mirror of https://git.FreeBSD.org/src.git, synced 2025-01-20 15:43:16 +00:00
Files gone from 8.2.2.p5
parent 0e460bd389
commit bf49e5ccac

Notes (svn2git, 2020-12-20 02:59:44 +00:00):
svn path=/head/; revision=53917
@ -1,28 +0,0 @@
|
||||
/*
|
||||
* Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS
|
||||
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION
|
||||
* SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
||||
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
||||
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
||||
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
||||
* SOFTWARE.
|
||||
*
|
||||
* Trusted Information Systems, Inc. has received approval from the
|
||||
* United States Government for export and reexport of TIS/DNSSEC
|
||||
* software from the United States of America under the provisions of
|
||||
* the Export Administration Regulations (EAR) General Software Note
|
||||
* (GSN) license exception for mass market software. Under the
|
||||
* provisions of this license, this software may be exported or
|
||||
* reexported to all destinations except for the embargoed countries of
|
||||
* Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
|
||||
* or reexport of TIS/DNSSEC software to the embargoed countries
|
||||
* requires additional, specific licensing approval from the United
|
||||
* States Government.
|
||||
*/
|
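Review bot: this hunk deletes a file that consists of nothing but the TIS copyright, permission and export-control notice (from `* Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.` down to `* States Government.`), and the README removed later in this same commit requires that this notice "is retained in all software modules in which it appears". Before dropping it, grep the remaining tree for "Trusted Information Systems" and confirm that no TIS-derived source file is left behind that the notice was meant to cover; if nothing remains, the deletion is correct, and a one-line statement of that in the commit message would spare the next reader the same search.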
@ -1,155 +0,0 @@
|
||||
|
||||
INSTALL_SEC
|
||||
|
||||
Bind with Secure DNS (TIS/DNSSEC)
|
||||
Version 1.3.0 Beta
|
||||
September 1996
|
||||
|
||||
This version has been compiled and tested on SUNOS 4.1.3,
|
||||
FreeBSD-2.1.5-REL and Linux 2.0.11.
|
||||
There may be still be portability problems.
|
||||
If you have access to other hardware platforms please let us know if
|
||||
there are any problems porting and send us patches, to include in
|
||||
future releases.
|
||||
|
||||
This version of secure Bind uses RSAREF-2.0 library from RSA,
|
||||
First you should get/read the RSAREF FAQ
|
||||
http://www.consensus.com/rsaref-faq.html
|
||||
Then you can copy RSAREF from
|
||||
ftp://ftp.rsa.com/rsaref/README
|
||||
|
||||
You need to read this README file carefully for further instructions.
|
||||
|
||||
Installation: (this version is based on 4.9.4-REL-P1).
|
||||
|
||||
1. The tar ball will create a directory sec_bind in the current directory
|
||||
untar the archive
|
||||
The content of the sec_bind directory has the same directory
|
||||
structure as bind distribution with the addition of the directories
|
||||
dnssec_lib/ and signer/, some named directories have been
|
||||
deleted from the distribution.
|
||||
|
||||
dnssec_lib/ contains the library files for signature generation
|
||||
signer/ contains tools for signing bind boot files and
|
||||
generating keys.
|
||||
|
||||
In addition, there is a new file, "res/res_sign.c", which
|
||||
contains library routines that are required in the resolver
|
||||
for displaying new RR types.
|
||||
|
||||
You need to tailor sec_bind/Makefile to your system as you do
|
||||
with bind distributions.
|
||||
|
||||
The sec_bind distribution expects to find RSAREF in the
|
||||
rsaref/ subdirectory. If you install RSAREF in a different
|
||||
place you can place a pointer to the RSAREF installation
|
||||
directory in place of sec_bind/rsaref.
|
||||
|
||||
sec_bind/Makefile expects to find the RSAREF library file
|
||||
at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution
|
||||
does not contain that directory. If you are installing RSAREF
|
||||
for the first time create that directory copy the correct
|
||||
Makefile from the appropriate rsaref/install/ subdirectory.
|
||||
Sec_bind will compile RSAREF for you.
|
||||
|
||||
We recommend that you use an ANSI C compliant compiler to
|
||||
compile this distribution.
|
||||
|
||||
2. Follow Bind installation guidelines on your system
|
||||
|
||||
Set your normal configuration in conf/options.h with the
|
||||
following exceptions/additions:
|
||||
ROUND_ROBIN must be OFF (for right now)
|
||||
DNS_SECURITY must be ON
|
||||
RSAREF must be ON if you have a copy of RSAREF.
|
||||
This version of sec_bind does not work well without RSAREF.
|
||||
|
||||
3. make
|
||||
If you are going to use make install everything will work right
|
||||
out of the box. If you are going to run programs out of the
|
||||
sec_bind directory you need to set the DESTEXEC variables
|
||||
accordingly.
|
||||
|
||||
4. Once everything compiles you can run the simple test that is include in
|
||||
the distribution.
|
||||
|
||||
First you need to edit the file signer/simple_test/test.boot to
|
||||
set directory directive to the full path of the directory this
|
||||
file is in.
|
||||
|
||||
Now the signer program can be run to sign the simple_test data.
|
||||
The signed zone will be written to /tmp
|
||||
% cd sec_bind/signer
|
||||
% make test
|
||||
The passwords for the keys in the distribution are:
|
||||
Key: Password:
|
||||
foo.bar foo.bar
|
||||
mobile.foo.bar mobile
|
||||
fix.foo.bar fix.foo.bar
|
||||
sub.foo.bar sub.foo.bar
|
||||
some.bar some.bar
|
||||
|
||||
Notice the differences between simple_test/test.boot and
|
||||
/tmp/test.boot. The pubkey directive are required for correct
|
||||
behavior of new named.
|
||||
|
||||
To check the if named can read the new zone files and verify
|
||||
the signatures run following commands
|
||||
% cd ../named
|
||||
% make test
|
||||
|
||||
Exit/error code 66 indicates that program completed normally
|
||||
in "load-only" mode (new -l flag).
|
||||
|
||||
If you want to load up named run same command as make test does
|
||||
without -l flag. (the -d 3 flag is to make sure the process
|
||||
does not do a fork).
|
||||
% ./named -p 12345 -b /tmp/test.boot -d 3
|
||||
|
||||
% cd ../tools
|
||||
% ./dig @localhost snore.foo.bar. -p 12345
|
||||
This should return an A record + SIG(A) record
|
||||
% ./dig @localhost no_such_name.foo.bar. -p 12345
|
||||
This should return a NXT record +SIG(NXT) for *.foo.bar.
|
||||
|
||||
You can also test against our nameserver for zone sd-bogus.tis.com
|
||||
the host is uranus.hq.tis.com(192.94.214.95)
|
||||
% ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa
|
||||
will return the SOA and SIG(SOA) + KEY
|
||||
% ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb
|
||||
will return NXT for sd-bogus.tis.com
|
||||
% ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns
|
||||
will NS +KEY for foo.sd-bog.tis.com.
|
||||
|
||||
5. Converting your setup to secure DNS zones.
|
||||
need to create a key for your zone.
|
||||
If you have a copy of the last release of sec_bind the key file
|
||||
format has changed and you need to regenerate all your keys, Sorry.
|
||||
The new format for private key files is portable between
|
||||
different architectures and operating systems, the encryption
|
||||
of the key file is compatible with the des program.
|
||||
|
||||
To generate key use sec_bind/signer/key_gen. To generate zone key
|
||||
for name you.bar, with 512 bit modulus and exponent of 3,
|
||||
execute following command
|
||||
|
||||
% cd signer
|
||||
% ./key_gen -z -g 512 you.bar
|
||||
|
||||
key_gen will ask for an encryption password for the private
|
||||
key file, if you do not want to encrypt the key hit <Return>.
|
||||
The program will output resource record suitable for zone file.
|
||||
key_gen creates two files you.bar.priv and foo.bar.public.
|
||||
|
||||
If you want, at any time, to display the public key for foo.bar
|
||||
run key_gen without the -g flag or cat file foo.bar.public.
|
||||
key_gen without any flags will print out the usage information.
|
||||
key_gen has extensive error checking on flags.
|
||||
|
||||
To modify the flags field for an existing key run key_gen with
|
||||
the new flags but without the -g flag.
|
||||
|
||||
Note: The key above is suitable for signing records but not for
|
||||
encrypting data.
|
||||
|
||||
6. Send problems, fixes and suggestions to dns-security@tis.com.
|
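Review bot: this file publishes the passwords of the five sample private keys in signer/simple_test in plain text (`foo.bar foo.bar`, `mobile.foo.bar mobile`, `fix.foo.bar fix.foo.bar`, ...), so deleting the documentation should be paired with deleting the key files themselves if they are still anywhere in the tree; a private key whose password has been printed in a README is fit for nothing but the test it shipped with. The file also tells the reader to query a third-party host, `uranus.hq.tis.com(192.94.214.95)`, and states `Installation: (this version is based on 4.9.4-REL-P1)`, so none of its instructions apply to the 8.2.2 tree this commit tracks; removal is right.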
@ -1,93 +0,0 @@
|
||||
|
||||
Secure DNS (TIS/DNSSEC)
|
||||
September 1996
|
||||
|
||||
Copyright (C) 1995,1996 Trusted Information Systems, Incorporated
|
||||
|
||||
Trusted Information Systems, Inc. has received approval from the
|
||||
United States Government for export and reexport of TIS/DNSSEC
|
||||
software from the United States of America under the provisions of
|
||||
the Export Administration Regulations (EAR) General Software Note
|
||||
(GSN) license exception for mass market software. Under the
|
||||
provisions of this license, this software may be exported or
|
||||
reexported to all destinations except for the embargoed countries of
|
||||
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
|
||||
or reexport of TIS/DNSSEC software to the embargoed countries
|
||||
requires additional, specific licensing approval from the United
|
||||
States Government.
|
||||
|
||||
Trusted Information Systems, Inc., is pleased to
|
||||
provide a reference implementation of the secure Domain Name System
|
||||
(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide
|
||||
the community with a usable, working version of this technology,
|
||||
TIS/DNSSEC is being made available for broad use on the following basis.
|
||||
|
||||
- Trusted Information Systems makes no representation about the
|
||||
suitability of this software for any purpose. It is provided "as is"
|
||||
without express or implied warranty.
|
||||
|
||||
- TIS/DNSSEC is distributed in source code form, with all modules written
|
||||
in the C programming language. It runs on many UNIX derived platforms
|
||||
and is integrated with the Bind implementation of the DNS protocol.
|
||||
|
||||
- This beta version of TIS/DNSSEC may be used, copied, and modified for
|
||||
testing and evaluation purposes without fee during the beta test
|
||||
period, provided that this notice appears in supporting documentation
|
||||
and is retained in all software modules in which it appears. Any other
|
||||
use requires specific, written prior permission from Trusted Information
|
||||
Systems.
|
||||
|
||||
TIS maintains the email distribution list dns-security@tis.com for
|
||||
discussion of secure DNS. To join, send email to
|
||||
dns-security-request@tis.com.
|
||||
|
||||
TIS/DNSSEC technical questions and bug reports should be addressed to
|
||||
dns-security@tis.com.
|
||||
|
||||
To reach the maintainers of TIS/DNSSEC send mail to
|
||||
tisdnssec-support@tis.com
|
||||
|
||||
TIS/DNSSEC is a product of Trusted Information Systems, Inc.
|
||||
|
||||
This is an beta version of Bind with secure DNS extensions it uses
|
||||
RSAREF which you must obtain separately.
|
||||
|
||||
Implemented and tested in this version:
|
||||
Portable key storage format.
|
||||
Improved authentication API
|
||||
Support for using different authentication packages.
|
||||
All Security RRs including KEY SIG, NXT, and support for wild cards
|
||||
tool for generating KEYs
|
||||
tool for signing RRs in boot files
|
||||
verification of RRs on load
|
||||
verification of RRs over the wire
|
||||
transmission of SIG RRs
|
||||
returns NXT when name and/or type does not exist
|
||||
storage of NXT, KEY, and SIG RRs with CNAME RR
|
||||
AD/ID bits added to header and setting of these bits
|
||||
key storage and retrieval
|
||||
dig and nslookup can display new header bits and RRs
|
||||
AXFR signature RR
|
||||
keyfile directive
|
||||
$SIGNER directive (to turn on and off signing)
|
||||
adding KEY to answers with NS or SOA
|
||||
SOA sequence numbers are now set each time zone is signed
|
||||
SIG AXFR ignores label count of names
|
||||
generation and inclusion of .PARENT files
|
||||
Returns only one NXT at delegation points unless two are required
|
||||
Expired SIG records are now returned in response to query
|
||||
|
||||
Implemented but not fully tested:
|
||||
|
||||
Known bugs:
|
||||
|
||||
Not implemented:
|
||||
ROUND_ROBIN behaviour
|
||||
zone transfer in SIG(AXFR) sort order.
|
||||
transaction SIGs
|
||||
verification in resolver. (stub resolvers must trust local servers
|
||||
resolver library is to low level to implement security)
|
||||
knowing when to trust the AD bit in responses
|
||||
|
||||
Read files INSTALL_SEC and USAGE_SEC for installation and user
|
||||
instructions, respectively.
|
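Review bot: this README carries the licence terms for the TIS/DNSSEC beta (`may be used, copied, and modified for testing and evaluation purposes without fee during the beta test period`, with `Any other use requires specific, written prior permission`), which are narrower than the permission notice deleted in the first hunk; if any TIS-derived code survives this commit, these terms still govern it and the file should stay until that code is gone as well. The `Not implemented:` list (`verification in resolver`, `knowing when to trust the AD bit in responses`) also documents that this code never validated on the resolver side, which is worth stating in the commit message if the removal is meant to signal that the TIS design is no longer part of the tree.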
@ -1,215 +0,0 @@
|
||||
|
||||
USAGE_SEC
|
||||
Secure DNS (TIS/DNSSEC)
|
||||
September 1996
|
||||
|
||||
This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
|
||||
BETA-1.3. This looks like a standard named distribution, with
|
||||
the following exceptions
|
||||
|
||||
this version is coded against BIND-4.9.4-P1
|
||||
|
||||
there are three new directories in this distribution
|
||||
dnssec_lib
|
||||
signer
|
||||
rsaref
|
||||
|
||||
|
||||
rsaref/ is place holder directory for RSAREF distribution.
|
||||
You must get RSAREF on your own.
|
||||
|
||||
signer/ contains two applications needed by DNSSEC:
|
||||
signer: tool to sign zones
|
||||
key_gen: tool to generate keys
|
||||
dnssec_lib/ contains common library routines that are used by
|
||||
named, key_gen and signer.
|
||||
This is where most of the DNSSEC work is done.
|
||||
|
||||
Before compiling you need to do your standard configurations for named
|
||||
and the edits explained in INSTALL_SEC. This version has been tested
|
||||
on SUNOS4.1.3. This version includes portability fixes from previous
|
||||
beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.
|
||||
|
||||
CHANGES TO BIND
|
||||
|
||||
res/
|
||||
|
||||
There are minor changes to the files in the res directory. Most of
|
||||
the changes have to do with displaying NXT
|
||||
records. There are also some changes related to translating
|
||||
domain names into uncompressed lower case names upon request.
|
||||
|
||||
tools/
|
||||
Minor changes to recognize NXT records and display them.
|
||||
|
||||
named/
|
||||
Added code to read and write new record types.
|
||||
Added code to do signature validation on read.
|
||||
Added code to return appropriate SIG records.
|
||||
Added security flags to databuf and zoneinfo structures.
|
||||
Names can now have CNAME record and security RR's.
|
||||
Records are stored and transmitted in DNS SEC sort order.
|
||||
|
||||
conf/
|
||||
|
||||
Turned off ROUND_ROBIN option and installed new sorting required
|
||||
for signature verification.
|
||||
|
||||
signer/
|
||||
NXT record generation.
|
||||
Key generation
|
||||
Signing of zones
|
||||
Converting data records to format required for signatures.
|
||||
|
||||
dnssec_lib/
|
||||
Interfacing with Crypto library.
|
||||
Verifying signatures,
|
||||
preparing data for signing and verification
|
||||
|
||||
The role of <zone>.PARENT files:
|
||||
|
||||
DNSSEC specification requires change who is authorative for certain
|
||||
resource records. In order to support certification hierarchy each
|
||||
zone KEY RR must be signed by parent zone. The parent signed KEY RR
|
||||
must be distributed by the zone itself as it is the most authorative
|
||||
for its own records.
|
||||
|
||||
To facilitate this TIS/DNSSEC signer program creates a <name>.PARENT
|
||||
file for every name in a zone that has a NS record. This file contains
|
||||
the KEY records stored under this name and
|
||||
NXT record and corresponding SIG records. If no KEY record is found
|
||||
for a name with a NS record a NULL-KEY record is generated to indicate
|
||||
that the child is INSECURE.
|
||||
|
||||
Each <zone>.PARENT file must be sent via an out of band mechanism to
|
||||
the appropriate primary for the zone, for inclusion. signer program
|
||||
adds an $INCLUDE <zone>.PARENT command at the end of each zone file,
|
||||
if no file exists an warning message is printed.
|
||||
|
||||
Potential PROBLEM: It is likely that the parent and child are on a
|
||||
different signing schedule. If new <zone>.PARENT file is put on the
|
||||
primary, due to the fact that the zone data changed but the SOA did
|
||||
not, it may take a long time for new records to propagate to the
|
||||
secondaries. This is only a problem if zone has added/deleted a KEY
|
||||
or if the the signatures will expire in the near future. To overcome
|
||||
this problem, resign your zone when any of above conditions is true.
|
||||
DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.
|
||||
|
||||
TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of
|
||||
zone data to secondaries, signer takes over the management of SOA
|
||||
serial numbers. Each time signer signs a zone it sets the serial
|
||||
number to a value reflecting the time the zone was signed, in standard
|
||||
Unix time seconds since 1970/1/1 0:0:0 GMT.
|
||||
|
||||
How to configure a secure zone.
|
||||
Create a directory <zone> to contain your zone files.
|
||||
Create a output directory <outdir> for the signer output.
|
||||
Put in <zone> a boot file that includes the files from that zone.
|
||||
Create a KEY for the zone by running key_gen, Name the key <domain>.
|
||||
|
||||
Run signer on your zone writing to the output directory <outdir>.
|
||||
Signer will rewrite the boot file to include new directive
|
||||
"pubkey" of the key used to sign the file. If there where
|
||||
any pubkey declarations in the input boot file they will be
|
||||
deleted.
|
||||
Signer generates files that correspond to the load files specified.
|
||||
|
||||
In case of load file that $INCLUDEs another load file, signer will
|
||||
merge them to the output file.
|
||||
You will notice that the output files are significantly larger.
|
||||
The output files will be in a different order than the input files,
|
||||
all records are sorted into DNSSEC sort order.
|
||||
NXT and SIG records have been added.
|
||||
|
||||
If there are any NS records for a name other than the zone name of
|
||||
each input file you will see messages that NULL KEY records
|
||||
have been created, if this is not correct behavior, add
|
||||
the correct KEY RRs.
|
||||
For each domain name that has a NS record but is not a zone name
|
||||
of load file you will see a file named <name>.PARENT,
|
||||
this file contains the KEY record for that name and an
|
||||
NXT record + 2 SIG records.
|
||||
This file needs to be sent to the nameserver that is primary for that
|
||||
zone. There are two reasons for this:
|
||||
1. To support Certification Hierarchy, each zone key is
|
||||
signed by the parent zone key.
|
||||
2. Zone is the most trustworthy source for itself unless
|
||||
these records are loaded into the primary server for
|
||||
the zone, the records may not get propagated.
|
||||
|
||||
how to run SEC_NAMED:
|
||||
|
||||
Included in the distribution there is a small test setup:
|
||||
|
||||
# run signer
|
||||
./signer boot-f simple_test/test.boot [out-dir /tmp]
|
||||
# or
|
||||
make test
|
||||
# This takes few minutes to run depending on your machine and the size
|
||||
# of the key selected
|
||||
# all output files will be stored in /tmp unless out-dir is specified
|
||||
|
||||
#
|
||||
# Now we are ready to run named
|
||||
cd ../named
|
||||
./named -p 12345 -b /tmp/test.boot.save [-d x]
|
||||
|
||||
#
|
||||
# you can now check for data in the data base
|
||||
# using the new dig.
|
||||
#
|
||||
cd ../tools
|
||||
./dig @yourhost snore.foo.bar. any in -p 12345
|
||||
|
||||
#
|
||||
# Output from new dig will be something like this
|
||||
#
|
||||
; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
|
||||
; (1 server found)
|
||||
;; res options: init recurs defnam dnsrch
|
||||
;; got answer:
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
|
||||
;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
|
||||
;; QUESTIONS:
|
||||
;; snore.foo.bar, type = ANY, class = IN
|
||||
|
||||
;; ANSWERS:
|
||||
snore.foo.bar. 259200 A 10.17.3.20
|
||||
snore.foo.bar. 259200 SIG A (
|
||||
1 3; alg labels
|
||||
259200 ; TTL
|
||||
19950506200636 ; Signature expiration
|
||||
19950406200659 ; time signed
|
||||
47437 ; Key foot print
|
||||
foo.bar. ; Signers name
|
||||
FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
|
||||
) ; END Signature
|
||||
snore.foo.bar. 259200 MX 96 who.foo.bar.
|
||||
snore.foo.bar. 259200 MX 100 foo.bar.
|
||||
snore.foo.bar. 259200 MX 120 xxx.foo.bar.
|
||||
snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
|
||||
snore.foo.bar. 259200 MX 140 bozo.foo.bar.
|
||||
snore.foo.bar. 259200 SIG MX (
|
||||
1 3; alg labels
|
||||
259200 ; TTL
|
||||
19950506200636 ; Signature expiration
|
||||
19950406200659 ; time signed
|
||||
47437 ; Key foot print
|
||||
foo.bar. ; Signers name
|
||||
EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
|
||||
) ; END Signature
|
||||
snore.foo.bar. 259200 NXT xxx.foo.bar.
|
||||
snore.foo.bar. 259200 SIG NXT (
|
||||
1 3; alg labels
|
||||
259200 ; TTL
|
||||
19950506200636 ; Signature expiration
|
||||
19950406200659 ; time signed
|
||||
47437 ; Key foot print
|
||||
foo.bar. ; Signers name
|
||||
eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
|
||||
) ; END Signature
|
||||
|
||||
;; Total query time: 195 msec
|
||||
;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
|
||||
;; WHEN: Thu Apr 6 16:20:32 1995
|
||||
;; MSG SIZE sent: 31 rcvd: 662
|
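Review bot: USAGE_SEC documents `TIS/DNSSEC version BETA-1.3`, is `coded against BIND-4.9.4-P1`, and its sample `dig` output is dated `;; WHEN: Thu Apr 6 16:20:32 1995` with signatures expiring `19950506200636`, so it describes a design (KEY/SIG/NXT records, `<zone>.PARENT` files handed to the parent out of band, the signer overwriting the SOA serial with the signing time) that the 8.2.2 tree no longer ships; deleting it is correct. The commit message, "Files gone from 8.2.2.p5", does not name the removed files; please list INSTALL_SEC, USAGE_SEC and the other two paths there so a later reader searching for them can find this change.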