SK-DNSSEC Installation instructions
===================================

Contents:
---------

1- Introduction
2- Requirements
3- Building BIND with SK-DNSSEC support
4- Basic steps on compiling BIND9 with SK-DNSSEC support
5- named.conf settings


1- Introduction

This is the first release of the SK-DNSSEC code. It has not been thoroughly
tested and contains plenty of known and unknown bugs that will be fixed in
the next releases. We therefore consider this code to be in ALPHA phase,
and its use on a regular basis is strongly discouraged.

The official page for the SK-DNSSEC project is:

    http://skdnssec.isi.jhu.edu

This guide is not intended to be a comprehensive guide on how to configure
and install a DNS server with BIND.


2- Requirements

The code we release is a patch you need to apply to BIND (version 9.2.1).
It should compile and work on the same systems where BIND is supposed to
work (check the BIND README file).

In order to be able to test this code you need to download, compile and
install the following software (instructions are in the next section):

- ISC's BIND 9.2.1 (http://www.isc.org/products/BIND/) (a link can also be
  found on the official SK-DNSSEC website: http://skdnssec.isi.jhu.edu).
  A list of MIRRORS can be found here: ftp://frp.isc.org/isc/MIRRORS

- OpenSSL 0.9.7 or later (http://www.openssl.org)
  Note: At this moment SK-DNSSEC only supports the AES encryption
  algorithm, which is available in OpenSSL starting from version 0.9.7.
  An older OpenSSL will not do, even if BIND itself builds against it.

- A C compiler. Building BIND with gcc is not supported unless gcc is the
  vendor's usual compiler (see the BIND README).

Note: the SK-DNSSEC code MAY work with other combinations of BIND9 and
OpenSSL versions, although it has only been tested with BIND 9.2.1 and
OpenSSL 0.9.7c.


4- Basic steps on compiling BIND9 with SK-DNSSEC support

We assume that all the necessary files have been downloaded into a
directory named 'build' (you can use your own).

- Install the OpenSSL library and header files following the instructions
  provided in the OpenSSL package.
  You may need root permissions in order to install it. (This little
  guide is not intended to help you through this process.)

- Unpack the BIND9 package:

    cd build
    tar xfz bind-9.2.1.tar.gz

- Apply the SK-DNSSEC patch:

    patch -p0 -N < bind-9.2.1-patch

- Configure and compile BIND9:

    cd bind-9.2.1
    ./configure --with-openssl=/path/to/openssl
    make
    make install    (optional, root permissions needed in most cases)


5- named.conf settings

This section (and the next one) does NOT cover how to configure a name
server. We give a few hints on how to set up an SK-DNSSEC aware name
server.

Here is a list of the SK-DNSSEC directives for the named.conf file (you
may want to check the example named.conf present in the distributed
package):

options {
    ...
    sk-certificate-ttl <seconds>;
        TTL in seconds of a newly generated symmetric certificate.
        OPTIONAL. Default 300 seconds.

    sk-ip-address <ip-address>;
        The main IP address of the name server. (This directive is
        temporary. It will be removed and the IP address will be
        autodetected in future versions.)
        REQUIRED. No default value.
    ...
};

sk-private-key {
    <algorithm> "filename";
};
    This is the private key for this name server. <algorithm> is the
    algorithm used for public key encryption. Right now the only
    supported value is 1, corresponding to RSA.
    REQUIRED for a DNS root server. No default value.

sk-shared-keys {
    <ip-address> "filename";
    ...;
};
    This is the list of keys shared with the children name servers and
    with the parent in the DNS hierarchy (one entry per peer: its IP
    address and the file holding the key shared with it). A small
    utility to generate these keys is provided.
    REQUIRED. No default value.

If you are configuring a root name server you need to provide the private
key by means of the sk-private-key directive. For each child zone you need
to provide the key shared with the name server authoritative for that zone
(along with its IP address) by means of the sk-shared-keys directive. The
root name server also needs to be configured with its own symmetric key
(not shared with anyone); the sk-shared-keys directive can be used to load
it.
The child name server needs to provide the same shared key by means of the
same sk-shared-keys directive (but this time with the parent's IP address).
Both sides must load the identical key file and must name each other's
sk-ip-address, otherwise the two servers will not find a common key.

Note on the sk-ip-address directive:

If the name server has more than one network interface, this option should
be set to the IP address by which the host is known on the DNS tree (the A
record associated with the NS record of the domain it is authoritative
for). For example, suppose that ns.domain.com is the name server
authoritative for the domain.com zone and it has two network interfaces
with IP addresses:

    192.168.0.1 and 10.0.2.1

If "dig NS domain.com" returns 192.168.0.1 as the IP address of
ns.domain.com (in the additional section of the answer), then this is the
IP address to be used in the sk-ip-address statement. Specifying the IP
address as a statement in the configuration file is temporary and will be
removed in the next release.
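The check described in the note above, as an added example that is not part of the SK-DNSSEC distribution: given the addresses configured on the host and the output of "dig NS <zone>", the script picks the one address that is both local and published in DNS for the NS host, and refuses to choose when there is no match or more than one. The dig output and the local address list embedded below are constructed sample data for the domain.com example; on a real host you would pipe the actual dig output in.

```shell
#!/bin/sh
# Added example: choose the value for sk-ip-address on a multi-homed host.
# Constructed sample of "dig NS domain.com" output (not captured from a real
# server); the address of ns.domain.com appears in the additional section.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.2.1 <<>> NS domain.com
;; ANSWER SECTION:
domain.com.        86400   IN   NS   ns.domain.com.

;; ADDITIONAL SECTION:
ns.domain.com.     86400   IN   A    192.168.0.1
'

# Print the A records dig reports for the NS host $1 (trailing dot optional),
# reading the dig output from stdin. Comment lines (";") are skipped and only
# "owner TTL IN A address" records whose owner matches are printed.
dns_addresses_of() {
    ns=$(printf '%s' "$1" | sed 's/\.$//')
    awk -v ns="$ns" '
        $0 !~ /^;/ && NF >= 5 && $3 == "IN" && $4 == "A" {
            owner = $1
            sub(/\.$/, "", owner)
            if (owner == ns) print $5
        }'
}

# pick_sk_ip "<space-separated local addresses>" <ns-hostname> < dig-output
# Prints the single address that is both configured locally and published in
# DNS for the NS host; returns 1 if zero or several addresses qualify, since
# sk-ip-address takes exactly one value.
pick_sk_ip() {
    local_addrs=$1
    ns=$2
    matches=""
    for a in $(dns_addresses_of "$ns"); do
        for l in $local_addrs; do
            if [ "$a" = "$l" ]; then
                matches="$matches $a"
            fi
        done
    done
    set -- $matches
    if [ $# -ne 1 ]; then
        echo "expected exactly one address that is both local and in DNS, got: $*" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Usage on a real host (the dig run is the only online step), e.g.:
#   dig NS domain.com | sh sk-ip.sh "192.168.0.1 10.0.2.1" ns.domain.com
if [ $# -ge 2 ]; then
    pick_sk_ip "$1" "$2"
fi
```

With the sample above and the interfaces from the note (192.168.0.1 and 10.0.2.1) the script prints 192.168.0.1; if none of the local addresses is the one in DNS, it exits non-zero instead of guessing.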
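The parent/child arrangement from section 5 written out as two named.conf fragments. This is an added illustration, not the example named.conf shipped in the package: the addresses (192.0.2.53 for the root server, 192.168.0.1 for ns.domain.com), the key file paths and names, and the entry syntax inside sk-shared-keys (peer IP address followed by the quoted key file, as described above) are assumptions, and loading the root's own key under the root's own sk-ip-address is likewise an assumption, so verify both against the distributed named.conf before use.

```conf
// --- root name server, sk-ip-address 192.0.2.53 (added example, assumed values) ---
options {
    // ... regular named options ...
    sk-ip-address 192.0.2.53;     // the address in the root server's own A record
    sk-certificate-ttl 300;       // optional; 300 seconds is the default anyway
};

sk-private-key {
    1 "/etc/namedb/sk/root-private.key";   // 1 = RSA, the only algorithm supported
};

sk-shared-keys {
    // the root's own symmetric key, shared with nobody (loaded under its own
    // address here: an assumption, check the example named.conf)
    192.0.2.53  "/etc/namedb/sk/root-own.key";
    // one entry per child zone: address of the authoritative server + key shared with it
    192.168.0.1 "/etc/namedb/sk/root-ns.domain.com.key";
};

// --- child name server ns.domain.com, sk-ip-address 192.168.0.1 ---
options {
    // ... regular named options ...
    sk-ip-address 192.168.0.1;    // the address dig returns for ns.domain.com
};

// no sk-private-key: only a root server needs one

sk-shared-keys {
    // the same key file as on the root, keyed on the parent's address
    192.0.2.53  "/etc/namedb/sk/root-ns.domain.com.key";
};
```

The point to check on both machines is that the key file contents are byte-for-byte identical and that each side's entry names the address the other side put in its own sk-ip-address; a mismatch on either leaves the pair without a common key.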
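The build steps from section 4, wrapped in the two checks that catch the most common failures: an OpenSSL older than 0.9.7 (no AES, which SK-DNSSEC requires) and a patch that does not apply cleanly to the unpacked tree. This is an added script, not part of the SK-DNSSEC distribution; it assumes GNU patch (for --dry-run), the file names used in section 4 (bind-9.2.1.tar.gz and bind-9.2.1-patch), and an OpenSSL installed under a prefix with bin/openssl. The version strings in the usage comment are constructed examples.

```shell
#!/bin/sh
# Added example: the section-4 build wrapped in pre-flight checks.
set -e

# Return 0 if the "openssl version" output in $1 (e.g. "OpenSSL 0.9.7c 30 Sep
# 2003") names 0.9.7 or later, the first release that ships AES.
openssl_has_aes() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')       # e.g. 0.9.7c
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')   # strip letter suffix -> 0.9.7
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then                    # no third component
        patch=0
    fi
    if [ "$major" -gt 0 ]; then return 0; fi
    if [ "$minor" -gt 9 ]; then return 0; fi
    if [ "$minor" -eq 9 ] && [ "$patch" -ge 7 ]; then return 0; fi
    return 1
}

# build_sk_bind <build dir> <openssl prefix>
# Unpacks, patches, configures and builds BIND 9.2.1 with the SK-DNSSEC patch.
# Stops before modifying anything if OpenSSL is too old or the patch would not
# apply; "make install" is deliberately left to the operator (root needed).
build_sk_bind() {
    build_dir=$1
    openssl_prefix=$2
    if ! openssl_has_aes "$("$openssl_prefix/bin/openssl" version)"; then
        echo "OpenSSL under $openssl_prefix is older than 0.9.7: no AES support" >&2
        return 1
    fi
    cd "$build_dir"
    if ! [ -f bind-9.2.1.tar.gz ] || ! [ -f bind-9.2.1-patch ]; then
        echo "need bind-9.2.1.tar.gz and bind-9.2.1-patch in $build_dir" >&2
        return 1
    fi
    tar xfz bind-9.2.1.tar.gz
    # Check every hunk applies before touching the tree (GNU patch --dry-run).
    patch -p0 -N --dry-run < bind-9.2.1-patch > /dev/null
    patch -p0 -N < bind-9.2.1-patch
    cd bind-9.2.1
    ./configure --with-openssl="$openssl_prefix"
    make
}

# Usage: sh build-sk-bind.sh /path/to/build /path/to/openssl
# openssl_has_aes accepts "OpenSSL 0.9.7c 30 Sep 2003" and rejects
# "OpenSSL 0.9.6m 17 Mar 2004" (constructed version strings).
if [ $# -eq 2 ]; then
    build_sk_bind "$1" "$2"
fi
```

The version check is the part worth keeping even if you build by hand: configure will happily link against a 0.9.6 OpenSSL, and the failure only shows up later when the patched code looks for AES.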