reexported to all destinations except for the embargoed countries of -Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export -or reexport of TIS/DNSSEC software to the embargoed countries -requires additional, specific licensing approval from the United -States Government. - -Trusted Information Systems, Inc., is pleased to -provide a reference implementation of the secure Domain Name System -(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide -the community with a usable, working version of this technology, -TIS/DNSSEC is being made available for broad use on the following basis. - -- Trusted Information Systems makes no representation about the - suitability of this software for any purpose. It is provided "as is" - without express or implied warranty. - -- TIS/DNSSEC is distributed in source code form, with all modules written - in the C programming language. It runs on many UNIX derived platforms - and is integrated with the Bind implementation of the DNS protocol. - -- This beta version of TIS/DNSSEC may be used, copied, and modified for - testing and evaluation purposes without fee during the beta test - period, provided that this notice appears in supporting documentation - and is retained in all software modules in which it appears. Any other - use requires specific, written prior permission from Trusted Information - Systems. 
- -TIS maintains the email distribution list dns-security@tis.com for -discussion of secure DNS. To join, send email to - dns-security-request@tis.com. - -TIS/DNSSEC technical questions and bug reports should be addressed to - dns-security@tis.com. - -To reach the maintainers of TIS/DNSSEC send mail to - tisdnssec-support@tis.com - -TIS/DNSSEC is a product of Trusted Information Systems, Inc. - -This is an beta version of Bind with secure DNS extensions it uses -RSAREF which you must obtain separately. - -Implemented and tested in this version: - Portable key storage format. - Improved authentication API - Support for using different authentication packages. - All Security RRs including KEY SIG, NXT, and support for wild cards - tool for generating KEYs - tool for signing RRs in boot files - verification of RRs on load - verification of RRs over the wire - transmission of SIG RRs - returns NXT when name and/or type does not exist - storage of NXT, KEY, and SIG RRs with CNAME RR - AD/ID bits added to header and setting of these bits - key storage and retrieval - dig and nslookup can display new header bits and RRs - AXFR signature RR - keyfile directive - $SIGNER directive (to turn on and off signing) - adding KEY to answers with NS or SOA - SOA sequence numbers are now set each time zone is signed - SIG AXFR ignores label count of names - generation and inclusion of .PARENT files - Returns only one NXT at delegation points unless two are required - Expired SIG records are now returned in response to query - -Implemented but not fully tested: - -Known bugs: - -Not implemented: - ROUND_ROBIN behaviour - zone transfer in SIG(AXFR) sort order. - transaction SIGs - verification in resolver. (stub resolvers must trust local servers - resolver library is to low level to implement security) - knowing when to trust the AD bit in responses - -Read files INSTALL_SEC and USAGE_SEC for installation and user -instructions, respectively. 
diff --git a/contrib/bind/doc/secure/usage.txt b/contrib/bind/doc/secure/usage.txt
deleted file mode 100644
index aa8eebc670aa..000000000000
--- a/contrib/bind/doc/secure/usage.txt
+++ /dev/null
@@ -1,215 +0,0 @@ - - USAGE_SEC - Secure DNS (TIS/DNSSEC) - September 1996 - -This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version -BETA-1.3. This looks like a standard named distribution, with -the following exceptions - - this version is coded against BIND-4.9.4-P1 - - there are three new directories in this distribution - dnssec_lib - signer - rsaref - - - rsaref/ is place holder directory for RSAREF distribution. - You must get RSAREF on your own. - - signer/ contains two applications needed by DNSSEC: - signer: tool to sign zones - key_gen: tool to generate keys - dnssec_lib/ contains common library routines that are used by - named, key_gen and signer. - This is where most of the DNSSEC work is done. - -Before compiling you need to do your standard configurations for named -and the edits explained in INSTALL_SEC. This version has been tested -on SUNOS4.1.3. This version includes portability fixes from previous -beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD. - -CHANGES TO BIND - -res/ - - There are minor changes to the files in the res directory. Most of - the changes have to do with displaying NXT - records. There are also some changes related to translating - domain names into uncompressed lower case names upon request. - -tools/ - Minor changes to recognize NXT records and display them. - -named/ - Added code to read and write new record types. - Added code to do signature validation on read. - Added code to return appropriate SIG records. - Added security flags to databuf and zoneinfo structures. - Names can now have CNAME record and security RR's. - Records are stored and transmitted in DNS SEC sort order. - -conf/ - - Turned off ROUND_ROBIN option and installed new sorting required - for signature verification. - -signer/ - NXT record generation. - Key generation - Signing of zones - Converting data records to format required for signatures. - -dnssec_lib/ - Interfacing with Crypto library. 
- Verifying signatures, - preparing data for signing and verification - -The role of .PARENT files: - -DNSSEC specification requires change who is authorative for certain -resource records. In order to support certification hierarchy each -zone KEY RR must be signed by parent zone. The parent signed KEY RR -must be distributed by the zone itself as it is the most authorative -for its own records. - -To facilitate this TIS/DNSSEC signer program creates a .PARENT -file for every name in a zone that has a NS record. This file contains -the KEY records stored under this name and -NXT record and corresponding SIG records. If no KEY record is found -for a name with a NS record a NULL-KEY record is generated to indicate -that the child is INSECURE. - -Each .PARENT file must be sent via an out of band mechanism to -the appropriate primary for the zone, for inclusion. signer program -adds an $INCLUDE .PARENT command at the end of each zone file, -if no file exists an warning message is printed. - -Potential PROBLEM: It is likely that the parent and child are on a -different signing schedule. If new .PARENT file is put on the -primary, due to the fact that the zone data changed but the SOA did -not, it may take a long time for new records to propagate to the -secondaries. This is only a problem if zone has added/deleted a KEY -or if the the signatures will expire in the near future. To overcome -this problem, resign your zone when any of above conditions is true. -DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future. - -TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of -zone data to secondaries, signer takes over the management of SOA -serial numbers. Each time signer signs a zone it sets the serial -number to a value reflecting the time the zone was signed, in standard -Unix time seconds since 1970/1/1 0:0:0 GMT. - -How to configure a secure zone. - Create a directory to contain your zone files. 
- Create a output directory for the signer output. - Put in a boot file that includes the files from that zone. - Create a KEY for the zone by running key_gen, Name the key . - - Run signer on your zone writing to the output directory . - Signer will rewrite the boot file to include new directive - "pubkey" of the key used to sign the file. If there where - any pubkey declarations in the input boot file they will be - deleted. - Signer generates files that correspond to the load files specified. - - In case of load file that $INCLUDEs another load file, signer will - merge them to the output file. - You will notice that the output files are significantly larger. - The output files will be in a different order than the input files, - all records are sorted into DNSSEC sort order. - NXT and SIG records have been added. - - If there are any NS records for a name other than the zone name of - each input file you will see messages that NULL KEY records - have been created, if this is not correct behavior, add - the correct KEY RRs. - For each domain name that has a NS record but is not a zone name - of load file you will see a file named .PARENT, - this file contains the KEY record for that name and an - NXT record + 2 SIG records. - This file needs to be sent to the nameserver that is primary for that - zone. There are two reasons for this: - 1. To support Certification Hierarchy, each zone key is - signed by the parent zone key. - 2. Zone is the most trustworthy source for itself unless - these records are loaded into the primary server for - the zone, the records may not get propagated. 
- -how to run SEC_NAMED: - -Included in the distribution there is a small test setup: - -# run signer -./signer boot-f simple_test/test.boot [out-dir /tmp] -# or -make test -# This takes few minutes to run depending on your machine and the size -# of the key selected -# all output files will be stored in /tmp unless out-dir is specified - -# -# Now we are ready to run named -cd ../named -./named -p 12345 -b /tmp/test.boot.save [-d x] - -# -# you can now check for data in the data base -# using the new dig. -# -cd ../tools -./dig @yourhost snore.foo.bar. any in -p 12345 - -# -# Output from new dig will be something like this -# -; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p -; (1 server found) -;; res options: init recurs defnam dnsrch -;; got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 -;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1 -;; QUESTIONS: -;; snore.foo.bar, type = ANY, class = IN - -;; ANSWERS: -snore.foo.bar. 259200 A 10.17.3.20 -snore.foo.bar. 259200 SIG A ( - 1 3; alg labels - 259200 ; TTL - 19950506200636 ; Signature expiration - 19950406200659 ; time signed - 47437 ; Key foot print - foo.bar. ; Signers name - FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0= - ) ; END Signature -snore.foo.bar. 259200 MX 96 who.foo.bar. -snore.foo.bar. 259200 MX 100 foo.bar. -snore.foo.bar. 259200 MX 120 xxx.foo.bar. -snore.foo.bar. 259200 MX 130 maGellan.foo.bar. -snore.foo.bar. 259200 MX 140 bozo.foo.bar. -snore.foo.bar. 259200 SIG MX ( - 1 3; alg labels - 259200 ; TTL - 19950506200636 ; Signature expiration - 19950406200659 ; time signed - 47437 ; Key foot print - foo.bar. ; Signers name - EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8= - ) ; END Signature -snore.foo.bar. 259200 NXT xxx.foo.bar. -snore.foo.bar. 
259200 SIG NXT ( - 1 3; alg labels - 259200 ; TTL - 19950506200636 ; Signature expiration - 19950406200659 ; time signed - 47437 ; Key foot print - foo.bar. ; Signers name - eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE= - ) ; END Signature - -;; Total query time: 195 msec -;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1 -;; WHEN: Thu Apr 6 16:20:32 1995 -;; MSG SIZE sent: 31 rcvd: 662
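Review bot: on the copyright.txt hunk, deleting this file removes the only standalone copy of the Trusted Information Systems copyright and permission notice, and the readme.txt hunk in the same patch states that the notice must be "retained in all software modules in which it appears"; before the removal lands, confirm that nothing left under contrib/bind still carries TIS/DNSSEC-derived code, or keep the notice next to whatever does. The hunk also drops the 1996 US export-control paragraph, which is upstream text rather than a FreeBSD decision, so a sentence in the commit message saying the removal simply tracks the 8.2.2.p5 vendor import would make clear that no local licensing change is intended.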
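Review bot: on the install.txt hunk, the commit message "Files gone from 8.2.2.p5" does not say why these instructions no longer apply, and the hunk shows they describe TIS/DNSSEC Version 1.3.0 Beta built against 4.9.4-REL-P1 with RSAREF-2.0, a DNS_SECURITY switch in conf/options.h and a /tmp-based "make test", none of which matches the named in this import; one line noting that the TIS documentation is obsolete would save the next person who greps for INSTALL_SEC a detour. The deletion is also welcome from a hygiene standpoint, since the file shipped the passwords for the sample zone keys and directed testers at a specific TIS host, stale operational detail that has no place in a shipping tree.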
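Review bot: on the readme.txt hunk, this is the file that tells readers to "Read files INSTALL_SEC and USAGE_SEC", so removing all three together is the right grouping, but the diffstat shows that these four deletions leave contrib/bind/doc/secure with no files; check that no doc Makefile, index or top-level README still lists the directory or these file names, and remove the directory itself if the build references it. The hunk's "Not implemented" list (no verification in the resolver, stub resolvers having to trust local servers, no rule for when to trust the AD bit) is the kind of limitation readers should now get from the current BIND documentation rather than from a 1996 beta README, which is a further argument for recording the supersession in the commit message.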
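Review bot: on the usage.txt hunk, the removal is correct but worth a word of explanation, because the file documents behaviours an administrator might otherwise assume still hold here: signer rewriting the SOA serial to the Unix time of signing, .PARENT files carried to the parent's primary "via an out of band mechanism", and an $INCLUDE of .PARENT appended to each zone file; the commit message should say that the signer and key_gen tooling described is not part of the 8.2.2.p5 import, so nobody goes looking for it. Minor: the sample dig output in the hunk shows SIG records with a 1995 expiration, already long expired at the date of this commit, which confirms the file was dead documentation rather than something to carry forward.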