path: root/contrib/bind/doc/secure
author: peter <peter@FreeBSD.org> 1998-05-03 04:11:49 +0000
committer: peter <peter@FreeBSD.org> 1998-05-03 04:11:49 +0000
commit: 0666320b4eda500556d2c671c9527c9000057492
tree: 759849259eae9f7cb0d3ddbd7a131081c6688068 /contrib/bind/doc/secure
parent: 58ca52f41726d17758909ddafba7b6b6766c789c
Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on
final release. Obtained from: ftp.isc.org
Diffstat (limited to 'contrib/bind/doc/secure')
-rw-r--r--  contrib/bind/doc/secure/copyright.txt   28
-rw-r--r--  contrib/bind/doc/secure/install.txt    155
-rw-r--r--  contrib/bind/doc/secure/readme.txt      93
-rw-r--r--  contrib/bind/doc/secure/usage.txt      215
4 files changed, 491 insertions, 0 deletions
diff --git a/contrib/bind/doc/secure/copyright.txt b/contrib/bind/doc/secure/copyright.txt
new file mode 100644
index 0000000..cc38356
--- /dev/null
+++ b/contrib/bind/doc/secure/copyright.txt
@@ -0,0 +1,28 @@
+/*
+ * Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION
+ * SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ *
+ * Trusted Information Systems, Inc. has received approval from the
+ * United States Government for export and reexport of TIS/DNSSEC
+ * software from the United States of America under the provisions of
+ * the Export Administration Regulations (EAR) General Software Note
+ * (GSN) license exception for mass market software. Under the
+ * provisions of this license, this software may be exported or
+ * reexported to all destinations except for the embargoed countries of
+ * Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
+ * or reexport of TIS/DNSSEC software to the embargoed countries
+ * requires additional, specific licensing approval from the United
+ * States Government.
+ */
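Review bot: the export-control paragraph (from `Trusted Information Systems, Inc. has received approval` through `States Government.`) is repeated word for word in readme.txt in this same commit; keep one copy and reference it from the other file so the two notices cannot drift apart. The file is also named copyright.txt but its whole body is wrapped in C block-comment delimiters (`/*` ... `*/`), which suggests it was pasted from a source header; drop the delimiters for a plain-text notice.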
diff --git a/contrib/bind/doc/secure/install.txt b/contrib/bind/doc/secure/install.txt
new file mode 100644
index 0000000..bb5bc94
--- /dev/null
+++ b/contrib/bind/doc/secure/install.txt
@@ -0,0 +1,155 @@
+
+INSTALL_SEC
+
+ Bind with Secure DNS (TIS/DNSSEC)
+ Version 1.3.0 Beta
+ September 1996
+
+This version has been compiled and tested on SUNOS 4.1.3,
+FreeBSD-2.1.5-REL and Linux 2.0.11.
+There may be still be portability problems.
+If you have access to other hardware platforms please let us know if
+there are any problems porting and send us patches, to include in
+future releases.
+
+This version of secure Bind uses RSAREF-2.0 library from RSA,
+First you should get/read the RSAREF FAQ
+ http://www.consensus.com/rsaref-faq.html
+Then you can copy RSAREF from
+ ftp://ftp.rsa.com/rsaref/README
+
+You need to read this README file carefully for further instructions.
+
+Installation: (this version is based on 4.9.4-REL-P1).
+
+1. The tar ball will create a directory sec_bind in the current directory
+ untar the archive
+ The content of the sec_bind directory has the same directory
+ structure as bind distribution with the addition of the directories
+ dnssec_lib/ and signer/, some named directories have been
+ deleted from the distribution.
+
+ dnssec_lib/ contains the library files for signature generation
+ signer/ contains tools for signing bind boot files and
+ generating keys.
+
+ In addition, there is a new file, "res/res_sign.c", which
+ contains library routines that are required in the resolver
+ for displaying new RR types.
+
+ You need to tailor sec_bind/Makefile to your system as you do
+ with bind distributions.
+
+ The sec_bind distribution expects to find RSAREF in the
+ rsaref/ subdirectory. If you install RSAREF in a different
+ place you can place a pointer to the RSAREF installation
+ directory in place of sec_bind/rsaref.
+
+ sec_bind/Makefile expects to find the RSAREF library file
+ at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution
+ does not contain that directory. If you are installing RSAREF
+ for the first time create that directory copy the correct
+ Makefile from the appropriate rsaref/install/ subdirectory.
+ Sec_bind will compile RSAREF for you.
+
+ We recommend that you use an ANSI C compliant compiler to
+ compile this distribution.
+
+2. Follow Bind installation guidelines on your system
+
+ Set your normal configuration in conf/options.h with the
+ following exceptions/additions:
+ ROUND_ROBIN must be OFF (for right now)
+ DNS_SECURITY must be ON
+ RSAREF must be ON if you have a copy of RSAREF.
+ This version of sec_bind does not work well without RSAREF.
+
+3. make
+ If you are going to use make install everything will work right
+ out of the box. If you are going to run programs out of the
+ sec_bind directory you need to set the DESTEXEC variables
+ accordingly.
+
+4. Once everything compiles you can run the simple test that is include in
+ the distribution.
+
+ First you need to edit the file signer/simple_test/test.boot to
+ set directory directive to the full path of the directory this
+ file is in.
+
+ Now the signer program can be run to sign the simple_test data.
+ The signed zone will be written to /tmp
+ % cd sec_bind/signer
+ % make test
+ The passwords for the keys in the distribution are:
+ Key: Password:
+ foo.bar foo.bar
+ mobile.foo.bar mobile
+ fix.foo.bar fix.foo.bar
+ sub.foo.bar sub.foo.bar
+ some.bar some.bar
+
+ Notice the differences between simple_test/test.boot and
+ /tmp/test.boot. The pubkey directive are required for correct
+ behavior of new named.
+
+ To check the if named can read the new zone files and verify
+ the signatures run following commands
+ % cd ../named
+ % make test
+
+ Exit/error code 66 indicates that program completed normally
+ in "load-only" mode (new -l flag).
+
+ If you want to load up named run same command as make test does
+ without -l flag. (the -d 3 flag is to make sure the process
+ does not do a fork).
+ % ./named -p 12345 -b /tmp/test.boot -d 3
+
+ % cd ../tools
+ % ./dig @localhost snore.foo.bar. -p 12345
+ This should return an A record + SIG(A) record
+ % ./dig @localhost no_such_name.foo.bar. -p 12345
+ This should return a NXT record +SIG(NXT) for *.foo.bar.
+
+ You can also test against our nameserver for zone sd-bogus.tis.com
+ the host is uranus.hq.tis.com(192.94.214.95)
+ % ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa
+ will return the SOA and SIG(SOA) + KEY
+ % ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb
+ will return NXT for sd-bogus.tis.com
+ % ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns
+ will NS +KEY for foo.sd-bog.tis.com.
+
+5. Converting your setup to secure DNS zones.
+ need to create a key for your zone.
+ If you have a copy of the last release of sec_bind the key file
+ format has changed and you need to regenerate all your keys, Sorry.
+ The new format for private key files is portable between
+ different architectures and operating systems, the encryption
+ of the key file is compatible with the des program.
+
+ To generate key use sec_bind/signer/key_gen. To generate zone key
+ for name you.bar, with 512 bit modulus and exponent of 3,
+ execute following command
+
+ % cd signer
+ % ./key_gen -z -g 512 you.bar
+
+ key_gen will ask for an encryption password for the private
+ key file, if you do not want to encrypt the key hit <Return>.
+ The program will output resource record suitable for zone file.
+ key_gen creates two files you.bar.priv and foo.bar.public.
+
+ If you want, at any time, to display the public key for foo.bar
+ run key_gen without the -g flag or cat file foo.bar.public.
+ key_gen without any flags will print out the usage information.
+ key_gen has extensive error checking on flags.
+
+ To modify the flags field for an existing key run key_gen with
+ the new flags but without the -g flag.
+
+ Note: The key above is suitable for signing records but not for
+ encrypting data.
+
+6. Send problems, fixes and suggestions to dns-security@tis.com.
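Review bot: step 5 is inconsistent about the key name: the command `./key_gen -z -g 512 you.bar` generates a key for `you.bar`, but the next lines say it `creates two files you.bar.priv and foo.bar.public` and then refer to `foo.bar` for the rest of the step; use one name throughout (presumably `you.bar.priv` and `you.bar.public`) so the reader does not conclude that key_gen renames its output. In step 4, `will NS +KEY for foo.sd-bog.tis.com.` is missing the verb ("will return") and misspells the zone, which is `sd-bogus.tis.com` everywhere else. The document is dated September 1996 and says the build `is based on 4.9.4-REL-P1` with options set in conf/options.h (ROUND_ROBIN, DNS_SECURITY, RSAREF), while the commit message imports bind-8.1.2-t3b; a one-line note that this text describes the earlier TIS sec_bind tree rather than the BIND 8 build would stop readers from searching for settings that do not exist there. Finally, `if you do not want to encrypt the key hit <Return>` should say plainly that this leaves the zone's private key unencrypted on disk, since the step already takes care to note that the key is for signing, not encryption.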
diff --git a/contrib/bind/doc/secure/readme.txt b/contrib/bind/doc/secure/readme.txt
new file mode 100644
index 0000000..d7b422a
--- /dev/null
+++ b/contrib/bind/doc/secure/readme.txt
@@ -0,0 +1,93 @@
+
+ Secure DNS (TIS/DNSSEC)
+ September 1996
+
+Copyright (C) 1995,1996 Trusted Information Systems, Incorporated
+
+Trusted Information Systems, Inc. has received approval from the
+United States Government for export and reexport of TIS/DNSSEC
+software from the United States of America under the provisions of
+the Export Administration Regulations (EAR) General Software Note
+(GSN) license exception for mass market software. Under the
+provisions of this license, this software may be exported or
+reexported to all destinations except for the embargoed countries of
+Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
+or reexport of TIS/DNSSEC software to the embargoed countries
+requires additional, specific licensing approval from the United
+States Government.
+
+Trusted Information Systems, Inc., is pleased to
+provide a reference implementation of the secure Domain Name System
+(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide
+the community with a usable, working version of this technology,
+TIS/DNSSEC is being made available for broad use on the following basis.
+
+- Trusted Information Systems makes no representation about the
+ suitability of this software for any purpose. It is provided "as is"
+ without express or implied warranty.
+
+- TIS/DNSSEC is distributed in source code form, with all modules written
+ in the C programming language. It runs on many UNIX derived platforms
+ and is integrated with the Bind implementation of the DNS protocol.
+
+- This beta version of TIS/DNSSEC may be used, copied, and modified for
+ testing and evaluation purposes without fee during the beta test
+ period, provided that this notice appears in supporting documentation
+ and is retained in all software modules in which it appears. Any other
+ use requires specific, written prior permission from Trusted Information
+ Systems.
+
+TIS maintains the email distribution list dns-security@tis.com for
+discussion of secure DNS. To join, send email to
+ dns-security-request@tis.com.
+
+TIS/DNSSEC technical questions and bug reports should be addressed to
+ dns-security@tis.com.
+
+To reach the maintainers of TIS/DNSSEC send mail to
+ tisdnssec-support@tis.com
+
+TIS/DNSSEC is a product of Trusted Information Systems, Inc.
+
+This is an beta version of Bind with secure DNS extensions it uses
+RSAREF which you must obtain separately.
+
+Implemented and tested in this version:
+ Portable key storage format.
+ Improved authentication API
+ Support for using different authentication packages.
+ All Security RRs including KEY SIG, NXT, and support for wild cards
+ tool for generating KEYs
+ tool for signing RRs in boot files
+ verification of RRs on load
+ verification of RRs over the wire
+ transmission of SIG RRs
+ returns NXT when name and/or type does not exist
+ storage of NXT, KEY, and SIG RRs with CNAME RR
+ AD/ID bits added to header and setting of these bits
+ key storage and retrieval
+ dig and nslookup can display new header bits and RRs
+ AXFR signature RR
+ keyfile directive
+ $SIGNER directive (to turn on and off signing)
+ adding KEY to answers with NS or SOA
+ SOA sequence numbers are now set each time zone is signed
+ SIG AXFR ignores label count of names
+ generation and inclusion of .PARENT files
+ Returns only one NXT at delegation points unless two are required
+ Expired SIG records are now returned in response to query
+
+Implemented but not fully tested:
+
+Known bugs:
+
+Not implemented:
+ ROUND_ROBIN behaviour
+ zone transfer in SIG(AXFR) sort order.
+ transaction SIGs
+ verification in resolver. (stub resolvers must trust local servers
+ resolver library is to low level to implement security)
+ knowing when to trust the AD bit in responses
+
+Read files INSTALL_SEC and USAGE_SEC for installation and user
+instructions, respectively.
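Review bot: the `Implemented but not fully tested:` and `Known bugs:` headings have no entries; either list the items or remove the headings, because an empty `Known bugs:` reads as a claim that there are none. The `Not implemented:` list carries the most important operational caveat in the file, that there is no `verification in resolver` (`stub resolvers must trust local servers`) and no rule for `knowing when to trust the AD bit in responses`; that belongs in the opening paragraph rather than at the end, since anyone deploying this expects end-to-end validation and instead gets validation only at the server that loads or forwards the data. Typos: `This is an beta version` should be `a beta version`, and `resolver library is to low level` should be `too low level`. The export paragraph duplicates the one in copyright.txt.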
diff --git a/contrib/bind/doc/secure/usage.txt b/contrib/bind/doc/secure/usage.txt
new file mode 100644
index 0000000..aa8eebc
--- /dev/null
+++ b/contrib/bind/doc/secure/usage.txt
@@ -0,0 +1,215 @@
+
+ USAGE_SEC
+ Secure DNS (TIS/DNSSEC)
+ September 1996
+
+This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
+BETA-1.3. This looks like a standard named distribution, with
+the following exceptions
+
+ this version is coded against BIND-4.9.4-P1
+
+ there are three new directories in this distribution
+ dnssec_lib
+ signer
+ rsaref
+
+
+ rsaref/ is place holder directory for RSAREF distribution.
+ You must get RSAREF on your own.
+
+ signer/ contains two applications needed by DNSSEC:
+ signer: tool to sign zones
+ key_gen: tool to generate keys
+ dnssec_lib/ contains common library routines that are used by
+ named, key_gen and signer.
+ This is where most of the DNSSEC work is done.
+
+Before compiling you need to do your standard configurations for named
+and the edits explained in INSTALL_SEC. This version has been tested
+on SUNOS4.1.3. This version includes portability fixes from previous
+beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.
+
+CHANGES TO BIND
+
+res/
+
+ There are minor changes to the files in the res directory. Most of
+ the changes have to do with displaying NXT
+ records. There are also some changes related to translating
+ domain names into uncompressed lower case names upon request.
+
+tools/
+ Minor changes to recognize NXT records and display them.
+
+named/
+ Added code to read and write new record types.
+ Added code to do signature validation on read.
+ Added code to return appropriate SIG records.
+ Added security flags to databuf and zoneinfo structures.
+ Names can now have CNAME record and security RR's.
+ Records are stored and transmitted in DNS SEC sort order.
+
+conf/
+
+ Turned off ROUND_ROBIN option and installed new sorting required
+ for signature verification.
+
+signer/
+ NXT record generation.
+ Key generation
+ Signing of zones
+ Converting data records to format required for signatures.
+
+dnssec_lib/
+ Interfacing with Crypto library.
+ Verifying signatures,
+ preparing data for signing and verification
+
+The role of <zone>.PARENT files:
+
+DNSSEC specification requires change who is authorative for certain
+resource records. In order to support certification hierarchy each
+zone KEY RR must be signed by parent zone. The parent signed KEY RR
+must be distributed by the zone itself as it is the most authorative
+for its own records.
+
+To facilitate this TIS/DNSSEC signer program creates a <name>.PARENT
+file for every name in a zone that has a NS record. This file contains
+the KEY records stored under this name and
+NXT record and corresponding SIG records. If no KEY record is found
+for a name with a NS record a NULL-KEY record is generated to indicate
+that the child is INSECURE.
+
+Each <zone>.PARENT file must be sent via an out of band mechanism to
+the appropriate primary for the zone, for inclusion. signer program
+adds an $INCLUDE <zone>.PARENT command at the end of each zone file,
+if no file exists an warning message is printed.
+
+Potential PROBLEM: It is likely that the parent and child are on a
+different signing schedule. If new <zone>.PARENT file is put on the
+primary, due to the fact that the zone data changed but the SOA did
+not, it may take a long time for new records to propagate to the
+secondaries. This is only a problem if zone has added/deleted a KEY
+or if the the signatures will expire in the near future. To overcome
+this problem, resign your zone when any of above conditions is true.
+DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.
+
+TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of
+zone data to secondaries, signer takes over the management of SOA
+serial numbers. Each time signer signs a zone it sets the serial
+number to a value reflecting the time the zone was signed, in standard
+Unix time seconds since 1970/1/1 0:0:0 GMT.
+
+How to configure a secure zone.
+ Create a directory <zone> to contain your zone files.
+ Create a output directory <outdir> for the signer output.
+ Put in <zone> a boot file that includes the files from that zone.
+ Create a KEY for the zone by running key_gen, Name the key <domain>.
+
+ Run signer on your zone writing to the output directory <outdir>.
+ Signer will rewrite the boot file to include new directive
+ "pubkey" of the key used to sign the file. If there where
+ any pubkey declarations in the input boot file they will be
+ deleted.
+ Signer generates files that correspond to the load files specified.
+
+ In case of load file that $INCLUDEs another load file, signer will
+ merge them to the output file.
+ You will notice that the output files are significantly larger.
+ The output files will be in a different order than the input files,
+ all records are sorted into DNSSEC sort order.
+ NXT and SIG records have been added.
+
+ If there are any NS records for a name other than the zone name of
+ each input file you will see messages that NULL KEY records
+ have been created, if this is not correct behavior, add
+ the correct KEY RRs.
+ For each domain name that has a NS record but is not a zone name
+ of load file you will see a file named <name>.PARENT,
+ this file contains the KEY record for that name and an
+ NXT record + 2 SIG records.
+ This file needs to be sent to the nameserver that is primary for that
+ zone. There are two reasons for this:
+ 1. To support Certification Hierarchy, each zone key is
+ signed by the parent zone key.
+ 2. Zone is the most trustworthy source for itself unless
+ these records are loaded into the primary server for
+ the zone, the records may not get propagated.
+
+how to run SEC_NAMED:
+
+Included in the distribution there is a small test setup:
+
+# run signer
+./signer boot-f simple_test/test.boot [out-dir /tmp]
+# or
+make test
+# This takes few minutes to run depending on your machine and the size
+# of the key selected
+# all output files will be stored in /tmp unless out-dir is specified
+
+#
+# Now we are ready to run named
+cd ../named
+./named -p 12345 -b /tmp/test.boot.save [-d x]
+
+#
+# you can now check for data in the data base
+# using the new dig.
+#
+cd ../tools
+./dig @yourhost snore.foo.bar. any in -p 12345
+
+#
+# Output from new dig will be something like this
+#
+; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
+;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
+;; QUESTIONS:
+;; snore.foo.bar, type = ANY, class = IN
+
+;; ANSWERS:
+snore.foo.bar. 259200 A 10.17.3.20
+snore.foo.bar. 259200 SIG A (
+ 1 3; alg labels
+ 259200 ; TTL
+ 19950506200636 ; Signature expiration
+ 19950406200659 ; time signed
+ 47437 ; Key foot print
+ foo.bar. ; Signers name
+ FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
+ ) ; END Signature
+snore.foo.bar. 259200 MX 96 who.foo.bar.
+snore.foo.bar. 259200 MX 100 foo.bar.
+snore.foo.bar. 259200 MX 120 xxx.foo.bar.
+snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
+snore.foo.bar. 259200 MX 140 bozo.foo.bar.
+snore.foo.bar. 259200 SIG MX (
+ 1 3; alg labels
+ 259200 ; TTL
+ 19950506200636 ; Signature expiration
+ 19950406200659 ; time signed
+ 47437 ; Key foot print
+ foo.bar. ; Signers name
+ EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
+ ) ; END Signature
+snore.foo.bar. 259200 NXT xxx.foo.bar.
+snore.foo.bar. 259200 SIG NXT (
+ 1 3; alg labels
+ 259200 ; TTL
+ 19950506200636 ; Signature expiration
+ 19950406200659 ; time signed
+ 47437 ; Key foot print
+ foo.bar. ; Signers name
+ eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
+ ) ; END Signature
+
+;; Total query time: 195 msec
+;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
+;; WHEN: Thu Apr 6 16:20:32 1995
+;; MSG SIZE sent: 31 rcvd: 662
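Review bot: the SOA serial policy (`signer takes over the management of SOA serial numbers` and `sets the serial number to a value reflecting the time the zone was signed, in standard Unix time seconds since 1970`) silently breaks zones whose existing serial is already larger than the current epoch time, for example the common YYYYMMDDnn convention, where 1998050300 exceeds any Unix timestamp in 1998; in RFC 1982 serial arithmetic the new value compares as older, so secondaries will keep the previous copy and never pick up the re-signed zone, which then expires with the old signatures. The document should warn about this, and signer should at least refuse to write a serial that is not greater than the input serial. Smaller points: the boot file path differs between this file (`./named -p 12345 -b /tmp/test.boot.save`) and install.txt (`/tmp/test.boot`); the sample dig header `@dnssrv snore.foo.bar. any in -p` is missing the port value that the command line above it passes; `authorative` should be `authoritative` (twice), `If there where` should be `If there were`, and `This is the usage documentation for TIS' Secure DNS` reads better as `for TIS Secure DNS`.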