HP TCP/IP Services for OpenVMS
Management


Previous Contents Index


bind_checkconf

Checks the syntax of a BIND server configuration file.


Format

bind_checkconf [-v] [-j] [-t directory] filename [-z]

description

The bind_checkconf utility checks the syntax, but not the semantics, of a BIND server configuration file.

Options

-j

When loading a zonefile, read the journal if it exists.

-z

Perform a test load of the master zonefiles found in TCPIP$BIND.CONF.

-t directory

Looks for filename in the specified directory. The default directory is SYS$SPECIFIC:[TCPIP$BIND].

-v

Displays only the version number of the bind_checkconf utility and exits.

filename

Specifies the name of the configuration file to be checked. The default file is SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND.CONF.

bind_checkzone

Checks a zone file for syntax and consistency.


Format

bind_checkzone [-d] [-j] [-q] [-v] [-c class] [-k mode] [-n mode] [-o filename] [-t directory] [-w directory] [-D] zonename filename

description

The bind_checkzone utility checks the syntax and integrity of a zone file. It performs the same checks as the BIND server does when it loads a zone. This makes bind_checkzone useful for checking zone files before configuring them into a name server.

Options

-d

Enables debugging mode.

-j

When loading the zonefile, read the journal if it exists.

-q

Enables quiet mode (exit code only).

-v

Displays the version number of bind_checkzone and exits.

-c class

Specifies the class of the zone. If not specified, the default is IN.

-k mode

Perform "check-name" checks with the specified failure mode. Possible modes are:

-n mode

Specify whether NS records should be checked to see if they are addresses. Possible modes are:

-o filename

Write zone output to the specified file. Only valid when used with the -D option.

-t directory

Looks for the zone in the specified directory. The default directory is SYS$SYSPECIFIC:[TCPIP$BIND].

-w directory

Change directory so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in the TCPIP$BIND.CONF configuration file.

-D

Dump zone file information in canonical format.

zonename

Specifies the name of the zone being checked.

filename

Specifies the name of the zone file.

dnssec_keygen

Generates keys for DNSSEC.


Format

dnssec_keygen -a algorithm -b keysize -n nametype [-c class] [-e] [-f flag] [-g generator] [-h] [-k]
[-p protocol] [-r randomfile] [-s strength] [-t type] [-v level] name

description

The dnssec_keygen utility generates keys for DNSSEC, as defined in RFC 2535. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

Parameters

name

Specifies the name of the domain.

Options

-a algorithm

Selects the cryptographic algorithm. The value of algorithm must be one of the following:

These values are not case sensitive. HMAC-MD5 and DH automatically set the -k option.

-b keysize

Specifies the number of bits in the key. The choice of key size depends on the algorithm used:

-n nametype

Specifies the owner type of the key. The value of nametype must one of the following:

These values are not case sensitive.

-c class

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.

-e

If generating an RSAMD5/RSASHA1 key, specifies the use of a large exponent.

-f flag

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.

-g generator

If generating a Diffie-Hellman key, specifies the generator. Allowed values for generator are 2 and 5. If no generator is specified, a known prime from RFC 2539 is used, if possible; otherwise the default is 2.

-h

Displays a short summary of the options and arguments to the dnssec_keygen command.

-k

Generate KEY records rather than DNSKEY records.

-p protocol

Sets the protocol value for the generated key. The value of protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-s strength

Specifies the strength value of the key. The value of strength is a number between 0 and 15. This option is currently not used.

-t type

Indicates the use of the key. The type must be one of the following:

The default is AUTHCONF.

-v level

Sets the debugging level.

generated keys

When dnssec_keygen completes successfully, it displays a string of the following form to standard output:


Knnnn.aaa-iiiii

This is an identification string for the key it has generated. These strings can be used as arguments to the dnssec_makekeyset utility. The string is interpreted as follows:

dnssec_keygen creates two files, with names based on the printed string. The file Knnnn.aaa-iiiii_KEY contains the public key, and Knnnn.aaa-iiiii_PRIVATE contains the private key.

The _KEY file contains a DNS KEY record that can be inserted into a zone file (either directly, or using an $INCLUDE statement).

The _PRIVATE file contains algorithm-specific fields. For security reasons, this file does not have general read permission.

Both _KEY and _PRIVATE files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.


Examples

To generate a 768-bit DSA key for the domain example.com , enter the following command:
#1

$ dnssec_keygen -a DSA -b 768 -n ZONE example.com 
 
      

This command displays a string of the form:


Kexample_com.003-26160 

In this example, dnssec_keygen creates the files KEXAMPLE_COM.003-26160_KEY and KEXAMPLE_COM.003-26160_PRIVATE.


dnssec_signzone

Signs a zone.


Format

dnssec_signzone [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-g] [-h] [-i interval] [-k key] [-l domain] [-n nthreads] [-o origin] [-p] [-r randomfile] [-t] [-v level] [-z] zonefile [key...]

description

The dnssec_signzone utility signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.

Before signing the zone, you must add the KEY record to the zone database file by using the $INCLUDE statement. HP recommends the use of a Zone Signing Key (ZSK) and a Key Signing Key (KSK), in which case you must add two $INCLUDE statements, one for each key. For example, in the zone file example_com.db , add:


$INCLUDE Kexample_com.003-26160_KEY  ; ZSK 
$INCLUDE Kexample_com.003-26161_KEY  ; KSK 


Parameters

zonefile

Specifies the file containing the zone to be signed.

key...

Specifies the keys used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.

Options

-a

Verifies all generated signatures.

-c class

Specifies the DNS class of the zone.

-d directory

Looks for signedkey files in the specified directory.

-s start-time

Specifies the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. For example, 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time minus one hour (to allow for clock skew) is used.

-e end-time

Specifies the date and time when the generated RRSIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.

-f output-file

Specifies the name of the output file containing the signed zone. The default is to append _SIGNED to the input file name.

-g

Generate DS records for child zones from keyset file. Existing DS records will be removed.

-h

Displays a short summary of the options and arguments to the dnssec_signzone command.

-i interval

When a previously signed zone is passed as input, records may be signed again. The interval option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. Therefore, if neither the end time nor the start time is specified, the dnssec_signzone utility generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced.

-k key

Treat specified key as a key signing key, ignoring any key flags. This option can be specified multiple times.

-l domain

Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

-n nthreads

Specifies the number of threads to use. By default, one thread is started for each detected CPU.

-o origin

Specifies the zone origin. If this option is not specified, the name of the zone file is assumed to be the origin.

-p

Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option can be useful when signing large zones or when the entropy source is limited.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-t

Displays statistics at completion.

-v level

Sets the debugging level.

-z

Ignore KSK flag on key when determining what to sign.

Examples

The following command signs the example.com zone with the DSA key generated by the dnssec_keygen utility. The zone's keys must be in the zone. If there are keyset files associated with the child zones, they must be in the current directory.
#1

$ dnssec_signzone -o example.com example_com.db Kexample_com.003-26160 
 
      

In this example, dnssec_signzone creates the file EXAMPLE_COM.DB_SIGNED. This file should be referenced in a zone statement in the TCPIP$BIND.CONF file. This command displays the following:


example_com.db_signed 


rndc

Controls the operation of the BIND server.


Format

rndc [-c config] [-k keyfile] [-s server] [-p port] ["-V"] [-y key-id] command

description

The rndc utility controls the operation of a name server. rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. The only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

In BIND Version 9, rndc supports all the commands of the BIND Version 8 ndc utility except start , restart , and stop . Use the BIND startup and shutdown command procedures, as described in Section 6.4, to accomplish these tasks.

The rndc utility reads a configuration file to determine how to contact the name server and to decide what algorithm and key it should use.

A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret. The default location for the rndc configuration file is TCPIP$ETC:RNDC.CONF, but an alternate location can be specified with the -c option. If the configuration file is not found, rndc also looks in TCPIP$ETC:RNDC.KEY. The RNDC.KEY file is generated by running rndc_confgen -a . This command provides basic functionality, but it offers less configuration flexibility than modifying the RNDC.CONF file.

Note

For the BIND server to recognize a newly generated RNDC.KEY file, you must stop and restart the BIND server.

Format of the RNDC.CONF File

The configuration file for the rndc utility is TCPIP$ETC:RNDC.CONF. The structure of this file is similar to TCPIP$BIND.CONF. Statements are enclosed in braces and are terminated with semicolons. Clauses in the statements are also terminated with semicolons. For example:


options { 
    default-server    localhost; 
    default-key       samplekey; 
}; 
 
server localhost { 
    key               samplekey; 
}; 
 
key samplekey { 
    algorithm         hmac-md5 
    secret            "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW"; 
}; 

Three statements are used in the RNDC.CONF file:


Commands

reload

Reloads configuration file and zones.

reload zone [class [view]]

Reload the given zone.

refresh zone [class [view]]

Schedule zone maintenance for the given zone.

retransfer zone [class [view]]

Retransfer the specified zone from the master.

freeze zone [class [view]]

Suspend updates to a dynamic zone. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synchronized into the master and the journal file to be removed. All dynamic update attempts will be refused while the zone is frozen.

unfreeze zone [class [view]]

Enable updates to a frozen dynamic zone. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has completed. After a zone is unfrozen, dynamic updates will no longer be refused.

reconfig

Reloads the configuration file and loads new zones, but does not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zones files.

stats

Writes server statistics to the statistics file, TCPIP$BIND.STATS.

querylog

Toggles query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of TCPIP$BIND.CONF.

dumpdb

Dumps the server's caches to the dump file, TCPIP$BIND_DUMP.DB.

trace

Increments the servers debugging level by one.

trace level

Sets the server's debugging level to an explicit value.

notrace

Sets the server's debugging level to 0.

flush

Flushes the server's cache.

flush-updates

Saves any pending dynamic updates being stored in the zone journal (_JNL) files to the master zone files. (This command is available on OpenVMS systems only.)

status

Displays the status of the server. The number of zones includes the internal /CH zone, and the default ./IN hint zone if no root zone has been explicitly configured.

Options

-c config-file

Uses config-file as the configuration file instead of the default, TCPIP$ETC:RNDC.CONF.

-k keyfile

Use the specified keyfile instead of the default (TCPIP$ETC:RNDC.KEY). If the configuration file does not exist, the key from TCPIP$ETC:RNDC.KEY will be used instead.

-s server

Specifies the name or address of the server which matches a server statement in the configuration file for rndc . If no server is supplied on the command line, the host named by the default-server clause in the option statement of the configuration file is used.

-p port

Send commands to the specified TCP port instead of the default control channel port, 953.

"-V"

Enables verbose logging. Use quotation marks to preserve uppercase options.

-y keyid

Use the specified keyid from the configuration file specified with the -c option. If the configuration file was not specified on the command line, the rndc configuration file, RNDC.CONF, is used. The keyid must be known by the BIND server with the same algorithm and secret string in order for control message validation to succeed.

If no keyid is specified, rndc first looks for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement.

Note that the configuration file contains shared secrets that are used to send authenticated control commands to name servers. Therefore, the file should not have general read or write access.


Previous Next Contents Index