HP OpenVMS Systems Documentation

Content starts here HP TCP/IP Services for OpenVMS

HP TCP/IP Services for OpenVMS
Management


Previous Contents Index

6.9.4 Resolver Search Behavior in Earlier Releases

In previous releases, the resolver performed lookups as follows:

  1. Appended the default domain to the host name and performed a lookup.
  2. If the previous lookup failed, the resolver removed the leftmost label from the default domain name, appended the result to the host name and performed the lookup.
  3. If that lookup failed, the resolver again removed the leftmost label from the default domain name, appended the result to the host name, and performed the lookup.

For each unsuccessful lookup, this procedure was repeated until only two labels remained in the resulting domain name.

If all these attempts failed, the resolver tried just the host name as typed (as long as it contained at least one dot).

For example, suppose you entered the following command:


TCPIP> SHOW HOST OWL

Assuming the default domain was ucx.ern.sea.com , the resolver performed lookups as follows:

  1. On owl.ucx.ern.sea.com .
  2. If the previous lookup was unsuccessful, the resolver searched for owl.ern.sea.com .
  3. If that lookup was unsuccessful, the resolver searched for owl.sea.com .
  4. Finally, if the preceding lookup was unsuccessful, the resolver searched for owl .

6.9.5 Setting the Resolver's Domain Search List

The search list is provided to make entering lookup commands easier by not requiring you to type fully qualified domain names. The search list consists of domain names that the resolver uses when performing lookups. By default, the search list consists of only the default domain, which is stored in the TCPIP$CONFIGURATION.DAT file.

You can change the elements in the search list by entering the SET NAME_SERVICE command, as shown in the following example:


TCPIP> SET NAME_SERVICE /PATH=(ucx.ern.sea.com,dux.sea.com,mux.ern.sea.com)/SYSTEM

For example, suppose you enter the following command:


TCPIP> SHOW HOST CANARY

The resolver performs lookups as follows:

  1. On canary.ucx.ern.sea.com .
  2. If the previous lookup was unsuccessful, the resolver searches for canary.dux.sea.com .
  3. If that lookup was unsuccessful, the resolver searches for canary.mux.ern.sea.com .
  4. If that lookup was unsuccessful, the resolver searches for canary .

In the following output of the SHOW NAME_SERVICE command, the PATH: label shows the search list information entered with the SET NAME_SERVICE /PATH command. This command displays systemwide information and process-specific information (if process-specific information is set).


TCPIP> SHOW NAME_SERVICE

BIND Resolver Parameters

Local domain: ucx.ern.sea.com

System

State:     Started, Enabled

Transport: UDP
Domain:    ucx.ern.sea.com
Retry:     4
Timeout:   4
Servers:   ucx, lemng, 16.99.0.10
Path:      ucx.ern.sea.com, dux.ern.sea.com, mux.ern.sea.com

Process

State:     Enabled
Transport:
Domain:
Retry:
Timeout:
Servers:
Path:
$

Any additions you make are appended to the end of the search list.

To remove an element from the search list, enter the following command:


TCPIP> SET NAME_SERVICE /NOPATH=dux.ern.sea.com /SYSTEM

Note

When you run TCPIP$CONFIG.COM after upgrading from UCX to TCP/IP Services for OpenVMS, the system creates a domain search list that is consistent with the UCX default lookup behavior. TCPIP$CONFIG.COM uses the default domain to create a search list consisting of each parent domain. For example, if the default domain is ucx.ern.sea.com , the resulting search list is ucx.ern.sea.com,ern.sea.com,sea.com . You can modify the current search list by using the SET CONFIGURATION NAME_SERVER /PATH command.

6.10 BIND Server Administrative Tools

The following administrative tools play an integral part in the management of a server.

  • The bind_checkconf utility checks the syntax of the BIND server configuration file.
  • The bind_checkzone utility checks a zone file for syntax and consistency.
  • The dnssec_keygen generates keys for DNSSEC (secure DNS) and TSIG (transaction signatures).
  • The dnssec_makekeyset utility generates a key set.
  • The dnssec_signkey utility signs a key set.
  • The dnssec_signzone utility signs a zone.
  • The rndc utility allows you to control the operation of a name server.
  • The rndc_confgen utility generates configuration files for the rndc utility.

To use these utilities, you must have system management privileges. Run the TCPIP$DEFINE_COMMANDS.COM procedure to define the commands described in the following reference sections.


bind_checkconf

Checks the syntax of a BIND server configuration file.


Format

bind_checkconf [-v] [-t directory] filename

description

The bind_checkconf utility checks the syntax, but not the semantics, of a BIND server configuration file.

Options

-t directory

Looks for filename in the specified directory. The default directory is SYS$SPECIFIC:[TCPIP$BIND].

-v

Displays only the version number of the bind_checkconf utility and exits.

filename

Specifies the name of the configuration file to be checked. The default file is SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND.CONF.

bind_checkzone

Checks a zone file for syntax and consistency.


Format

bind_checkzone [-d] [-q] [-v] [-c class] [-t directory] zonename filename

description

The bind_checkzone utility checks the syntax and integrity of a zone file. It performs the same checks as the BIND server does when it loads a zone. This makes bind_checkzone useful for checking zone files before configuring them into a name server.

Options

-d

Enables debugging mode.

-q

Enables quiet mode (exit code only).

-v

Displays the version number of bind_checkzone and exits.

-c class

Specifies the class of the zone. If not specified, the default is IN.

-t directory

Looks for the zone in the specified directory. The default directory is SYS$SYSPECIFIC:[TCPIP$BIND].

zonename

Specifies the name of the zone being checked.

filename

Specifies the name of the zone file.

dnssec_keygen

Generates keys for DNSSEC.


Format

dnssec_keygen -a algorithm -b keysize -n nametype [-c class] [-e] [-g generator] [-h]
[-p protocol] [-r randomfile] [-s strength] [-t type] [-v level] name

description

The dnssec_keygen utility generates keys for DNSSEC, as defined in RFC 2535. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

Parameters

name

Specifies the name of the domain.

Options

-a algorithm

Selects the cryptographic algorithm. The value of algorithm must be one of the following:
  • RSAMD5
  • RSA
  • DSA
  • DH (Diffie-Hellman)
  • HMAC-MD5

These values are not case sensitive.

-b keysize

Specifies the number of bits in the key. The choice of key size depends on the algorithm used:
  • RSA keys must be between 512 and 4096 bits.
  • DH keys must be between 128 and 4096 bits.
  • DSA keys must be between 512 and 1024 bits and must be an exact multiple of 64.
  • HMAC-MD5 keys must be between 1 and 512 bits.

-n nametype

Specifies the owner type of the key. The value of nametype must one of the following:
  • ZONE (for a DNSSEC zone key)
  • HOST or ENTITY (for a key associated with a host)
  • USER (for a key associated with a user)

These values are not case sensitive.

-c class

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.

-e

If generating an RSA key, specifies the use of a large exponent.

-g generator

If generating a Diffie-Hellman key, specifies the generator. Allowed values for generator are 2 and 5. If no generator is specified, a known prime from RFC 2539 is used, if possible; otherwise the default is 2.

-h

Displays a short summary of the options and arguments to the dnssec_keygen command.

-p protocol

Sets the protocol value for the generated key. The value of protocol is a number between 0 and 255. For keys of type USER, the default is 2 (e-mail). For all other key types, the default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-s strength

Specifies the strength value of the key. The value of strength is a number between 0 and 15. This option is currently not used.

-t type

Indicates the use of the key. The type must be one of the following:
  • AUTHCONF (authenticate and encrypt data)
  • NOAUTHCONF (do not authenticate and do not encrypt data)
  • NOAUTH (do not authenticate data)
  • NOCONF (do not encrypt data)

The default is AUTHCONF.

-v level

Sets the debugging level.

generated keys

When dnssec_keygen completes successfully, it displays a string of the following form to standard output:


Knnnn.aaa-iiiii

This is an identification string for the key it has generated. These strings can be used as arguments to the dnssec_makekeyset utility. The string is interpreted as follows:

  • nnnn is the key name.
  • aaa is the numeric representation of the algorithm.
  • iiiii is the key identifier (or footprint).

dnssec_keygen creates two files, with names based on the printed string. The file Knnnn.aaa-iiiii_KEY contains the public key, and Knnnn.aaa-iiiii_PRIVATE contains the private key.

The _KEY file contains a DNS KEY record that can be inserted into a zone file (either directly, or using an $INCLUDE statement).

The _PRIVATE file contains algorithm-specific fields. For security reasons, this file does not have general read permission.

Both _KEY and _PRIVATE files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.


Examples

To generate a 768-bit DSA key for the domain example.com , enter the following command:
#1

$ dnssec_keygen -a DSA -b 768 -n ZONE example.com

      

This command displays a string of the form:


Kexample_com.003-26160

In this example, dnssec_keygen creates the files KEXAMPLE_COM.003-26160_KEY and KEXAMPLE_COM.003-26160_PRIVATE.


dnssec_makekeyset

Generates signed key sets for DNSSEC.


Format

dnssec_makekeyset [-a] [-s start-time] [-e end-time] [-h] [-p] [-r randomfile] [-t ttl] [-v level] key...

description

The dnssec_makekeyset utility generates a key set from one or more keys created by the dnssec_keygen utility. It creates a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form KEYSET-name.DAT, where name is the zone name.

Options

-a

Verifies all generated signatures.

-s start-time

Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start time is specified, the current time is used.

-e end-time

Specifies the date and time when the generated SIG records expire. An absolute end time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.

-h

Displays a short summary of the options and arguments to the dnssec_makekeyset command.

-p

Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option is useful when signing large zones or when the entropy source is limited.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. The argument randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-t ttl

Specifies the time to live (TTL) value of the KEY and SIG records. The default is 3600 seconds.

-v level

Sets the debugging level.

Parameters

key

Specifies the list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.aaa-iiiii, which was generated by the dnssec_keygen utility.

Examples

The following command generates a keyset containing the DSA key for example.com generated in the dnssec_keygen example.
#1

$ dnssec_makekeyset -t 86400 -s 20000701120000 -e +2592000 -
_$ Kexample.com.003-26160
      

In this example, dnssec_makekeyset creates the file KEYSET-EXAMPLE_COM.DAT. This file contains the specified key and a self-generated signature.

The DNS administrator for example.com could send KEYSET-EXAMPLE_COM.DAT to the DNS administrator for .com for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and for exchanging the keys and signatures securely.


dnssec_signkey

Signs keysets for DNSSEC.


Format

dnssec_signkey [-a] [-c class] [-s start-time] [-e end-time] [-h] [-p] [-r randomfile] [-v level] keyset key...

description

The dnssec_signkey utility signs a keyset. The keyset, generated by the dnssec_makekeyset utility, is for a child zone. The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form SIGNEDKEY-name.DAT, where name is the zone name.

Parameters

keyset

Specifies the file containing the child's keyset.

key...

Specifies the keys used to sign the child's keyset.

Options

-a

Verifies all generated signatures.

-c class

Specifies the DNS class of the key sets.

-s start-time

Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time is used.

-e end-time

Specifies the date and time when the generated SIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.

-h

Displays a short summary of the options and arguments to the dnssec_signkey command.

-p

Use pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-v level

Sets the debugging level.

Examples

The DNS administrator for a DNSSEC-aware .com zone would use the following command to sign the keyset file for example.com created by the dnssec_makekeyset utility with a key generated by the dnssec_keygen utility:
#1

$ dnssec_signkey keyset-example.com. Kcom.003-51944
      

In this example, the dnssec_signkey utility creates the file SIGNEDKEY-EXAMPLE_COM.DAT, which contains the example.com keys and the signatures by the .com keys.


dnssec_signzone

Signs a zone.


Format

dnssec_signzone [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-h] [-i interval] [-n nthreads] [-o origin] [-p] [-r randomfile] [-t] [-v level] zonefile [key...]

description

The dnssec_signzone utility signs a zone. It generates NXT and SIG records and produces a signed version of the zone. If there is a signedkey file from the zone's parent, the parent's signatures are incorporated into the generated signed zone file. The security status of delegations from the signed zone (that is, whether or not the child zones are secure) is determined by the presence or absence of a signedkey file for each child zone.

Before signing the zone, you must add the KEY record to the zone database file by using the $INCLUDE statement. For example, in the zone file example_com.db, add:


$INCLUDE Kexample_com.003-26160_KEY

Parameters

zonefile

Specifies the file containing the zone to be signed.

key...

Specifies the keys used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.

Options

-a

Verifies all generated signatures.

-c class

Specifies the DNS class of the zone.

-d directory

Looks for signedkey files in the specified directory.

-s start-time

Specifies the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation. 20000530144500 denotes 14:45:00 UTC on May 30, 2000. A relative start time is indicated by +N , which is N seconds from the current time. If no start time is specified, the current time is used.

-e end-time

Specifies the date and time when the generated SIG records expire. An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated by +N , which is N seconds from the start time. A time relative to the current time is indicated by now+N . If no end time is specified, 30 days from the start time is used as a default.

-f output-file

Specifies the name of the output file containing the signed zone. The default is to append _SIGNED to the input file name.

-h

Displays a short summary of the options and arguments to the dnssec_signzone command.

-i interval

When a previously signed zone is passed as input, records may be signed again. The interval option specifies the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. Therefore, if neither the end time nor the start time is specified, the dnssec_signzone utility generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5 days, they are replaced.

-n nthreads

Specifies the number of threads to use. By default, one thread is started for each detected CPU.

-o origin

Specifies the zone origin. If this option is not specified, the name of the zone file is assumed to be the origin.

-p

Uses pseudorandom data when signing the zone. This is faster, but less secure, than using real random data. This option can be useful when signing large zones or when the entropy source is limited.

-r randomfile

Specifies the source of randomness. The default source of randomness is keyboard input. randomfile specifies the name of a file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

Note

When you use the keyboard to generate random data, you must input a large amount of data. Input requiring hundreds of lines of data is not unusual for some algorithms. The string "stop typing" appears when enough data has been input.

-t

Displays statistics at completion.

-v level

Sets the debugging level.

Examples

The following command signs the example.com zone with the DSA key generated by the dnssec_keygen utility. The zone's keys must be in the zone. If there are signedkey files associated with this zone or any child zones, they must be in the current directory.
#1

$ dnssec_signzone -o example.com example_com.db Kexample_com.003-26160

      

In this example, dnssec_signzone creates the file EXAMPLE_COM.DB_SIGNED. This file should be referenced in a zone statement in the TCPIP$BIND.CONF file. This command displays the following:


Previous Next Contents Index