When NAMED is configured, the following options allow access to the name server's data to be restricted on security grounds:
The allow-query option of the options statement enables the authorization to send requests to the name server to be restricted to individual hosts.
The allow-transfer option of the options statement enables the authorization to receive zone data from the name server to be restricted to individual hosts.
The allow-update option of the zone statement enables the option of dynamic data update to be restricted to individual hosts on a zone-specific basis.
TSIG
A further security mechanism is provided by the Transaction SIGnatures (TSIG). These support server-to-server communication, including zone transfer, notify and recursive queries.
TSIG is key-based and is applied to communication between two DNS name servers. A key is first generated (automatically or manually) and shared by the two servers. Transfer and use of the key are controlled by entries in the servers' configuration files.
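The following named.conf fragment is an added example, not taken from the original document, showing the allow-query, allow-transfer and allow-update options together with a TSIG key shared with a secondary server. The host addresses, zone name and key names are assumptions; the secrets are constructed placeholders.

```conf
// Added example: restrict queries, zone transfers and dynamic updates,
// and authenticate the secondary server with TSIG.
// Addresses, zone and key names are assumptions; secrets are placeholders.

// Hosts that are allowed to send queries at all (assumed addresses).
acl "internal-clients" { 192.0.2.0/24; 198.51.100.10; };

// One key per function keeps privileges separate: a peer holding the
// transfer key cannot use it to update the zone. Replace both secrets
// with values generated by tsig-keygen; these are placeholders only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1yZXBsYWNlLW1l";
};
key "update-key" {
    algorithm hmac-sha256;
    secret "dXBkYXRlLXNlY3JldC1yZXBsYWNlLW1l";
};

// Every message sent to the secondary (assumed address) is signed with xfer-key.
server 198.51.100.10 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    pid-file  "/var/run/named/named.pid";
    // Only internal clients may query; no zone may be transferred unless a
    // zone statement explicitly allows it.
    allow-query    { "internal-clients"; };
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Zone transfer only to a peer that signs with xfer-key (not by address,
    // which can be spoofed).
    allow-transfer { key "xfer-key"; };
    // Dynamic updates only when signed with update-key.
    allow-update   { key "update-key"; };
};
```

Check the result with named-checkconf before reloading; a zone transfer from an unsigned client should then be refused in the log while a signed one succeeds.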
A detailed description of the function of TSIG is provided in the “BIND9 Administrator Reference Manual” of the Internet Software Consortium.
DNSSEC
The DNS Security Extensions (DNSSEC) permit cryptographic authentication of DNS information. They are defined in RFC 2535.
DNSSEC uses public-key cryptography. This enables zone administrators to sign the zone data digitally and to authenticate themselves. The administrators of the parent zone and the child zone must communicate with each other in order to exchange the keys and signatures.
DNSSEC provides the following tools among other things:
dnssec-keygen for key generation
dnssec-signzone for signing a zone
A detailed description of the function of DNSSEC is provided in the “BIND9 Administrator Reference Manual” of the Internet Software Consortium.
Executing NAMED without root authorization
By default, NAMED is executed with root authorization. To prevent an intruder from gaining full access to the file system or executing commands under the root ID in the event of a security problem in the software, NAMED can also be run without root authorization. The parameter USERID in /etc/default/TCP-IP-SV.named enables you to run NAMED under any user ID. We recommend that you specify a user ID with the lowest possible privileges for USERID.
The user ID defined in USERID must be given read and write permission for the working files whose locations are specified by the directory and pidfile entries in the configuration file named.conf.