HP-UX IP Address and Client Management Administrator's Guide (October 2009)
The output of this command is a file named example.com.signedkey, which contains the
keys for the domain example.com signed by the com zone’s zone key.
Signing the Zone
Use the /usr/bin/dnssec-signzone program to sign a zone.
A sample command that invokes dnssec-signzone to sign the zone example.com follows:
# /usr/bin/dnssec-signzone example.com Kexample.com.+003+26160
Kexample.com.+003+26160 is the key identifier generated by the dnssec-keygen program.
dnssec-signzone creates a file named example.com.signed, the signed version of the
example.com zone. Now you can reference this file in a zone statement in /etc/named.conf
so that it can be loaded by the nameserver.
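Before the signed file is referenced from /etc/named.conf, it is worth confirming that dnssec-signzone actually wrote the DNSKEY and RRSIG records a signed zone must carry. The script below is an added example, not taken from the HP-UX guide or the BIND distribution; the function names and the sample zone contents are this example's own, and the algorithm number 3 and key tag 26160 follow the key identifier Kexample.com.+003+26160 shown above.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): sanity-check a zone file written by
# dnssec-signzone before it is loaded by named. Assumes the file is in standard
# master-file text format with one record per line, as in the constructed
# sample below; the helper names are this example's own.

# check_signed_zone FILE [KEYTAG]
# Reports what is missing; exit status 0 when the file looks signed, 1 otherwise.
check_signed_zone() {
    file=$1
    keytag=$2
    status=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 1
    fi
    # A signed zone publishes its public keys as DNSKEY records at the apex.
    if ! grep -Eq '[[:space:]]DNSKEY[[:space:]]' "$file"; then
        echo "no DNSKEY records in $file"
        status=1
    fi
    # Every RRset in a signed zone, the SOA included, must carry an RRSIG.
    if ! grep -Eq '[[:space:]]RRSIG[[:space:]]+SOA[[:space:]]' "$file"; then
        echo "no RRSIG covering the SOA in $file"
        status=1
    fi
    # When a key tag is given, the SOA signature must have been made with that key
    # (the key tag is the field just before the signer name in an RRSIG record).
    if [ -n "$keytag" ] && \
       ! grep -E '[[:space:]]RRSIG[[:space:]]+SOA[[:space:]]' "$file" |
         grep -Eq "[[:space:]]$keytag[[:space:]]"; then
        echo "SOA is not signed with key tag $keytag"
        status=1
    fi
    return $status
}

# Constructed sample in the layout dnssec-signzone produces; key and signature
# data are placeholders, algorithm 3 and key tag 26160 match the key id above.
write_sample_signed_zone() {
    cat > "$1" <<'EOF'
example.com.  3600  IN  SOA     ns1.example.com. hostmaster.example.com. 2009100101 3600 900 604800 300
example.com.  3600  IN  RRSIG   SOA 3 2 3600 20091101000000 20091002000000 26160 example.com. EXAMPLE-SIGNATURE
example.com.  3600  IN  DNSKEY  256 3 3 EXAMPLE-PUBLIC-KEY
example.com.  3600  IN  RRSIG   DNSKEY 3 2 3600 20091101000000 20091002000000 26160 example.com. EXAMPLE-SIGNATURE
EOF
}
```

Run it as `check_signed_zone example.com.signed 26160` after the dnssec-signzone step; a non-zero exit means the file should not yet be referenced in the zone statement.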
Configuring Servers
In contrast to BIND 8.1.2, BIND 9.2.0 does not verify data on load. Hence, you need not specify
the zone keys for the authoritative zones in the configuration file. The public key for any security
root must exist in the configuration file’s trusted-keys statement.
Compartmentalizing BIND
The UNIX operating system has traditionally used a single compartment model. The relatively
free access in traditional single compartment systems can lead to problems with malicious
software or with compromised programs. Intruders can gain considerable access to the system
if they discover a method to exploit the daemon process. If the daemon process runs with an
effective UID of 0 while being exploited, this can translate to complete system access. With the
use of compartments, you can limit access to only what the process needs. This reduces the
amount of damage malicious or exploited programs can cause to the system.
You can create one or more ASCII files in the /etc/cmpt directory to define compartments.
However, only file names ending with .rules are parsed for compartment definitions. When
the system boots up, the compartment configuration is read from the files in the /etc/cmpt
directory. The /etc/cmpt/*.rules files define compartments and compartment access rules
for local system objects. System objects with compartment access controls defined include file
system objects, inter-process communication objects, and network objects. For more information
on compartments, enter man 5 compartments or man 4 compartments at the HP-UX
prompt.
NOTE: The HP-UX Security Containment product is available in the core HP-UX operating
system.
Enabling Compartments in BIND
To enable compartments in BIND, complete the following steps:
1. Copy the sample /usr/examples/bind/named.rules file to the /etc/cmpts directory
on the system where you want to run BIND in compartments.
2. To check the rule files, enter the following command at the HP-UX prompt:
# setrules -p
This command previews the setting of rules and parses the rule files. It checks for syntax
and semantic errors, but does not correct them. Resolve any errors in the
/etc/cmpts/named.rules file.
3. To enable compartments, enter the following command at the HP-UX prompt:
# cmpt_tune -e -r