Dns Security; For More Information - Novell LINUX ENTERPRISE SERVER 11 - ADMINISTRATION Administration Manual

Add TSIG keys for any ACLs (access control lists, not to be confused with file system
ACLs) that are defined for IP addresses and address ranges to enable transaction secu-
rity. The corresponding entry could look like this:
allow-update { key host1-host2. ;};
This topic is discussed in more detail in the BIND Administrator Reference Manual
under update-policy.

21.9 DNS Security

DNSSEC, or DNS security, is described in RFC 2535. The tools available for DNSSEC
are discussed in the BIND Manual.
A zone considered secure must have one or several zone keys associated with it. These
are generated with dnssec-keygen, just like the host keys. The DSA encryption
algorithm is currently used to generate these keys. The public keys generated should
be included in the corresponding zone file with an $INCLUDE rule.
With the command dnssec-makekeyset, all keys generated are packaged into one
set, which must then be transferred to the parent zone in a secure manner. On the parent,
the set is signed with dnssec-signkey. The files generated by this command are
then used to sign the zones with dnssec-signzone, which in turn generates the
files to include for each zone in /etc/named.conf.

21.10 For More Information

For additional information, refer to the BIND Administrator Reference Manual from
package bind-doc, which is installed under /usr/share/doc/packages/
bind/. Consider additionally consulting the RFCs referenced by the manual and the
manual pages included with BIND. /usr/share/doc/packages/bind/README
.SuSE contains up-to-date information about BIND in SUSE Linux Enterprise Server.
302 Administration Guide