HP-UX IP Address and Client Management Administrator's Guide HP-UX 11i v2, HP-UX 11i v3
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum ttl of 1 day
IN NS rabbit.div.inc.com.
IN NS denny.dept.inc.com.
IN NS sally.dept.inc.com.
rabbit.div.inc.com. 86400 IN A 15.19.8.119
denny.dept.inc.com. 86400 IN A 15.19.15.33
sally.dept.inc.com. 86400 IN A 15.19.9.17
;
; set ttl to 3 days
;
inc.com. 259200 IN NS eduardo.inc.com.
259200 IN NS labs.inc.com.
15.in-addr.arpa. 259200 IN NS eduardo.inc.com.
259200 IN NS labs.inc.com.
eduardo.inc.com. 259200 IN A 15.19.11.2
labs.inc.com. 259200 IN A 15.19.13.7
BIND Logging System
The BIND logging system provides control over how the server logs events. The logging system
is configured using the logging statement in the /etc/named.conf file.
You can do the following using the logging system:
• Limit incoming messages to a given severity level.
• Place a limit on the size of the logging file.
• Manage multiple versions for the logging file (to maintain historic data).
• Direct the logging messages to any of the syslog facilities.
• Specify where messages belonging to specific categories are logged.
See the section “The logging Statement” (page 27) for more information on how to use the
logging statement.
The logging mechanism is established only after the entire configuration file is parsed, so
errors in the configuration file itself cannot be reported through the channels it defines. When
you start named with the -g option, log messages about configuration file syntax errors are
written to stderr.
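The following logging statement is an added example of the capabilities listed above; it is not taken from this guide or from a shipped HP-UX configuration, and the log file path, channel names and size values are assumptions chosen for illustration. It caps the file size, keeps three rotated versions, filters by severity, sends one channel to the syslog daemon facility, and routes the security and zone-transfer categories to the dedicated file.

```conf
logging {
    ; assumed path: the directory must exist and be writable by the named user
    channel security_log {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;          ; drop messages below info
        print-time yes;         ; timestamp each entry
        print-category yes;
        print-severity yes;
    };
    channel syslog_daemon {
        syslog daemon;          ; hand messages to the syslog "daemon" facility
        severity warning;       ; only warning and above go to syslog
    };
    ; refused queries, transfers and updates are the events worth keeping
    category security { security_log; syslog_daemon; };
    category xfer-in  { security_log; };
    category xfer-out { security_log; };
    category default  { syslog_daemon; };
};
```

Because BIND applies this statement only after the whole file has parsed, test a changed /etc/named.conf with named-checkconf (or start named with -g and watch stderr) before restarting the production server; otherwise a syntax error leaves no trace in the channels above.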
BIND Security
This section discusses the security mechanisms implemented in BIND to secure DNS messages
and name servers. It discusses the following topics:
• “TSIG-Based Security” (page 85)
• “DNSSEC – A DNS Security Extension” (page 87)
TSIG-Based Security
Transaction signature (TSIG) is a mechanism used to secure DNS messages and to provide
secure server-to-server communication. This includes zone transfer, notify, and recursive query
messages. TSIG uses shared secrets and a one-way hash function to authenticate DNS messages,
particularly responses and updates.
TSIG is simple to configure, lightweight for resolvers and name servers to use, and flexible
enough to secure both DNS messages and dynamic updates. When you configure TSIG, a name
server adds a TSIG record to the additional data section of each DNS message. A valid TSIG
record demonstrates two things to the receiver: that the sender holds the cryptographic key
shared with the receiver, and that the message was not modified after it left the sender.
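The named.conf fragments below are an added example of putting TSIG to work for zone transfers and dynamic updates; they are not taken from this guide. The key name, file names, zone name and the secret placeholder are assumptions, and the addresses reuse the hosts from the zone file earlier in this chapter. The algorithm name assumes a BIND version that supports hmac-sha256 (BIND 9.4 and later); on older releases the only TSIG algorithm is hmac-md5.

```conf
; --- weak form: trust is based on the source address alone ---
; a forged packet from 15.19.15.33 can pull the zone or push an update
zone "dept.inc.com" {
    type master;
    file "db.dept.inc.com";
    allow-transfer { 15.19.15.33; };
    allow-update   { 15.19.15.33; };
};

; --- hardened form: every transfer and update must carry a valid TSIG ---
; same secret on both servers; generate it with dnssec-keygen or tsig-keygen
; and keep named.conf readable only by root and the named user
key "dept-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   ; placeholder, not a real key
};

; on the master (denny.dept.inc.com, 15.19.15.33 is the slave)
zone "dept.inc.com" {
    type master;
    file "db.dept.inc.com";
    allow-transfer { key dept-xfer-key; };
    allow-update   { key dept-xfer-key; };
};

; on the slave: sign everything sent to the master with the shared key
server 15.19.8.119 {
    keys { dept-xfer-key; };
};
zone "dept.inc.com" {
    type slave;
    file "db.dept.inc.com.bak";
    masters { 15.19.8.119; };
};
```

With the hardened form, a transfer or update whose TSIG record does not verify is refused and logged in the security category, so the HMAC does both the authentication and the tamper detection described above: a receiver that recomputes the hash over the message with the shared secret gets a different value from the one in the TSIG record if either the key or any byte of the message differs. Clock skew between the two servers must stay within the TSIG fudge window (300 seconds by default), or valid messages will also be rejected.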
One-Way Hash Function
TSIG uses a one-way hash function to provide authentication and data integrity. A one-way hash
function, or cryptographic checksum, computes a fixed-size hash value from an arbitrarily
large input. Each bit of the hash value depends on every bit of the input. A minor change to an input
BIND Logging System 85