HP-UX IP Address and Client Management Administrator's Guide HP-UX 11i v2, HP-UX 11i v3
The nsupdate program, with the -k and -y options, provides the shared secret required to
generate the TSIG record for authenticating a dynamic DNS update request. For more information
on the -k and -y options, type man 1M nsupdate at the HP-UX prompt.
DNSSEC – A DNS Security Extension
Authentication of DNS information in a zone is possible through the DNS Security (DNSSEC)
extensions defined in RFC 2535 (Domain Name System Security Extensions). BIND provides
several tools to set up a DNSSEC secure zone.
There must be communication with administrators of the parent and the child zone to transmit
keys and signatures. For a DNSSEC-capable resolver to trust a zone's data, the parent zone must
indicate that zone's security status. For other servers to trust data in this zone, they must be
statically configured either with this zone's zone key or with the zone key of another zone above
this one in the DNS tree.
Validation of wildcard records in secure zones is not fully supported. In particular, a "name
does not exist" response validates successfully even if it does not contain the NXT records
needed to prove the existence of a matching wildcard.
You must generate the key files using the dnssec-keygen program. See “Creating a Keyset”
(page 87) for a description of how to generate these key files.
NOTE: To use the DNSSEC public key cryptography functionality, the OpenSSL library must
be installed. However, named continues to run without the OpenSSL library.
The OpenSSL libraries are available as part of the core operating system.
Creating a Keyset
Use the /usr/bin/dnssec-makekeyset program to create a keyset from one or more keys.
A sample directive to invoke dnssec-makekeyset for the key Kexample.com.+003+26160
(generated by the dnssec-keygen program) follows:
# /usr/bin/dnssec-makekeyset -t 86400 -s 20007011200000 -e +2592000 Kexample.com.+003+26160
The output of this command is a file named example.com.keyset, containing a SIG and KEY
record for the zone example.com.
The -t option specifies the TTL value assigned to the assembled KEY and SIG records in the
output file. The -s and -e options specify the start time and the end time (expiry date) of the
SIG records, respectively.
For a detailed description of the options, type man 1 dnssec-makekeyset at the HP-UX
prompt.
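As an added example (not from this guide or from BIND's own tools), the following Python script parses a dnssec-keygen file name such as Kexample.com.+003+26160 into its owner name, algorithm number and key ID, and recomputes the key ID (key tag) from a KEY record's RDATA using the checksum in RFC 2535 Appendix C, so an administrator can check that the key file passed to dnssec-makekeyset matches the KEY record it is expected to contain. The KEY RDATA used here is constructed for illustration; its public key field is a placeholder, not a real DSA key.

```python
import re
from typing import NamedTuple

# Algorithm numbers from RFC 2535 section 3.2 (and RFC 3110 for RSA/SHA-1)
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSA/SHA-1"}

# dnssec-keygen names key files K<owner>+<alg>+<keyid>, optionally with .key/.private
KEYFILE_RE = re.compile(
    r"^K(?P<owner>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?:key|private))?$")

class KeyName(NamedTuple):
    owner: str
    algorithm: int
    key_tag: int

def parse_keyfile_name(name: str) -> KeyName:
    """Split a dnssec-keygen file name into owner, algorithm number and key ID."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError(f"not a dnssec-keygen key file name: {name!r}")
    owner = m.group("owner")
    if not owner.endswith("."):
        owner += "."  # dnssec-keygen writes the owner as an absolute name
    return KeyName(owner, int(m.group("alg")), int(m.group("tag")))

def build_key_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """KEY RDATA wire format: 16-bit flags, protocol octet, algorithm octet, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag of a KEY record (RFC 2535 Appendix C; same rule as RFC 4034 Appendix B)."""
    if rdata[3] == 1:
        # RSA/MD5 is the exception: the tag is the 4th- and 3rd-to-last octets of the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are high octets, odd are low
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

def keyfile_matches_rdata(name: str, rdata: bytes) -> bool:
    """True when the file name's algorithm and key ID agree with the KEY RDATA."""
    parsed = parse_keyfile_name(name)
    return parsed.algorithm == rdata[3] and parsed.key_tag == key_tag(rdata)

# Constructed sample: zone-key flag (0x0100), protocol 3 (DNSSEC), algorithm 3 (DSA),
# and a 4-byte placeholder public key; a real DSA public key is far longer.
SAMPLE_RDATA = build_key_rdata(0x0100, 3, 3, bytes([0x00, 0x01, 0x02, 0x03]))

if __name__ == "__main__":
    k = parse_keyfile_name("Kexample.com.+003+26160")
    print(k, ALGORITHMS.get(k.algorithm, "unknown"))
    print("key tag of constructed KEY record:", key_tag(SAMPLE_RDATA))
```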
Signing the Child’s Keyset
Use the /usr/bin/dnssec-signkey program to sign a keyset for a child zone. To sign a keyset
for the child zone example.com, type the following at the HP-UX prompt:
# /usr/bin/dnssec-signkey example.com.keyset Kcom.+003+51944
The output of this command is a file named example.com.signedkey, which contains the
keys for the domain example.com signed by the com zone’s zone key.
Signing the Zone
Use the /usr/bin/dnssec-signzone program to sign a zone.
A sample directive to invoke dnssec-signzone to sign the zone example.com follows:
BIND Security 87