196 Chapter 12. Berkeley Internet Name Domain (BIND)

Caution

Some of these advanced features, such as DNSSEC, TSIG, and IXFR, should only be used in network environments with nameservers that support the features. If the network environment includes non-BIND or older BIND nameservers, verify that each advanced feature is supported before attempting to use it.

All of the features mentioned are discussed in greater detail in the BIND 9 Administrator Reference Manual referenced in Section 12.7.1 Installed Documentation.

12.5.1. DNS Protocol Enhancements

BIND supports Incremental Zone Transfers (IXFR), where a slave nameserver only downloads the updated portions of a zone modified on a master nameserver. The standard transfer process requires that the entire zone be transferred to each slave nameserver for even the smallest change. For very popular domains with very lengthy zone files and many slave nameservers, IXFR makes the notification and update process much less resource intensive.

Note that IXFR is only available when using dynamic updating to make changes to master zone records. If manually editing zone files to make changes, AXFR is used. More information on dynamic updating is available in the BIND 9 Administrator Reference Manual. See Section 12.7.1 Installed Documentation for more information.

12.5.2. Multiple Views

Through the use of the view statement in named.conf, BIND can present different information depending on which network a request originates from.

This is primarily used to deny sensitive DNS entries from clients outside of the local network, while allowing queries from clients inside the local network.

The view statement uses the match-clients option to match IP addresses or entire networks and give them special options and zone data.

12.5.3. Security

BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers:

• DNSSEC — Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone key.

  In this way, the information about a specific zone can be verified as coming from a nameserver that has signed it with a particular private key, as long as the recipient has that nameserver’s public key.

  BIND version 9 also supports the SIG(0) public/private key method of message authentication.

• TSIG — Short for Transaction SIGnatures, this feature allows a transfer from master to slave only after verifying that a shared secret key exists on both nameservers.

  This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.

  BIND version 9 also supports TKEY, which is another shared secret key method of authorizing zone transfers.
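
The following named.conf fragment is an added example, not part of the original guide. It combines the view statement from Section 12.5.2 with TSIG-protected zone transfers from Section 12.5.3. The ACL, view, key and zone names, the documentation-range addresses, the file paths and the secret are all placeholders chosen for illustration.

```conf
// Constructed example, not taken from the guide. All names, addresses,
// file paths and the secret are placeholders.

// ---- master: named.conf ----
acl "internal-nets" { 127.0.0.1; 192.0.2.0/24; };

key "transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";  // placeholder; same value on both servers
};

// Views are tested in order and the first match wins, so the restrictive
// view comes first. Once any view is defined, every zone must be in a view.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // includes internal-only records
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public records only
        // Weak, address-only form:  allow-transfer { 198.51.100.53; };
        // Hardened: reject every source except the slave's address, then
        // additionally require a request signed with the shared key.
        allow-transfer { !{ !198.51.100.53; any; }; key "transfer-key"; };
    };
};

// ---- slave (198.51.100.53): named.conf ----
// Holds the same key "transfer-key" statement as the master, plus:
server 203.0.113.1 { keys { "transfer-key"; }; };  // sign requests to the master
zone "example.com" {
    type slave;
    masters { 203.0.113.1; };
    file "slaves/example.com.zone";
};
```

Keep the key statement in a file that only the named user can read, since anyone who can read the secret can sign transfer requests.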