HP-UX IP Address and Client Management Administrator's Guide (October 2009)
zone "div.inc.com" {
    type master;
    file "db.div";
    allow-transfer { key venus-moon.div.inc.com.; };
};
venus.div.inc.com also signs the zone transfer that allows moon.div.inc.com to verify
it. For more information on the dnssec-keygen program, type man 1 dnssec-keygen at
the HP-UX prompt.
The -k and -y options of the nsupdate program provide the shared secret required to
generate the TSIG record that authenticates a dynamic DNS update request. For more information
on the -k and -y options, type man 1M nsupdate at the HP-UX prompt.
DNSSEC – A DNS Security Extension
Authentication of DNS information in a zone is possible through the DNS Security (DNSSEC)
extensions defined in RFC 2535 (Domain Name System Security Extensions). BIND provides
several tools to set up a DNSSEC secure zone.
The administrators of the parent zone and the child zone must communicate to exchange
keys and signatures. For a DNSSEC-capable resolver to trust a zone's data, the parent zone must
indicate that zone's security status. For other servers to trust the data in this zone, they must either
be statically configured with this zone's zone key or with the zone key of another zone above this
one in the DNS tree.
Validation of wildcard records in secure zones is not fully supported. In particular, a "name
does not exist" response validates successfully even if it does not contain the NXT records
needed to prove the existence of a matching wildcard.
You must generate the key files using the dnssec-keygen program. See “Creating a Keyset”
(page 90) for a description of how to generate these key files.
NOTE: To use the DNSSEC public-key cryptography functionality, the OpenSSL library must
be installed. However, named continues to run without the OpenSSL library.
The OpenSSL libraries are available as part of the core operating system.
Creating a Keyset
Use the /usr/bin/dnssec-makekeyset program to create a keyset from one or more keys.
A sample command that invokes dnssec-makekeyset for the key Kexample.com.+003+26160
(generated by the dnssec-keygen program) follows:
# /usr/bin/dnssec-makekeyset -t 86400 -s 20007011200000 -e +2592000 Kexample.com.+003+26160
The output of this command is a file named example.com.keyset, containing a SIG and a KEY
record for the zone example.com.
The option -t is used to specify the TTL value that is assigned to the assembled KEY and SIG
records in the output file. The options -s and -e are used to indicate the start time and the end
time or expiry date for the SIG records, respectively.
For a detailed description of the options, type man 1 dnssec-makekeyset at the HP-UX
prompt.
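The -s and -e arguments are easy to get wrong, so the following Python helper, added here and not part of the HP-UX BIND toolset, computes the SIG validity window from arguments in the forms the dnssec-makekeyset manual page documents (absolute YYYYMMDDHHMMSS in UTC, +N seconds relative to the start time for -e or to the current time for -s, and now+N). The refusal of a window shorter than the -t TTL is an added sanity rule, not a check the tool itself enforces.

```python
"""Check dnssec-makekeyset -s/-e/-t arguments before building a keyset.

Added example; it does not call the HP-UX tools and assumes the argument
forms documented for dnssec-makekeyset (YYYYMMDDHHMMSS, +N, now+N).
"""
import re
from datetime import datetime, timedelta, timezone

ABS_RE = re.compile(r"^\d{14}$")  # YYYYMMDDHHMMSS


def parse_time(spec, relative_to, now):
    """Turn one -s/-e argument into an aware UTC datetime.

    spec         the option value as typed on the command line
    relative_to  what a bare "+N" counts from (now for -s, inception for -e)
    now          the current time, passed in so results are reproducible
    Raises ValueError for any other shape, including impossible dates.
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return relative_to + timedelta(seconds=int(spec[1:]))
    if not ABS_RE.match(spec):
        raise ValueError(f"not YYYYMMDDHHMMSS, +N or now+N: {spec!r}")
    # strptime rejects impossible fields such as month 13 or day 32
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def sig_window(start_spec, end_spec, ttl, now=None):
    """Return (inception, expiration) for the SIG records.

    Rejects an empty or inverted window and, as an added rule, a window
    shorter than the TTL given to -t: a resolver may cache the SIG for a
    full TTL, so a shorter validity would let cached signatures outlive
    the period in which they verify.
    """
    now = now or datetime.now(timezone.utc)
    inception = parse_time(start_spec, relative_to=now, now=now)
    expiration = parse_time(end_spec, relative_to=inception, now=now)
    if expiration <= inception:
        raise ValueError("expiration is not after inception")
    if (expiration - inception).total_seconds() < ttl:
        raise ValueError(f"validity window shorter than TTL {ttl}s")
    return inception, expiration


if __name__ == "__main__":
    # constructed sample: absolute start, 30-day relative expiry, one-day TTL
    print(sig_window("20070112000000", "+2592000", 86400))
```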
Signing the Child’s Keyset
Use the /usr/bin/dnssec-signkey program to sign a keyset for a child zone. To sign a keyset
for a child zone example.com, type the following at the HP-UX prompt:
# /usr/bin/dnssec-signkey example.com.keyset Kcom.+003+51944
90 Configuring and Administering the BIND Name Service