This section describes the statements available in BIND 9.x relating to security. Full list of statements.
disable-algorithms domain { algorithm; ...; }; disable-algorithms "." { "NSECRSASHA1"; "DH"; }; // disables NSECRSASHA1 and DH algorithms for all domains
disable-algorithms is only applicable to recursive name servers (full service resolvers) and allows the user to inhibit the use of one or more algorithms when validating RRSIG RR(s). The domain parameter defines the scope, for example, "." indicates all domains, "net" would cover all domains in the net TLD and "example.com" would cover a single domain. Multiple disable-algorithms statements may be included. algorithm may take one of the currently supported algorithms from the list RSAMD5, RSA, DH, DSA, NSEC3DSA, ECC, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384. If the disabled algorithm is the only one supported by any signed zone then the zone will not be validated and the zone's results will be marked "insecure". This statement may only be used in a global options clause.
disable-ds-digests domain { digest; ...; }; disable-ds-digests "net" { "SHA-256"; }; // disables the SHA-256 digest for .net TLD only
disable-ds-digests is only applicable to recursive name servers (full service resolvers) and allows the user to inhibit the use of one or more digests when validating a DS (or DLV) RR(s). The domain parameter defines the scope, for example, "." indicates all domains, "net" would cover all domains in the net TLD and "example.com" would cover a single domain. Multiple disable-ds-digests statements may be included. digest may take one of the currently supported algorithms from the list SHA-1, SHA-256, GOST, SHA-384. If the disabled digest is the only one supported by any signed zone then verifying secure delegation for the zone is not possible and the zone's results will be marked "insecure". This statement may only be used in a global options clause.
dnssec-enable ( yes | no ); dnssec-enable no;
dnssec-enable indicates that a secure DNS service is being used which may be one, or more, of TSIG (for securing zone transfers or DDNS updates), SIG(0) (for securing DDNS updates) or DNSSEC. Since BIND9.5 the default value is dnssec-enable yes;. This statement may be used in a view or global options clause.
dnssec-validation ( yes | no ); dnssec-validation no;
dnssec-validation indicates that a resolver (a caching or caching-only name server) will attempt to validate replies from DNSSEC enabled (signed) zones. To perform this task the server also needs either a valid trusted-keys clause (containing one or more trusted-anchors or a managed-keys clause. Since 9.5 the default value is dnssec-validation yes;. This statement may be used in a view or global options clause.
max-rsa-exponent-size bits; max-rsa-exponent-size 2048; // allows maximum RSA keys of 2048 bits
max-rsa-exponent-size is only applicable to recursive name servers (full service resolvers) and allows the user to define the maximum number of bits in the RSA key when validating RRSIG RR(s). bits may be in the range 35 to 4096, with the value 0 (the default) indicating 4096. If any signed zone uses an RSA algorithm with a key size greater than bits then the zone will not be validated and the zone's results will be marked "insecure". This statement may only be used in a global options clause.
random-device "path_to_device"; random-device "/dev/random";
Defines a source or randomness (or entropy) within the system. Defaults to /dev/random. This device is needed for DNSSEC operations such as TKEY transactions and dynamic update of signed zones. Operations requiring entropy will fail when the specified source has been exhausted. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. This statement may only be used in a global options clause.
sig-validity-interval days ; sig-validity-interval 60 ;
sig-validity-interval Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates will expire. The default is 30 days. The maximum value is 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew. This statement may be used in a zone or a global options clause.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
Contents
tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log
This work is licensed under a
Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox
Search
Share
Page
Resources
Systems
FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux
Software
LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns
Organizations
Open Source Initiative
Creative Commons
Misc.
Ibiblio - Library
Open Book Project
Open Directory
Wikipedia
Site
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved. Legal and Privacy |
site by zytrax hosted by javapipe.com |
web-master at zytrax Page modified: January 20 2022. |