ISC Logo

In-depth details on the tools and "Smart Sign" functionality in Bind 9.7.0

The last article discussed the basics of the BIND 9.7.0 "Smart Sign" feature. In this article, we expose additional functionality that has been incorporated into the software to make it much simpler to sign, operate, and maintain DNSSEC signed zones.  This article will help tie in some of the information provided in the previous article, Bind 9.7.0 - Part 2, New DNSSEC key metadata.  Bind 9.7.0 takes an interesting approach to automating DNSSEC key lifecycle maintenance, leveraging local Dynamic DNS enabled zo...

Read More...

DNSSEC Improved Smart Signing

/ DNS, DNSSEC, BIND, BIND 9.7

ISC Logo

DNSSEC keys are now automatically imported directly into the zone using the new Smart Signing feature introduced in BIND 9.7.0

In our previous article, we covered how BIND 9.7.0 embeds timing metadata directly in DNSSEC keys as its method for DNSSEC key lifecycle management. In this article, we discuss the new BIND 9.7.0 Smart Signing feature and how it improves and simplifies the process of signing a single zone. 

With all the DNSSEC related changes in BIND 9.7.0, it should come as no surprise that many of the BIND-provided utilities have been updated, and a few new ones have been a...

Read More...

DNSSEC new key metadata

/ DNS, DNSSEC, BIND, BIND 9.7

ISC Logo

DNSSEC private key file format has been extended to contain key timing metadata, allowing the administrator to schedule when a key will be scheduled, published, and revoked.

One of the most glaring new features to Bind 9.7.0 is in the area of DNSSEC key lifecycle management, which includes the generation, publication, revocation, and eventual deletion of DNSSEC keys as it pertains to signing zones and performing DNSSEC key rollover. Presently, there are a number of different DNSSEC tools frameworks such as DNSSEC-TOOLS and OpenDNSSEC which have their own suite of scripts, services, and...

Read More...

DNSSEC Overview

/ DNS, DNSSEC, BIND, BIND 9.7

ISC BIND Logo

The release of BIND 9.7.0 has been called the "DNSSEC for Humans" because it offers significant leaps in functionality and automation that is more simple to use.

To date, implementing DNSSEC using ISC Bind was manually intensive and complicated at best.  Following the general availability of Bind 9.7.0 on 02-16-2010, the task is not nearly as daunting. In this article we review at a high level, some of the new changes, features, and enhancements that have been incorporated in Bind 9.7.0 in support of DNSSEC.  This several part series will cover:

  • New DNSSEC key metadata and lifecycl...

Read More...

Perl Programming Language Logo

Eight (8) Log::Log4perl recipes that can be used to enhance debugging, reporting and visibility of your Perl scripts.

The Log::Log4perl is a Perl logging API port of the Log4J Java logging API. It's very comprehensive and is used in a large number of the scripts, tools, and applications that have been developed by Netlinx, Inc. In this article, we provide recipes for the following:

  1. Initializing Log4perl with a config file vs in-line
  2. Output messages to file and screen using appenders
  3. Log events and messages to a database
  4. Logging messages to Syslog
  5. Have different applications...

Read More...

Anycast DNS - Using BGP

/ DNS, BIND, Anycast, DDI

Anycast DNS

In this fifth article on Anycast DNS, we provide some examples of deploying Anycast using Border Gateway Protocol or BGP, the core routing protocol of the Internet.

While BGP is mostly used by Internet Service Providers (ISPs), it is also used in some of the larger enterprise environments that must interconnect networks that span geographical and/or administrative regions and boundaries. Since BGP is a very complex routing protocol, we will provide only a basic recipe using Cisco and Quagga host-based routing software. A detailed discussion of the BGP protocol is beyond the scope of th...

Read More...

Anycast DNS

In this continuation of the fourth article, we improve the design with enhanced security, performance, and efficiency.

Our configuration consists of two OSPF areas 51 and 52, containing an Anycast DNS server, and pair of Cisco Routers connected to the backbone area 0.0.0.0. The Anycast DNS servers are configured with Quagga, running the OSPF routing protocol engine, this is used to advertise our two (2) Anycast DNS VIPs, 192.168.0.1/32 and 192.168.1.1/32 into the OSPF routed network. The diagram below focuses on our "fictitious" area 51:

Anycast DNS using OSPF layout

As mentioned, we'll provide additional "...

Read More...

Anycast DNS Using OSPF

/ DNS, BIND, Anycast, DDI

Anycast DNS

The fourth article in our Anycast DNS series covers Anycast DNS using Open Shortest Path First or OSPF routing protocol.

OSPF is a dynamic routing protocol used to build larger scale IP networks. It differs from RIP, because it is a link-state routing protocol and falls into the group of Interior Gateway Protocols that operate within a single Autonomous System or AS. OSPF is a link-state routing protocol that runs Dijkstra's algorithm to calculate the shortest path to other networks. Taking the bandwidth of the network links into account, it uses cost as its metric. OSPF works by devel...

Read More...