dnssec-configure

Language: en

Version: 10 December 2008 (fedora - 06/07/09)

Section: 8 (Administrator commands)

NAME

dnssec-configure - update recursive nameserver configuration options and keys for DNSSEC and DLV. Currently Bind (named) and Unbound are supported.

SYNOPSIS

dnssec-configure [-u] [-b] --dnssec=on | off --dlv=on | off | <dlvzone> [--basedir=<dir>] [--norestart] [--nocheck] [--production] [--testing] [--harvest] [--root]
dnssec-configure --show [-u] [-b]
dnssec-configure -u | -b --set=section:optname:optval
dnssec-configure -u | -b --query=section:optname:optval

DESCRIPTION

dnssec-configure shows or rewrites the configuration files of the Bind (named) and/or the Unbound nameservers. It verifies the configuration before rewriting it, and restarts the nameserver(s) if necessary.

OPTIONS

-b (-n)

Update the Bind (named) nameserver configuration.

-u

Update the Unbound nameserver configuration.

If neither option is specified, -b -u is assumed.

--show

Show the current configuration(s) and do not rewrite any configuration files. All other options below are ignored.

--set=<section:optname:optvalue>

Set the option optname to optvalue in the specified section of the configuration file. This option cannot be used with --dnssec, --dlv, --query or --show. This option can be specified multiple times to set more than one option at once.

--query=<section:optname:optvalue>

Query the setting optname in the specified section of the configuration file. This option cannot be used with --dnssec, --dlv, --set or --show. This option can be specified multiple times to query more than one option at once.
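As an added example (not dnssec-configure's own code), the following shell functions re-implement the section:optname:optvalue spec that --set and --query accept against an unbound.conf-style file. The function names, the assumed file layout (a "section:" header on its own line with options indented beneath it) and the sample configuration are constructed for illustration and are not the tool's actual parser.

```shell
#!/bin/sh
# Added example, not dnssec-configure's own code: hypothetical helpers that apply a
# section:optname:optvalue spec to an unbound.conf-style file. Assumed layout:
# "section:" on a line of its own, options indented under it (an assumption).

# query_option FILE SECTION:OPTNAME -> prints the current value (nothing if unset)
query_option() {
    file=$1; spec=$2
    section=${spec%%:*}; rest=${spec#*:}; name=${rest%%:*}
    awk -v sec="$section" -v key="$name" '
        /^[A-Za-z0-9_-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }  # section header
        cur == sec && $1 == (key ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$file"
}

# set_option FILE SECTION:OPTNAME:OPTVALUE -> rewrites FILE in place: replaces the first
# definition, drops duplicate definitions, appends the option (and section) when missing
set_option() {
    file=$1; spec=$2
    section=${spec%%:*}; rest=${spec#*:}; name=${rest%%:*}; value=${rest#*:}
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$name" -v val="$value" '
        # called when leaving a section: add the option if the section never defined it
        function flush() { if (cur == sec && !done) { print "    " key ": " val; done = 1 } }
        /^[A-Za-z0-9_-]+:[ \t]*$/ { flush(); cur = $1; sub(/:$/, "", cur); print; next }
        cur == sec && $1 == (key ":") { if (!done) print "    " key ": " val; done = 1; next }
        { print }
        END { flush(); if (!done) { print sec ":"; print "    " key ": " val } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample configuration for the demonstration (not a real unbound.conf).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server:
    verbosity: 1
    do-ip6: yes
    do-ip6: yes
remote-control:
    control-enable: no
EOF

set_option "$SAMPLE_CONF" "server:do-ip6:no"                  # replace, drop the duplicate
set_option "$SAMPLE_CONF" "server:val-permissive-mode:no"     # append to existing section
set_option "$SAMPLE_CONF" "python:python-script:ubmodule.py"  # create a missing section
query_option "$SAMPLE_CONF" "server:do-ip6"
```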

--dnssec=<on|off>

This option will enable or disable all DNSSEC processing by the nameserver. When enabled, detected spoofed or otherwise verifiably false DNS answers will not be returned. Instead, a SERVFAIL is returned. The application is responsible for further investigation. When disabled, classic DNS services run without any advanced protection.

--dlv=<on|off|dlvzone>

This option will enable or disable DLV, or "DNSSEC Lookaside Validation" (RFC 5074). This is a method for using DNSSEC in TLDs that themselves do not support DNSSEC. It works by offloading DNS queries for all TLDs for which no DNSSEC keys are loaded to a DLV Registry. The Trusted Key for the DLV Registry must be available. The default DLV Registry (when using the value on) is the ISC DLV (http://dlv.isc.org/). The ISC DLV Key is pre-installed with this software. You can specify your own DLV Registry, but you must make sure the dlvzone's key is installed in /etc/pki/dnssec/dlv/dlvzone.key.

--basedir=<dir>

The basedir for Trusted Key files. The default is /etc/pki/dnssec-keys/. NOT YET IMPLEMENTED

--norestart

Do not attempt to restart any running DNS resolving nameservers. This is for use within initscripts, where dnssec-configure is called to update the settings from within a DNS server initscript. Otherwise this would cause a loop.

--nocheck

Do not attempt to run unbound-checkconf or bind-checkconf. This is required for calls within package managers such as RPM where at least for unbound, we are still missing keys/certs and unbound-checkconf would return an error. We cannot generate keys before running unbound-checkconf, as we might not have enough entropy resulting in a stalled partial install.

The following options determine which Trusted Keys to preload with the nameserver software. Without Trusted Keys, no DNSSEC verification is possible. At some point, when the Root is signed, only one key would need to be preloaded. This is not yet the case.

--production

Include Trusted Keys that are in full production. These keys have been analysed by people in the DNS community or have been publicly announced by their TLD to be production ready. If no Trusted Keys options are specified, only this setting will be enabled. These keys can be found in /etc/pki/dnssec-keys/production.conf.

--testing

Include Trusted Keys that are in testing mode. These keys tend to be reasonably stable, or have been found and verified but not officially announced by their TLD. These are not included by default. These keys can be found in /etc/pki/dnssec-keys/testing.conf.

--harvest

Include Trusted Keys that are harvested and/or added by the local system administrator themselves. These keys can be found in /etc/pki/dnssec-keys/harvest.conf.

--root

Include the Trusted Keys for the Root Zone. Currently the root is not signed, and there is no root key available. A test Root key is available from IANA, but this requires using a separate resolver at IANA. Do not use this option.

EXAMPLES

Enable DNSSEC with production keys and ISC's DLV Registry for all nameserver software found on the machine:

# dnssec-configure --dnssec=on --dlv=on

For the Unbound nameserver, enable DNSSEC with production and testing keys, and use dlv.xelerance.com as the DLV Registry:

# dnssec-configure -u --dnssec=on --dlv=dlv.xelerance.com --production --testing

For the Bind nameserver, disable DNSSEC:

# dnssec-configure -b --dnssec=off

REQUIREMENTS

One or both of the known DNSSEC-capable nameservers, Bind and Unbound, is required. To support RFC 5011 style automatic key updates, the autotrust software is needed along with a cron daemon.

TRUSTED KEYS

The format of the key files is carefully chosen to be compatible with both Bind and Unbound. Keys are stored in individual files so that they can be easily verified and updated by autotrust. The keys are grouped in their respective categories production, testing and harvest. If you have local DNSSEC keys you wish to preload, you can add these to one of these three directories and re-run dnssec-configure to rebuild the production.conf, testing.conf and harvest.conf files, which are built from the contents of the /etc/pki/dnssec-keys/{production,testing,harvest} directories. If you wish to use another DLV, add the key for the DLV zone to /etc/pki/dnssec-keys/dlv/dlvzone.domain.key.

SEE ALSO

dnskey-pull(1), unbound-host(1), system-config-dnssec(8), autotrust(8), named.conf(8), unbound.conf(8).

AUTHOR

Paul Wouters <paul@xelerance.com>