HP-UX IP Address and Client Management Administrator's Guide HP-UX 11i v2, HP-UX 11i v3

# /usr/bin/dnssec-signzone example.com Kexample.com.+003+26160
Kexample.com.+003+26160 is the key identifier that the dnssec-keygen program generated (a leading
K, the zone name, the algorithm number, and the key tag). dnssec-signzone creates a file named
example.com.signed, the signed version of the example.com zone. Reference this file in a zone
statement in /etc/named.conf so that the nameserver loads the signed zone instead of the
unsigned one.
Configuring Servers
Unlike BIND 8.1.2, BIND 9.2.0 does not verify signatures on zone data when it loads a zone. Hence
you need not list the zone keys for the authoritative zones in the configuration file. The public
key for each security root, however, must be present in the configuration file's trusted-keys
statement.
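The signing step and the two named.conf statements described above, as an added shell example that is not part of the HP-UX guide. It uses the zone file name example.com and the key pair Kexample.com.+003+26160 from the text; the zone directory /etc/named.data, the use of named-checkzone as an extra check, and the trusted-keys values are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: sign a zone, check the result,
# and print the named.conf statements that reference it.
# Assumptions: the zone directory and the placeholder trusted-keys values.

ZONEDIR=/etc/named.data            # assumed directory that holds the zone files
ZONE=example.com                   # zone file name, as in the guide's example
KEY=Kexample.com.+003+26160        # key pair previously created by dnssec-keygen

# dnssec-signzone writes its output next to the input as <zonefile>.signed.
signed_name() {
    printf '%s.signed\n' "$1"
}

# Split a dnssec-keygen identifier K<zone>.+<alg>+<tag> into its fields.
# Prints "<zone> <alg> <tag>" so the caller can cross-check the key files.
key_fields() {
    name=${1#K}                    # drop the leading K
    zone=${name%%+*}               # up to the first '+'
    rest=${name#*+}
    alg=${rest%%+*}
    tag=${rest#*+}
    printf '%s %s %s\n' "$zone" "$alg" "$tag"
}

# zone statement that loads the signed file instead of the unsigned one.
zone_stmt() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# trusted-keys statement for a security root.  Arguments: name flags protocol
# algorithm base64-key.  BIND 9 does not verify data on load, so this is only
# needed for security roots, not for zones this server is authoritative for.
trusted_keys_stmt() {
    printf 'trusted-keys {\n    "%s" %s %s %s "%s";\n};\n' "$1" "$2" "$3" "$4" "$5"
}

# The signing run itself happens only where the BIND 9 tools are installed.
if command -v dnssec-signzone >/dev/null 2>&1; then
    cd "$ZONEDIR" || exit 1
    [ -f "$KEY.private" ] || { echo "missing $KEY.private" >&2; exit 1; }
    /usr/bin/dnssec-signzone "$ZONE" "$KEY" || exit 1
    # Parse the signed zone before telling named about it (named-checkzone
    # is assumed to be installed alongside BIND 9).
    named-checkzone "$ZONE" "$(signed_name "$ZONE")" || exit 1
    echo "Add to /etc/named.conf:"
    zone_stmt "$ZONE" "$ZONEDIR/$(signed_name "$ZONE")"
    # Placeholder key data: paste the real root's public key from its K*.key file.
    trusted_keys_stmt "." 256 3 3 "AQ...base64-public-key..."
fi
```

The signing commands run only when dnssec-signzone is on the path, so the helper functions can be sourced and checked on any host; the trusted-keys line is for a security root and is not needed for example.com itself, since this server is authoritative for it.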
Compartmentalizing BIND
The UNIX operating system has traditionally used a single compartment model, in which every
process shares the same view of the system. This relatively free access makes malicious or
compromised programs hard to contain: an intruder who finds a way to exploit a daemon process
gains whatever access that daemon has, and if the daemon runs with an effective UID of 0 while
being exploited, this can translate to complete system access. With compartments you can
restrict each process to only the files, IPC objects, and network endpoints it needs, which
limits the damage a malicious or exploited program can cause to the system.
You define compartments in one or more ASCII files in the /etc/cmpt directory. Only files whose
names end with .rules are parsed for compartment definitions. When the system boots, the
compartment configuration is read from the /etc/cmpt/*.rules files, which define compartments
and the compartment access rules for local system objects. The system objects that carry
compartment access controls include file system objects, inter-process communication objects,
and network objects. For more information on compartments, enter man 5 compartments or
man 4 compartments at the HP-UX prompt.
NOTE: The HP-UX Security Containment product is available in the core HP-UX operating
system.
Enabling Compartments in BIND
To enable compartments in BIND, complete the following steps:
1. Copy the sample /usr/examples/bind/named.rules file to the /etc/cmpt directory on the
system where you want to run BIND in compartments. Only files in /etc/cmpt whose names end
with .rules are parsed, so keep the .rules suffix.
2. To check the rule files, enter the following command at the HP-UX prompt:
# setrules -p
This command previews the setting of rules and parses the rule files. It reports syntax and
semantic errors but does not correct them. Resolve any errors in the /etc/cmpt/named.rules
file before continuing.
3. To enable compartments, enter the following command at the HP-UX prompt:
# cmpt_tune -e -r
The -r option reboots the system after the feature is enabled. If you omit -r, you must reboot
the system manually. During the reboot, the rules are set automatically; you need not enter
the setrules command to set the rules.
4. To set the compartment for named, enter the following command at the HP-UX prompt:
# setfilexsec -c name /usr/sbin/named
where name is the compartment defined in the /etc/cmpt/named.rules file. This command records
the compartment as an extended security attribute of the /usr/sbin/named binary, so that named
is placed in that compartment whenever it is started. It does not start named itself; restart
the nameserver for the setting to take effect.
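The four steps above as one script, split into a phase before and a phase after the reboot. This is an added example, not code from the HP-UX guide or the Security Containment product. It assumes the compartment in the sample file is called named, and that getfilexsec, getrules and cmpt_tune -q are available to confirm the result; adjust the names to match your named.rules.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: enable Security Containment for
# BIND in two phases (before and after the reboot) and verify each step.
# Assumptions: the compartment name "named" and the verification commands.

CMPT_DIR=/etc/cmpt                       # only *.rules files here are parsed
RULES=named.rules
SAMPLE=/usr/examples/bind/$RULES
NAMED=/usr/sbin/named
CMPT=named                               # assumed name of the compartment in named.rules

# Return success only for a file name the boot-time parser would read.
is_rules_name() {
    case "$1" in
        *.rules) return 0 ;;
        *)       return 1 ;;
    esac
}

# List the rules files that will actually be parsed in a directory.  A copy
# saved as named.rules.bak or named_rules is silently ignored by the system.
active_rules_files() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Phase 1 (steps 1-3): install the rules, preview them, enable the feature.
prepare_compartments() {
    is_rules_name "$RULES" || { echo "$RULES would not be parsed" >&2; return 1; }
    cp "$SAMPLE" "$CMPT_DIR/$RULES" || return 1
    echo "rules files that will be read from $CMPT_DIR:"
    active_rules_files "$CMPT_DIR"
    # -p parses and reports errors without applying anything; stop on any error.
    setrules -p || { echo "fix $CMPT_DIR/$RULES before enabling" >&2; return 1; }
    # Enable without -r so the administrator chooses when to reboot.
    cmpt_tune -e || return 1
    echo "compartments enabled; reboot, then run: $0 confine"
}

# Phase 2 (step 4, after the reboot): bind named to its compartment and check.
confine_named() {
    cmpt_tune -q                             # assumed: shows whether the feature is on
    setfilexsec -c "$CMPT" "$NAMED" || return 1
    getfilexsec "$NAMED"                     # assumed: shows the compartment attribute
    getrules | grep -i "$CMPT" || echo "no rules mention $CMPT" >&2
    echo "restart named so it starts inside the $CMPT compartment"
}

case "$1" in
    prepare) command -v setrules >/dev/null 2>&1 || exit 1; prepare_compartments ;;
    confine) command -v setfilexsec >/dev/null 2>&1 || exit 1; confine_named ;;
    *)       echo "usage: $0 prepare|confine" ;;
esac
```

Run it as `prepare` before the reboot and `confine` afterwards. The active_rules_files check exists because the system reads only names ending in .rules: a file that was renamed while editing will not be loaded, and named would then start outside any compartment without an error being reported.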