|
HP OpenVMS Systems Documentation |
|
>
Compaq TCP/IP Services for OpenVMS
|
| Previous | Contents |
Generates signed key sets for DNSSEC.
dnssec_makekeyset [-a] [-s start-time] [-e end-time] [-h] [-p] [-r randomfile] [-t ttl] [-v level] key...
The dnssec_makekeyset utility generates a key set from one or more keys created by the dnssec_keygen utility. It creates a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form KEYSET-name.DAT, where name is the zone name.
-a
Verifies all generated signatures.-s start-time
Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start time is specified, the current time is used.-e end-time
Specifies the date and time when the generated SIG records expire. An absolute end time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.-h
Displays a short summary of the options and arguments to the dnssec_makekeyset command.-p
Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option is useful when signing large zones or when the entropy source is limited.-r randomfile
Specifies the source of randomness. The default source of randomness is keyboard input. The argument randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
Note
When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.-t ttl
Specifies the time to live (TTL) value of the KEY and SIG records. The default is 3600 seconds.-v level
Sets the debugging level.key
Specifies the list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.aaa-iiiii, which was generated by the dnssec_keygen utility.
The following command generates a keyset containing the DSA key for example.com generated in the dnssec_keygen example.
| #1 |
|---|
$ dnssec_makekeyset -t 86400 -s 20000701120000 -e +2592000 -
_$ Kexample.com.003-26160
|
In this example, dnssec_makekeyset creates the file KEYSET-EXAMPLE_COM.DAT. This file contains the specified key and a self-generated signature.
The DNS administrator for example.com could send KEYSET-EXAMPLE_COM.DAT to the DNS administrator for .com for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and for exchanging the keys and signatures securely.
Signs keysets for DNSSEC.
dnssec_signkey [-a] [-c class] [-s start-time] [-e end-time] [-h] [-p] [-r randomfile] [-v level] keyset key...
The dnssec_signkey utility signs a keyset. The keyset, generated by the dnssec_makekeyset utility, is for a child zone. The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form SIGNEDKEY-name.DAT, where name is the zone name.
keyset
Specifies the file containing the child's keyset.key...
Specifies the keys used to sign the child's keyset.
-a
Verifies all generated signatures.-c class
Specifies the DNS class of the key sets.-s start-time
Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time is used.-e end-time
Specifies the date and time when the generated SIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.-h
Displays a short summary of the options and arguments to the dnssec_signkey command.-p
Use pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.-r randomfile
Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
Note
When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.-v level
Sets the debugging level.
The DNS administrator for a DNSSEC-aware .com zone would use the following command to sign the keyset file for example.com created by the dnssec_makekeyset utility with a key generated by the dnssec_keygen utility:
| #1 |
|---|
$ dnssec_signkey keyset-example.com. Kcom.003-51944
|
In this example, the dnssec_signkey utility creates the file SIGNEDKEY-EXAMPLE_COM.DAT, which contains the example.com keys and the signatures by the .com keys.
Signs a zone.
dnssec_signzone [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-h] [-i interval] [-n nthreads] [-o origin] [-p] [-r randomfile] [-t] [-v level] zonefile [key...]
The dnssec_signzone utility signs a zone. It generates NXT and SIG records and produces a signed version of the zone. If there is a signedkey file from the zone's parent, the parent's signatures are incorporated into the generated signed zone file. The security status of delegations from the signed zone (that is, whether or not the child zones are secure) is determined by the presence or absence of a signedkey file for each child zone.Before signing the zone, you must add the KEY record to the zone database file by using the $INCLUDE statement. For example, in the zone file example_com.db, add:
$INCLUDE Kexample_com.003-26160_KEY
zonefile
Specifies the file containing the zone to be signed.key
Specifies the keys used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.
-a
Verifies all generated signatures.-c class
Specifies the DNS class of the zone.-d directory
Looks for signedkey files in the specified directory.-s start-time
Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time is used.-e end-time
Specifies the date and time when the generated SIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.-f output-file
Specifies the name of the output file containing the signed zone. The default is to append _SIGNED to the input file name.-h
Displays a short summary of the options and arguments to the dnssec_signzone command.-i interval
When a previously signed zone is passed as input, records may be signed again. The interval option specifies the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.The default cycle interval is one quarter of the difference between the signature end and start times. Therefore, if neither the end time nor the start time is specified, the dnssec_signzone utility generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5 days, they are replaced.
-n nthreads
Specifies the number of threads to use. By default, one thread is started for each detected CPU.-o origin
Specifies the zone origin. If this option is not specified, the name of the zone file is assumed to be the origin.-p
Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option can be useful when signing large zones or when the entropy source is limited.-r randomfile
Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
Note
When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.-t
Displays statistics at completion.-v level
Sets the debugging level.
The following command signs the example.com zone with the DSA key generated by the dnssec_keygen utility. The zone's keys must be in the zone. If there are signedkey files associated with this zone or any child zones, they must be in the current directory.
| #1 |
|---|
dnssec_signzone -o example.com example_com.db Kexample_com.003-26160
|
In this example, dnssec_signzone creates the file EXAMPLE_COM.DB_SIGNED. This file should be referenced in a zone statement in the TCPIP$BIND.CONF file. This command displays the following:
example_com.db_signed
Controls the operation of the BIND server.
rndc [-c config] [-s server] [-p port] [-V] [-y key-id] command
The rndc utility controls the operation of a name server. rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. The only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.In BIND Version 9, rndc supports all the commands of the BIND Version 8 ndc utility except start , restart , and stop . Use the BIND startup and shutdown command procedures, as described in Section C.4, to accomplish these tasks.
The rndc utility reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for the rndc configuration file is TCPIP$ETC:RNDC.CONF, but an alternate location can be specified with the -c option. If the configuration file is not found, rndc also looks in TCPIP$ETC:RNDC.KEY. The RNDC.KEY file is generated by running rndc_confgen -a . This command provides basic functionality, but it offers less configuration flexibility than modifying the RNDC.CONF file.
Note
For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.
The configuration file for the rndc utility is TCPIP$ETC:RNDC.CONF. The structure of this file is similar to TCPIP$BIND.CONF. Statements are enclosed in braces and are terminated with semicolons. Clauses in the statements are also terminated with semicolons. For example:
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
key samplekey {
algorithm hmac-md5
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW";
};
|
Three statements are used in the RNDC.CONF file:
$ RNDC_CONFGEN |
reload
Reloads configuration file and zones.reload zone [class [view]]
Reload the given zone.refresh zone [class [view]]
Schedule zone maintenance for the given zone.reconfig
Reloads the configuration file and loads new zones, but does not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zones files.stats
Writes server statistics to the statistics file, TCPIP$BIND.STATS.querylog
Toggles query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of TCPIP$BIND.CONF.dumpdb
Dumps the server's caches to the dump file, TCPIP$BIND_DUMP.DB.trace
Increments the servers debugging level by one.trace level
Sets the server's debugging level to an explicit value.notrace
Sets the server's debugging level to 0.flush
Flushes the server's cache.status
Displays the status of the server.flush-updates
Saves any pending dynamic updates being stored in the zone journal (_JNL) files to the master zone file. (This command is available on OpenVMS systems only.)
-c config-file
Uses config-file as the configuration file instead of the default, TCPIP$ETC:RNDC.CONF.-s server
Specifies the name or address of the server which matches a server statement in the configuration file for rndc . If no server is supplied on the command line, the host named by the default-server clause in the option statement of the configuration file is used.-p port
Send commands to the specified TCP port instead of the default control channel port, 953.-V
Enables verbose logging.-y keyid
Use the specified keyid from the configuration file specified with the -c option. If the configuration file was not specified on the command line, the rndc configuration file, RNDC.CONF, is used. The keyid must be known by the BIND server with the same algorithm and secret string in order for control message validation to succeed.If no keyid is specified, rndc first looks for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets that are used to send authenticated control commands to name servers. Therefore, the file should not have general read or write access.
Generates the configuration files used by the rndc utility.
rndc_confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address]
The rndc_confgen utility generates configuration files for the rndc utility. It can be used as a convenient alternative to writing the RNDC.CONF file and the corresponding controls and key statements in TCPIP$BIND.CONF by hand. The utility can be run with the -a option to set up an RNDC.KEY file, thereby avoiding the need for an RNDC.CONF file and a controls statement.
-a
Configures rndc automatically. This option creates the file RNDC.KEY in TCPIP$ETC that is read by both rndc and the BIND server on startup. The RNDC.KEY file defines a default command channel and authentication key, allowing rndc to communicate with the BIND server with no further configuration.Using the -a option allows BIND Version 9 and rndc to be used as drop-in replacements for BIND Version 8 and ndc , with no changes to the existing TCPIP$BIND.CONF file.
Note
For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.-b keysize
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.-c keyfile
Used with the -a option to specify an alternate location for RNDC.KEY.-h
Prints a short summary of the options and arguments to rndc_confgen .-k keyname
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key .-p port
Specifies the command channel port where the BIND server listens for connections from rndc . The default is 953.-r randomfile
Specifies a source of random data for generating the authorization. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.-s address
Specifies the IP address where the BIND server listens for command channel connections from rndc . The default is the loopback address 127.0.0.1.
| Previous | Next | Contents |