Bind9 Security
From: https://www.zytrax.com/books/dns/ch7/security.html
DNS BIND Security Statements
This section describes the statements available in BIND 9.x relating to
security.
disable-algorithms
disable-algorithms domain { algorithm; ...; };
disable-algorithms "." { "NSEC3RSASHA1"; "DH"; };
// disables the NSEC3RSASHA1 and DH algorithms for all domains
disable-algorithms is only applicable to recursive name servers (full service
resolvers) and allows the user to inhibit the use of one or more algorithms when
validating RRSIG RR(s). The domain parameter defines the scope, for example, "."
indicates all domains, "net" would cover all domains in the net TLD and
"example.com" would cover a single domain. Multiple disable-algorithms
statements may be included. algorithm may take one of the currently supported
algorithms from the list RSAMD5, RSA, DH, DSA, NSEC3DSA, ECC, RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384.
If the disabled algorithm is the only one supported by any signed zone then the
zone will not be validated and the zone's results will be marked "insecure".
This statement may only be used in a global options clause.
disable-ds-digests
disable-ds-digests domain { digest; ...; };
disable-ds-digests "net" { "SHA-256"; };
// disables the SHA-256 digest for .net TLD only
disable-ds-digests is only applicable to recursive name servers (full service
resolvers) and allows the user to inhibit the use of one or more digests when
validating a DS (or DLV) RR(s). The domain parameter defines the scope, for
example, "." indicates all domains, "net" would cover all domains in the net TLD
and "example.com" would cover a single domain. Multiple disable-ds-digests
statements may be included. digest may take one of the currently supported
algorithms from the list SHA-1, SHA-256, GOST, SHA-384. If the disabled digest
is the only one supported by any signed zone then verifying secure delegation
for the zone is not possible and the zone's results will be marked "insecure".
This statement may only be used in a global options clause.
dnssec-enable
dnssec-enable ( yes | no );
dnssec-enable no;
dnssec-enable indicates that a secure DNS service is being used, which may be
one or more of TSIG (for securing zone transfers or DDNS updates), SIG(0) (for
securing DDNS updates) or DNSSEC. Since BIND 9.5 the default value is
dnssec-enable yes;. This statement may be used in a view or global options clause.
dnssec-validation
dnssec-validation ( yes | no );
dnssec-validation no;
dnssec-validation indicates that a resolver (a caching or caching-only name
server) will attempt to validate replies from DNSSEC enabled (signed) zones. To
perform this task the server also needs either a valid trusted-keys clause
(containing one or more trust anchors) or a managed-keys clause. Since 9.5 the
default value is dnssec-validation yes;. This statement may be used in a view or
global options clause.
max-rsa-exponent-size
max-rsa-exponent-size bits;
max-rsa-exponent-size 2048;
// allows maximum RSA keys of 2048 bits
max-rsa-exponent-size is only applicable to recursive name servers (full service
resolvers) and allows the user to define the maximum number of bits in the RSA
key when validating RRSIG RR(s). bits may be in the range 35 to 4096, with the
value 0 (the default) indicating 4096. If any signed zone uses an RSA algorithm
with a key size greater than bits then the zone will not be validated and the
zone's results will be marked "insecure". This statement may only be used in a
global options clause.
random-device
random-device "path_to_device";
random-device "/dev/random";
Defines a source of randomness (or entropy) within the system. Defaults to
/dev/random. This device is needed for DNSSEC operations such as TKEY
transactions and dynamic update of signed zones. Operations requiring entropy
will fail when the specified source has been exhausted. The random-device option
takes effect during the initial configuration load at server startup time and is
ignored on subsequent reloads. This statement may only be used in a global
options clause.
sig-validity-interval
sig-validity-interval days ;
sig-validity-interval 60 ;
sig-validity-interval specifies the number of days into the future when DNSSEC
signatures automatically generated as a result of dynamic updates will expire.
The default is 30 days. The maximum value is 10 years (3660 days). The signature
inception time is unconditionally set to one hour before the current time to
allow for a limited amount of clock skew. This statement may be used in a zone
or a global options clause.
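As an added example (not from the zytrax page and not part of BIND), the Python script below extracts the security statements described above from a constructed options clause and reports the settings a resolver operator would want to review; the sample configuration, the finding wording and the statement ranges (taken from the values this page states) are this example's own assumptions.

```python
import re
# Constructed sample options clause (an assumption for this example, not text from the page).
SAMPLE_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation no;
    disable-algorithms "." { "NSEC3RSASHA1"; "DH"; };
    disable-ds-digests "net" { "SHA-256"; };
    max-rsa-exponent-size 2048;
    random-device "/dev/random";
    sig-validity-interval 60 ;
};
"""

MAX_SIG_VALIDITY_DAYS = 3660       # the page's 10-year upper bound for sig-validity-interval
RSA_EXPONENT_BITS = (35, 4096)     # allowed max-rsa-exponent-size range; 0 means 4096

# statement name, optional quoted domain scope, then a { list } or a bare value, then ';'
STMT_RE = re.compile(
    r'(disable-algorithms|disable-ds-digests|dnssec-enable|dnssec-validation|'
    r'max-rsa-exponent-size|random-device|sig-validity-interval)\s+'
    r'(?:("[^"]*")\s*)?(?:\{([^}]*)\}|([^;{]+?))\s*;')

def parse_security_statements(conf):
    """Map each statement to its value; disable-* statements map to [(domain, [names]), ...]."""
    found = {}
    for name, domain, items, value in STMT_RE.findall(conf):
        if name.startswith('disable-'):
            names = [i.strip().strip('"') for i in items.split(';') if i.strip()]
            found.setdefault(name, []).append((domain.strip('"'), names))
        else:
            found[name] = (value or domain).strip().strip('"')
    return found

def lint(conf):
    """Return findings a resolver operator would want to review (empty list = clean)."""
    s, out = parse_security_statements(conf), []
    if s.get('dnssec-validation', 'yes') == 'no':          # default is yes since 9.5
        out.append('dnssec-validation no: replies from signed zones are not validated')
    days = int(s.get('sig-validity-interval', 30))          # default 30 days
    if not 1 <= days <= MAX_SIG_VALIDITY_DAYS:
        out.append(f'sig-validity-interval {days}: outside 1..{MAX_SIG_VALIDITY_DAYS} days')
    bits = int(s.get('max-rsa-exponent-size', 0)) or RSA_EXPONENT_BITS[1]
    if not RSA_EXPONENT_BITS[0] <= bits <= RSA_EXPONENT_BITS[1]:
        out.append(f'max-rsa-exponent-size {bits}: outside {RSA_EXPONENT_BITS[0]}..{RSA_EXPONENT_BITS[1]}')
    # a disabled algorithm/digest that is the only one a zone uses makes that zone "insecure"
    for stmt in ('disable-ds-digests', 'disable-algorithms'):
        for domain, names in s.get(stmt, []):
            out.append(f'{stmt} "{domain}": zones relying only on {"/".join(names)} become insecure')
    return out
```

Running `lint(SAMPLE_CONF)` reports the disabled validation plus one line per disable-* scope; a configuration using the page's defaults yields an empty list.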