mail us  |  mail this page

products  |  company  |  support  |  training  |  contact us

ZYTRAX OPEN LOGO

DNS BIND Security Statements

This section describes the statements available in BIND 9.x relating to security. Full list of statements.

dnssec-enable

 dnssec-enable ( yes | no );
 dnssec-enable no;

dnssec-enable indicates that a secure DNS service is being used which may one, or more, of TSIG (for securing zone transfers or DDNS updates), SIG(0) (for securing DDNS updates) or DNSSEC. Since 9.5 the default value is dnssec-enable yes;. This statement may be used in a view or global options clause.

dnssec-validation

 dnssec-validation ( yes | no );
 dnssec-validation no;

dnssec-validation indicates that a resolver (a caching or caching-only name server) will attempt to validate replies from DNSSEC enabled (signed) zones. To perform this task the server alos needs either a valid trusted-keys clause (containing one or more trusted-anchors or a managed-keys clause. Since 9.5 the default value is dnssec-validation yes;. This statement may be used in a view or global options clause.

random-device

 random-device "path_to_device";
 random-device "/dev/random";

Defines a source or randomness (or entropy) within the system. Defaults to /dev/random. This device is needed for DNSSEC operations such as TKEY transactions and dynamic update of signed zones. Operations requiring entropy will fail when the specified source has been exhausted. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. This statement may only be used in a global options clause.

sig-validity-interval

 sig-validity-interval days ;
 sig-validity-interval 60 ;

sig-validity-interval Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates will expire. The default is 30 days. The maximum value is 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew. This statement may be used in a zone or a global options clause.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 dns records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfc's
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla

web zytrax.com



Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux

Applications

OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

printer friendly

Print Page

SPF Record Conformant Domain Logo

Copyright © 1994 - 2012 ZyTrax, Inc.
All rights reserved. Legal and Privacy 		site by zytrax
Hosted by super.net.sg		 web-master at zytrax
Page modified: July 11 2011.