#
# File name: READ.ME
# Product:   VSI TCP/IP Services for OpenVMS
# Version:   V6.0-24
#
# Copyright 2015-2021 VMS Software, Inc.
#
# 12/15/2021

---------------------------------
BIND9 Configuration File Template
---------------------------------

There are 4 sample configuration files provided for a BIND server.

  [1] TCPIP$BIND.CONFCACHE    DNS Cache Only Server
  [2] TCPIP$BIND.CONFFORWARD  DNS Cache Only Server with Forwarder
  [3] TCPIP$BIND.CONFZONE     DNS Server with single local zone
  [4] TCPIP$BIND.CONFDNSSEC   DNS Server with DNSSEC signed zone


1. Common configuration among the 4 template files
--------------------------------------------------

(1) RNDC related configurations

    The RNDC command interface is enabled in all the configuration files.
    It is enabled by the 2 blocks of configuration below, where RNDC uses
    UDP port 953 to communicate with a BIND server and the "hmac-md5"
    algorithm. Only localhost (127.0.0.1) is allowed to use this
    interface, which is controlled by "allow { 127.0.0.1; }".

        //RNDC Crypto Information
        key "rndc-key" {
            algorithm hmac-md5;
            secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
        };

        //RNDC Command Interface
        controls {
            inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
        };

    These configuration blocks can be created by the steps below.

    +++++++++
    + Step 1+ Create random files by "genrandom"
    +++++++++

        $ genrandom -n 2 10 randforrndc
        $ dir randforrndc*

        Directory SYS$SPECIFIC:[TCPIP$BIND]

        RANDFORRNDC1.;1     RANDFORRNDC2.;1

        Total of 2 files.

    +++++++++
    + Step 2+ Create key by "rndc_confgen"
    +++++++++

        $ rndc_confgen -r RANDFORRNDC1.
        # Start of rndc.conf
        key "rndc-key" {
            algorithm hmac-md5;
            secret "fos8icbAtwLvfqvb7crh+g==";
        };

        options {
            default-key "rndc-key";
            default-server 127.0.0.1;
            default-port 953;
        };
        # End of rndc.conf

        # Use with the following in tcpip$bind.conf, adjusting the allow list as needed:
        # key "rndc-key" {
        #     algorithm hmac-md5;
        #     secret "fos8icbAtwLvfqvb7crh+g==";
        # };
        #
        # controls {
        #     inet 127.0.0.1 port 953
        #         allow { 127.0.0.1; } keys { "rndc-key"; };
        # };
        # End of tcpip$bind.conf

    +++++++++
    + Step 3+ Cut and paste the output from step 2 and edit rndc.conf
    +++++++++

    Edit the SYS$SPECIFIC:[ETC]rndc.conf file and replace the key{} and
    options{} sections with:

        # Start of rndc.conf
        key "rndc-key" {
            algorithm hmac-md5;
            secret "fos8icbAtwLvfqvb7crh+g==";
        };

        options {
            default-key "rndc-key";
            default-server 127.0.0.1;
            default-port 953;
        };
        # End of rndc.conf

    +++++++++
    + Step 4+ Cut and paste the output from step 2 and edit tcpip$bind.conf
    +++++++++

        key "rndc-key" {
            algorithm hmac-md5;
            secret "fos8icbAtwLvfqvb7crh+g==";
        };

        controls {
            inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
        };

(2) Access control related configurations

    All 4 configuration files also define a host list, although it is not
    yet used by an "allow-query" statement. If the configuration is
    modified to include "allow-query { clients; };", the access control
    feature takes effect.

        //Define Host list
        acl clients {
            localnets;
        };

(3) Log messages related configurations

    All the log messages are written to the file TCPIP$NAMED_RUN.LOG,
    which is configured by the statements below. The file name can be
    changed by replacing the file name in the statement.

        channel "default_log" {
            file "SYS$SPECIFIC:[TCPIP$BIND]TCPIP$NAMED_RUN.LOG";
            print-time yes;       // timestamp log entries
            print-category yes;   // print category name
            print-severity yes;   // print severity level
            severity dynamic;
        };

    If some of the log categories do not need to be written to the log
    file, comment out the ones you want to hide.
        category default { "default_log"; };
        category config { "default_log"; };
        category dispatch { "default_log"; };
        category general { "default_log"; };
        category queries { "default_log"; };
        category resolver { "default_log"; };
        category client { "default_log"; };
        category database { "default_log"; };
        category network { "default_log"; };
        category security { "default_log"; };
        category unmatched { "default_log"; };
        category dnssec { "default_log"; };
        category notify { "default_log"; };
        category xfer-in { "default_log"; };
        category xfer-out { "default_log"; };
        category update { "default_log"; };
        category lame-servers { "default_log"; };
        category cname { "default_log"; };


2. Specific Configurations in each template file
------------------------------------------------

[1] Cache Only DNS Server with no Forwarders

    In order to configure the BIND server as a Cache Only DNS Server with
    no Forwarders, add the following statements to enable the BIND server
    to query the root servers.

        zone "." IN {
            type hint;
            file "root.hint";
        };

    The file "root.hint" has to be in the directory
    "SYS$SPECIFIC:[TCPIP$BIND]", and the statements for the "forwarder"
    configuration (see section [2]) have to be commented out or deleted.

[2] Cache Only DNS Server with Forwarders

    In order to enable the BIND server to be a forwarder, these statements
    need to be added to the tcpip$bind.conf file. Either "forward first;"
    or "forward only;" must be specified.

        //forward first;   //This option is only meaningful if the forwarders
                           //list is not empty.
        forward only;      //Force to forward a query to the forwarders.

        //Specifies the IP addresses to be used for forwarding.
        //The default is the empty list (no forwarding).
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };

    forward option: This option is only meaningful if the forwarders list
    is not empty.
    A value of first, the default, causes the server to query the
    forwarders first, and if that doesn't answer the question, the server
    will then look for the answer itself, so it will query the root
    servers. If "only" is specified, the server will only query the
    forwarders.

[3] Create a local Zone

    Creating a local zone allows a BIND server to return a DNS response
    specific to the BIND server. For example, if a local FTP server is
    created, creating a local zone and defining "ftp.local" allows a DNS
    client to query "ftp.local" and enables access to the FTP server.

    (1) In order to add a zone to the BIND server configuration, the
        following statements need to be added. In this example, the zone
        named "local" is added to the BIND server as a master.

            zone "local" IN {
                type master;
                file "local.zone";
            };

        where the file "local.zone" looks like below:

            $ type local.zone
            $ORIGIN local.
            $TTL 86400
            @       IN SOA dns1.local. hostmaster.abcd.efgh.com. (
                            2001072503  ; serial
                            21600       ; refresh after 6 hours
                            3600        ; retry after 1 hour
                            604800      ; expire after 1 week
                            86400 )     ; minimum TTL of 1 day
                    IN NS dns1.local.
                    IN NS dns2.local.
            dns1    IN A 11.0.1.1
            dns2    IN A 11.0.1.2
            server1 IN A 11.0.1.5
            server2 IN A 11.0.1.6
            ftp     IN A 11.0.1.3
                    IN A 11.0.1.4
            mail    IN A 11.0.1.5
            mail2   IN A 11.0.1.6
            www     IN CNAME server1

    (2) After adding the statements, BIND needs to be restarted or
        reloaded.

        a. Bounce BIND

            @SYS$STARTUP:TCPIP$BIND_SHUTDOWN
            @SYS$STARTUP:TCPIP$BIND_STARTUP

        b. Use RNDC to reload BIND

            $ rndc reload

    (3) Test the new zone "local" with the "dig" or "ping" command. As the
        output of the commands shows, ftp.local was queried and the
        correct IP address was returned.
            $ dig ftp.local

            ; <<>> DiG 9.11.24 <<>> ftp.local
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44344
            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 1232
            ; COOKIE: c568b6eb5e713d915f62ee3561aa4e4cf6087633fe01ba56 (good)
            ;; QUESTION SECTION:
            ;ftp.local.                     IN      A

            ;; ANSWER SECTION:
            ftp.local.              86400   IN      A       11.0.1.3
            ftp.local.              86400   IN      A       11.0.1.4

            ;; AUTHORITY SECTION:
            local.                  86400   IN      NS      dns1.local.
            local.                  86400   IN      NS      dns2.local.

            ;; ADDITIONAL SECTION:
            dns1.local.             86400   IN      A       11.0.1.1
            dns2.local.             86400   IN      A       11.0.1.2

            ;; Query time: 439 msec
            ;; SERVER: 10.10.116.187#53(10.10.116.187)
            ;; WHEN: Fri Dec 03 11:28:07 EST 2021
            ;; MSG SIZE  rcvd: 168

            $ ping ftp.local
            PING ftp.local (11.0.1.3): 56 data bytes

[4] DNSSEC signed Local Zone (Master)

    To create a DNSSEC signed zone, please follow the steps below.

    (1) Create random files for the "dnssec_keygen" command with the
        "genrandom" command ("genrandom" creates 2 files with random
        characters).

            $ genrandom -n 2 10 randchar
            $ dir randchar*

            Directory SYS$SPECIFIC:[TCPIP$BIND]

            RANDCHAR1.;1        RANDCHAR2.;1

            Total of 2 files.

    (2) Create zone keys with "dnssec_keygen" and the zone name "local".

            $ dnssec_keygen -a RSASHA512 -b 1024 -r RANDCHAR1. -n ZONE local
            Generating key pair....+++++ ..........+++++
            Klocal.010-35162
            $
            $ dnssec_keygen -a RSASHA512 -b 1024 -r RANDCHAR2. -n ZONE -f KSK local
            Generating key pair....+++++ ..........+++++
            Klocal.010-35163
            $
            $ dir klocal.*

            Directory SYS$SPECIFIC:[TCPIP$BIND]

            KLOCAL.010-35162_KEY;1      KLOCAL.010-35162_PRIVATE;1
            KLOCAL.010-35163_KEY;1      KLOCAL.010-35163_PRIVATE;1

            Total of 4 files.

    (3) Use "dnssec_signzone" to sign the zone with the DNSSEC keys created
        in step (2).

            $ dnssec_signzone "-S" -o local -k Klocal.010-35163 local.zone Klocal.010-35162
            Fetching ZSK 35162/RSASHA512 from key file.
            Fetching KSK 35163/RSASHA512 from key file.
            Verifying the zone using the following algorithms: RSASHA512.
            Zone fully signed:
            Algorithm: RSASHA512: KSKs: 1 active, 0 stand-by, 0 revoked
                                  ZSKs: 1 active, 0 stand-by, 0 revoked
            local.zone_signed
            $

    (4) Edit the zone definition of the "local" zone in "tcpip$bind.conf"
        as below, so that the signed file is loaded instead of the
        unsigned one.

        Before:

            zone "local" IN {
                type master;
                file "local.zone";
            };

        After:

            zone "local" IN {
                type master;
                file "local.zone_signed";
            };

    (5) Restart BIND by either

        a. Bounce BIND

            @SYS$STARTUP:TCPIP$BIND_SHUTDOWN
            @SYS$STARTUP:TCPIP$BIND_STARTUP

        b. Use RNDC to reload BIND

            $ rndc reload
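The key/controls pair in section 1(1) is what keeps rndc local-only and authenticated. The check below is an added example, not part of the VSI template: it parses those two statements and flags the template's sample secret still being in use, a non-loopback listen address or allow entry, a missing keys clause, or a key reference with no definition. The names audit_rndc and TEMPLATE_CONF are this example's own.

```python
import re

# Sample secret shipped in the TCPIP$BIND.CONF* templates (quoted in section 1(1) above)
TEMPLATE_SECRET = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"
# Only literal loopback addresses; BIND's "localhost" acl matches every interface address
LOOPBACK = {"127.0.0.1", "::1"}

KEY_RE = re.compile(r'\bkey\s+"([^"]+)"\s*\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)\s+"?([^";]+)"?\s*;')
CONTROLS_RE = re.compile(r'controls\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)\s+'
                         r'allow\s*\{([^}]*)\}\s*keys\s*\{([^}]*)\}')

def _items(body):
    """Split a '{ a; b; }' body into its items with quotes removed."""
    return [x.strip().strip('"') for x in body.split(";") if x.strip()]

def audit_rndc(conf):
    """Return findings (empty list = OK) for the key/controls statements in conf."""
    findings, keys = [], {}
    for name, body in KEY_RE.findall(conf):
        keys[name] = dict(FIELD_RE.findall(body))
        if keys[name].get("secret") == TEMPLATE_SECRET:
            findings.append(f'key "{name}" still uses the secret shipped in the template')
    m = CONTROLS_RE.search(conf)
    if m is None:
        return findings + ["no controls statement found: rndc interface is not enabled"]
    addr, port, allow, keyrefs = m.groups()
    if addr not in LOOPBACK:
        findings.append(f"controls listens on {addr} port {port}, not on loopback")
    findings += [f"controls allow list admits non-loopback {h}"
                 for h in _items(allow) if h not in LOOPBACK]
    refs = _items(keyrefs)
    if not refs:
        findings.append("controls has no keys clause: rndc would be unauthenticated")
    findings += [f'controls references undefined key "{k}"' for k in refs if k not in keys]
    return findings

# The two blocks as they appear in the template (section 1(1) above)
TEMPLATE_CONF = """\
key "rndc-key" {
    algorithm hmac-md5;
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""

if __name__ == "__main__":
    for f in audit_rndc(TEMPLATE_CONF):
        print("finding:", f)
```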
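Because the default_log channel in section 1(3) prints time, category and severity on every line, TCPIP$NAMED_RUN.LOG can be summarized mechanically. This added example (not part of the README or the VSI product) parses constructed lines in that layout, counts queries per client and, for when "allow-query { clients; };" from section 1(2) is in effect, the lookups refused under the security category. The sample lines, addresses and the parse_line/summarize names are this example's own.

```python
import re
from collections import Counter

# Line layout produced by the default_log channel (print-time, print-category, print-severity)
LINE_RE = re.compile(r"^(?P<time>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+")

def parse_line(line):
    """Split one TCPIP$NAMED_RUN.LOG line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("ip") if c else None
    return rec

def summarize(lines):
    """Count queries per client, denied queries per client and lines per category."""
    queries, denied, by_cat, unparsed = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_cat[rec["category"]] += 1
        if rec["category"] == "queries":
            queries[rec["client"]] += 1
        elif rec["category"] == "security" and rec["msg"].endswith("denied"):
            denied[rec["client"]] += 1    # refused by allow-query / the "clients" acl
    return {"queries": queries, "denied": denied, "by_category": by_cat, "unparsed": unparsed}

# Constructed sample lines in the layout of TCPIP$NAMED_RUN.LOG (not a real capture)
SAMPLE_LOG = """\
03-Dec-2021 11:28:07.101 queries: info: client @0x8a3f10 10.10.116.5#51234 (ftp.local): query: ftp.local IN A +E(0)K (10.10.116.187)
03-Dec-2021 11:28:07.240 queries: info: client @0x8a3f10 10.10.116.5#51235 (www.local): query: www.local IN A + (10.10.116.187)
03-Dec-2021 11:28:09.002 security: info: client @0x8a4210 198.51.100.7#40022 (example.com): query (cache) 'example.com/A/IN' denied
03-Dec-2021 11:28:09.410 security: info: client @0x8a4210 198.51.100.7#40023 (example.net): query (cache) 'example.net/A/IN' denied
03-Dec-2021 11:28:10.000 general: info: received control channel command 'reload'
03-Dec-2021 11:28:10.020 queries: info: client @0x8a3f10 10.10.116.5#51236 (ftp.local): query: ftp.local IN AAAA + (10.10.116.187)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```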
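The local.zone file in section 2[3] relies on zone-file conventions that are easy to get wrong when editing by hand: $ORIGIN and $TTL, a parenthesised multi-line SOA, and records whose blank owner field inherits the previous owner (the second A record for ftp). This added example, not from the README, parses such a file and checks that every NS target has an A record in the zone before you run rndc reload; the cut-down SAMPLE_ZONE and the parse_zone/check_glue names are constructed here.

```python
def _fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples for a zone file such as local.zone."""
    origin, default_ttl, owner, records, buf, depth, indented = ".", None, None, [], [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip():
            continue
        if not buf:                                 # first physical line of a record
            indented = raw[0].isspace()
        depth += line.count("(") - line.count(")")  # '( ... )' continues the record
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue
        toks, buf = " ".join(buf).split(), []
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks[0] == "$TTL":
            default_ttl = int(toks[1])
        else:
            if not indented:                        # a blank owner field inherits the previous owner
                owner = _fqdn(toks.pop(0), origin)
            ttl = int(toks.pop(0)) if toks[0].isdigit() else default_ttl
            if toks[0] == "IN":
                toks.pop(0)
            rtype, rdata = toks[0], toks[1:]
            if rtype in ("NS", "CNAME"):            # qualify relative target names
                rdata[0] = _fqdn(rdata[0], origin)
            records.append((owner, ttl, rtype, " ".join(rdata)))
    return records

def check_glue(records):
    """Flag NS targets with no A record in the zone (dig would show no ADDITIONAL glue)."""
    addrs = {o for o, _, t, _ in records if t == "A"}
    return [f"NS {r} has no A record in the zone" for _, _, t, r in records if t == "NS" and r not in addrs]

# Constructed cut-down copy of local.zone from section 2[3] above
SAMPLE_ZONE = """\
$ORIGIN local.
$TTL 86400
@       IN SOA dns1.local. hostmaster.abcd.efgh.com. ( 2001072503 ; serial
            21600 3600 604800 86400 )            ; refresh retry expire minimum
        IN NS dns1.local.
dns1    IN A 11.0.1.1
ftp     IN A 11.0.1.3
        IN A 11.0.1.4
www     IN CNAME server1
"""
```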
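The key file names in section 2[4] (Klocal.010-35162, Klocal.010-35163) encode the algorithm number (010 = RSASHA512) and the key tag, which is how an administrator confirms which file is the KSK to pass to dnssec_signzone -k. This added example (not VSI code) computes the RFC 4034 key tag from a DNSKEY record line, classifies it as KSK or ZSK from its flags, and derives the expected file name; the DNSKEY lines with a dummy 4-byte key are constructed, and key_tag/describe_dnskey are this example's own names.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def describe_dnskey(line):
    """Parse one DNSKEY presentation line (as stored in a K<zone>.<alg>-<tag>_KEY file)
    and return (role, tag, expected_file) using the file naming shown in the README."""
    toks = line.split()
    if "DNSKEY" not in toks:
        raise ValueError("not a DNSKEY record")
    i = toks.index("DNSKEY")
    owner = toks[0]
    flags, protocol, algorithm = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit is set on the key made with -f KSK
    if not flags & 0x0100:
        role = "not a zone key"
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return role, tag, f"K{owner.rstrip('.')}.{algorithm:03d}-{tag:05d}_KEY"

# Constructed samples with a dummy 4-byte public key (real RSASHA512 keys are far longer)
SAMPLE_KSK = "local. IN DNSKEY 257 3 10 AQIDBA=="
SAMPLE_ZSK = "local. IN DNSKEY 256 3 10 AQIDBA=="

if __name__ == "__main__":
    for rec in (SAMPLE_KSK, SAMPLE_ZSK):
        print(describe_dnskey(rec))
```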