41
43
<chapter id="Bv9ARM.ch01">
42
<title>Introduction </title>
43
<para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
44
to specify the names of entities in the Internet in a hierarchical
45
manner, the rules used for delegating authority over names, and the
46
system implementation that actually maps names to Internet
47
addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
48
hierarchical databases.</para>
51
<title>Scope of Document</title>
53
<para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
54
domain name server for a number of operating systems. This
55
document provides basic information about the installation and
56
care of the Internet Software Consortium (<acronym>ISC</acronym>)
57
<acronym>BIND</acronym> version 9 software package for system
58
administrators.</para>
60
<para>This version of the manual corresponds to BIND version 9.3.</para>
63
<sect1><title>Organization of This Document</title>
64
<para>In this document, <emphasis>Section 1</emphasis> introduces
65
the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
66
describes resource requirements for running <acronym>BIND</acronym> in various
67
environments. Information in <emphasis>Section 3</emphasis> is
68
<emphasis>task-oriented</emphasis> in its presentation and is
69
organized functionally, to aid in the process of installing the
70
<acronym>BIND</acronym> 9 software. The task-oriented section is followed by
71
<emphasis>Section 4</emphasis>, which contains more advanced
72
concepts that the system administrator may need for implementing
73
certain options. <emphasis>Section 5</emphasis>
74
describes the <acronym>BIND</acronym> 9 lightweight
75
resolver. The contents of <emphasis>Section 6</emphasis> are
76
organized as in a reference manual to aid in the ongoing
77
maintenance of the software. <emphasis>Section 7
78
</emphasis>addresses security considerations, and
79
<emphasis>Section 8</emphasis> contains troubleshooting help. The
80
main body of the document is followed by several
81
<emphasis>Appendices</emphasis> which contain useful reference
82
information, such as a <emphasis>Bibliography</emphasis> and
83
historic information related to <acronym>BIND</acronym> and the Domain Name
86
<sect1><title>Conventions Used in This Document</title>
88
<para>In this document, we use the following general typographic
93
<colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
94
<colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
44
<title>Introduction</title>
46
The Internet Domain Name System (<acronym>DNS</acronym>)
47
consists of the syntax
48
to specify the names of entities in the Internet in a hierarchical
49
manner, the rules used for delegating authority over names, and the
50
system implementation that actually maps names to Internet
51
addresses. <acronym>DNS</acronym> data is maintained in a
53
hierarchical databases.
57
<title>Scope of Document</title>
60
The Berkeley Internet Name Domain
61
(<acronym>BIND</acronym>) implements a
62
domain name server for a number of operating systems. This
63
document provides basic information about the installation and
64
care of the Internet Systems Consortium (<acronym>ISC</acronym>)
65
<acronym>BIND</acronym> version 9 software package for
66
system administrators.
70
This version of the manual corresponds to BIND version 9.5.
75
<title>Organization of This Document</title>
77
In this document, <emphasis>Section 1</emphasis> introduces
78
the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
79
describes resource requirements for running <acronym>BIND</acronym> in various
80
environments. Information in <emphasis>Section 3</emphasis> is
81
<emphasis>task-oriented</emphasis> in its presentation and is
82
organized functionally, to aid in the process of installing the
83
<acronym>BIND</acronym> 9 software. The task-oriented
84
section is followed by
85
<emphasis>Section 4</emphasis>, which contains more advanced
86
concepts that the system administrator may need for implementing
87
certain options. <emphasis>Section 5</emphasis>
88
describes the <acronym>BIND</acronym> 9 lightweight
89
resolver. The contents of <emphasis>Section 6</emphasis> are
90
organized as in a reference manual to aid in the ongoing
91
maintenance of the software. <emphasis>Section 7</emphasis> addresses
92
security considerations, and
93
<emphasis>Section 8</emphasis> contains troubleshooting help. The
94
main body of the document is followed by several
95
<emphasis>appendices</emphasis> which contain useful reference
96
information, such as a <emphasis>bibliography</emphasis> and
97
historic information related to <acronym>BIND</acronym>
103
<title>Conventions Used in This Document</title>
106
In this document, we use the following general typographic
112
<colspec colname="1" colnum="1" colwidth="3.000in"/>
113
<colspec colname="2" colnum="2" colwidth="2.625in"/>
99
describe:</emphasis></para></entry>
100
<entry colname = "2">
101
<para><emphasis>We use the style:</emphasis></para></entry>
104
<entry colname = "1">
105
<para>a pathname, filename, URL, hostname,
106
mailing list name, or new term or concept</para></entry>
107
<entry colname = "2"><para><filename>Fixed width</filename></para></entry>
110
<entry colname = "1"><para>literal user
112
<entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
115
<entry colname = "1"><para>program output</para></entry>
116
<entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
118
<emphasis>To describe:</emphasis>
123
<emphasis>We use the style:</emphasis>
130
a pathname, filename, URL, hostname,
131
mailing list name, or new term or concept
136
<filename>Fixed width</filename>
149
<userinput>Fixed Width Bold</userinput>
161
<computeroutput>Fixed Width</computeroutput>
122
<para>The following conventions are used in descriptions of the
123
<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
124
<tgroup cols = "2" colsep = "0" rowsep = "0"
125
tgroupstyle = "2Level-table">
126
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
127
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
130
<entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
131
describe:</emphasis></para></entry>
132
<entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
135
<entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
136
<entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
139
<entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
140
<entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
143
<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
144
<entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
147
</tgroup></informaltable></para></sect1>
148
<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
149
<para>The purpose of this document is to explain the installation
150
and upkeep of the <acronym>BIND</acronym> software package, and we
151
begin by reviewing the fundamentals of the Domain Name System
152
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
156
<title>DNS Fundamentals</title>
158
<para>The Domain Name System (DNS) is the hierarchical, distributed
159
database. It stores information for mapping Internet host names to IP
160
addresses and vice versa, mail routing information, and other data
161
used by Internet applications.</para>
163
<para>Clients look up information in the DNS by calling a
164
<emphasis>resolver</emphasis> library, which sends queries to one or
165
more <emphasis>name servers</emphasis> and interprets the responses.
166
The <acronym>BIND</acronym> 9 software distribution contains a
167
name server, <command>named</command>, and two resolver
168
libraries, <command>liblwres</command> and <command>libbind</command>.
172
<title>Domains and Domain Names</title>
174
<para>The data stored in the DNS is identified by <emphasis>domain
175
names</emphasis> that are organized as a tree according to
176
organizational or administrative boundaries. Each node of the tree,
177
called a <emphasis>domain</emphasis>, is given a label. The domain name of the
178
node is the concatenation of all the labels on the path from the
179
node to the <emphasis>root</emphasis> node. This is represented
180
in written form as a string of labels listed from right to left and
181
separated by dots. A label need only be unique within its parent
184
<para>For example, a domain name for a host at the
185
company <emphasis>Example, Inc.</emphasis> could be
186
<literal>mail.example.com</literal>,
187
where <literal>com</literal> is the
188
top level domain to which
189
<literal>ourhost.example.com</literal> belongs,
190
<literal>example</literal> is
191
a subdomain of <literal>com</literal>, and
192
<literal>ourhost</literal> is the
193
name of the host.</para>
195
<para>For administrative purposes, the name space is partitioned into
196
areas called <emphasis>zones</emphasis>, each starting at a node and
197
extending down to the leaf nodes or to nodes where other zones start.
198
The data for each zone is stored in a <emphasis>name
199
server</emphasis>, which answers queries about the zone using the
200
<emphasis>DNS protocol</emphasis>.
203
<para>The data associated with each domain name is stored in the
204
form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
205
Some of the supported resource record types are described in
206
<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
208
<para>For more detailed information about the design of the DNS and
209
the DNS protocol, please refer to the standards documents listed in
210
<xref linkend="rfcs"/>.</para>
213
<sect2><title>Zones</title>
214
<para>To properly operate a name server, it is important to understand
215
the difference between a <emphasis>zone</emphasis>
216
and a <emphasis>domain</emphasis>.</para>
218
<para>As we stated previously, a zone is a point of delegation in
219
the <acronym>DNS</acronym> tree. A zone consists of
220
those contiguous parts of the domain
221
tree for which a name server has complete information and over which
222
it has authority. It contains all domain names from a certain point
223
downward in the domain tree except those which are delegated to
224
other zones. A delegation point is marked by one or more
225
<emphasis>NS records</emphasis> in the
226
parent zone, which should be matched by equivalent NS records at
227
the root of the delegated zone.</para>
229
<para>For instance, consider the <literal>example.com</literal>
230
domain which includes names
231
such as <literal>host.aaa.example.com</literal> and
232
<literal>host.bbb.example.com</literal> even though
233
the <literal>example.com</literal> zone includes
234
only delegations for the <literal>aaa.example.com</literal> and
235
<literal>bbb.example.com</literal> zones. A zone can map
236
exactly to a single domain, but could also include only part of a
237
domain, the rest of which could be delegated to other
238
name servers. Every name in the <acronym>DNS</acronym> tree is a
239
<emphasis>domain</emphasis>, even if it is
240
<emphasis>terminal</emphasis>, that is, has no
241
<emphasis>subdomains</emphasis>. Every subdomain is a domain and
242
every domain except the root is also a subdomain. The terminology is
243
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
244
gain a complete understanding of this difficult and subtle
247
<para>Though <acronym>BIND</acronym> is called a "domain name server",
248
it deals primarily in terms of zones. The master and slave
249
declarations in the <filename>named.conf</filename> file specify
250
zones, not domains. When you ask some other site if it is willing to
251
be a slave server for your <emphasis>domain</emphasis>, you are
252
actually asking for slave service for some collection of zones.</para>
255
<sect2><title>Authoritative Name Servers</title>
257
<para>Each zone is served by at least
258
one <emphasis>authoritative name server</emphasis>,
259
which contains the complete data for the zone.
260
To make the DNS tolerant of server and network failures,
261
most zones have two or more authoritative servers.
264
<para>Responses from authoritative servers have the "authoritative
265
answer" (AA) bit set in the response packets. This makes them
266
easy to identify when debugging DNS configurations using tools like
267
<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
269
<sect3><title>The Primary Master</title>
272
The authoritative server where the master copy of the zone data is maintained is
273
called the <emphasis>primary master</emphasis> server, or simply the
274
<emphasis>primary</emphasis>. It loads the zone contents from some
275
local file edited by humans or perhaps generated mechanically from
276
some other local file which is edited by humans. This file is called
277
the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
280
<sect3><title>Slave Servers</title>
281
<para>The other authoritative servers, the <emphasis>slave</emphasis>
282
servers (also known as <emphasis>secondary</emphasis> servers) load
283
the zone contents from another server using a replication process
284
known as a <emphasis>zone transfer</emphasis>. Typically the data are
285
transferred directly from the primary master, but it is also possible
286
to transfer it from another slave. In other words, a slave server
287
may itself act as a master to a subordinate slave server.</para>
290
<sect3><title>Stealth Servers</title>
292
<para>Usually all of the zone's authoritative servers are listed in
293
NS records in the parent zone. These NS records constitute
294
a <emphasis>delegation</emphasis> of the zone from the parent.
295
The authoritative servers are also listed in the zone file itself,
296
at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
297
of the zone. You can list servers in the zone's top-level NS
298
records that are not in the parent's NS delegation, but you cannot
299
list servers in the parent's delegation that are not present at
300
the zone's top level.</para>
302
<para>A <emphasis>stealth server</emphasis> is a server that is
303
authoritative for a zone but is not listed in that zone's NS
304
records. Stealth servers can be used for keeping a local copy of a
305
zone to speed up access to the zone's records or to make sure that the
306
zone is available even if all the "official" servers for the zone are
309
<para>A configuration where the primary master server itself is a
310
stealth server is often referred to as a "hidden primary"
311
configuration. One use for this configuration is when the primary master
312
is behind a firewall and therefore unable to communicate directly
313
with the outside world.</para>
320
<title>Caching Name Servers</title>
322
<para>The resolver libraries provided by most operating systems are
323
<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
324
performing the full DNS resolution process by themselves by talking
325
directly to the authoritative servers. Instead, they rely on a local
326
name server to perform the resolution on their behalf. Such a server
327
is called a <emphasis>recursive</emphasis> name server; it performs
328
<emphasis>recursive lookups</emphasis> for local clients.</para>
330
<para>To improve performance, recursive servers cache the results of
331
the lookups they perform. Since the processes of recursion and
332
caching are intimately connected, the terms
333
<emphasis>recursive server</emphasis> and
334
<emphasis>caching server</emphasis> are often used synonymously.</para>
336
<para>The length of time for which a record may be retained in
337
in the cache of a caching name server is controlled by the
338
Time To Live (TTL) field associated with each resource record.
341
<sect3><title>Forwarding</title>
343
<para>Even a caching name server does not necessarily perform
344
the complete recursive lookup itself. Instead, it can
345
<emphasis>forward</emphasis> some or all of the queries
346
that it cannot satisfy from its cache to another caching name server,
347
commonly referred to as a <emphasis>forwarder</emphasis>.
350
<para>There may be one or more forwarders,
351
and they are queried in turn until the list is exhausted or an answer
352
is found. Forwarders are typically used when you do not
353
wish all the servers at a given site to interact directly with the rest of
354
the Internet servers. A typical scenario would involve a number
355
of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
356
to pass packets through the firewall would forward to the server
357
that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
358
on the internal server's behalf. An added benefit of using the forwarding
359
feature is that the central machine develops a much more complete
360
cache of information that all the clients can take advantage
366
<sect2><title>Name Servers in Multiple Roles</title>
368
<para>The <acronym>BIND</acronym> name server can simultaneously act as
369
a master for some zones, a slave for other zones, and as a caching
370
(recursive) server for a set of local clients.</para>
372
<para>However, since the functions of authoritative name service
373
and caching/recursive name service are logically separate, it is
374
often advantageous to run them on separate server machines.
376
A server that only provides authoritative name service
377
(an <emphasis>authoritative-only</emphasis> server) can run with
378
recursion disabled, improving reliability and security.
380
A server that is not authoritative for any zones and only provides
381
recursive service to local
382
clients (a <emphasis>caching-only</emphasis> server)
383
does not need to be reachable from the Internet at large and can
384
be placed inside a firewall.</para>
391
<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
394
<title>Hardware requirements</title>
396
<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
397
For many installations, servers that have been pensioned off from
398
active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
399
<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
400
CPU intensive however, so organizations that make heavy use of these
401
features may wish to consider larger systems for these applications.
402
<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
403
multiprocessor systems for installations that need it.</para></sect1>
404
<sect1><title>CPU Requirements</title>
405
<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
406
for serving of static zones without caching, to enterprise-class
407
machines if you intend to process many dynamic updates and DNSSEC
408
signed zones, serving many thousands of queries per second.</para></sect1>
410
<sect1><title>Memory Requirements</title>
411
<para>The memory of the server has to be large enough to fit the
412
cache and zones loaded off disk. The <command>max-cache-size</command>
413
option can be used to limit the amount of memory used by the cache,
414
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
415
traffic. It is still good practice to have enough memory to load
416
all zone and cache data into memory — unfortunately, the best way
417
to determine this for a given installation is to watch the name server
418
in operation. After a few weeks the server process should reach
419
a relatively stable size where entries are expiring from the cache as
420
fast as they are being inserted.</para></sect1>
422
<sect1><title>Name Server Intensive Environment Issues</title>
423
<para>For name server intensive environments, there are two alternative
424
configurations that may be used. The first is where clients and
425
any second-level internal name servers query a main name server, which
426
has enough memory to build a large cache. This approach minimizes
427
the bandwidth used by external name lookups. The second alternative
428
is to set up second-level internal name servers to make queries independently.
429
In this configuration, none of the individual machines needs to
430
have as much memory or CPU power as in the first alternative, but
431
this has the disadvantage of making many more external queries,
432
as none of the name servers share their cached data.</para></sect1>
434
<sect1><title>Supported Operating Systems</title>
435
<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
436
of Unix-like operating system and on Windows NT / 2000. For an up-to-date
437
list of supported systems, see the README file in the top level directory
438
of the BIND 9 source distribution.</para>
442
<chapter id="Bv9ARM.ch03">
443
<title>Name Server Configuration</title>
444
<para>In this section we provide some suggested configurations along
445
with guidelines for their use. We also address the topic of reasonable
446
option setting.</para>
448
<sect1 id="sample_configuration">
449
<title>Sample Configurations</title>
451
<title>A Caching-only Name Server</title>
452
<para>The following sample configuration is appropriate for a caching-only
453
name server for use by clients internal to a corporation. All queries
454
from outside clients are refused using the <command>allow-query</command>
455
option. Alternatively, the same effect could be achieved using suitable
456
firewall rules.</para>
170
The following conventions are used in descriptions of the
171
<acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
172
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
173
<colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
174
<colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
177
<entry colname="1" colsep="1" rowsep="1">
179
<emphasis>To describe:</emphasis>
182
<entry colname="2" rowsep="1">
184
<emphasis>We use the style:</emphasis>
189
<entry colname="1" colsep="1" rowsep="1">
194
<entry colname="2" rowsep="1">
196
<literal>Fixed Width</literal>
201
<entry colname="1" colsep="1" rowsep="1">
206
<entry colname="2" rowsep="1">
208
<varname>Fixed Width</varname>
213
<entry colname="1" colsep="1">
220
<optional>Text is enclosed in square brackets</optional>
230
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
232
The purpose of this document is to explain the installation
233
and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
234
Name Domain) software package, and we
235
begin by reviewing the fundamentals of the Domain Name System
236
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
240
<title>DNS Fundamentals</title>
243
The Domain Name System (DNS) is a hierarchical, distributed
244
database. It stores information for mapping Internet host names to
246
addresses and vice versa, mail routing information, and other data
247
used by Internet applications.
251
Clients look up information in the DNS by calling a
252
<emphasis>resolver</emphasis> library, which sends queries to one or
253
more <emphasis>name servers</emphasis> and interprets the responses.
254
The <acronym>BIND</acronym> 9 software distribution
256
name server, <command>named</command>, and two resolver
257
libraries, <command>liblwres</command> and <command>libbind</command>.
261
<title>Domains and Domain Names</title>
264
The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
265
organizational or administrative boundaries. Each node of the tree,
266
called a <emphasis>domain</emphasis>, is given a label. The domain
268
node is the concatenation of all the labels on the path from the
269
node to the <emphasis>root</emphasis> node. This is represented
270
in written form as a string of labels listed from right to left and
271
separated by dots. A label need only be unique within its parent
276
For example, a domain name for a host at the
277
company <emphasis>Example, Inc.</emphasis> could be
278
<literal>ourhost.example.com</literal>,
279
where <literal>com</literal> is the
280
top level domain to which
281
<literal>ourhost.example.com</literal> belongs,
282
<literal>example</literal> is
283
a subdomain of <literal>com</literal>, and
284
<literal>ourhost</literal> is the
289
For administrative purposes, the name space is partitioned into
290
areas called <emphasis>zones</emphasis>, each starting at a node and
291
extending down to the leaf nodes or to nodes where other zones
293
The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
294
<emphasis>DNS protocol</emphasis>.
298
The data associated with each domain name is stored in the
299
form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
300
Some of the supported resource record types are described in
301
<xref linkend="types_of_resource_records_and_when_to_use_them"/>.
305
For more detailed information about the design of the DNS and
306
the DNS protocol, please refer to the standards documents listed in
307
<xref linkend="rfcs"/>.
314
To properly operate a name server, it is important to understand
315
the difference between a <emphasis>zone</emphasis>
316
and a <emphasis>domain</emphasis>.
320
As stated previously, a zone is a point of delegation in
321
the <acronym>DNS</acronym> tree. A zone consists of
322
those contiguous parts of the domain
323
tree for which a name server has complete information and over which
324
it has authority. It contains all domain names from a certain point
325
downward in the domain tree except those which are delegated to
326
other zones. A delegation point is marked by one or more
327
<emphasis>NS records</emphasis> in the
328
parent zone, which should be matched by equivalent NS records at
329
the root of the delegated zone.
333
For instance, consider the <literal>example.com</literal>
334
domain which includes names
335
such as <literal>host.aaa.example.com</literal> and
336
<literal>host.bbb.example.com</literal> even though
337
the <literal>example.com</literal> zone includes
338
only delegations for the <literal>aaa.example.com</literal> and
339
<literal>bbb.example.com</literal> zones. A zone can
341
exactly to a single domain, but could also include only part of a
342
domain, the rest of which could be delegated to other
343
name servers. Every name in the <acronym>DNS</acronym>
345
<emphasis>domain</emphasis>, even if it is
346
<emphasis>terminal</emphasis>, that is, has no
347
<emphasis>subdomains</emphasis>. Every subdomain is a domain and
348
every domain except the root is also a subdomain. The terminology is
349
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
351
gain a complete understanding of this difficult and subtle
356
Though <acronym>BIND</acronym> is called a "domain name
358
it deals primarily in terms of zones. The master and slave
359
declarations in the <filename>named.conf</filename> file
361
zones, not domains. When you ask some other site if it is willing to
362
be a slave server for your <emphasis>domain</emphasis>, you are
363
actually asking for slave service for some collection of zones.
368
<title>Authoritative Name Servers</title>
371
Each zone is served by at least
372
one <emphasis>authoritative name server</emphasis>,
373
which contains the complete data for the zone.
374
To make the DNS tolerant of server and network failures,
375
most zones have two or more authoritative servers, on
380
Responses from authoritative servers have the "authoritative
381
answer" (AA) bit set in the response packets. This makes them
382
easy to identify when debugging DNS configurations using tools like
383
<command>dig</command> (<xref linkend="diagnostic_tools"/>).
387
<title>The Primary Master</title>
390
The authoritative server where the master copy of the zone
391
data is maintained is called the
392
<emphasis>primary master</emphasis> server, or simply the
393
<emphasis>primary</emphasis>. Typically it loads the zone
394
contents from some local file edited by humans or perhaps
395
generated mechanically from some other local file which is
396
edited by humans. This file is called the
397
<emphasis>zone file</emphasis> or
398
<emphasis>master file</emphasis>.
402
In some cases, however, the master file may not be edited
403
by humans at all, but may instead be the result of
404
<emphasis>dynamic update</emphasis> operations.
409
<title>Slave Servers</title>
411
The other authoritative servers, the <emphasis>slave</emphasis>
412
servers (also known as <emphasis>secondary</emphasis> servers)
414
the zone contents from another server using a replication process
415
known as a <emphasis>zone transfer</emphasis>. Typically the data
417
transferred directly from the primary master, but it is also
419
to transfer it from another slave. In other words, a slave server
420
may itself act as a master to a subordinate slave server.
425
<title>Stealth Servers</title>
428
Usually all of the zone's authoritative servers are listed in
429
NS records in the parent zone. These NS records constitute
430
a <emphasis>delegation</emphasis> of the zone from the parent.
431
The authoritative servers are also listed in the zone file itself,
432
at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
433
of the zone. You can list servers in the zone's top-level NS
434
records that are not in the parent's NS delegation, but you cannot
435
list servers in the parent's delegation that are not present at
436
the zone's top level.
440
A <emphasis>stealth server</emphasis> is a server that is
441
authoritative for a zone but is not listed in that zone's NS
442
records. Stealth servers can be used for keeping a local copy of
444
zone to speed up access to the zone's records or to make sure that
446
zone is available even if all the "official" servers for the zone
452
A configuration where the primary master server itself is a
453
stealth server is often referred to as a "hidden primary"
454
configuration. One use for this configuration is when the primary
456
is behind a firewall and therefore unable to communicate directly
457
with the outside world.
465
<title>Caching Name Servers</title>
468
- Terminology here is inconsistent. Probably ought to
469
- convert to using "recursive name server" everywhere
470
- with just a note about "caching" terminology.
474
The resolver libraries provided by most operating systems are
475
<emphasis>stub resolvers</emphasis>, meaning that they are not
477
performing the full DNS resolution process by themselves by talking
478
directly to the authoritative servers. Instead, they rely on a
480
name server to perform the resolution on their behalf. Such a
482
is called a <emphasis>recursive</emphasis> name server; it performs
483
<emphasis>recursive lookups</emphasis> for local clients.
487
To improve performance, recursive servers cache the results of
488
the lookups they perform. Since the processes of recursion and
489
caching are intimately connected, the terms
490
<emphasis>recursive server</emphasis> and
491
<emphasis>caching server</emphasis> are often used synonymously.
495
The length of time for which a record may be retained in
496
the cache of a caching name server is controlled by the
497
Time To Live (TTL) field associated with each resource record.
501
<title>Forwarding</title>
504
Even a caching name server does not necessarily perform
505
the complete recursive lookup itself. Instead, it can
506
<emphasis>forward</emphasis> some or all of the queries
507
that it cannot satisfy from its cache to another caching name
509
commonly referred to as a <emphasis>forwarder</emphasis>.
513
There may be one or more forwarders,
514
and they are queried in turn until the list is exhausted or an
516
is found. Forwarders are typically used when you do not
517
wish all the servers at a given site to interact directly with the
519
the Internet servers. A typical scenario would involve a number
520
of internal <acronym>DNS</acronym> servers and an
521
Internet firewall. Servers unable
522
to pass packets through the firewall would forward to the server
523
that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
524
on the internal server's behalf.
531
<title>Name Servers in Multiple Roles</title>
534
The <acronym>BIND</acronym> name server can
535
simultaneously act as
536
a master for some zones, a slave for other zones, and as a caching
537
(recursive) server for a set of local clients.
541
However, since the functions of authoritative name service
542
and caching/recursive name service are logically separate, it is
543
often advantageous to run them on separate server machines.
545
A server that only provides authoritative name service
546
(an <emphasis>authoritative-only</emphasis> server) can run with
547
recursion disabled, improving reliability and security.
549
A server that is not authoritative for any zones and only provides
550
recursive service to local
551
clients (a <emphasis>caching-only</emphasis> server)
552
does not need to be reachable from the Internet at large and can
553
be placed inside a firewall.
561
<chapter id="Bv9ARM.ch02">
562
<title><acronym>BIND</acronym> Resource Requirements</title>
565
<title>Hardware requirements</title>
568
<acronym>DNS</acronym> hardware requirements have
569
traditionally been quite modest.
570
For many installations, servers that have been pensioned off from
571
active duty have performed admirably as <acronym>DNS</acronym> servers.
574
The DNSSEC features of <acronym>BIND</acronym> 9
575
may prove to be quite
576
CPU intensive however, so organizations that make heavy use of these
577
features may wish to consider larger systems for these applications.
578
<acronym>BIND</acronym> 9 is fully multithreaded, allowing
580
multiprocessor systems for installations that need it.
584
<title>CPU Requirements</title>
586
CPU requirements for <acronym>BIND</acronym> 9 range from
588
for serving of static zones without caching, to enterprise-class
589
machines if you intend to process many dynamic updates and DNSSEC
590
signed zones, serving many thousands of queries per second.
595
<title>Memory Requirements</title>
597
The memory of the server has to be large enough to fit the
598
cache and zones loaded off disk. The <command>max-cache-size</command>
599
option can be used to limit the amount of memory used by the cache,
600
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
602
Additionally, if additional section caching
603
(<xref linkend="acache"/>) is enabled,
604
the <command>max-acache-size</command> option can be used to
606
of memory used by the mechanism.
607
It is still good practice to have enough memory to load
608
all zone and cache data into memory — unfortunately, the best
610
to determine this for a given installation is to watch the name server
611
in operation. After a few weeks the server process should reach
612
a relatively stable size where entries are expiring from the cache as
613
fast as they are being inserted.
616
- Add something here about leaving overhead for attacks?
617
- How much overhead? Percentage?
622
<title>Name Server Intensive Environment Issues</title>
624
For name server intensive environments, there are two alternative
625
configurations that may be used. The first is where clients and
626
any second-level internal name servers query a main name server, which
627
has enough memory to build a large cache. This approach minimizes
628
the bandwidth used by external name lookups. The second alternative
629
is to set up second-level internal name servers to make queries
631
In this configuration, none of the individual machines needs to
632
have as much memory or CPU power as in the first alternative, but
633
this has the disadvantage of making many more external queries,
634
as none of the name servers share their cached data.
639
<title>Supported Operating Systems</title>
641
ISC <acronym>BIND</acronym> 9 compiles and runs on a large
643
of Unix-like operating system and on NT-derived versions of
644
Microsoft Windows such as Windows 2000 and Windows XP. For an
646
list of supported systems, see the README file in the top level
648
of the BIND 9 source distribution.
653
<chapter id="Bv9ARM.ch03">
654
<title>Name Server Configuration</title>
656
In this section we provide some suggested configurations along
657
with guidelines for their use. We suggest reasonable values for
658
certain option settings.
661
<sect1 id="sample_configuration">
662
<title>Sample Configurations</title>
664
<title>A Caching-only Name Server</title>
666
The following sample configuration is appropriate for a caching-only
667
name server for use by clients internal to a corporation. All
669
from outside clients are refused using the <command>allow-query</command>
670
option. Alternatively, the same effect could be achieved using
459
676
// Two corporate subnets we wish to allow queries from.
508
729
masters { 192.168.4.12; };
510
731
</programlisting>
515
<title>Load Balancing</title>
517
<para>A primitive form of load balancing can be achieved in
518
the <acronym>DNS</acronym> by using multiple A records for one name.</para>
520
<para>For example, if you have three WWW servers with network addresses
521
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
522
following means that clients will connect to each machine one third
525
<informaltable colsep = "0" rowsep = "0">
526
<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
527
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
528
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
529
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
530
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
531
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
534
<entry colname = "1"><para>Name</para></entry>
535
<entry colname = "2"><para>TTL</para></entry>
536
<entry colname = "3"><para>CLASS</para></entry>
537
<entry colname = "4"><para>TYPE</para></entry>
538
<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
541
<entry colname = "1"><para><literal>www</literal></para></entry>
542
<entry colname = "2"><para><literal>600</literal></para></entry>
543
<entry colname = "3"><para><literal>IN</literal></para></entry>
544
<entry colname = "4"><para><literal>A</literal></para></entry>
545
<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
548
<entry colname = "1"><para></para></entry>
549
<entry colname = "2"><para><literal>600</literal></para></entry>
550
<entry colname = "3"><para><literal>IN</literal></para></entry>
551
<entry colname = "4"><para><literal>A</literal></para></entry>
552
<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
555
<entry colname = "1"><para></para></entry>
556
<entry colname = "2"><para><literal>600</literal></para></entry>
557
<entry colname = "3"><para><literal>IN</literal></para></entry>
558
<entry colname = "4"><para><literal>A</literal></para></entry>
559
<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
564
<para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
565
them and respond to the query with the records in a different
566
order. In the example above, clients will randomly receive
567
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
568
will use the first record returned and discard the rest.</para>
569
<para>For more detail on ordering responses, check the
570
<command>rrset-order</command> substatement in the
571
<command>options</command> statement, see
572
<xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
573
This substatement is not supported in
574
<acronym>BIND</acronym> 9, and only the ordering scheme described above is
580
<title>Name Server Operations</title>
583
<title>Tools for Use With the Name Server Daemon</title>
584
<para>There are several indispensable diagnostic, administrative
585
and monitoring tools available to the system administrator for controlling
586
and debugging the name server daemon. We describe several in this
588
<sect3 id="diagnostic_tools">
589
<title>Diagnostic Tools</title>
590
<para>The <command>dig</command>, <command>host</command>, and
591
<command>nslookup</command> programs are all command line tools
592
for manually querying name servers. They differ in style and
598
<term id="dig"><command>dig</command></term>
600
<para>The domain information groper (<command>dig</command>)
601
is the most versatile and complete of these lookup tools.
602
It has two modes: simple interactive
603
mode for a single query, and batch mode which executes a query for
604
each in a list of several query lines. All query options are accessible
605
from the command line.</para>
606
<cmdsynopsis label="Usage">
607
<command>dig</command>
608
<arg>@<replaceable>server</replaceable></arg>
609
<arg choice="plain"><replaceable>domain</replaceable></arg>
610
<arg><replaceable>query-type</replaceable></arg>
611
<arg><replaceable>query-class</replaceable></arg>
612
<arg>+<replaceable>query-option</replaceable></arg>
613
<arg>-<replaceable>dig-option</replaceable></arg>
614
<arg>%<replaceable>comment</replaceable></arg>
616
<para>The usual simple use of dig will take the form</para>
617
<simpara><command>dig @server domain query-type query-class</command></simpara>
618
<para>For more information and a list of available commands and
619
options, see the <command>dig</command> man page.</para>
624
<term><command>host</command></term>
626
<para>The <command>host</command> utility emphasizes simplicity
627
and ease of use. By default, it converts
628
between host names and Internet addresses, but its functionality
629
can be extended with the use of options.</para>
630
<cmdsynopsis label="Usage">
631
<command>host</command>
633
<arg>-c <replaceable>class</replaceable></arg>
634
<arg>-N <replaceable>ndots</replaceable></arg>
635
<arg>-t <replaceable>type</replaceable></arg>
636
<arg>-W <replaceable>timeout</replaceable></arg>
637
<arg>-R <replaceable>retries</replaceable></arg>
638
<arg choice="plain"><replaceable>hostname</replaceable></arg>
639
<arg><replaceable>server</replaceable></arg>
641
<para>For more information and a list of available commands and
642
options, see the <command>host</command> man page.</para>
647
<term><command>nslookup</command></term>
649
<para><command>nslookup</command> has two modes: interactive
650
and non-interactive. Interactive mode allows the user to query name servers
651
for information about various hosts and domains or to print a list
652
of hosts in a domain. Non-interactive mode is used to print just
653
the name and requested information for a host or domain.</para>
654
<cmdsynopsis label="Usage">
655
<command>nslookup</command>
656
<arg rep="repeat">-option</arg>
658
<arg><replaceable>host-to-find</replaceable></arg>
659
<arg>- <arg>server</arg></arg>
662
<para>Interactive mode is entered when no arguments are given (the
663
default name server will be used) or when the first argument is a
664
hyphen (`-') and the second argument is the host name or Internet address
665
of a name server.</para>
666
<para>Non-interactive mode is used when the name or Internet address
667
of the host to be looked up is given as the first argument. The
668
optional second argument specifies the host name or address of a name server.</para>
669
<para>Due to its arcane user interface and frequently inconsistent
670
behavior, we do not recommend the use of <command>nslookup</command>.
671
Use <command>dig</command> instead.</para>
678
<sect3 id="admin_tools">
679
<title>Administrative Tools</title>
680
<para>Administrative tools play an integral part in the management
683
<varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
684
<term><command>named-checkconf</command></term>
686
<para>The <command>named-checkconf</command> program
687
checks the syntax of a <filename>named.conf</filename> file.</para>
688
<cmdsynopsis label="Usage">
689
<command>named-checkconf</command>
691
<arg>-t <replaceable>directory</replaceable></arg>
692
<arg><replaceable>filename</replaceable></arg>
696
<varlistentry id="named-checkzone" xreflabel="Zone Checking application">
697
<term><command>named-checkzone</command></term>
699
<para>The <command>named-checkzone</command> program checks a master file for
700
syntax and consistency.</para>
701
<cmdsynopsis label="Usage">
702
<command>named-checkzone</command>
704
<arg>-c <replaceable>class</replaceable></arg>
705
<arg>-o <replaceable>output</replaceable></arg>
706
<arg>-t <replaceable>directory</replaceable></arg>
707
<arg>-w <replaceable>directory</replaceable></arg>
708
<arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
709
<arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
710
<arg choice="plain"><replaceable>zone</replaceable></arg>
711
<arg><replaceable>filename</replaceable></arg>
715
<varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
716
<term><command>rndc</command></term>
718
<para>The remote name daemon control
719
(<command>rndc</command>) program allows the system
720
administrator to control the operation of a name server.
721
If you run <command>rndc</command> without any options
722
it will display a usage message as follows:</para>
723
<cmdsynopsis label="Usage">
724
<command>rndc</command>
725
<arg>-c <replaceable>config</replaceable></arg>
726
<arg>-s <replaceable>server</replaceable></arg>
727
<arg>-p <replaceable>port</replaceable></arg>
728
<arg>-y <replaceable>key</replaceable></arg>
729
<arg choice="plain"><replaceable>command</replaceable></arg>
730
<arg rep="repeat"><replaceable>command</replaceable></arg>
732
<para><command>command</command> is one of the following:</para>
736
<varlistentry><term><userinput>reload</userinput></term>
737
<listitem><para>Reload configuration file and zones.</para></listitem>
740
<varlistentry><term><userinput>reload <replaceable>zone</replaceable>
741
<optional><replaceable>class</replaceable>
742
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
743
<listitem><para>Reload the given zone.</para></listitem>
746
<varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
747
<optional><replaceable>class</replaceable>
748
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
749
<listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
752
<varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
753
<optional><replaceable>class</replaceable>
754
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
755
<listitem><para>Retransfer the given zone from the master.</para></listitem>
758
<varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
759
<optional><replaceable>class</replaceable>
760
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
761
<listitem><para>Suspend updates to a dynamic zone. If no zone is specified
762
then all zones are suspended. This allows manual
763
edits to be made to a zone normally updated by dynamic update. It
764
also causes changes in the journal file to be synced into the master
765
and the journal file to be removed. All dynamic update attempts will
766
be refused while the zone is frozen.</para></listitem>
769
<varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable>
770
<optional><replaceable>class</replaceable>
771
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
772
<listitem><para>Enable updates to a frozen dynamic zone. If no zone is
773
specified then all frozen zones are enabled. This causes
774
the server to reload the zone from disk, and re-enables dynamic updates
775
after the load has completed. After a zone is thawed, dynamic updates
776
will no longer be refused.</para></listitem>
779
<varlistentry><term><userinput>notify <replaceable>zone</replaceable>
780
<optional><replaceable>class</replaceable>
781
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
782
<listitem><para>Resend NOTIFY messages for the zone</para></listitem></varlistentry>
784
<varlistentry><term><userinput>reconfig</userinput></term>
785
<listitem><para>Reload the configuration file and load new zones,
786
but do not reload existing zone files even if they have changed.
787
This is faster than a full <command>reload</command> when there
788
is a large number of zones because it avoids the need to examine the
789
modification times of the zones files.
793
<varlistentry><term><userinput>stats</userinput></term>
794
<listitem><para>Write server statistics to the statistics file.</para></listitem>
797
<varlistentry><term><userinput>querylog</userinput></term>
798
<listitem><para>Toggle query logging. Query logging can also be enabled
799
by explicitly directing the <command>queries</command>
800
<command>category</command> to a <command>channel</command> in the
801
<command>logging</command> section of
802
<filename>named.conf</filename>.</para></listitem></varlistentry>
804
<varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
805
<listitem><para>Dump the server's caches (default) and / or zones to the
806
dump file for the specified views. If no view is specified all
807
views are dumped.</para></listitem></varlistentry>
809
<varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
810
<listitem><para>Stop the server, making sure any recent changes
811
made through dynamic update or IXFR are first saved to the master files
812
of the updated zones. If -p is specified named's process id is returned.</para></listitem></varlistentry>
814
<varlistentry><term><userinput>halt <optional>-p</optional></userinput></term>
815
<listitem><para>Stop the server immediately. Recent changes
816
made through dynamic update or IXFR are not saved to the master files,
817
but will be rolled forward from the journal files when the server
818
is restarted. If -p is specified named's process id is returned.</para></listitem></varlistentry>
820
<varlistentry><term><userinput>trace</userinput></term>
821
<listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
823
<varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
824
<listitem><para>Sets the server's debugging level to an explicit
825
value.</para></listitem></varlistentry>
827
<varlistentry><term><userinput>notrace</userinput></term>
828
<listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
830
<varlistentry><term><userinput>flush</userinput></term>
831
<listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
833
<varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
834
<listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry>
836
<varlistentry><term><userinput>status</userinput></term>
837
<listitem><para>Display status of the server.
838
Note the number of zones includes the internal <command>bind/CH</command> zone
839
and the default <command>./IN</command> hint zone if there is not a
840
explicit root zone configured.</para></listitem></varlistentry>
842
<varlistentry><term><userinput>recursing</userinput></term>
843
<listitem><para>Dump the list of queries named is currently recursing
845
</para></listitem></varlistentry>
849
<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
850
supports all the commands of the BIND 8 <command>ndc</command>
851
utility except <command>ndc start</command> and
852
<command>ndc restart</command>, which were also
853
not supported in <command>ndc</command>'s channel mode.</para>
855
<para>A configuration file is required, since all
856
communication with the server is authenticated with
857
digital signatures that rely on a shared secret, and
858
there is no way to provide that secret other than with a
859
configuration file. The default location for the
860
<command>rndc</command> configuration file is
861
<filename>/etc/rndc.conf</filename>, but an alternate
862
location can be specified with the <option>-c</option>
863
option. If the configuration file is not found,
864
<command>rndc</command> will also look in
865
<filename>/etc/rndc.key</filename> (or whatever
866
<varname>sysconfdir</varname> was defined when
867
the <acronym>BIND</acronym> build was configured).
868
The <filename>rndc.key</filename> file is generated by
869
running <command>rndc-confgen -a</command> as described in
870
<xref linkend="controls_statement_definition_and_usage"/>.</para>
872
<para>The format of the configuration file is similar to
873
that of <filename>named.conf</filename>, but limited to
874
only four statements, the <command>options</command>,
875
<command>key</command>, <command>server</command> and
876
<command>include</command>
877
statements. These statements are what associate the
878
secret keys to the servers with which they are meant to
879
be shared. The order of statements is not
882
<para>The <command>options</command> statement has three clauses:
883
<command>default-server</command>, <command>default-key</command>,
884
and <command>default-port</command>.
885
<command>default-server</command> takes a
886
host name or address argument and represents the server that will
887
be contacted if no <option>-s</option>
888
option is provided on the command line.
889
<command>default-key</command> takes
890
the name of a key as its argument, as defined by a <command>key</command> statement.
891
<command>default-port</command> specifies the port to which
892
<command>rndc</command> should connect if no
893
port is given on the command line or in a
894
<command>server</command> statement.</para>
896
<para>The <command>key</command> statement defines an key to be used
897
by <command>rndc</command> when authenticating with
898
<command>named</command>. Its syntax is identical to the
899
<command>key</command> statement in named.conf.
900
The keyword <userinput>key</userinput> is
901
followed by a key name, which must be a valid
902
domain name, though it need not actually be hierarchical; thus,
903
a string like "<userinput>rndc_key</userinput>" is a valid name.
904
The <command>key</command> statement has two clauses:
905
<command>algorithm</command> and <command>secret</command>.
906
While the configuration parser will accept any string as the argument
907
to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
908
has any meaning. The secret is a base-64 encoded string.</para>
910
<para>The <command>server</command> statement associates a key
911
defined using the <command>key</command> statement with a server.
912
The keyword <userinput>server</userinput> is followed by a
913
host name or address. The <command>server</command> statement
914
has two clauses: <command>key</command> and <command>port</command>.
915
The <command>key</command> clause specifies the name of the key
916
to be used when communicating with this server, and the
917
<command>port</command> clause can be used to
918
specify the port <command>rndc</command> should connect
919
to on the server.</para>
921
<para>A sample minimal configuration file is as follows:</para>
737
<title>Load Balancing</title>
739
- Add explanation of why load balancing is fragile at best
740
- and completely pointless in the general case.
744
A primitive form of load balancing can be achieved in
745
the <acronym>DNS</acronym> by using multiple records
746
(such as multiple A records) for one name.
750
For example, if you have three WWW servers with network addresses
751
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
752
following means that clients will connect to each machine one third
756
<informaltable colsep="0" rowsep="0">
757
<tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
758
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
759
<colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
760
<colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
761
<colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
762
<colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
787
Resource Record (RR) Data
794
<literal>www</literal>
799
<literal>600</literal>
804
<literal>IN</literal>
814
<literal>10.0.0.1</literal>
824
<literal>600</literal>
829
<literal>IN</literal>
839
<literal>10.0.0.2</literal>
849
<literal>600</literal>
854
<literal>IN</literal>
864
<literal>10.0.0.3</literal>
872
When a resolver queries for these records, <acronym>BIND</acronym> will rotate
873
them and respond to the query with the records in a different
874
order. In the example above, clients will randomly receive
875
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
876
will use the first record returned and discard the rest.
879
For more detail on ordering responses, check the
880
<command>rrset-order</command> substatement in the
881
<command>options</command> statement, see
882
<xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
888
<title>Name Server Operations</title>
891
<title>Tools for Use With the Name Server Daemon</title>
893
This section describes several indispensable diagnostic,
894
administrative and monitoring tools available to the system
895
administrator for controlling and debugging the name server
898
<sect3 id="diagnostic_tools">
899
<title>Diagnostic Tools</title>
901
The <command>dig</command>, <command>host</command>, and
902
<command>nslookup</command> programs are all command
904
for manually querying name servers. They differ in style and
910
<term id="dig"><command>dig</command></term>
913
The domain information groper (<command>dig</command>)
914
is the most versatile and complete of these lookup tools.
915
It has two modes: simple interactive
916
mode for a single query, and batch mode which executes a
918
each in a list of several query lines. All query options are
920
from the command line.
922
<cmdsynopsis label="Usage">
923
<command>dig</command>
924
<arg>@<replaceable>server</replaceable></arg>
925
<arg choice="plain"><replaceable>domain</replaceable></arg>
926
<arg><replaceable>query-type</replaceable></arg>
927
<arg><replaceable>query-class</replaceable></arg>
928
<arg>+<replaceable>query-option</replaceable></arg>
929
<arg>-<replaceable>dig-option</replaceable></arg>
930
<arg>%<replaceable>comment</replaceable></arg>
933
The usual simple use of dig will take the form
936
<command>dig @server domain query-type query-class</command>
939
For more information and a list of available commands and
940
options, see the <command>dig</command> man
947
<term><command>host</command></term>
950
The <command>host</command> utility emphasizes
952
and ease of use. By default, it converts
953
between host names and Internet addresses, but its
955
can be extended with the use of options.
957
<cmdsynopsis label="Usage">
958
<command>host</command>
959
<arg>-aCdlnrsTwv</arg>
960
<arg>-c <replaceable>class</replaceable></arg>
961
<arg>-N <replaceable>ndots</replaceable></arg>
962
<arg>-t <replaceable>type</replaceable></arg>
963
<arg>-W <replaceable>timeout</replaceable></arg>
964
<arg>-R <replaceable>retries</replaceable></arg>
965
<arg>-m <replaceable>flag</replaceable></arg>
968
<arg choice="plain"><replaceable>hostname</replaceable></arg>
969
<arg><replaceable>server</replaceable></arg>
972
For more information and a list of available commands and
973
options, see the <command>host</command> man
980
<term><command>nslookup</command></term>
982
<para><command>nslookup</command>
983
has two modes: interactive and
984
non-interactive. Interactive mode allows the user to
985
query name servers for information about various
986
hosts and domains or to print a list of hosts in a
987
domain. Non-interactive mode is used to print just
988
the name and requested information for a host or
991
<cmdsynopsis label="Usage">
992
<command>nslookup</command>
993
<arg rep="repeat">-option</arg>
995
<arg><replaceable>host-to-find</replaceable></arg>
996
<arg>- <arg>server</arg></arg>
1000
Interactive mode is entered when no arguments are given (the
1001
default name server will be used) or when the first argument
1003
hyphen (`-') and the second argument is the host name or
1008
Non-interactive mode is used when the name or Internet
1010
of the host to be looked up is given as the first argument.
1012
optional second argument specifies the host name or address
1016
Due to its arcane user interface and frequently inconsistent
1017
behavior, we do not recommend the use of <command>nslookup</command>.
1018
Use <command>dig</command> instead.
1026
<sect3 id="admin_tools">
1027
<title>Administrative Tools</title>
1029
Administrative tools play an integral part in the management
1033
<varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1035
<term><command>named-checkconf</command></term>
1038
The <command>named-checkconf</command> program
1039
checks the syntax of a <filename>named.conf</filename> file.
1041
<cmdsynopsis label="Usage">
1042
<command>named-checkconf</command>
1044
<arg>-t <replaceable>directory</replaceable></arg>
1045
<arg><replaceable>filename</replaceable></arg>
1049
<varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1051
<term><command>named-checkzone</command></term>
1054
The <command>named-checkzone</command> program
1055
checks a master file for
1056
syntax and consistency.
1058
<cmdsynopsis label="Usage">
1059
<command>named-checkzone</command>
1061
<arg>-c <replaceable>class</replaceable></arg>
1062
<arg>-o <replaceable>output</replaceable></arg>
1063
<arg>-t <replaceable>directory</replaceable></arg>
1064
<arg>-w <replaceable>directory</replaceable></arg>
1065
<arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1066
<arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1067
<arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1068
<arg choice="plain"><replaceable>zone</replaceable></arg>
1069
<arg><replaceable>filename</replaceable></arg>
1073
<varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
1074
<term><command>named-compilezone</command></term>
1077
Similar to <command>named-checkzone,</command> but
1078
it always dumps the zone content to a specified file
1079
(typically in a different format).
1083
<varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1085
<term><command>rndc</command></term>
1088
The remote name daemon control
1089
(<command>rndc</command>) program allows the
1091
administrator to control the operation of a name server.
1092
Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1093
supports all the commands of the BIND 8 <command>ndc</command>
1094
utility except <command>ndc start</command> and
1095
<command>ndc restart</command>, which were also
1096
not supported in <command>ndc</command>'s
1098
If you run <command>rndc</command> without any
1100
it will display a usage message as follows:
1102
<cmdsynopsis label="Usage">
1103
<command>rndc</command>
1104
<arg>-c <replaceable>config</replaceable></arg>
1105
<arg>-s <replaceable>server</replaceable></arg>
1106
<arg>-p <replaceable>port</replaceable></arg>
1107
<arg>-y <replaceable>key</replaceable></arg>
1108
<arg choice="plain"><replaceable>command</replaceable></arg>
1109
<arg rep="repeat"><replaceable>command</replaceable></arg>
1111
<para>The <command>command</command>
1112
is one of the following:
1118
<term><userinput>reload</userinput></term>
1121
Reload configuration file and zones.
1127
<term><userinput>reload <replaceable>zone</replaceable>
1128
<optional><replaceable>class</replaceable>
1129
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1132
Reload the given zone.
1138
<term><userinput>refresh <replaceable>zone</replaceable>
1139
<optional><replaceable>class</replaceable>
1140
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1143
Schedule zone maintenance for the given zone.
1149
<term><userinput>retransfer <replaceable>zone</replaceable>
1151
<optional><replaceable>class</replaceable>
1152
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1155
Retransfer the given zone from the master.
1162
<term><userinput>freeze
1163
<optional><replaceable>zone</replaceable>
1164
<optional><replaceable>class</replaceable>
1165
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1168
Suspend updates to a dynamic zone. If no zone is
1170
then all zones are suspended. This allows manual
1171
edits to be made to a zone normally updated by dynamic
1173
also causes changes in the journal file to be synced
1175
and the journal file to be removed. All dynamic
1176
update attempts will
1177
be refused while the zone is frozen.
1183
<term><userinput>thaw
1184
<optional><replaceable>zone</replaceable>
1185
<optional><replaceable>class</replaceable>
1186
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1189
Enable updates to a frozen dynamic zone. If no zone
1191
specified, then all frozen zones are enabled. This
1193
the server to reload the zone from disk, and
1194
re-enables dynamic updates
1195
after the load has completed. After a zone is thawed,
1197
will no longer be refused.
1203
<term><userinput>notify <replaceable>zone</replaceable>
1204
<optional><replaceable>class</replaceable>
1205
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1208
Resend NOTIFY messages for the zone.
1214
<term><userinput>reconfig</userinput></term>
1217
Reload the configuration file and load new zones,
1218
but do not reload existing zone files even if they
1220
This is faster than a full <command>reload</command> when there
1221
is a large number of zones because it avoids the need
1223
modification times of the zones files.
1229
<term><userinput>stats</userinput></term>
1232
Write server statistics to the statistics file.
1238
<term><userinput>querylog</userinput></term>
1241
Toggle query logging. Query logging can also be enabled
1242
by explicitly directing the <command>queries</command>
1243
<command>category</command> to a
1244
<command>channel</command> in the
1245
<command>logging</command> section of
1246
<filename>named.conf</filename> or by specifying
1247
<command>querylog yes;</command> in the
1248
<command>options</command> section of
1249
<filename>named.conf</filename>.
1255
<term><userinput>dumpdb
1256
<optional>-all|-cache|-zone</optional>
1257
<optional><replaceable>view ...</replaceable></optional></userinput></term>
1260
Dump the server's caches (default) and/or zones to
1262
dump file for the specified views. If no view is
1270
<term><userinput>stop <optional>-p</optional></userinput></term>
1273
Stop the server, making sure any recent changes
1274
made through dynamic update or IXFR are first saved to
1275
the master files of the updated zones.
1276
If -p is specified named's process id is returned.
1277
This allows an external process to determine when named
1278
had completed stopping.
1284
<term><userinput>halt <optional>-p</optional></userinput></term>
1287
Stop the server immediately. Recent changes
1288
made through dynamic update or IXFR are not saved to
1289
the master files, but will be rolled forward from the
1290
journal files when the server is restarted.
1291
If -p is specified named's process id is returned.
1292
This allows an external process to determine when named
1293
had completed halting.
1299
<term><userinput>trace</userinput></term>
1302
Increment the servers debugging level by one.
1308
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
1311
Sets the server's debugging level to an explicit
1318
<term><userinput>notrace</userinput></term>
1321
Sets the server's debugging level to 0.
1327
<term><userinput>flush</userinput></term>
1330
Flushes the server's cache.
1336
<term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1339
Flushes the given name from the server's cache.
1345
<term><userinput>status</userinput></term>
1348
Display status of the server.
1349
Note that the number of zones includes the internal <command>bind/CH</command> zone
1350
and the default <command>./IN</command>
1351
hint zone if there is not an
1352
explicit root zone configured.
1358
<term><userinput>recursing</userinput></term>
1361
Dump the list of queries named is currently recursing
1370
A configuration file is required, since all
1371
communication with the server is authenticated with
1372
digital signatures that rely on a shared secret, and
1373
there is no way to provide that secret other than with a
1374
configuration file. The default location for the
1375
<command>rndc</command> configuration file is
1376
<filename>/etc/rndc.conf</filename>, but an
1378
location can be specified with the <option>-c</option>
1379
option. If the configuration file is not found,
1380
<command>rndc</command> will also look in
1381
<filename>/etc/rndc.key</filename> (or whatever
1382
<varname>sysconfdir</varname> was defined when
1383
the <acronym>BIND</acronym> build was
1385
The <filename>rndc.key</filename> file is
1387
running <command>rndc-confgen -a</command> as
1389
<xref linkend="controls_statement_definition_and_usage"/>.
1393
The format of the configuration file is similar to
1394
that of <filename>named.conf</filename>, but
1396
only four statements, the <command>options</command>,
1397
<command>key</command>, <command>server</command> and
1398
<command>include</command>
1399
statements. These statements are what associate the
1400
secret keys to the servers with which they are meant to
1401
be shared. The order of statements is not
1406
The <command>options</command> statement has
1408
<command>default-server</command>, <command>default-key</command>,
1409
and <command>default-port</command>.
1410
<command>default-server</command> takes a
1411
host name or address argument and represents the server
1413
be contacted if no <option>-s</option>
1414
option is provided on the command line.
1415
<command>default-key</command> takes
1416
the name of a key as its argument, as defined by a <command>key</command> statement.
1417
<command>default-port</command> specifies the
1419
<command>rndc</command> should connect if no
1420
port is given on the command line or in a
1421
<command>server</command> statement.
1425
The <command>key</command> statement defines a
1427
by <command>rndc</command> when authenticating
1429
<command>named</command>. Its syntax is
1431
<command>key</command> statement in named.conf.
1432
The keyword <userinput>key</userinput> is
1433
followed by a key name, which must be a valid
1434
domain name, though it need not actually be hierarchical;
1436
a string like "<userinput>rndc_key</userinput>" is a valid
1438
The <command>key</command> statement has two
1440
<command>algorithm</command> and <command>secret</command>.
1441
While the configuration parser will accept any string as the
1443
to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1444
has any meaning. The secret is a base-64 encoded string
1445
as specified in RFC 3548.
1449
The <command>server</command> statement
1451
defined using the <command>key</command>
1452
statement with a server.
1453
The keyword <userinput>server</userinput> is followed by a
1454
host name or address. The <command>server</command> statement
1455
has two clauses: <command>key</command> and <command>port</command>.
1456
The <command>key</command> clause specifies the
1458
to be used when communicating with this server, and the
1459
<command>port</command> clause can be used to
1460
specify the port <command>rndc</command> should
1466
A sample minimal configuration file is as follows:
922
1469
<programlisting>
924
1471
algorithm "hmac-md5";
931
1478
</programlisting>
933
<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
934
would allow the command:</para>
936
<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
938
<para>to connect to 127.0.0.1 port 953 and cause the name server
939
to reload, if a name server on the local machine were running with
940
following controls statements:</para>
1481
This file, if installed as <filename>/etc/rndc.conf</filename>,
1482
would allow the command:
1486
<prompt>$ </prompt><userinput>rndc reload</userinput>
1490
to connect to 127.0.0.1 port 953 and cause the name server
1491
to reload, if a name server on the local machine were
1493
following controls statements:
941
1496
<programlisting>
943
1498
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
945
1500
</programlisting>
946
<para>and it had an identical key statement for
947
<literal>rndc_key</literal>.</para>
949
<para>Running the <command>rndc-confgen</command> program will
950
conveniently create a <filename>rndc.conf</filename>
951
file for you, and also display the
952
corresponding <command>controls</command> statement that you need to
953
add to <filename>named.conf</filename>. Alternatively,
954
you can run <command>rndc-confgen -a</command> to set up
955
a <filename>rndc.key</filename> file and not modify
956
<filename>named.conf</filename> at all.
967
<title>Signals</title>
968
<para>Certain UNIX signals cause the name server to take specific
969
actions, as described in the following table. These signals can
970
be sent using the <command>kill</command> command.</para>
971
<informaltable frame = "all" ><tgroup cols = "2">
972
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
973
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
976
<entry colname = "1"><para><command>SIGHUP</command></para></entry>
977
<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
978
reload the database. </para></entry>
981
<entry colname = "1"><para><command>SIGTERM</command></para></entry>
982
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
985
<entry colname = "1">
986
<para><command>SIGINT</command></para>
988
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
1503
and it had an identical key statement for
1504
<literal>rndc_key</literal>.
1508
Running the <command>rndc-confgen</command>
1510
conveniently create a <filename>rndc.conf</filename>
1511
file for you, and also display the
1512
corresponding <command>controls</command>
1513
statement that you need to
1514
add to <filename>named.conf</filename>.
1516
you can run <command>rndc-confgen -a</command>
1518
a <filename>rndc.key</filename> file and not
1520
<filename>named.conf</filename> at all.
1531
<title>Signals</title>
1533
Certain UNIX signals cause the name server to take specific
1534
actions, as described in the following table. These signals can
1535
be sent using the <command>kill</command> command.
1537
<informaltable frame="all">
1539
<colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1540
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1544
<para><command>SIGHUP</command></para>
1548
Causes the server to read <filename>named.conf</filename> and
1549
reload the database.
1555
<para><command>SIGTERM</command></para>
1559
Causes the server to clean up and exit.
1565
<para><command>SIGINT</command></para>
1569
Causes the server to clean up and exit.
997
<chapter id="Bv9ARM.ch04">
998
<title>Advanced DNS Features</title>
1002
<title>Notify</title>
1003
<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1004
servers to notify their slave servers of changes to a zone's data. In
1005
response to a <command>NOTIFY</command> from a master server, the
1006
slave will check to see that its version of the zone is the
1007
current version and, if not, initiate a zone transfer.</para>
1009
<para><acronym>DNS</acronym>
1010
For more information about
1011
<command>NOTIFY</command>, see the description of the
1012
<command>notify</command> option in <xref linkend="boolean_options"/> and
1013
the description of the zone option <command>also-notify</command> in
1014
<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1015
protocol is specified in RFC 1996.
1020
<sect1 id="dynamic_update">
1021
<title>Dynamic Update</title>
1023
<para>Dynamic Update is a method for adding, replacing or deleting
1024
records in a master server by sending it a special form of DNS
1025
messages. The format and meaning of these messages is specified
1028
<para>Dynamic update is enabled on a zone-by-zone basis, by
1029
including an <command>allow-update</command> or
1030
<command>update-policy</command> clause in the
1031
<command>zone</command> statement.</para>
1033
<para>Updating of secure zones (zones using DNSSEC) follows
1034
RFC 3007: RRSIG and NSEC records affected by updates are automatically
1035
regenerated by the server using an online zone key.
1036
Update authorization is based
1037
on transaction signatures and an explicit server policy.</para>
1039
<sect2 id="journal">
1040
<title>The journal file</title>
1042
<para>All changes made to a zone using dynamic update are stored in the
1043
zone's journal file. This file is automatically created by the
1044
server when the first dynamic update takes place. The name of
1045
the journal file is formed by appending the
1046
extension <filename>.jnl</filename> to the
1047
name of the corresponding zone file. The journal file is in a
1048
binary format and should not be edited manually.</para>
1050
<para>The server will also occasionally write ("dump")
1051
the complete contents of the updated zone to its zone file.
1052
This is not done immediately after
1053
each dynamic update, because that would be too slow when a large
1054
zone is updated frequently. Instead, the dump is delayed by
1055
up to 15 minutes, allowing additional updates to take place.</para>
1057
<para>When a server is restarted after a shutdown or crash, it will replay
1058
the journal file to incorporate into the zone any updates that took
1059
place after the last zone dump.</para>
1061
<para>Changes that result from incoming incremental zone transfers are also
1062
journalled in a similar way.</para>
1064
<para>The zone files of dynamic zones cannot normally be edited by
1065
hand because they are not guaranteed to contain the most recent
1066
dynamic changes - those are only in the journal file.
1067
The only way to ensure that the zone file of a dynamic zone
1068
is up to date is to run <command>rndc stop</command>.</para>
1070
<para>If you have to make changes to a dynamic zone
1071
manually, the following procedure will work: Disable dynamic updates
1073
<command>rndc freeze <replaceable>zone</replaceable></command>.
1074
This will also remove the zone's <filename>.jnl</filename> file
1075
and update the master file. Edit the zone file. Run
1076
<command>rndc unfreeze <replaceable>zone</replaceable></command>
1077
to reload the changed zone and re-enable dynamic updates.</para>
1083
<sect1 id="incremental_zone_transfers">
1084
<title>Incremental Zone Transfers (IXFR)</title>
1086
<para>The incremental zone transfer (IXFR) protocol is a way for
1087
slave servers to transfer only changed data, instead of having to
1088
transfer the entire zone. The IXFR protocol is specified in RFC
1089
1995. See <xref linkend="proposed_standards"/>.</para>
1091
<para>When acting as a master, <acronym>BIND</acronym> 9
1092
supports IXFR for those zones
1093
where the necessary change history information is available. These
1094
include master zones maintained by dynamic update and slave zones
1095
whose data was obtained by IXFR. For manually maintained master
1096
zones, and for slave zones obtained by performing a full zone
1097
transfer (AXFR), IXFR is supported only if the option
1098
<command>ixfr-from-differences</command> is set
1099
to <userinput>yes</userinput>.
1102
<para>When acting as a slave, <acronym>BIND</acronym> 9 will
1103
attempt to use IXFR unless
1104
it is explicitly disabled. For more information about disabling
1105
IXFR, see the description of the <command>request-ixfr</command> clause
1106
of the <command>server</command> statement.</para>
1109
<sect1><title>Split DNS</title>
1110
<para>Setting up different views, or visibility, of the DNS space to
1111
internal and external resolvers is usually referred to as a <emphasis>Split
1112
DNS</emphasis> setup. There are several reasons an organization
1113
would want to set up its DNS this way.</para>
1114
<para>One common reason for setting up a DNS system this way is
1115
to hide "internal" DNS information from "external" clients on the
1116
Internet. There is some debate as to whether or not this is actually useful.
1117
Internal DNS information leaks out in many ways (via email headers,
1118
for example) and most savvy "attackers" can find the information
1119
they need using other means.</para>
1120
<para>Another common reason for setting up a Split DNS system is
1121
to allow internal networks that are behind filters or in RFC 1918
1122
space (reserved IP space, as documented in RFC 1918) to resolve DNS
1123
on the Internet. Split DNS can also be used to allow mail from outside
1124
back in to the internal network.</para>
1125
<para>Here is an example of a split DNS setup:</para>
1126
<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
1127
(<literal>example.com</literal>)
1128
has several corporate sites that have an internal network with reserved
1129
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1130
or "outside" section of a network, that is available to the public.</para>
1131
<para><emphasis>Example, Inc.</emphasis> wants its internal clients
1132
to be able to resolve external hostnames and to exchange mail with
1133
people on the outside. The company also wants its internal resolvers
1134
to have access to certain internal-only zones that are not available
1135
at all outside of the internal network.</para>
1136
<para>In order to accomplish this, the company will set up two sets
1137
of name servers. One set will be on the inside network (in the reserved
1138
IP space) and the other set will be on bastion hosts, which are "proxy"
1139
hosts that can talk to both sides of its network, in the DMZ.</para>
1140
<para>The internal servers will be configured to forward all queries,
1141
except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1142
and <filename>site2.example.com</filename>, to the servers in the
1143
DMZ. These internal servers will have complete sets of information
1144
for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
1145
and <filename>site2.internal</filename>.</para>
1146
<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1147
the internal name servers must be configured to disallow all queries
1148
to these domains from any external hosts, including the bastion
1150
<para>The external servers, which are on the bastion hosts, will
1151
be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1152
This could include things such as the host records for public servers
1153
(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1154
and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
1155
<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1156
should have special MX records that contain wildcard (`*') records
1157
pointing to the bastion hosts. This is needed because external mail
1158
servers do not have any other way of looking up how to deliver mail
1159
to those internal hosts. With the wildcard records, the mail will
1160
be delivered to the bastion host, which can then forward it on to
1161
internal hosts.</para>
1162
<para>Here's an example of a wildcard MX record:</para>
1163
<programlisting>* IN MX 10 external1.example.com.</programlisting>
1164
<para>Now that they accept mail on behalf of anything in the internal
1165
network, the bastion hosts will need to know how to deliver mail
1166
to internal hosts. In order for this to work properly, the resolvers on
1167
the bastion hosts will need to be configured to point to the internal
1168
name servers for DNS resolution.</para>
1169
<para>Queries for internal hostnames will be answered by the internal
1170
servers, and queries for external hostnames will be forwarded back
1171
out to the DNS servers on the bastion hosts.</para>
1172
<para>In order for all this to work properly, internal clients will
1173
need to be configured to query <emphasis>only</emphasis> the internal
1174
name servers for DNS queries. This could also be enforced via selective
1175
filtering on the network.</para>
1176
<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1177
internal clients will now be able to:</para>
1178
<itemizedlist><listitem>
1179
<simpara>Look up any hostnames in the <literal>site1</literal> and
1180
<literal>site2.example.com</literal> zones.</simpara></listitem>
1182
<simpara>Look up any hostnames in the <literal>site1.internal</literal> and
1183
<literal>site2.internal</literal> domains.</simpara></listitem>
1185
<simpara>Look up any hostnames on the Internet.</simpara></listitem>
1187
<simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
1188
<para>Hosts on the Internet will be able to:</para>
1189
<itemizedlist><listitem>
1190
<simpara>Look up any hostnames in the <literal>site1</literal> and
1191
<literal>site2.example.com</literal> zones.</simpara></listitem>
1193
<simpara>Exchange mail with anyone in the <literal>site1</literal> and
1194
<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
1196
<para>Here is an example configuration for the setup we just
1197
described above. Note that this is only configuration information;
1198
for information on how to configure your zone files, see <xref
1199
linkend="sample_configuration"/></para>
1201
<para>Internal DNS server config:</para>
1580
<chapter id="Bv9ARM.ch04">
1581
<title>Advanced DNS Features</title>
1585
<title>Notify</title>
1587
<acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1588
servers to notify their slave servers of changes to a zone's data. In
1589
response to a <command>NOTIFY</command> from a master server, the
1590
slave will check to see that its version of the zone is the
1591
current version and, if not, initiate a zone transfer.
1595
For more information about <acronym>DNS</acronym>
1596
<command>NOTIFY</command>, see the description of the
1597
<command>notify</command> option in <xref linkend="boolean_options"/> and
1598
the description of the zone option <command>also-notify</command> in
1599
<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1600
protocol is specified in RFC 1996.
1604
As a slave zone can also be a master to other slaves, named,
1605
by default, sends <command>NOTIFY</command> messages for every zone
1606
it loads. Specifying <command>notify master-only;</command> will
1607
cause named to only send <command>NOTIFY</command> for master
1608
zones that it loads.
1613
<sect1 id="dynamic_update">
1614
<title>Dynamic Update</title>
1617
Dynamic Update is a method for adding, replacing or deleting
1618
records in a master server by sending it a special form of DNS
1619
messages. The format and meaning of these messages is specified
1624
Dynamic update is enabled by including an
1625
<command>allow-update</command> or <command>update-policy</command>
1626
clause in the <command>zone</command> statement. The
1627
<command>tkey-gssapi-credential</command> and
1628
<command>tkey-domain</command> clauses in the
1629
<command>options</command> statement enable the
1630
server to negotiate keys that can be matched against those
1631
in <command>update-policy</command> or
1632
<command>allow-update</command>.
1636
Updating of secure zones (zones using DNSSEC) follows
1637
RFC 3007: RRSIG and NSEC records affected by updates are automatically
1638
regenerated by the server using an online zone key.
1639
Update authorization is based
1640
on transaction signatures and an explicit server policy.
1643
<sect2 id="journal">
1644
<title>The journal file</title>
1647
All changes made to a zone using dynamic update are stored
1648
in the zone's journal file. This file is automatically created
1649
by the server when the first dynamic update takes place.
1650
The name of the journal file is formed by appending the extension
1651
<filename>.jnl</filename> to the name of the
1653
file unless specifically overridden. The journal file is in a
1654
binary format and should not be edited manually.
1658
The server will also occasionally write ("dump")
1659
the complete contents of the updated zone to its zone file.
1660
This is not done immediately after
1661
each dynamic update, because that would be too slow when a large
1662
zone is updated frequently. Instead, the dump is delayed by
1663
up to 15 minutes, allowing additional updates to take place.
1667
When a server is restarted after a shutdown or crash, it will replay
1668
the journal file to incorporate into the zone any updates that
1670
place after the last zone dump.
1674
Changes that result from incoming incremental zone transfers are
1676
journalled in a similar way.
1680
The zone files of dynamic zones cannot normally be edited by
1681
hand because they are not guaranteed to contain the most recent
1682
dynamic changes — those are only in the journal file.
1683
The only way to ensure that the zone file of a dynamic zone
1684
is up to date is to run <command>rndc stop</command>.
1688
If you have to make changes to a dynamic zone
1689
manually, the following procedure will work: Disable dynamic updates
1691
<command>rndc freeze <replaceable>zone</replaceable></command>.
1692
This will also remove the zone's <filename>.jnl</filename> file
1693
and update the master file. Edit the zone file. Run
1694
<command>rndc thaw <replaceable>zone</replaceable></command>
1695
to reload the changed zone and re-enable dynamic updates.
1702
<sect1 id="incremental_zone_transfers">
1703
<title>Incremental Zone Transfers (IXFR)</title>
1706
The incremental zone transfer (IXFR) protocol is a way for
1707
slave servers to transfer only changed data, instead of having to
1708
transfer the entire zone. The IXFR protocol is specified in RFC
1709
1995. See <xref linkend="proposed_standards"/>.
1713
When acting as a master, <acronym>BIND</acronym> 9
1714
supports IXFR for those zones
1715
where the necessary change history information is available. These
1716
include master zones maintained by dynamic update and slave zones
1717
whose data was obtained by IXFR. For manually maintained master
1718
zones, and for slave zones obtained by performing a full zone
1719
transfer (AXFR), IXFR is supported only if the option
1720
<command>ixfr-from-differences</command> is set
1721
to <userinput>yes</userinput>.
1725
When acting as a slave, <acronym>BIND</acronym> 9 will
1726
attempt to use IXFR unless
1727
it is explicitly disabled. For more information about disabling
1728
IXFR, see the description of the <command>request-ixfr</command> clause
1729
of the <command>server</command> statement.
1734
<title>Split DNS</title>
1736
Setting up different views, or visibility, of the DNS space to
1737
internal and external resolvers is usually referred to as a
1738
<emphasis>Split DNS</emphasis> setup. There are several
1739
reasons an organization would want to set up its DNS this way.
1742
One common reason for setting up a DNS system this way is
1743
to hide "internal" DNS information from "external" clients on the
1744
Internet. There is some debate as to whether or not this is actually
1746
Internal DNS information leaks out in many ways (via email headers,
1747
for example) and most savvy "attackers" can find the information
1748
they need using other means.
1749
However, since listing addresses of internal servers that
1750
external clients cannot possibly reach can result in
1751
connection delays and other annoyances, an organization may
1752
choose to use a Split DNS to present a consistent view of itself
1753
to the outside world.
1756
Another common reason for setting up a Split DNS system is
1757
to allow internal networks that are behind filters or in RFC 1918
1758
space (reserved IP space, as documented in RFC 1918) to resolve DNS
1759
on the Internet. Split DNS can also be used to allow mail from outside
1760
back in to the internal network.
1763
<title>Example split DNS setup</title>
1765
Let's say a company named <emphasis>Example, Inc.</emphasis>
1766
(<literal>example.com</literal>)
1767
has several corporate sites that have an internal network with
1769
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1770
or "outside" section of a network, that is available to the public.
1773
<emphasis>Example, Inc.</emphasis> wants its internal clients
1774
to be able to resolve external hostnames and to exchange mail with
1775
people on the outside. The company also wants its internal resolvers
1776
to have access to certain internal-only zones that are not available
1777
at all outside of the internal network.
1780
In order to accomplish this, the company will set up two sets
1781
of name servers. One set will be on the inside network (in the
1783
IP space) and the other set will be on bastion hosts, which are
1785
hosts that can talk to both sides of its network, in the DMZ.
1788
The internal servers will be configured to forward all queries,
1789
except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1790
and <filename>site2.example.com</filename>, to the servers
1792
DMZ. These internal servers will have complete sets of information
1793
for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1794
and <filename>site2.internal</filename>.
1797
To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1798
the internal name servers must be configured to disallow all queries
1799
to these domains from any external hosts, including the bastion
1803
The external servers, which are on the bastion hosts, will
1804
be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1805
This could include things such as the host records for public servers
1806
(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1807
and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1810
In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1811
should have special MX records that contain wildcard (`*') records
1812
pointing to the bastion hosts. This is needed because external mail
1813
servers do not have any other way of looking up how to deliver mail
1814
to those internal hosts. With the wildcard records, the mail will
1815
be delivered to the bastion host, which can then forward it on to
1819
Here's an example of a wildcard MX record:
1821
<programlisting>* IN MX 10 external1.example.com.</programlisting>
1823
Now that they accept mail on behalf of anything in the internal
1824
network, the bastion hosts will need to know how to deliver mail
1825
to internal hosts. In order for this to work properly, the resolvers
1827
the bastion hosts will need to be configured to point to the internal
1828
name servers for DNS resolution.
1831
Queries for internal hostnames will be answered by the internal
1832
servers, and queries for external hostnames will be forwarded back
1833
out to the DNS servers on the bastion hosts.
1836
In order for all this to work properly, internal clients will
1837
need to be configured to query <emphasis>only</emphasis> the internal
1838
name servers for DNS queries. This could also be enforced via
1840
filtering on the network.
1843
If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1844
internal clients will now be able to:
1849
Look up any hostnames in the <literal>site1</literal>
1851
<literal>site2.example.com</literal> zones.
1856
Look up any hostnames in the <literal>site1.internal</literal> and
1857
<literal>site2.internal</literal> domains.
1861
<simpara>Look up any hostnames on the Internet.</simpara>
1864
<simpara>Exchange mail with both internal and external people.</simpara>
1868
Hosts on the Internet will be able to:
1873
Look up any hostnames in the <literal>site1</literal>
1875
<literal>site2.example.com</literal> zones.
1880
Exchange mail with anyone in the <literal>site1</literal> and
1881
<literal>site2.example.com</literal> zones.
1887
Here is an example configuration for the setup we just
1888
described above. Note that this is only configuration information;
1889
for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1893
Internal DNS server config:
1202
1896
<programlisting>
1204
1898
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1282
1980
file "s/site2.foo.com";
1283
1981
masters { another_bastion_host_maybe; };
1284
allow-query { any; };
1285
1982
allow-transfer { internals; externals; }
1287
1984
</programlisting>
1288
<para>In the <filename>resolv.conf</filename> (or equivalent) on
1289
the bastion host(s):</para>
1987
In the <filename>resolv.conf</filename> (or equivalent) on
1988
the bastion host(s):
1290
1991
<programlisting>
1292
1993
nameserver 172.16.72.2
1293
1994
nameserver 172.16.72.3
1294
1995
nameserver 172.16.72.4
1295
1996
</programlisting>
1297
<sect1 id="tsig"><title>TSIG</title>
1298
<para>This is a short guide to setting up Transaction SIGnatures
1299
(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
1300
to the configuration file as well as what changes are required for
1301
different features, including the process of creating transaction
1302
keys and using transaction signatures with <acronym>BIND</acronym>.</para>
1303
<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
1304
This includes zone transfer, notify, and recursive query messages.
1305
Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
1308
<para>TSIG might be most useful for dynamic update. A primary
1309
server for a dynamic zone should use access control to control
1310
updates, but IP-based access control is insufficient.
1311
The cryptographic access control provided by TSIG
1312
is far superior. The <command>nsupdate</command>
1313
program supports TSIG via the <option>-k</option> and
1314
<option>-y</option> command line options.</para>
1316
<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
1317
<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
1318
An arbitrary key name is chosen: "host1-host2.". The key name must
1319
be the same on both hosts.</para>
1320
<sect3><title>Automatic Generation</title>
1321
<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
1322
key as described above. Longer keys are better, but shorter keys
1323
are easier to read. Note that the maximum key length is 512 bits;
1324
keys longer than that will be digested with MD5 to produce a 128
1326
<para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
1327
<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
1328
Nothing directly uses this file, but the base-64 encoded string
1329
following "<literal>Key:</literal>"
1330
can be extracted from the file and used as a shared secret:</para>
1331
<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
1332
<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
1333
be used as the shared secret.</para></sect3>
1334
<sect3><title>Manual Generation</title>
1335
<para>The shared secret is simply a random sequence of bits, encoded
1336
in base-64. Most ASCII strings are valid base-64 strings (assuming
1337
the length is a multiple of 4 and only valid characters are used),
1338
so the shared secret can be manually generated.</para>
1339
<para>Also, a known string can be run through <command>mmencode</command> or
1340
a similar program to generate base-64 encoded data.</para></sect3></sect2>
1341
<sect2><title>Copying the Shared Secret to Both Machines</title>
1342
<para>This is beyond the scope of DNS. A secure transport mechanism
1343
should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
1344
<sect2><title>Informing the Servers of the Key's Existence</title>
1345
<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
1346
both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
2003
This is a short guide to setting up Transaction SIGnatures
2004
(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
2005
to the configuration file as well as what changes are required for
2006
different features, including the process of creating transaction
2007
keys and using transaction signatures with <acronym>BIND</acronym>.
2010
<acronym>BIND</acronym> primarily supports TSIG for server
2011
to server communication.
2012
This includes zone transfer, notify, and recursive query messages.
2013
Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2018
TSIG can also be useful for dynamic update. A primary
2019
server for a dynamic zone should control access to the dynamic
2020
update service, but IP-based access control is insufficient.
2021
The cryptographic access control provided by TSIG
2022
is far superior. The <command>nsupdate</command>
2023
program supports TSIG via the <option>-k</option> and
2024
<option>-y</option> command line options or inline by use
2025
of the <command>key</command>.
2029
<title>Generate Shared Keys for Each Pair of Hosts</title>
2031
A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2032
An arbitrary key name is chosen: "host1-host2.". The key name must
2033
be the same on both hosts.
2036
<title>Automatic Generation</title>
2038
The following command will generate a 128-bit (16 byte) HMAC-MD5
2039
key as described above. Longer keys are better, but shorter keys
2040
are easier to read. Note that the maximum key length is 512 bits;
2041
keys longer than that will be digested with MD5 to produce a
2045
<userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2048
The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2049
Nothing directly uses this file, but the base-64 encoded string
2050
following "<literal>Key:</literal>"
2051
can be extracted from the file and used as a shared secret:
2053
<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2055
The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2056
be used as the shared secret.
2060
<title>Manual Generation</title>
2062
The shared secret is simply a random sequence of bits, encoded
2063
in base-64. Most ASCII strings are valid base-64 strings (assuming
2064
the length is a multiple of 4 and only valid characters are used),
2065
so the shared secret can be manually generated.
2068
Also, a known string can be run through <command>mmencode</command> or
2069
a similar program to generate base-64 encoded data.
2074
<title>Copying the Shared Secret to Both Machines</title>
2076
This is beyond the scope of DNS. A secure transport mechanism
2077
should be used. This could be secure FTP, ssh, telephone, etc.
2081
<title>Informing the Servers of the Key's Existence</title>
2083
Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2085
both servers. The following is added to each server's <filename>named.conf</filename> file:
1347
2088
<programlisting>
1348
2089
key host1-host2. {
1349
2090
algorithm hmac-md5;
1350
2091
secret "La/E5CjG9O+os1jq0a2jdA==";
1352
2093
</programlisting>
1353
<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
1354
The secret is the one generated above. Since this is a secret, it
1355
is recommended that either <filename>named.conf</filename> be non-world
1356
readable, or the key directive be added to a non-world readable
1357
file that is included by <filename>named.conf</filename>.</para>
1358
<para>At this point, the key is recognized. This means that if the
1359
server receives a message signed by this key, it can verify the
1360
signature. If the signature is successfully verified, the
1361
response is signed by the same key.</para></sect2>
1363
<sect2><title>Instructing the Server to Use the Key</title>
1364
<para>Since keys are shared between two hosts only, the server must
1365
be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
1366
for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2096
The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
2097
The secret is the one generated above. Since this is a secret, it
2098
is recommended that either <filename>named.conf</filename> be non-world
2099
readable, or the key directive be added to a non-world readable
2100
file that is included by
2101
<filename>named.conf</filename>.
2104
At this point, the key is recognized. This means that if the
2105
server receives a message signed by this key, it can verify the
2106
signature. If the signature is successfully verified, the
2107
response is signed by the same key.
2112
<title>Instructing the Server to Use the Key</title>
2114
Since keys are shared between two hosts only, the server must
2115
be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2116
for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
1368
2120
<programlisting>
1369
2121
server 10.1.2.3 {
1370
2122
keys { host1-host2. ;};
1372
2124
</programlisting>
1373
<para>Multiple keys may be present, but only the first is used.
1374
This directive does not contain any secrets, so it may be in a world-readable
1376
<para>If <emphasis>host1</emphasis> sends a message that is a request
1377
to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
1378
expect any responses to signed messages to be signed with the same
1380
<para>A similar statement must be present in <emphasis>host2</emphasis>'s
1381
configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
1382
sign request messages to <emphasis>host1</emphasis>.</para></sect2>
1383
<sect2><title>TSIG Key Based Access Control</title>
1384
<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
1386
<command>allow-{ query | transfer | update }</command> directives.
1387
This has been extended to allow TSIG keys also. The above key would
1388
be denoted <command>key host1-host2.</command></para>
1389
<para>An example of an allow-update directive would be:</para>
2127
Multiple keys may be present, but only the first is used.
2128
This directive does not contain any secrets, so it may be in a
2133
If <emphasis>host1</emphasis> sends a message that is a request
2134
to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2135
expect any responses to signed messages to be signed with the same
2139
A similar statement must be present in <emphasis>host2</emphasis>'s
2140
configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2141
sign request messages to <emphasis>host1</emphasis>.
2145
<title>TSIG Key Based Access Control</title>
2147
<acronym>BIND</acronym> allows IP addresses and ranges
2148
to be specified in ACL
2150
<command>allow-{ query | transfer | update }</command>
2152
This has been extended to allow TSIG keys also. The above key would
2153
be denoted <command>key host1-host2.</command>
2156
An example of an allow-update directive would be:
1390
2159
<programlisting>
1391
2160
allow-update { key host1-host2. ;};
1392
2161
</programlisting>
1394
<para>This allows dynamic updates to succeed only if the request
1395
was signed by a key named
1396
"<command>host1-host2.</command>".</para> <para>You may want to read about the more
1397
powerful <command>update-policy</command> statement in <xref
1398
linkend="dynamic_update_policies"/>.</para>
1402
<title>Errors</title>
1404
<para>The processing of TSIG signed messages can result in
1405
several errors. If a signed message is sent to a non-TSIG aware
1406
server, a FORMERR will be returned, since the server will not
1407
understand the record. This is a result of misconfiguration,
1408
since the server must be explicitly configured to send a TSIG
1409
signed message to a specific server.</para>
1411
<para>If a TSIG aware server receives a message signed by an
1412
unknown key, the response will be unsigned with the TSIG
1413
extended error code set to BADKEY. If a TSIG aware server
1414
receives a message with a signature that does not validate, the
1415
response will be unsigned with the TSIG extended error code set
1416
to BADSIG. If a TSIG aware server receives a message with a time
1417
outside of the allowed range, the response will be signed with
1418
the TSIG extended error code set to BADTIME, and the time values
1419
will be adjusted so that the response can be successfully
1420
verified. In any of these cases, the message's rcode is set to
1428
<para><command>TKEY</command> is a mechanism for automatically
1429
generating a shared secret between two hosts. There are several
1430
"modes" of <command>TKEY</command> that specify how the key is
1431
generated or assigned. <acronym>BIND</acronym> 9
1432
implements only one of these modes,
1433
the Diffie-Hellman key exchange. Both hosts are required to have
1434
a Diffie-Hellman KEY record (although this record is not required
1435
to be present in a zone). The <command>TKEY</command> process
1436
must use signed messages, signed either by TSIG or SIG(0). The
1437
result of <command>TKEY</command> is a shared secret that can be
1438
used to sign messages with TSIG. <command>TKEY</command> can also
1439
be used to delete shared secrets that it had previously
1442
<para>The <command>TKEY</command> process is initiated by a client
1443
or server by sending a signed <command>TKEY</command> query
1444
(including any appropriate KEYs) to a TKEY-aware server. The
1445
server response, if it indicates success, will contain a
1446
<command>TKEY</command> record and any appropriate keys. After
1447
this exchange, both participants have enough information to
1448
determine the shared secret; the exact process depends on the
1449
<command>TKEY</command> mode. When using the Diffie-Hellman
1450
<command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
1451
and the shared secret is derived by both participants.</para>
1455
<title>SIG(0)</title>
1457
<para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
1458
transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
1459
uses public/private keys to authenticate messages. Access control
1460
is performed in the same manner as TSIG keys; privileges can be
1461
granted or denied based on the key name.</para>
1463
<para>When a SIG(0) signed message is received, it will only be
1464
verified if the key is known and trusted by the server; the server
1465
will not attempt to locate and/or validate the key.</para>
1467
<para>SIG(0) signing of multiple-message TCP streams is not
1470
<para>The only tool shipped with <acronym>BIND</acronym> 9 that
1471
generates SIG(0) signed messages is <command>nsupdate</command>.</para>
1475
<title>DNSSEC</title>
1477
<para>Cryptographic authentication of DNS information is possible
1478
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
1479
defined in RFC <TBA>. This section describes the creation and use
1480
of DNSSEC signed zones.</para>
1482
<para>In order to set up a DNSSEC secure zone, there are a series
1483
of steps which must be followed. <acronym>BIND</acronym> 9 ships
1485
that are used in this process, which are explained in more detail
1486
below. In all cases, the <option>-h</option> option prints a
1487
full list of parameters. Note that the DNSSEC tools require the
1488
keyset files to be in the working directory or the
1489
directory specified by the <option>-h</option> option, and
1490
that the tools shipped with BIND 9.2.x and earlier are not compatible
1491
with the current ones.</para>
1493
<para>There must also be communication with the administrators of
1494
the parent and/or child zone to transmit keys. A zone's security
1495
status must be indicated by the parent zone for a DNSSEC capable
1496
resolver to trust its data. This is done through the presense
1497
or absence of a <literal>DS</literal> record at the delegation
1500
<para>For other servers to trust data in this zone, they must
1501
either be statically configured with this zone's zone key or the
1502
zone key of another zone above this one in the DNS tree.</para>
1505
<title>Generating Keys</title>
1507
<para>The <command>dnssec-keygen</command> program is used to
1508
generate keys.</para>
1510
<para>A secure zone must contain one or more zone keys. The
1511
zone keys will sign all other records in the zone, as well as
1512
the zone keys of any secure delegated zones. Zone keys must
1513
have the same name as the zone, a name type of
1514
<command>ZONE</command>, and must be usable for authentication.
1515
It is recommended that zone keys use a cryptographic algorithm
1516
designated as "mandatory to implement" by the IETF; currently
1517
the only one is RSASHA1.</para>
1519
<para>The following command will generate a 768 bit RSASHA1 key for
1520
the <filename>child.example</filename> zone:</para>
1522
<para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
1524
<para>Two output files will be produced:
1525
<filename>Kchild.example.+005+12345.key</filename> and
1526
<filename>Kchild.example.+005+12345.private</filename> (where
1527
12345 is an example of a key tag). The key file names contain
1528
the key name (<filename>child.example.</filename>), algorithm (3
1529
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
1530
The private key (in the <filename>.private</filename> file) is
1531
used to generate signatures, and the public key (in the
1532
<filename>.key</filename> file) is used for signature
1533
verification.</para>
1535
<para>To generate another key with the same properties (but with
1536
a different key tag), repeat the above command.</para>
1538
<para>The public keys should be inserted into the zone file by
1539
including the <filename>.key</filename> files using
1540
<command>$INCLUDE</command> statements.
1545
<title>Signing the Zone</title>
1547
<para>The <command>dnssec-signzone</command> program is used to
1550
<para>Any <filename>keyset</filename> files corresponding
1551
to secure subzones should be present. The zone signer will
1552
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
1553
records for the zone, as well as <literal>DS</literal> for
1554
the child zones if <literal>'-d'</literal> is specified.
1555
If <literal>'-d'</literal> is not specified then DS RRsets for
1556
the secure child zones need to be added manually.</para>
1558
<para>The following command signs the zone, assuming it is in a
1559
file called <filename>zone.child.example</filename>. By
1560
default, all zone keys which have an available private key are
1561
used to generate signatures.</para>
1563
<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
1565
<para>One output file is produced:
1566
<filename>zone.child.example.signed</filename>. This file
1567
should be referenced by <filename>named.conf</filename> as the
1568
input file for the zone.</para>
1570
<para><command>dnssec-signzone</command> will also produce a
1571
keyset and dsset files and optionally a dlvset file. These
1572
are used to provide the parent zone administators with the
1573
<literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
1574
records) that are the secure entry point to the zone.</para>
1578
<sect2><title>Configuring Servers</title>
1580
<para>Unlike <acronym>BIND</acronym> 8,
1581
<acronym>BIND</acronym> 9 does not verify signatures on load,
1582
so zone keys for authoritative zones do not need to be specified
1583
in the configuration file.</para>
1585
<para>The public key for any security root must be present in
1586
the configuration file's <command>trusted-keys</command>
1587
statement, as described later in this document. </para>
1593
<title>IPv6 Support in <acronym>BIND</acronym> 9</title>
1595
<para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
1596
name to address and address to name lookups. It will also use
1597
IPv6 addresses to make queries when running on an IPv6 capable
1600
<para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
1601
records. The use of A6 records is deprecated by RFC 3363, and the
1602
support for forward lookups in <acronym>BIND</acronym> 9 is
1603
removed accordingly.
1604
However, authoritative <acronym>BIND</acronym> 9 name servers still
1605
load zone files containing A6 records correctly, answer queries
1606
for A6 records, and accept zone transfer for a zone containing A6
1609
<para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
1610
the traditional "nibble" format used in the
1611
<emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
1612
<emphasis>ip6.int</emphasis> domain.
1613
<acronym>BIND</acronym> 9 formerly
1614
supported the "binary label" (also known as "bitstring") format.
1615
The support of binary labels, however, is now completely removed
1616
according to the changes in RFC 3363.
1617
Any applications in <acronym>BIND</acronym> 9 do not understand
1618
the format any more, and will return an error if given.
1619
In particular, an authoritative <acronym>BIND</acronym> 9 name
1620
server rejects to load a zone file containing binary labels.</para>
1622
<para>For an overview of the format and structure of IPv6 addresses,
1623
see <xref linkend="ipv6addresses"/>.</para>
1626
<title>Address Lookups Using AAAA Records</title>
1628
<para>The AAAA record is a parallel to the IPv4 A record. It
1629
specifies the entire address in a single record. For
2164
This allows dynamic updates to succeed only if the request
2165
was signed by a key named "<command>host1-host2.</command>".
2169
You may want to read about the more powerful
2170
<command>update-policy</command> statement in
2171
<xref linkend="dynamic_update_policies"/>.
2176
<title>Errors</title>
2179
The processing of TSIG signed messages can result in
2180
several errors. If a signed message is sent to a non-TSIG aware
2181
server, a FORMERR (format error) will be returned, since the server will not
2182
understand the record. This is a result of misconfiguration,
2183
since the server must be explicitly configured to send a TSIG
2184
signed message to a specific server.
2188
If a TSIG aware server receives a message signed by an
2189
unknown key, the response will be unsigned with the TSIG
2190
extended error code set to BADKEY. If a TSIG aware server
2191
receives a message with a signature that does not validate, the
2192
response will be unsigned with the TSIG extended error code set
2193
to BADSIG. If a TSIG aware server receives a message with a time
2194
outside of the allowed range, the response will be signed with
2195
the TSIG extended error code set to BADTIME, and the time values
2196
will be adjusted so that the response can be successfully
2197
verified. In any of these cases, the message's rcode (response code) is set to
2198
NOTAUTH (not authenticated).
2206
<para><command>TKEY</command>
2207
is a mechanism for automatically generating a shared secret
2208
between two hosts. There are several "modes" of
2209
<command>TKEY</command> that specify how the key is generated
2210
or assigned. <acronym>BIND</acronym> 9 implements only one of
2211
these modes, the Diffie-Hellman key exchange. Both hosts are
2212
required to have a Diffie-Hellman KEY record (although this
2213
record is not required to be present in a zone). The
2214
<command>TKEY</command> process must use signed messages,
2215
signed either by TSIG or SIG(0). The result of
2216
<command>TKEY</command> is a shared secret that can be used to
2217
sign messages with TSIG. <command>TKEY</command> can also be
2218
used to delete shared secrets that it had previously
2223
The <command>TKEY</command> process is initiated by a
2225
or server by sending a signed <command>TKEY</command>
2227
(including any appropriate KEYs) to a TKEY-aware server. The
2228
server response, if it indicates success, will contain a
2229
<command>TKEY</command> record and any appropriate keys.
2231
this exchange, both participants have enough information to
2232
determine the shared secret; the exact process depends on the
2233
<command>TKEY</command> mode. When using the
2235
<command>TKEY</command> mode, Diffie-Hellman keys are
2237
and the shared secret is derived by both participants.
2242
<title>SIG(0)</title>
2245
<acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2246
transaction signatures as specified in RFC 2535 and RFC2931.
2248
uses public/private keys to authenticate messages. Access control
2249
is performed in the same manner as TSIG keys; privileges can be
2250
granted or denied based on the key name.
2254
When a SIG(0) signed message is received, it will only be
2255
verified if the key is known and trusted by the server; the server
2256
will not attempt to locate and/or validate the key.
2260
SIG(0) signing of multiple-message TCP streams is not
2265
The only tool shipped with <acronym>BIND</acronym> 9 that
2266
generates SIG(0) signed messages is <command>nsupdate</command>.
2271
<title>DNSSEC</title>
2274
Cryptographic authentication of DNS information is possible
2275
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2276
defined in RFC 4033, RFC 4034, and RFC 4035.
2277
This section describes the creation and use of DNSSEC signed zones.
2281
In order to set up a DNSSEC secure zone, there are a series
2282
of steps which must be followed. <acronym>BIND</acronym>
2285
that are used in this process, which are explained in more detail
2286
below. In all cases, the <option>-h</option> option prints a
2287
full list of parameters. Note that the DNSSEC tools require the
2288
keyset files to be in the working directory or the
2289
directory specified by the <option>-d</option> option, and
2290
that the tools shipped with BIND 9.2.x and earlier are not compatible
2291
with the current ones.
2295
There must also be communication with the administrators of
2296
the parent and/or child zone to transmit keys. A zone's security
2297
status must be indicated by the parent zone for a DNSSEC capable
2298
resolver to trust its data. This is done through the presence
2299
or absence of a <literal>DS</literal> record at the
2305
For other servers to trust data in this zone, they must
2306
either be statically configured with this zone's zone key or the
2307
zone key of another zone above this one in the DNS tree.
2311
<title>Generating Keys</title>
2314
The <command>dnssec-keygen</command> program is used to
2319
A secure zone must contain one or more zone keys. The
2320
zone keys will sign all other records in the zone, as well as
2321
the zone keys of any secure delegated zones. Zone keys must
2322
have the same name as the zone, a name type of
2323
<command>ZONE</command>, and must be usable for
2325
It is recommended that zone keys use a cryptographic algorithm
2326
designated as "mandatory to implement" by the IETF; currently
2327
the only one is RSASHA1.
2331
The following command will generate a 768-bit RSASHA1 key for
2332
the <filename>child.example</filename> zone:
2336
<userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2340
Two output files will be produced:
2341
<filename>Kchild.example.+005+12345.key</filename> and
2342
<filename>Kchild.example.+005+12345.private</filename>
2344
12345 is an example of a key tag). The key filenames contain
2345
the key name (<filename>child.example.</filename>),
2347
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2349
The private key (in the <filename>.private</filename>
2351
used to generate signatures, and the public key (in the
2352
<filename>.key</filename> file) is used for signature
2357
To generate another key with the same properties (but with
2358
a different key tag), repeat the above command.
2362
The public keys should be inserted into the zone file by
2363
including the <filename>.key</filename> files using
2364
<command>$INCLUDE</command> statements.
2369
<title>Signing the Zone</title>
2372
The <command>dnssec-signzone</command> program is used
2378
Any <filename>keyset</filename> files corresponding
2379
to secure subzones should be present. The zone signer will
2380
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
2381
records for the zone, as well as <literal>DS</literal>
2383
the child zones if <literal>'-d'</literal> is specified.
2384
If <literal>'-d'</literal> is not specified, then
2386
the secure child zones need to be added manually.
2390
The following command signs the zone, assuming it is in a
2391
file called <filename>zone.child.example</filename>. By
2392
default, all zone keys which have an available private key are
2393
used to generate signatures.
2397
<userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2401
One output file is produced:
2402
<filename>zone.child.example.signed</filename>. This
2404
should be referenced by <filename>named.conf</filename>
2406
input file for the zone.
2409
<para><command>dnssec-signzone</command>
2410
will also produce a keyset and dsset files and optionally a
2411
dlvset file. These are used to provide the parent zone
2412
administrators with the <literal>DNSKEYs</literal> (or their
2413
corresponding <literal>DS</literal> records) that are the
2414
secure entry point to the zone.
2420
<title>Configuring Servers</title>
2423
To enable <command>named</command> to respond appropriately
2424
to DNS requests from DNSSEC aware clients,
2425
<command>dnssec-enable</command> must be set to yes.
2429
To enable <command>named</command> to validate answers from
2430
other servers both <command>dnssec-enable</command> and
2431
<command>dnssec-validation</command> must be set and some
2432
<command>trusted-keys</command> must be configured
2433
into <filename>named.conf</filename>.
2437
<command>trusted-keys</command> are copies of DNSKEY RRs
2438
for zones that are used to form the first link in the
2439
cryptographic chain of trust. All keys listed in
2440
<command>trusted-keys</command> (and corresponding zones)
2441
are deemed to exist and only the listed keys will be used
2442
to validated the DNSKEY RRset that they are from.
2446
<command>trusted-keys</command> are described in more detail
2447
later in this document.
2451
Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2452
9 does not verify signatures on load, so zone keys for
2453
authoritative zones do not need to be specified in the
2458
After DNSSEC gets established, a typical DNSSEC configuration
2459
will look something like the following. It has a one or
2460
more public keys for the root. This allows answers from
2461
outside the organization to be validated. It will also
2462
have several keys for parts of the namespace the organization
2463
controls. These are here to ensure that named is immune
2464
to compromises in the DNSSEC components of the security
2472
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2473
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2474
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2475
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2476
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2477
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2478
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2480
/* Key for our organization's forward zone */
2481
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2482
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2483
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2484
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2485
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2486
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2487
SCThlHf3xiYleDbt/o1OTQ09A0=";
2489
/* Key for our reverse zone. */
2490
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2491
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2492
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2493
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2494
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2495
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2496
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2497
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2503
dnssec-validation yes;
2508
None of the keys listed in this example are valid. In particular,
2509
the root key is not valid.
2516
<title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2519
<acronym>BIND</acronym> 9 fully supports all currently
2520
defined forms of IPv6
2521
name to address and address to name lookups. It will also use
2522
IPv6 addresses to make queries when running on an IPv6 capable
2527
For forward lookups, <acronym>BIND</acronym> 9 supports
2528
only AAAA records. RFC 3363 deprecated the use of A6 records,
2529
and client-side support for A6 records was accordingly removed
2530
from <acronym>BIND</acronym> 9.
2531
However, authoritative <acronym>BIND</acronym> 9 name servers still
2532
load zone files containing A6 records correctly, answer queries
2533
for A6 records, and accept zone transfer for a zone containing A6
2538
For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2539
the traditional "nibble" format used in the
2540
<emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2541
<emphasis>ip6.int</emphasis> domain.
2542
Older versions of <acronym>BIND</acronym> 9
2543
supported the "binary label" (also known as "bitstring") format,
2544
but support of binary labels has been completely removed per
2546
Many applications in <acronym>BIND</acronym> 9 do not understand
2547
the binary label format at all any more, and will return an
2549
In particular, an authoritative <acronym>BIND</acronym> 9
2550
name server will not load a zone file containing binary labels.
2554
For an overview of the format and structure of IPv6 addresses,
2555
see <xref linkend="ipv6addresses"/>.
2559
<title>Address Lookups Using AAAA Records</title>
2562
The IPv6 AAAA record is a parallel to the IPv4 A record,
2563
and, unlike the deprecated A6 record, specifies the entire
2564
IPv6 address in a single record. For example,
1632
2567
<programlisting>
1633
2568
$ORIGIN example.com.
1634
2569
host 3600 IN AAAA 2001:db8::1
1635
2570
</programlisting>
1637
<para>It is recommended that IPv4-in-IPv6 mapped addresses not
1638
be used. If a host has an IPv4 address, use an A record, not
1639
a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
1643
<title>Address to Name Lookups Using Nibble Format</title>
2573
Use of IPv4-in-IPv6 mapped addresses is not recommended.
2574
If a host has an IPv4 address, use an A record, not
2575
a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2580
<title>Address to Name Lookups Using Nibble Format</title>
1645
<para>When looking up an address in nibble format, the address
1646
components are simply reversed, just as in IPv4, and
1647
<literal>ip6.arpa.</literal> is appended to the resulting name.
1648
For example, the following would provide reverse name lookup for
1650
<literal>2001:db8::1</literal>.</para>
2583
When looking up an address in nibble format, the address
2584
components are simply reversed, just as in IPv4, and
2585
<literal>ip6.arpa.</literal> is appended to the
2587
For example, the following would provide reverse name lookup for
2589
<literal>2001:db8::1</literal>.
1652
2592
<programlisting>
1653
2593
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1654
2594
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
1655
2595
</programlisting>
1660
<chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
1661
<sect1><title>The Lightweight Resolver Library</title>
1662
<para>Traditionally applications have been linked with a stub resolver
1663
library that sends recursive DNS queries to a local caching name
1665
<para>IPv6 once introduced new complexity into the resolution process,
1666
such as following A6 chains and DNAME records, and simultaneous
1667
lookup of IPv4 and IPv6 addresses. Though most of the complexity was
1668
then removed, these are hard or impossible
1669
to implement in a traditional stub resolver.</para>
1670
<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
1671
using a combination of a lightweight resolver library and a resolver
1672
daemon process running on the local host. These communicate using
1673
a simple UDP-based protocol, the "lightweight resolver protocol"
1674
that is distinct from and simpler than the full DNS protocol.</para></sect1>
1675
<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
1677
<para>To use the lightweight resolver interface, the system must
1678
run the resolver daemon <command>lwresd</command> or a local
1679
name server configured with a <command>lwres</command> statement.</para>
1681
<para>By default, applications using the lightweight resolver library will make
1682
UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
1683
address can be overridden by <command>lwserver</command> lines in
1684
<filename>/etc/resolv.conf</filename>.</para>
1686
<para>The daemon currently only looks in the DNS, but in the future
1687
it may use other sources such as <filename>/etc/hosts</filename>,
1690
<para>The <command>lwresd</command> daemon is essentially a
1691
caching-only name server that responds to requests using the lightweight
1692
resolver protocol rather than the DNS protocol. Because it needs
1693
to run on each host, it is designed to require no or minimal configuration.
1694
Unless configured otherwise, it uses the name servers listed on
1695
<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
1696
as forwarders, but is also capable of doing the resolution autonomously if
1697
none are specified.</para>
1698
<para>The <command>lwresd</command> daemon may also be configured with a
1699
<filename>named.conf</filename> style configuration file, in
1700
<filename>/etc/lwresd.conf</filename> by default. A name server may also
1701
be configured to act as a lightweight resolver daemon using the
1702
<command>lwres</command> statement in <filename>named.conf</filename>.</para>
1706
<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
1708
<para><acronym>BIND</acronym> 9 configuration is broadly similar
1709
to <acronym>BIND</acronym> 8; however, there are a few new areas
1710
of configuration, such as views. <acronym>BIND</acronym>
1711
8 configuration files should work with few alterations in <acronym>BIND</acronym>
1712
9, although more complex configurations should be reviewed to check
1713
if they can be more efficiently implemented using the new features
1714
found in <acronym>BIND</acronym> 9.</para>
1716
<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
1717
using the shell script
1718
<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
1719
<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
1720
<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
1721
file documentation:</para>
1722
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
1723
colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
1724
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
1725
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
1728
<entry colname = "1"><para><varname>acl_name</varname></para></entry>
1729
<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
1730
defined by the <command>acl</command> statement.</para></entry>
1733
<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
1734
<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>,
1735
<varname>ip_prefix</varname>, <varname>key_id</varname>,
1736
or <varname>acl_name</varname> elements, see
1737
<xref linkend="address_match_lists"/>.</para></entry>
1740
<entry colname = "1"><para><varname>domain_name</varname></para></entry>
1741
<entry colname = "2"><para>A quoted string which will be used as
1742
a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
1745
<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
1746
<entry colname = "2"><para>One to four integers valued 0 through
1747
255 separated by dots (`.'), such as <command>123</command>,
1748
<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
1751
<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
1752
<entry colname = "2"><para>An IPv4 address with exactly four elements
1753
in <varname>dotted_decimal</varname> notation.</para></entry>
1756
<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
1757
<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
1758
IPv6 scoped addresses that have ambiguity on their scope zones must be
1759
disambiguated by an appropriate zone ID with the percent character
1761
It is strongly recommended to use string zone names rather than
1762
numeric identifiers, in order to be robust against system
1763
configuration changes.
1764
However, since there is no standard mapping for such names and
1765
identifier values, currently only interface names as link identifiers
1766
are supported, assuming one-to-one mapping between interfaces and links.
1767
For example, a link-local address <command>fe80::1</command> on the
1768
link attached to the interface <command>ne0</command>
1769
can be specified as <command>fe80::1%ne0</command>.
1770
Note that on most systems link-local addresses always have the
1771
ambiguity, and need to be disambiguated.</para></entry>
1774
<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
1775
<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
1778
<entry colname = "1"><para><varname>ip_port</varname></para></entry>
1779
<entry colname = "2"><para>An IP port <varname>number</varname>.
1780
<varname>number</varname> is limited to 0 through 65535, with values
1781
below 1024 typically restricted to use by processes running as root.
1782
In some cases an asterisk (`*') character can be used as a placeholder to
1783
select a random high-numbered port.</para></entry>
1786
<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
1787
<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
1788
followed by a slash (`/') and then the number of bits in the netmask.
1789
Trailing zeros in a <varname>ip_addr</varname> may omitted.
1790
For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
1791
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
1792
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
1795
<entry colname = "1"><para><varname>key_id</varname></para></entry>
1796
<entry colname = "2"><para>A <varname>domain_name</varname> representing
1797
the name of a shared key, to be used for transaction security.</para></entry>
1800
<entry colname = "1"><para><varname>key_list</varname></para></entry>
1801
<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
1802
separated by semicolons and ending with a semicolon.</para></entry>
1805
<entry colname = "1"><para><varname>number</varname></para></entry>
1806
<entry colname = "2"><para>A non-negative 32 bit integer
1807
(i.e., a number between 0 and 4294967295, inclusive).
1808
Its acceptable value might further
1809
be limited by the context in which it is used.</para></entry>
1812
<entry colname = "1"><para><varname>path_name</varname></para></entry>
1813
<entry colname = "2"><para>A quoted string which will be used as
1814
a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
1817
<entry colname = "1"><para><varname>size_spec</varname></para></entry>
1818
<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
1819
or the word <userinput>default</userinput>.</para><para>
1820
An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
1821
use, or the maximum available amount. A <varname>default size_spec</varname> uses
1822
the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
1823
optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
1824
kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
1825
megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
1826
which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
1827
<para>The value must be representable as a 64-bit unsigned integer
1828
(0 to 18446744073709551615, inclusive).
1829
Using <varname>unlimited</varname> is the best way
1830
to safely set a really large number.</para></entry>
1833
<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
1834
<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
1835
The words <userinput>true</userinput> and <userinput>false</userinput> are
1836
also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
1839
<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
1840
<entry colname = "2"><para>One of <userinput>yes</userinput>,
1841
<userinput>no</userinput>, <userinput>notify</userinput>,
1842
<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
1843
<userinput>passive</userinput>.
1844
When used in a zone, <userinput>notify-passive</userinput>,
1845
<userinput>refresh</userinput>, and <userinput>passive</userinput>
1846
are restricted to slave and stub zones.</para></entry>
1849
</tgroup></informaltable>
1850
<sect2 id="address_match_lists"><title>Address Match Lists</title>
1851
<sect3><title>Syntax</title>
1852
<programlisting><varname>address_match_list</varname> = address_match_list_element ;
2601
<chapter id="Bv9ARM.ch05">
2602
<title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2604
<title>The Lightweight Resolver Library</title>
2606
Traditionally applications have been linked with a stub resolver
2607
library that sends recursive DNS queries to a local caching name
2611
IPv6 once introduced new complexity into the resolution process,
2612
such as following A6 chains and DNAME records, and simultaneous
2613
lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2614
then removed, these are hard or impossible
2615
to implement in a traditional stub resolver.
2618
<acronym>BIND</acronym> 9 therefore can also provide resolution
2619
services to local clients
2620
using a combination of a lightweight resolver library and a resolver
2621
daemon process running on the local host. These communicate using
2622
a simple UDP-based protocol, the "lightweight resolver protocol"
2623
that is distinct from and simpler than the full DNS protocol.
2627
<title>Running a Resolver Daemon</title>
2630
To use the lightweight resolver interface, the system must
2631
run the resolver daemon <command>lwresd</command> or a
2633
name server configured with a <command>lwres</command>
2638
By default, applications using the lightweight resolver library will
2640
UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2642
address can be overridden by <command>lwserver</command>
2644
<filename>/etc/resolv.conf</filename>.
2648
The daemon currently only looks in the DNS, but in the future
2649
it may use other sources such as <filename>/etc/hosts</filename>,
2654
The <command>lwresd</command> daemon is essentially a
2655
caching-only name server that responds to requests using the
2657
resolver protocol rather than the DNS protocol. Because it needs
2658
to run on each host, it is designed to require no or minimal
2660
Unless configured otherwise, it uses the name servers listed on
2661
<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2662
as forwarders, but is also capable of doing the resolution
2667
The <command>lwresd</command> daemon may also be
2669
<filename>named.conf</filename> style configuration file,
2671
<filename>/etc/lwresd.conf</filename> by default. A name
2673
be configured to act as a lightweight resolver daemon using the
2674
<command>lwres</command> statement in <filename>named.conf</filename>.
2680
<chapter id="Bv9ARM.ch06">
2681
<title><acronym>BIND</acronym> 9 Configuration Reference</title>
2684
<acronym>BIND</acronym> 9 configuration is broadly similar
2685
to <acronym>BIND</acronym> 8; however, there are a few new
2687
of configuration, such as views. <acronym>BIND</acronym>
2688
8 configuration files should work with few alterations in <acronym>BIND</acronym>
2689
9, although more complex configurations should be reviewed to check
2690
if they can be more efficiently implemented using the new features
2691
found in <acronym>BIND</acronym> 9.
2695
<acronym>BIND</acronym> 4 configuration files can be
2696
converted to the new format
2697
using the shell script
2698
<filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2700
<sect1 id="configuration_file_elements">
2701
<title>Configuration File Elements</title>
2703
Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2706
<informaltable colsep="0" rowsep="0">
2707
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2708
<colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2709
<colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2714
<varname>acl_name</varname>
2719
The name of an <varname>address_match_list</varname> as
2720
defined by the <command>acl</command> statement.
2727
<varname>address_match_list</varname>
2732
A list of one or more
2733
<varname>ip_addr</varname>,
2734
<varname>ip_prefix</varname>, <varname>key_id</varname>,
2735
or <varname>acl_name</varname> elements, see
2736
<xref linkend="address_match_lists"/>.
2743
<varname>masters_list</varname>
2748
A named list of one or more <varname>ip_addr</varname>
2749
with optional <varname>key_id</varname> and/or
2750
<varname>ip_port</varname>.
2751
A <varname>masters_list</varname> may include other
2752
<varname>masters_lists</varname>.
2759
<varname>domain_name</varname>
2764
A quoted string which will be used as
2765
a DNS name, for example "<literal>my.test.domain</literal>".
2772
<varname>dotted_decimal</varname>
2777
One to four integers valued 0 through
2778
255 separated by dots (`.'), such as <command>123</command>,
2779
<command>45.67</command> or <command>89.123.45.67</command>.
2786
<varname>ip4_addr</varname>
2791
An IPv4 address with exactly four elements
2792
in <varname>dotted_decimal</varname> notation.
2799
<varname>ip6_addr</varname>
2804
An IPv6 address, such as <command>2001:db8::1234</command>.
2805
IPv6 scoped addresses that have ambiguity on their
2806
scope zones must be disambiguated by an appropriate
2807
zone ID with the percent character (`%') as
2808
delimiter. It is strongly recommended to use
2809
string zone names rather than numeric identifiers,
2810
in order to be robust against system configuration
2811
changes. However, since there is no standard
2812
mapping for such names and identifier values,
2813
currently only interface names as link identifiers
2814
are supported, assuming one-to-one mapping between
2815
interfaces and links. For example, a link-local
2816
address <command>fe80::1</command> on the link
2817
attached to the interface <command>ne0</command>
2818
can be specified as <command>fe80::1%ne0</command>.
2819
Note that on most systems link-local addresses
2820
always have the ambiguity, and need to be
2828
<varname>ip_addr</varname>
2833
An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2840
<varname>ip_port</varname>
2845
An IP port <varname>number</varname>.
2846
The <varname>number</varname> is limited to 0
2847
through 65535, with values
2848
below 1024 typically restricted to use by processes running
2850
In some cases, an asterisk (`*') character can be used as a
2852
select a random high-numbered port.
2859
<varname>ip_prefix</varname>
2864
An IP network specified as an <varname>ip_addr</varname>,
2865
followed by a slash (`/') and then the number of bits in the
2867
Trailing zeros in a <varname>ip_addr</varname>
2869
For example, <command>127/8</command> is the
2870
network <command>127.0.0.0</command> with
2871
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2872
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2875
When specifying a prefix involving a IPv6 scoped address
2876
the scope may be omitted. In that case the prefix will
2877
match packets from any scope.
2884
<varname>key_id</varname>
2889
A <varname>domain_name</varname> representing
2890
the name of a shared key, to be used for transaction
2898
<varname>key_list</varname>
2903
A list of one or more
2904
<varname>key_id</varname>s,
2905
separated by semicolons and ending with a semicolon.
2912
<varname>number</varname>
2917
A non-negative 32-bit integer
2918
(i.e., a number between 0 and 4294967295, inclusive).
2919
Its acceptable value might further
2920
be limited by the context in which it is used.
2927
<varname>path_name</varname>
2932
A quoted string which will be used as
2933
a pathname, such as <filename>zones/master/my.test.domain</filename>.
2940
<varname>size_spec</varname>
2945
A number, the word <userinput>unlimited</userinput>,
2946
or the word <userinput>default</userinput>.
2949
An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2950
use, or the maximum available amount. A <varname>default size_spec</varname> uses
2951
the limit that was in force when the server was started.
2954
A <varname>number</varname> can optionally be
2955
followed by a scaling factor:
2956
<userinput>K</userinput> or <userinput>k</userinput>
2958
<userinput>M</userinput> or <userinput>m</userinput>
2960
<userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
2961
which scale by 1024, 1024*1024, and 1024*1024*1024
2965
The value must be representable as a 64-bit unsigned integer
2966
(0 to 18446744073709551615, inclusive).
2967
Using <varname>unlimited</varname> is the best
2969
to safely set a really large number.
2976
<varname>yes_or_no</varname>
2981
Either <userinput>yes</userinput> or <userinput>no</userinput>.
2982
The words <userinput>true</userinput> and <userinput>false</userinput> are
2983
also accepted, as are the numbers <userinput>1</userinput>
2984
and <userinput>0</userinput>.
2991
<varname>dialup_option</varname>
2996
One of <userinput>yes</userinput>,
2997
<userinput>no</userinput>, <userinput>notify</userinput>,
2998
<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
2999
<userinput>passive</userinput>.
3000
When used in a zone, <userinput>notify-passive</userinput>,
3001
<userinput>refresh</userinput>, and <userinput>passive</userinput>
3002
are restricted to slave and stub zones.
3009
<sect2 id="address_match_lists">
3010
<title>Address Match Lists</title>
3012
<title>Syntax</title>
3014
<programlisting><varname>address_match_list</varname> = address_match_list_element ;
1853
3015
<optional> address_match_list_element; ... </optional>
1854
3016
<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
1855
3017
key key_id | acl_name | { address_match_list } )
1856
3018
</programlisting>
1858
<sect3><title>Definition and Usage</title>
1859
<para>Address match lists are primarily used to determine access
1860
control for various server operations. They are also used in
1861
the <command>listen-on</command> and <command>sortlist</command>
1862
statements. The elements
1863
which constitute an address match list can be any of the following:</para>
1864
<itemizedlist><listitem>
1865
<simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
1867
<simpara>an IP prefix (in `/' notation)</simpara></listitem>
1869
<simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
1871
<simpara>the name of an address match list defined with
1872
the <command>acl</command> statement</simpara></listitem>
1874
<simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
1876
<para>Elements can be negated with a leading exclamation mark (`!'),
1877
and the match list names "any", "none", "localhost", and "localnets"
1878
are predefined. More information on those names can be found in
1879
the description of the acl statement.</para>
1881
<para>The addition of the key clause made the name of this syntactic
1882
element something of a misnomer, since security keys can be used
1883
to validate access without regard to a host or network address. Nonetheless,
1884
the term "address match list" is still used throughout the documentation.</para>
1886
<para>When a given IP address or prefix is compared to an address
1887
match list, the list is traversed in order until an element matches.
1888
The interpretation of a match depends on whether the list is being used
1889
for access control, defining listen-on ports, or in a sortlist,
1890
and whether the element was negated.</para>
1892
<para>When used as an access control list, a non-negated match allows
1893
access and a negated match denies access. If there is no match,
1894
access is denied. The clauses <command>allow-notify</command>,
1895
<command>allow-query</command>, <command>allow-transfer</command>,
1896
<command>allow-update</command>, <command>allow-update-forwarding</command>,
1897
and <command>blackhole</command> all
1898
use address match lists this. Similarly, the listen-on option will cause
1899
the server to not accept queries on any of the machine's addresses
1900
which do not match the list.</para>
1902
<para>Because of the first-match aspect of the algorithm, an element
1903
that defines a subset of another element in the list should come
1904
before the broader element, regardless of whether either is negated. For
1906
<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
1907
completely useless because the algorithm will match any lookup for
1908
1.2.3.13 to the 1.2.3/24 element.
1909
Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
1910
that problem by having 1.2.3.13 blocked by the negation but all
1911
other 1.2.3.* hosts fall through.</para>
1916
<title>Comment Syntax</title>
1918
<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
1919
anywhere that white space may appear in a <acronym>BIND</acronym> configuration
1920
file. To appeal to programmers of all kinds, they can be written
1921
in the C, C++, or shell/perl style.</para>
1924
<title>Syntax</title>
1926
<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
1927
<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
1928
<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
1932
<title>Definition and Usage</title>
1933
<para>Comments may appear anywhere that whitespace may appear in
1934
a <acronym>BIND</acronym> configuration file.</para>
1935
<para>C-style comments start with the two characters /* (slash,
1936
star) and end with */ (star, slash). Because they are completely
1937
delimited with these characters, they can be used to comment only
1938
a portion of a line or to span multiple lines.</para>
1939
<para>C-style comments cannot be nested. For example, the following
1940
is not valid because the entire comment ends with the first */:</para>
1941
<para><programlisting>/* This is the start of a comment.
3022
<title>Definition and Usage</title>
3024
Address match lists are primarily used to determine access
3025
control for various server operations. They are also used in
3026
the <command>listen-on</command> and <command>sortlist</command>
3027
statements. The elements which constitute an address match
3028
list can be any of the following:
3032
<simpara>an IP address (IPv4 or IPv6)</simpara>
3035
<simpara>an IP prefix (in `/' notation)</simpara>
3039
a key ID, as defined by the <command>key</command>
3044
<simpara>the name of an address match list defined with
3045
the <command>acl</command> statement
3049
<simpara>a nested address match list enclosed in braces</simpara>
3054
Elements can be negated with a leading exclamation mark (`!'),
3055
and the match list names "any", "none", "localhost", and
3056
"localnets" are predefined. More information on those names
3057
can be found in the description of the acl statement.
3061
The addition of the key clause made the name of this syntactic
3062
element something of a misnomer, since security keys can be used
3063
to validate access without regard to a host or network address.
3064
Nonetheless, the term "address match list" is still used
3065
throughout the documentation.
3069
When a given IP address or prefix is compared to an address
3070
match list, the comparison takes place in approximately O(1)
3071
time. However, key comparisons require that the list of keys
3072
be traversed until a matching key is found, and therefore may
3077
The interpretation of a match depends on whether the list is being
3078
used for access control, defining listen-on ports, or in a
3079
sortlist, and whether the element was negated.
3083
When used as an access control list, a non-negated match
3084
allows access and a negated match denies access. If
3085
there is no match, access is denied. The clauses
3086
<command>allow-notify</command>,
3087
<command>allow-recursion</command>,
3088
<command>allow-recursion-on</command>,
3089
<command>allow-query</command>,
3090
<command>allow-query-on</command>,
3091
<command>allow-query-cache</command>,
3092
<command>allow-query-cache-on</command>,
3093
<command>allow-transfer</command>,
3094
<command>allow-update</command>,
3095
<command>allow-update-forwarding</command>, and
3096
<command>blackhole</command> all use address match
3097
lists. Similarly, the listen-on option will cause the
3098
server to refuse queries on any of the machine's
3099
addresses which do not match the list.
3103
Order of insertion is signficant. If more than one element
3104
in an ACL is found to match a given IP address or prefix,
3105
preference will be given to the one that came
3106
<emphasis>first</emphasis> in the ACL definition.
3107
Because of this first-match behavior, an element that
3108
defines a subset of another element in the list should
3109
come before the broader element, regardless of whether
3110
either is negated. For example, in
3111
<command>1.2.3/24; ! 1.2.3.13;</command>
3112
the 1.2.3.13 element is completely useless because the
3113
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
3114
element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3115
that problem by having 1.2.3.13 blocked by the negation, but
3116
all other 1.2.3.* hosts fall through.
3122
<title>Comment Syntax</title>
3125
The <acronym>BIND</acronym> 9 comment syntax allows for
3127
anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3128
file. To appeal to programmers of all kinds, they can be written
3129
in the C, C++, or shell/perl style.
3133
<title>Syntax</title>
3136
<programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3137
<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3138
<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3142
<title>Definition and Usage</title>
3144
Comments may appear anywhere that whitespace may appear in
3145
a <acronym>BIND</acronym> configuration file.
3148
C-style comments start with the two characters /* (slash,
3149
star) and end with */ (star, slash). Because they are completely
3150
delimited with these characters, they can be used to comment only
3151
a portion of a line or to span multiple lines.
3154
C-style comments cannot be nested. For example, the following
3155
is not valid because the entire comment ends with the first */:
3159
<programlisting>/* This is the start of a comment.
1942
3160
This is still part of the comment.
1943
3161
/* This is an incorrect attempt at nesting a comment. */
1944
3162
This is no longer in any comment. */
1945
</programlisting></para>
1947
<para>C++-style comments start with the two characters // (slash,
1948
slash) and continue to the end of the physical line. They cannot
1949
be continued across multiple physical lines; to have one logical
1950
comment span multiple lines, each line must use the // pair.</para>
1951
<para>For example:</para>
1952
<para><programlisting>// This is the start of a comment. The next line
3168
C++-style comments start with the two characters // (slash,
3169
slash) and continue to the end of the physical line. They cannot
3170
be continued across multiple physical lines; to have one logical
3171
comment span multiple lines, each line must use the // pair.
3178
<programlisting>// This is the start of a comment. The next line
1953
3179
// is a new comment, even though it is logically
1954
3180
// part of the previous comment.
1955
</programlisting></para>
1956
<para>Shell-style (or perl-style, if you prefer) comments start
1957
with the character <literal>#</literal> (number sign) and continue to the end of the
1958
physical line, as in C++ comments.</para>
1959
<para>For example:</para>
1961
<para><programlisting># This is the start of a comment. The next line
3185
Shell-style (or perl-style, if you prefer) comments start
3186
with the character <literal>#</literal> (number sign)
3187
and continue to the end of the
3188
physical line, as in C++ comments.
3196
<programlisting># This is the start of a comment. The next line
1962
3197
# is a new comment, even though it is logically
1963
3198
# part of the previous comment.
1964
3199
</programlisting>
1968
<para>You cannot use the semicolon (`;') character
1969
to start a comment such as you would in a zone file. The
1970
semicolon indicates the end of a configuration
1977
<sect1 id="Configuration_File_Grammar">
1978
<title>Configuration File Grammar</title>
1980
<para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
1981
Statements end with a semicolon. Statements and comments are the
1982
only elements that can appear without enclosing braces. Many
1983
statements contain a block of sub-statements, which are also
1984
terminated with a semicolon.</para>
1986
<para>The following statements are supported:</para>
1988
<informaltable colsep = "0" rowsep = "0">
1989
<tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
1991
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
1992
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
1995
<entry colname = "1"><para><command>acl</command></para></entry>
1996
<entry colname = "2"><para>defines a named IP address
1997
matching list, for access control and other uses.</para></entry>
2000
<entry colname = "1"><para><command>controls</command></para></entry>
2001
<entry colname = "2"><para>declares control channels to be used
2002
by the <command>rndc</command> utility.</para></entry>
2005
<entry colname = "1"><para><command>include</command></para></entry>
2006
<entry colname = "2"><para>includes a file.</para></entry>
2009
<entry colname = "1"><para><command>key</command></para></entry>
2010
<entry colname = "2"><para>specifies key information for use in
2011
authentication and authorization using TSIG.</para></entry>
2014
<entry colname = "1"><para><command>logging</command></para></entry>
2015
<entry colname = "2"><para>specifies what the server logs, and where
2016
the log messages are sent.</para></entry>
2019
<entry colname = "1"><para><command>lwres</command></para></entry>
2020
<entry colname = "2"><para>configures <command>named</command> to
2021
also act as a light weight resolver daemon (<command>lwresd</command>).</para></entry>
2024
<entry colname = "1"><para><command>masters</command></para></entry>
2025
<entry colname = "2"><para>defines a named masters list for
2026
inclusion in stub and slave zone masters clauses.</para></entry>
2029
<entry colname = "1"><para><command>options</command></para></entry>
2030
<entry colname = "2"><para>controls global server configuration
2031
options and sets defaults for other statements.</para></entry>
2034
<entry colname = "1"><para><command>server</command></para></entry>
2035
<entry colname = "2"><para>sets certain configuration options on
2036
a per-server basis.</para></entry>
2039
<entry colname = "1"><para><command>trusted-keys</command></para></entry>
2040
<entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
2043
<entry colname = "1"><para><command>view</command></para></entry>
2044
<entry colname = "2"><para>defines a view.</para></entry>
2047
<entry colname = "1"><para><command>zone</command></para></entry>
2048
<entry colname = "2"><para>defines a zone.</para></entry>
2051
</tgroup></informaltable>
2053
<para>The <command>logging</command> and
2054
<command>options</command> statements may only occur once per
2055
configuration.</para>
2058
<title><command>acl</command> Statement Grammar</title>
2060
<programlisting><command>acl</command> acl-name {
3205
You cannot use the semicolon (`;') character
3206
to start a comment such as you would in a zone file. The
3207
semicolon indicates the end of a configuration
3215
<sect1 id="Configuration_File_Grammar">
3216
<title>Configuration File Grammar</title>
3219
A <acronym>BIND</acronym> 9 configuration consists of
3220
statements and comments.
3221
Statements end with a semicolon. Statements and comments are the
3222
only elements that can appear without enclosing braces. Many
3223
statements contain a block of sub-statements, which are also
3224
terminated with a semicolon.
3228
The following statements are supported:
3231
<informaltable colsep="0" rowsep="0">
3232
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3233
<colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3234
<colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3238
<para><command>acl</command></para>
3242
defines a named IP address
3243
matching list, for access control and other uses.
3249
<para><command>controls</command></para>
3253
declares control channels to be used
3254
by the <command>rndc</command> utility.
3260
<para><command>include</command></para>
3270
<para><command>key</command></para>
3274
specifies key information for use in
3275
authentication and authorization using TSIG.
3281
<para><command>logging</command></para>
3285
specifies what the server logs, and where
3286
the log messages are sent.
3292
<para><command>lwres</command></para>
3296
configures <command>named</command> to
3297
also act as a light-weight resolver daemon (<command>lwresd</command>).
3303
<para><command>masters</command></para>
3307
defines a named masters list for
3308
inclusion in stub and slave zone masters clauses.
3314
<para><command>options</command></para>
3318
controls global server configuration
3319
options and sets defaults for other statements.
3325
<para><command>statistics-channels</command></para>
3329
declares communication channels to get access to
3330
<command>named</command> statistics.
3336
<para><command>server</command></para>
3340
sets certain configuration options on
3347
<para><command>trusted-keys</command></para>
3351
defines trusted DNSSEC keys.
3357
<para><command>view</command></para>
3367
<para><command>zone</command></para>
3380
The <command>logging</command> and
3381
<command>options</command> statements may only occur once
3387
<title><command>acl</command> Statement Grammar</title>
3389
<programlisting><command>acl</command> acl-name {
2063
3392
</programlisting>
2066
<title><command>acl</command> Statement Definition and
2069
<para>The <command>acl</command> statement assigns a symbolic
2070
name to an address match list. It gets its name from a primary
2071
use of address match lists: Access Control Lists (ACLs).</para>
2073
<para>Note that an address match list's name must be defined
2074
with <command>acl</command> before it can be used elsewhere; no
2075
forward references are allowed.</para>
2077
<para>The following ACLs are built-in:</para>
2079
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
2080
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
2081
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
2082
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
2085
<entry colname = "1"><para><command>any</command></para></entry>
2086
<entry colname = "2"><para>Matches all hosts.</para></entry>
2089
<entry colname = "1"><para><command>none</command></para></entry>
2090
<entry colname = "2"><para>Matches no hosts.</para></entry>
2093
<entry colname = "1"><para><command>localhost</command></para></entry>
2094
<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
2095
interfaces on the system.</para></entry>
2098
<entry colname = "1"><para><command>localnets</command></para></entry>
2099
<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
2100
for which the system has an interface.
2101
Some systems do not provide a way to determine the prefix lengths of
2102
local IPv6 addresses.
2103
In such a case, <command>localnets</command> only matches the local
2104
IPv6 addresses, just like <command>localhost</command>.
2108
</tgroup></informaltable>
2112
<title><command>controls</command> Statement Grammar</title>
3396
<title><command>acl</command> Statement Definition and
3400
The <command>acl</command> statement assigns a symbolic
3401
name to an address match list. It gets its name from a primary
3402
use of address match lists: Access Control Lists (ACLs).
3406
Note that an address match list's name must be defined
3407
with <command>acl</command> before it can be used
3408
elsewhere; no forward references are allowed.
3412
The following ACLs are built-in:
3415
<informaltable colsep="0" rowsep="0">
3416
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3417
<colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3418
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3422
<para><command>any</command></para>
3432
<para><command>none</command></para>
3442
<para><command>localhost</command></para>
3446
Matches the IPv4 and IPv6 addresses of all network
3447
interfaces on the system.
3453
<para><command>localnets</command></para>
3457
Matches any host on an IPv4 or IPv6 network
3458
for which the system has an interface.
3459
Some systems do not provide a way to determine the prefix
3461
local IPv6 addresses.
3462
In such a case, <command>localnets</command>
3463
only matches the local
3464
IPv6 addresses, just like <command>localhost</command>.
3474
<title><command>controls</command> Statement Grammar</title>
2113
3476
<programlisting><command>controls</command> {
2114
inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
2115
keys { <replaceable> key_list </replaceable> };
2116
<optional> inet ...; </optional>
3477
[ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3478
keys { <replaceable>key_list</replaceable> }; ]
3480
[ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
2118
3483
</programlisting>
2121
<sect2 id="controls_statement_definition_and_usage">
2122
<title><command>controls</command> Statement Definition and Usage</title>
2124
<para>The <command>controls</command> statement declares control
2125
channels to be used by system administrators to control the
2126
operation of the name server. These control channels are
2127
used by the <command>rndc</command> utility to send commands to
2128
and retrieve non-DNS results from a name server.</para>
2130
<para>An <command>inet</command> control channel is a TCP
2131
socket listening at the specified
2132
<command>ip_port</command> on the specified
2133
<command>ip_addr</command>, which can be an IPv4 or IPv6
2134
address. An <command>ip_addr</command>
2135
of <literal>*</literal> is interpreted as the IPv4 wildcard
2136
address; connections will be accepted on any of the system's
2137
IPv4 addresses. To listen on the IPv6 wildcard address,
2138
use an <command>ip_addr</command> of <literal>::</literal>.
2139
If you will only use <command>rndc</command> on the local host,
2140
using the loopback address (<literal>127.0.0.1</literal>
2141
or <literal>::1</literal>) is recommended for maximum
2146
If no port is specified, port 953
2147
is used. "<literal>*</literal>" cannot be used for
2148
<command>ip_port</command>.</para>
2150
<para>The ability to issue commands over the control channel is
2151
restricted by the <command>allow</command> and
2152
<command>keys</command> clauses. Connections to the control
2153
channel are permitted based on the
2154
<command>address_match_list</command>. This is for simple
2155
IP address based filtering only; any <command>key_id</command>
2156
elements of the <command>address_match_list</command> are
2160
<para>The primary authorization mechanism of the command
2161
channel is the <command>key_list</command>, which contains
2162
a list of <command>key_id</command>s.
2163
Each <command>key_id</command> in
2164
the <command>key_list</command> is authorized to execute
2165
commands over the control channel.
2166
See <xref linkend="rndc"/> in
2167
<xref linkend="admin_tools"/>) for information about
2168
configuring keys in <command>rndc</command>.</para>
2171
If no <command>controls</command> statement is present,
2172
<command>named</command> will set up a default
2173
control channel listening on the loopback address 127.0.0.1
2174
and its IPv6 counterpart ::1.
2175
In this case, and also when the <command>controls</command> statement
2176
is present but does not have a <command>keys</command> clause,
2177
<command>named</command> will attempt to load the command channel key
2178
from the file <filename>rndc.key</filename> in
2179
<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
2180
was specified as when <acronym>BIND</acronym> was built).
2181
To create a <filename>rndc.key</filename> file, run
2182
<userinput>rndc-confgen -a</userinput>.
2185
<para>The <filename>rndc.key</filename> feature was created to
2186
ease the transition of systems from <acronym>BIND</acronym> 8,
2187
which did not have digital signatures on its command channel messages
2188
and thus did not have a <command>keys</command> clause.
2190
It makes it possible to use an existing <acronym>BIND</acronym> 8
2191
configuration file in <acronym>BIND</acronym> 9 unchanged,
2192
and still have <command>rndc</command> work the same way
2193
<command>ndc</command> worked in BIND 8, simply by executing the
2194
command <userinput>rndc-confgen -a</userinput> after BIND 9 is
2199
Since the <filename>rndc.key</filename> feature
2200
is only intended to allow the backward-compatible usage of
2201
<acronym>BIND</acronym> 8 configuration files, this feature does not
2202
have a high degree of configurability. You cannot easily change
2203
the key name or the size of the secret, so you should make a
2204
<filename>rndc.conf</filename> with your own key if you wish to change
2205
those things. The <filename>rndc.key</filename> file also has its
2206
permissions set such that only the owner of the file (the user that
2207
<command>named</command> is running as) can access it. If you
2208
desire greater flexibility in allowing other users to access
2209
<command>rndc</command> commands then you need to create an
2210
<filename>rndc.conf</filename> and make it group readable by a group
2211
that contains the users who should have access.</para>
2213
<para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
2214
in <acronym>BIND</acronym> 9, and is not expected to be added in future
2215
releases. If it is present in the controls statement from a
2216
<acronym>BIND</acronym> 8 configuration file, it is ignored
2217
and a warning is logged.</para>
2220
To disable the command channel, use an empty <command>controls</command>
2221
statement: <command>controls { };</command>.
2226
<title><command>include</command> Statement Grammar</title>
2227
<programlisting>include <replaceable>filename</replaceable>;</programlisting>
2230
<title><command>include</command> Statement Definition and Usage</title>
2232
<para>The <command>include</command> statement inserts the
2233
specified file at the point where the <command>include</command>
2234
statement is encountered. The <command>include</command>
2235
statement facilitates the administration of configuration files
2236
by permitting the reading or writing of some things but not
2237
others. For example, the statement could include private keys
2238
that are readable only by the name server.</para>
2242
<title><command>key</command> Statement Grammar</title>
2243
<programlisting>key <replaceable>key_id</replaceable> {
3487
<sect2 id="controls_statement_definition_and_usage">
3488
<title><command>controls</command> Statement Definition and
3492
The <command>controls</command> statement declares control
3493
channels to be used by system administrators to control the
3494
operation of the name server. These control channels are
3495
used by the <command>rndc</command> utility to send
3496
commands to and retrieve non-DNS results from a name server.
3500
An <command>inet</command> control channel is a TCP socket
3501
listening at the specified <command>ip_port</command> on the
3502
specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3503
address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3504
interpreted as the IPv4 wildcard address; connections will be
3505
accepted on any of the system's IPv4 addresses.
3506
To listen on the IPv6 wildcard address,
3507
use an <command>ip_addr</command> of <literal>::</literal>.
3508
If you will only use <command>rndc</command> on the local host,
3509
using the loopback address (<literal>127.0.0.1</literal>
3510
or <literal>::1</literal>) is recommended for maximum security.
3514
If no port is specified, port 953 is used. The asterisk
3515
"<literal>*</literal>" cannot be used for <command>ip_port</command>.
3519
The ability to issue commands over the control channel is
3520
restricted by the <command>allow</command> and
3521
<command>keys</command> clauses.
3522
Connections to the control channel are permitted based on the
3523
<command>address_match_list</command>. This is for simple
3524
IP address based filtering only; any <command>key_id</command>
3525
elements of the <command>address_match_list</command>
3530
A <command>unix</command> control channel is a UNIX domain
3531
socket listening at the specified path in the file system.
3532
Access to the socket is specified by the <command>perm</command>,
3533
<command>owner</command> and <command>group</command> clauses.
3534
Note on some platforms (SunOS and Solaris) the permissions
3535
(<command>perm</command>) are applied to the parent directory
3536
as the permissions on the socket itself are ignored.
3540
The primary authorization mechanism of the command
3541
channel is the <command>key_list</command>, which
3542
contains a list of <command>key_id</command>s.
3543
Each <command>key_id</command> in the <command>key_list</command>
3544
is authorized to execute commands over the control channel.
3545
See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3546
for information about configuring keys in <command>rndc</command>.
3550
If no <command>controls</command> statement is present,
3551
<command>named</command> will set up a default
3552
control channel listening on the loopback address 127.0.0.1
3553
and its IPv6 counterpart ::1.
3554
In this case, and also when the <command>controls</command> statement
3555
is present but does not have a <command>keys</command> clause,
3556
<command>named</command> will attempt to load the command channel key
3557
from the file <filename>rndc.key</filename> in
3558
<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3559
was specified as when <acronym>BIND</acronym> was built).
3560
To create a <filename>rndc.key</filename> file, run
3561
<userinput>rndc-confgen -a</userinput>.
3565
The <filename>rndc.key</filename> feature was created to
3566
ease the transition of systems from <acronym>BIND</acronym> 8,
3567
which did not have digital signatures on its command channel
3568
messages and thus did not have a <command>keys</command> clause.
3570
It makes it possible to use an existing <acronym>BIND</acronym> 8
3571
configuration file in <acronym>BIND</acronym> 9 unchanged,
3572
and still have <command>rndc</command> work the same way
3573
<command>ndc</command> worked in BIND 8, simply by executing the
3574
command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3579
Since the <filename>rndc.key</filename> feature
3580
is only intended to allow the backward-compatible usage of
3581
<acronym>BIND</acronym> 8 configuration files, this
3583
have a high degree of configurability. You cannot easily change
3584
the key name or the size of the secret, so you should make a
3585
<filename>rndc.conf</filename> with your own key if you
3587
those things. The <filename>rndc.key</filename> file
3589
permissions set such that only the owner of the file (the user that
3590
<command>named</command> is running as) can access it.
3592
desire greater flexibility in allowing other users to access
3593
<command>rndc</command> commands, then you need to create
3595
<filename>rndc.conf</filename> file and make it group
3597
that contains the users who should have access.
3601
To disable the command channel, use an empty
3602
<command>controls</command> statement:
3603
<command>controls { };</command>.
3608
<title><command>include</command> Statement Grammar</title>
3609
<programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3612
<title><command>include</command> Statement Definition and
3616
The <command>include</command> statement inserts the
3617
specified file at the point where the <command>include</command>
3618
statement is encountered. The <command>include</command>
3619
statement facilitates the administration of configuration
3621
by permitting the reading or writing of some things but not
3622
others. For example, the statement could include private keys
3623
that are readable only by the name server.
3628
<title><command>key</command> Statement Grammar</title>
3630
<programlisting><command>key</command> <replaceable>key_id</replaceable> {
2244
3631
algorithm <replaceable>string</replaceable>;
2245
3632
secret <replaceable>string</replaceable>;
2247
3634
</programlisting>
2251
<title><command>key</command> Statement Definition and Usage</title>
2253
<para>The <command>key</command> statement defines a shared
2254
secret key for use with TSIG (see <xref linkend="tsig"/>)
2255
or the command channel
2256
(see <xref linkend="controls_statement_definition_and_usage"/>).
2260
The <command>key</command> statement can occur at the top level
2261
of the configuration file or inside a <command>view</command>
2262
statement. Keys defined in top-level <command>key</command>
2263
statements can be used in all views. Keys intended for use in
2264
a <command>controls</command> statement
2265
(see <xref linkend="controls_statement_definition_and_usage"/>)
2266
must be defined at the top level.
2269
<para>The <replaceable>key_id</replaceable>, also known as the
2270
key name, is a domain name uniquely identifying the key. It can
2271
be used in a <command>server</command>
2272
statement to cause requests sent to that
2273
server to be signed with this key, or in address match lists to
2274
verify that incoming requests have been signed with a key
2275
matching this name, algorithm, and secret.</para>
2277
<para>The <replaceable>algorithm_id</replaceable> is a string
2278
that specifies a security/authentication algorithm. The only
2279
algorithm currently supported with TSIG authentication is
2280
<literal>hmac-md5</literal>. The
2281
<replaceable>secret_string</replaceable> is the secret to be
2282
used by the algorithm, and is treated as a base-64 encoded
2287
<title><command>logging</command> Statement Grammar</title>
2288
<programlisting><command>logging</command> {
3639
<title><command>key</command> Statement Definition and Usage</title>
3642
The <command>key</command> statement defines a shared
3643
secret key for use with TSIG (see <xref linkend="tsig"/>)
3644
or the command channel
3645
(see <xref linkend="controls_statement_definition_and_usage"/>).
3649
The <command>key</command> statement can occur at the
3651
of the configuration file or inside a <command>view</command>
3652
statement. Keys defined in top-level <command>key</command>
3653
statements can be used in all views. Keys intended for use in
3654
a <command>controls</command> statement
3655
(see <xref linkend="controls_statement_definition_and_usage"/>)
3656
must be defined at the top level.
3660
The <replaceable>key_id</replaceable>, also known as the
3661
key name, is a domain name uniquely identifying the key. It can
3662
be used in a <command>server</command>
3663
statement to cause requests sent to that
3664
server to be signed with this key, or in address match lists to
3665
verify that incoming requests have been signed with a key
3666
matching this name, algorithm, and secret.
3670
The <replaceable>algorithm_id</replaceable> is a string
3671
that specifies a security/authentication algorithm. Named
3672
supports <literal>hmac-md5</literal>,
3673
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3674
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3675
and <literal>hmac-sha512</literal> TSIG authentication.
3676
Truncated hashes are supported by appending the minimum
3677
number of required bits preceded by a dash, e.g.
3678
<literal>hmac-sha1-80</literal>. The
3679
<replaceable>secret_string</replaceable> is the secret
3680
to be used by the algorithm, and is treated as a base-64
3686
<title><command>logging</command> Statement Grammar</title>
3688
<programlisting><command>logging</command> {
2289
3689
[ <command>channel</command> <replaceable>channel_name</replaceable> {
2290
3690
( <command>file</command> <replaceable>path name</replaceable>
2291
[ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
3691
[ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
2292
3692
[ <command>size</command> <replaceable>size spec</replaceable> ]
2293
3693
| <command>syslog</command> <replaceable>syslog_facility</replaceable>
2294
3694
| <command>stderr</command>
2833
4565
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
2834
4566
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
2835
4567
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4568
<optional> max-udp-size <replaceable>number</replaceable>; </optional>
2836
4569
<optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
2837
4570
<optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
2838
4571
<optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4572
<optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4573
<optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4574
<optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4575
<optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4576
<optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4577
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4578
<optional> empty-server <replaceable>name</replaceable> ; </optional>
4579
<optional> empty-contact <replaceable>name</replaceable> ; </optional>
4580
<optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4581
<optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4582
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4583
<optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
2840
4585
</programlisting>
2843
<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
2845
<para>The <command>options</command> statement sets up global options
2846
to be used by <acronym>BIND</acronym>. This statement may appear only
2847
once in a configuration file. If there is no <command>options</command>
2848
statement, an options block with each option set to its default will
2853
<varlistentry><term><command>directory</command></term>
2854
<listitem><para>The working directory of the server.
2855
Any non-absolute pathnames in the configuration file will be taken
2856
as relative to this directory. The default location for most server
2857
output files (e.g. <filename>named.run</filename>) is this directory.
2858
If a directory is not specified, the working directory defaults
2859
to `<filename>.</filename>', the directory from which the server
2860
was started. The directory specified should be an absolute path.</para>
2861
</listitem></varlistentry>
2863
<varlistentry><term><command>key-directory</command></term>
2864
<listitem><para>When performing dynamic update of secure zones, the
2865
directory where the public and private key files should be found,
2866
if different than the current working directory. The directory specified
2867
must be an absolute path.</para>
2868
</listitem></varlistentry>
2870
<varlistentry><term><command>named-xfer</command></term>
2871
<listitem><para><emphasis>This option is obsolete.</emphasis>
2872
It was used in <acronym>BIND</acronym> 8 to
2873
specify the pathname to the <command>named-xfer</command> program.
2874
In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
2875
needed; its functionality is built into the name server.</para>
2877
</listitem></varlistentry>
2879
<varlistentry><term><command>tkey-domain</command></term>
2880
<listitem><para>The domain appended to the names of all
2881
shared keys generated with <command>TKEY</command>. When a client
2882
requests a <command>TKEY</command> exchange, it may or may not specify
2883
the desired name for the key. If present, the name of the shared
2884
key will be "<varname>client specified part</varname>" +
2885
"<varname>tkey-domain</varname>".
2886
Otherwise, the name of the shared key will be "<varname>random hex
2887
digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
2888
the <command>domainname</command> should be the server's domain
2890
</listitem></varlistentry>
2892
<varlistentry><term><command>tkey-dhkey</command></term>
2893
<listitem><para>The Diffie-Hellman key used by the server
2894
to generate shared keys with clients using the Diffie-Hellman mode
2895
of <command>TKEY</command>. The server must be able to load the
2896
public and private keys from files in the working directory. In
2897
most cases, the keyname should be the server's host name.</para>
2898
</listitem></varlistentry>
2900
<varlistentry><term><command>dump-file</command></term>
2901
<listitem><para>The pathname of the file the server dumps
2902
the database to when instructed to do so with
2903
<command>rndc dumpdb</command>.
2904
If not specified, the default is <filename>named_dump.db</filename>.</para>
2905
</listitem></varlistentry>
2906
<varlistentry><term><command>memstatistics-file</command></term>
2907
<listitem><para>The pathname of the file the server writes memory
2908
usage statistics to on exit. If not specified,
2909
the default is <filename>named.memstats</filename>.</para>
2910
</listitem></varlistentry>
2912
<varlistentry><term><command>pid-file</command></term>
2913
<listitem><para>The pathname of the file the server writes its process ID
2914
in. If not specified, the default is <filename>/var/run/named.pid</filename>.
2915
The pid-file is used by programs that want to send signals to the running
2916
name server. Specifying <command>pid-file none</command> disables the
2917
use of a PID file — no file will be written and any
2918
existing one will be removed. Note that <command>none</command>
2919
is a keyword, not a file name, and therefore is not enclosed in
2920
double quotes.</para>
2921
</listitem></varlistentry>
2923
<varlistentry><term><command>statistics-file</command></term>
2924
<listitem><para>The pathname of the file the server appends statistics
2925
to when instructed to do so using <command>rndc stats</command>.
2926
If not specified, the default is <filename>named.stats</filename> in the
2927
server's current directory. The format of the file is described
2928
in <xref linkend="statsfile"/></para>
2929
</listitem></varlistentry>
2931
<varlistentry><term><command>port</command></term>
2933
The UDP/TCP port number the server uses for
2934
receiving and sending DNS protocol traffic.
2935
The default is 53. This option is mainly intended for server testing;
2936
a server using a port other than 53 will not be able to communicate with
2939
</listitem></varlistentry>
2941
<varlistentry><term><command>random-device</command></term>
2943
The source of entropy to be used by the server. Entropy is primarily needed
2944
for DNSSEC operations, such as TKEY transactions and dynamic update of signed
2945
zones. This options specifies the device (or file) from which to read
2946
entropy. If this is a file, operations requiring entropy will fail when the
2947
file has been exhausted. If not specified, the default value is
2948
<filename>/dev/random</filename>
2949
(or equivalent) when present, and none otherwise. The
2950
<command>random-device</command> option takes effect during
2951
the initial configuration load at server startup time and
2952
is ignored on subsequent reloads.</para>
2953
</listitem></varlistentry>
2955
<varlistentry><term><command>preferred-glue</command></term>
2957
If specified the listed type (A or AAAA) will be emitted before other glue
2958
in the additional section of a query response.
2959
The default is not to preference any type (NONE).
2961
</listitem></varlistentry>
2963
<varlistentry><term><command>root-delegation-only</command></term>
2965
Turn on enforcement of delegation-only in TLDs and root zones with an optional
2969
Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
4589
<sect2 id="options">
4590
<title><command>options</command> Statement Definition and
4594
The <command>options</command> statement sets up global
4596
to be used by <acronym>BIND</acronym>. This statement
4598
once in a configuration file. If there is no <command>options</command>
4599
statement, an options block with each option set to its default will
4606
<term><command>directory</command></term>
4609
The working directory of the server.
4610
Any non-absolute pathnames in the configuration file will be
4612
as relative to this directory. The default location for most
4614
output files (e.g. <filename>named.run</filename>)
4616
If a directory is not specified, the working directory
4617
defaults to `<filename>.</filename>', the directory from
4619
was started. The directory specified should be an absolute
4626
<term><command>key-directory</command></term>
4629
When performing dynamic update of secure zones, the
4630
directory where the public and private key files should be
4632
if different than the current working directory. The
4634
must be an absolute path.
4640
<term><command>named-xfer</command></term>
4643
<emphasis>This option is obsolete.</emphasis> It
4644
was used in <acronym>BIND</acronym> 8 to specify
4645
the pathname to the <command>named-xfer</command>
4646
program. In <acronym>BIND</acronym> 9, no separate
4647
<command>named-xfer</command> program is needed;
4648
its functionality is built into the name server.
4654
<term><command>tkey-gssapi-credential</command></term>
4657
The security credential with which the server should
4658
authenticate keys requested by the GSS-TSIG protocol.
4659
Currently only Kerberos 5 authentication is available
4660
and the credential is a Kerberos principal which
4661
the server can acquire through the default system
4662
key file, normally <filename>/etc/krb5.keytab</filename>.
4663
Normally this principal is of the form
4664
"<userinput>dns/</userinput><varname>server.domain</varname>".
4665
To use GSS-TSIG, <command>tkey-domain</command>
4672
<term><command>tkey-domain</command></term>
4675
The domain appended to the names of all shared keys
4676
generated with <command>TKEY</command>. When a
4677
client requests a <command>TKEY</command> exchange,
4678
it may or may not specify the desired name for the
4679
key. If present, the name of the shared key will
4680
will be <varname>client specified part</varname> +
4681
<varname>tkey-domain</varname>. Otherwise, the
4682
name of the shared key will be <varname>random hex
4683
digits</varname> + <varname>tkey-domain</varname>.
4684
In most cases, the <command>domainname</command>
4685
should be the server's domain name, or an otherwise
4686
non-existent subdomain like
4687
"_tkey.<varname>domainname</varname>". If you are
4688
using GSS-TSIG, this variable must be defined.
4694
<term><command>tkey-dhkey</command></term>
4697
The Diffie-Hellman key used by the server
4698
to generate shared keys with clients using the Diffie-Hellman
4700
of <command>TKEY</command>. The server must be
4702
public and private keys from files in the working directory.
4704
most cases, the keyname should be the server's host name.
4710
<term><command>cache-file</command></term>
4713
This is for testing only. Do not use.
4719
<term><command>dump-file</command></term>
4722
The pathname of the file the server dumps
4723
the database to when instructed to do so with
4724
<command>rndc dumpdb</command>.
4725
If not specified, the default is <filename>named_dump.db</filename>.
4731
<term><command>memstatistics-file</command></term>
4734
The pathname of the file the server writes memory
4735
usage statistics to on exit. If not specified,
4736
the default is <filename>named.memstats</filename>.
4742
<term><command>pid-file</command></term>
4745
The pathname of the file the server writes its process ID
4746
in. If not specified, the default is <filename>/var/run/named.pid</filename>.
4747
The pid-file is used by programs that want to send signals to
4749
name server. Specifying <command>pid-file none</command> disables the
4750
use of a PID file — no file will be written and any
4751
existing one will be removed. Note that <command>none</command>
4752
is a keyword, not a filename, and therefore is not enclosed
4760
<term><command>recursing-file</command></term>
4763
The pathname of the file the server dumps
4764
the queries that are currently recursing when instructed
4765
to do so with <command>rndc recursing</command>.
4766
If not specified, the default is <filename>named.recursing</filename>.
4772
<term><command>statistics-file</command></term>
4775
The pathname of the file the server appends statistics
4776
to when instructed to do so using <command>rndc stats</command>.
4777
If not specified, the default is <filename>named.stats</filename> in the
4778
server's current directory. The format of the file is
4780
in <xref linkend="statsfile"/>.
4786
<term><command>port</command></term>
4789
The UDP/TCP port number the server uses for
4790
receiving and sending DNS protocol traffic.
4791
The default is 53. This option is mainly intended for server
4793
a server using a port other than 53 will not be able to
4801
<term><command>random-device</command></term>
4804
The source of entropy to be used by the server. Entropy is
4806
for DNSSEC operations, such as TKEY transactions and dynamic
4808
zones. This options specifies the device (or file) from which
4810
entropy. If this is a file, operations requiring entropy will
4812
file has been exhausted. If not specified, the default value
4814
<filename>/dev/random</filename>
4815
(or equivalent) when present, and none otherwise. The
4816
<command>random-device</command> option takes
4818
the initial configuration load at server startup time and
4819
is ignored on subsequent reloads.
4825
<term><command>preferred-glue</command></term>
4828
If specified, the listed type (A or AAAA) will be emitted
4830
in the additional section of a query response.
4831
The default is not to prefer any type (NONE).
4837
<term><command>root-delegation-only</command></term>
4840
Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
4845
Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
2971
4849
<programlisting>
2973
4851
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
2975
4853
</programlisting>
2976
</listitem></varlistentry>
2978
<varlistentry><term><command>disable-algorithms</command></term>
2980
Disable the specified DNSSEC algorithms at and below the specified name.
2981
Multiple <command>disable-algorithms</command> statements are allowed.
2982
Only the most specific will be applied.
2983
</para></listitem></varlistentry>
2985
<varlistentry><term><command>dnssec-lookaside</command></term>
2987
When set <command>dnssec-lookaside</command> provides the
2988
validator with an alternate method to validate DNSKEY records at the
2989
top of a zone. When a DNSKEY is at or below a domain specified by the
2990
deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
2991
has left the key untrusted, the trust-anchor will be append to the key
2992
name and a DLV record will be looked up to see if it can validate the
2993
key. If the DLV record validates a DNSKEY (similarly to the way a DS
2994
record does) the DNSKEY RRset is deemed to be trusted.
2995
</para></listitem></varlistentry>
2997
<varlistentry><term><command>dnssec-must-be-secure</command></term>
2999
Specify heirarchies which must / may not be secure (signed and validated).
3000
If <userinput>yes</userinput> then named will only accept answers if they
3002
If <userinput>no</userinput> then normal dnssec validation applies
3003
allowing for insecure answers to be accepted.
3004
The specified domain must be under a <command>trusted-key</command> or
3005
<command>dnssec-lookaside</command> must be active.
3006
</para></listitem></varlistentry>
3010
<sect3 id="boolean_options"><title>Boolean Options</title>
3014
<varlistentry><term><command>auth-nxdomain</command></term>
3015
<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
3016
is always set on NXDOMAIN responses, even if the server is not actually
3017
authoritative. The default is <userinput>no</userinput>; this is
3018
a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
3019
may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
3021
<varlistentry><term><command>deallocate-on-exit</command></term>
3022
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
3023
for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
3024
the checks.</para></listitem></varlistentry>
3026
<varlistentry><term><command>dialup</command></term>
3027
<listitem><para>If <userinput>yes</userinput>, then the
3028
server treats all zones as if they are doing zone transfers across
3029
a dial on demand dialup link, which can be brought up by traffic
3030
originating from this server. This has different effects according
3031
to zone type and concentrates the zone maintenance so that it all
3032
happens in a short interval, once every <command>heartbeat-interval</command> and
3033
hopefully during the one call. It also suppresses some of the normal
3034
zone maintenance traffic. The default is <userinput>no</userinput>.</para>
3035
<para>The <command>dialup</command> option
3036
may also be specified in the <command>view</command> and
3037
<command>zone</command> statements,
3038
in which case it overrides the global <command>dialup</command>
3040
<para>If the zone is a master zone then the server will send out a NOTIFY
3041
request to all the slaves (default). This should trigger the zone serial
3042
number check in the slave (providing it supports NOTIFY) allowing the slave
3043
to verify the zone while the connection is active.
3044
The set of servers to which NOTIFY is sent can be controlled by
3045
<command>notify</command> and <command>also-notify</command>.</para>
3047
zone is a slave or stub zone, then the server will suppress the regular
3048
"zone up to date" (refresh) queries and only perform them when the
3049
<command>heartbeat-interval</command> expires in addition to sending
3050
NOTIFY requests.</para><para>Finer control can be achieved by using
3051
<userinput>notify</userinput> which only sends NOTIFY messages,
3052
<userinput>notify-passive</userinput> which sends NOTIFY messages and
3053
suppresses the normal refresh queries, <userinput>refresh</userinput>
3054
which suppresses normal refresh processing and sends refresh queries
3055
when the <command>heartbeat-interval</command> expires, and
3056
<userinput>passive</userinput> which just disables normal refresh
3059
<informaltable colsep = "0" rowsep = "0">
3060
<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
3061
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
3062
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
3063
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
3064
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
3067
<entry colname = "1"><para>dialup mode</para></entry>
3068
<entry colname = "2"><para>normal refresh</para></entry>
3069
<entry colname = "3"><para>heart-beat refresh</para></entry>
3070
<entry colname = "4"><para>heart-beat notify</para></entry>
3073
<entry colname = "1"><para><command>no</command> (default)</para></entry>
3074
<entry colname = "2"><para>yes</para></entry>
3075
<entry colname = "3"><para>no</para></entry>
3076
<entry colname = "4"><para>no</para></entry>
3079
<entry colname = "1"><para><command>yes</command></para></entry>
3080
<entry colname = "2"><para>no</para></entry>
3081
<entry colname = "3"><para>yes</para></entry>
3082
<entry colname = "4"><para>yes</para></entry>
3085
<entry colname = "1"><para><command>notify</command></para></entry>
3086
<entry colname = "2"><para>yes</para></entry>
3087
<entry colname = "3"><para>no</para></entry>
3088
<entry colname = "4"><para>yes</para></entry>
3091
<entry colname = "1"><para><command>refresh</command></para></entry>
3092
<entry colname = "2"><para>no</para></entry>
3093
<entry colname = "3"><para>yes</para></entry>
3094
<entry colname = "4"><para>no</para></entry>
3097
<entry colname = "1"><para><command>passive</command></para></entry>
3098
<entry colname = "2"><para>no</para></entry>
3099
<entry colname = "3"><para>no</para></entry>
3100
<entry colname = "4"><para>no</para></entry>
3103
<entry colname = "1"><para><command>notify-passive</command></para></entry>
3104
<entry colname = "2"><para>no</para></entry>
3105
<entry colname = "3"><para>no</para></entry>
3106
<entry colname = "4"><para>yes</para></entry>
3109
</tgroup></informaltable>
3111
<para>Note that normal NOTIFY processing is not affected by
3112
<command>dialup</command>.</para>
3114
</listitem></varlistentry>
3116
<varlistentry><term><command>fake-iquery</command></term>
3117
<listitem><para>In <acronym>BIND</acronym> 8, this option
3118
enabled simulating the obsolete DNS query type
3119
IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
3120
</para></listitem></varlistentry>
3122
<varlistentry><term><command>fetch-glue</command></term>
3123
<listitem><para>This option is obsolete.
3124
In BIND 8, <userinput>fetch-glue yes</userinput>
3125
caused the server to attempt to fetch glue resource records it
3126
didn't have when constructing the additional
3127
data section of a response. This is now considered a bad idea
3128
and BIND 9 never does it.</para></listitem></varlistentry>
3130
<varlistentry><term><command>flush-zones-on-shutdown</command></term>
3131
<listitem><para>When the nameserver exits due receiving SIGTERM,
3132
flush / do not flush any pending zone writes. The default is
3133
<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
3134
</para></listitem></varlistentry>
3136
<varlistentry><term><command>has-old-clients</command></term>
3137
<listitem><para>This option was incorrectly implemented
3138
in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
3139
To achieve the intended effect
3141
<command>has-old-clients</command> <userinput>yes</userinput>, specify
3142
the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
3143
and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
3144
</para></listitem></varlistentry>
3146
<varlistentry><term><command>host-statistics</command></term>
3147
<listitem><para>In BIND 8, this enables keeping of
3148
statistics for every host that the name server interacts with.
3149
Not implemented in BIND 9.
3150
</para></listitem></varlistentry>
3152
<varlistentry><term><command>maintain-ixfr-base</command></term>
3153
<listitem><para><emphasis>This option is obsolete</emphasis>.
3154
It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
3155
kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
3156
log whenever possible. If you need to disable outgoing incremental zone
3157
transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
3158
</para></listitem></varlistentry>
3160
<varlistentry><term><command>minimal-responses</command></term>
3161
<listitem><para>If <userinput>yes</userinput>, then when generating
3162
responses the server will only add records to the authority and
3163
additional data sections when they are required (e.g. delegations,
3164
negative responses). This may improve the performance of the server.
3165
The default is <userinput>no</userinput>.
3166
</para></listitem></varlistentry>
3168
<varlistentry><term><command>multiple-cnames</command></term>
3169
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
3170
a domain name to have multiple CNAME records in violation of the
3171
DNS standards. <acronym>BIND</acronym> 9.2 always strictly
3172
enforces the CNAME rules both in master files and dynamic updates.
3173
</para></listitem></varlistentry>
3175
<varlistentry><term><command>notify</command></term>
3176
<listitem><para>If <userinput>yes</userinput> (the default),
3177
DNS NOTIFY messages are sent when a zone the server is authoritative for
3178
changes, see <xref linkend="notify"/>. The messages are sent to the
3179
servers listed in the zone's NS records (except the master server identified
3180
in the SOA MNAME field), and to any servers listed in the
3181
<command>also-notify</command> option.
3183
If <userinput>explicit</userinput>, notifies are sent only to
3184
servers explicitly listed using <command>also-notify</command>.
3185
If <userinput>no</userinput>, no notifies are sent.
3187
The <command>notify</command> option may also be
3188
specified in the <command>zone</command> statement,
3189
in which case it overrides the <command>options notify</command> statement.
3190
It would only be necessary to turn off this option if it caused slaves
3191
to crash.</para></listitem></varlistentry>
3193
<varlistentry><term><command>recursion</command></term>
3194
<listitem><para>If <userinput>yes</userinput>, and a
3195
DNS query requests recursion, then the server will attempt to do
3196
all the work required to answer the query. If recursion is off
3197
and the server does not already know the answer, it will return a
3198
referral response. The default is <userinput>yes</userinput>.
3199
Note that setting <command>recursion no</command> does not prevent
3200
clients from getting data from the server's cache; it only
3201
prevents new data from being cached as an effect of client queries.
3202
Caching may still occur as an effect the server's internal
3203
operation, such as NOTIFY address lookups.
3204
See also <command>fetch-glue</command> above.
3205
</para></listitem></varlistentry>
3207
<varlistentry><term><command>rfc2308-type1</command></term>
3208
<listitem><para>Setting this to <userinput>yes</userinput> will
3209
cause the server to send NS records along with the SOA record for negative
3210
answers. The default is <userinput>no</userinput>.</para>
3211
<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
3212
</listitem></varlistentry>
3214
<varlistentry><term><command>use-id-pool</command></term>
3215
<listitem><para><emphasis>This option is obsolete</emphasis>.
3216
<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
3217
</para></listitem></varlistentry>
3219
<varlistentry><term><command>zone-statistics</command></term>
3220
<listitem><para>If <userinput>yes</userinput>, the server will collect
3221
statistical data on all zones (unless specifically turned off
3222
on a per-zone basis by specifying <command>zone-statistics no</command>
3223
in the <command>zone</command> statement). These statistics may be accessed
3224
using <command>rndc stats</command>, which will dump them to the file listed
3225
in the <command>statistics-file</command>. See also <xref linkend="statsfile"/>.
3226
</para></listitem></varlistentry>
3228
<varlistentry><term><command>use-ixfr</command></term>
3229
<listitem><para><emphasis>This option is obsolete</emphasis>.
3230
If you need to disable IXFR to a particular server or servers see
3231
the information on the <command>provide-ixfr</command> option
3232
in <xref linkend="server_statement_definition_and_usage"/>. See also
3233
<xref linkend="incremental_zone_transfers"/>.
3234
</para></listitem></varlistentry>
3236
<varlistentry><term><command>provide-ixfr</command></term>
3239
See the description of
3240
<command>provide-ixfr</command> in
3241
<xref linkend="server_statement_definition_and_usage"/>
3242
</para></listitem></varlistentry>
3244
<varlistentry><term><command>request-ixfr</command></term>
3247
See the description of
3248
<command>request-ixfr</command> in
3249
<xref linkend="server_statement_definition_and_usage"/>
3250
</para></listitem></varlistentry>
3252
<varlistentry><term><command>treat-cr-as-space</command></term>
3253
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
3254
the server treat carriage return ("<command>\r</command>") characters the same way
3255
as a space or tab character,
3256
to facilitate loading of zone files on a UNIX system that were generated
3257
on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
3258
and NT/DOS "<command>\r\n</command>" newlines are always accepted,
3259
and the option is ignored.</para></listitem></varlistentry>
3262
<term><command>additional-from-auth</command></term>
3263
<term><command>additional-from-cache</command></term>
3267
These options control the behavior of an authoritative server when
3268
answering queries which have additional data, or when following CNAME
3273
When both of these options are set to <userinput>yes</userinput>
3275
query is being answered from authoritative data (a zone
3276
configured into the server), the additional data section of the
3277
reply will be filled in using data from other authoritative zones
3278
and from the cache. In some situations this is undesirable, such
3279
as when there is concern over the correctness of the cache, or
3280
in servers where slave zones may be added and modified by
3281
untrusted third parties. Also, avoiding
3282
the search for this additional data will speed up server operations
3283
at the possible expense of additional queries to resolve what would
3284
otherwise be provided in the additional section.
3288
For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
3289
and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
3290
records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
3291
if known, even though they are not in the example.com zone.
3292
Setting these options to <command>no</command> disables this behavior and makes
3293
the server only search for additional data in the zone it answers from.
3297
These options are intended for use in authoritative-only
3298
servers, or in authoritative-only views. Attempts to set
3299
them to <command>no</command> without also specifying
3300
<command>recursion no</command> will cause the server to
3301
ignore the options and log a warning message.
3305
Specifying <command>additional-from-cache no</command> actually
3306
disables the use of the cache not only for additional data lookups
3307
but also when looking up the answer. This is usually the desired
3308
behavior in an authoritative-only server where the correctness of
3309
the cached data is an issue.
3313
When a name server is non-recursively queried for a name that is not
3314
below the apex of any served zone, it normally answers with an
3315
"upwards referral" to the root servers or the servers of some other
3316
known parent of the query name. Since the data in an upwards referral
3317
comes from the cache, the server will not be able to provide upwards
3318
referrals when <command>additional-from-cache no</command>
3319
has been specified. Instead, it will respond to such queries
3320
with REFUSED. This should not cause any problems since
3321
upwards referrals are not required for the resolution process.
3324
</listitem></varlistentry>
3326
<varlistentry><term><command>match-mapped-addresses</command></term>
3327
<listitem><para>If <userinput>yes</userinput>, then an
3328
IPv4-mapped IPv6 address will match any address match
3329
list entries that match the corresponding IPv4 address.
3330
Enabling this option is sometimes useful on IPv6-enabled Linux
3331
systems, to work around a kernel quirk that causes IPv4
3332
TCP connections such as zone transfers to be accepted
3333
on an IPv6 socket using mapped addresses, causing
3334
address match lists designed for IPv4 to fail to match.
3335
The use of this option for any other purpose is discouraged.
3336
</para></listitem></varlistentry>
3338
<varlistentry><term><command>ixfr-from-differences</command></term>
3341
When 'yes' and the server loads a new version of a master
3342
zone from its zone file or receives a new version of a slave
3343
file by a non-incremental zone transfer, it will compare
3344
the new version to the previous one and calculate a set
3345
of differences. The differences are then logged in the
3346
zone's journal file such that the changes can be transmitted
3347
to downstream slaves as an incremental zone transfer.
3349
By allowing incremental zone transfers to be used for
3350
non-dynamic zones, this option saves bandwidth at the
3351
expense of increased CPU and memory consumption at the master.
3352
In particular, if the new version of a zone is completely
3353
different from the previous one, the set of differences
3354
will be of a size comparable to the combined size of the
3355
old and new zone version, and the server will need to
3356
temporarily allocate memory to hold this complete
3358
</para></listitem></varlistentry>
3360
<varlistentry><term><command>multi-master</command></term>
3363
This should be set when you have multiple masters for a zone and the
3364
addresses refer to different machines. If 'yes' named will not log
3365
when the serial number on the master is less than what named currently
3366
has. The default is <userinput>no</userinput>.
3367
</para></listitem></varlistentry>
3369
<varlistentry><term><command>dnssec-enable</command></term>
3372
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
3373
named behaves as if it does not support DNSSEC.
3374
The default is <userinput>no</userinput>.
3375
</para></listitem></varlistentry>
3377
<varlistentry><term><command>querylog</command></term>
3380
Specify whether query logging should be started when named start.
3381
If <command>querylog</command> is not specified then the query logging
3382
is determined by the presence of the logging category <command>queries</command>.
3383
</para></listitem></varlistentry>
3385
<varlistentry><term><command>check-names</command></term>
3388
This option is used to restrict the character set and syntax of
3389
certain domain names in master files and/or DNS responses received
3390
from the network. The default varies according to usage area. For
3391
<command>master</command> zones the default is <command>fail</command>.
3392
For <command>slave</command> zones the default is <command>warn</command>.
3393
For answer received from the network (<command>response</command>)
3394
the default is <command>ignore</command>.
3396
<para>The rules for legal hostnames / mail domains are derived from RFC 952
3397
and RFC 821 as modified by RFC 1123.
3399
<para><command>check-names</command> applies to the owner names of A, AAA and
3400
MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
3401
records. It also applies to the RDATA of PTR records where the owner name
3402
indicated that it is a reverse lookup of a hostname (the owner name ends in
3403
IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
3405
</listitem></varlistentry>
3411
<sect3><title>Forwarding</title>
3412
<para>The forwarding facility can be used to create a large site-wide
3413
cache on a few servers, reducing traffic over links to external
3414
name servers. It can also be used to allow queries by servers that
3415
do not have direct access to the Internet, but wish to look up exterior
3416
names anyway. Forwarding occurs only on those queries for which
3417
the server is not authoritative and does not have the answer in
3421
<varlistentry><term><command>forward</command></term>
3422
<listitem><para>This option is only meaningful if the
3423
forwarders list is not empty. A value of <varname>first</varname>,
3424
the default, causes the server to query the forwarders first, and
3425
if that doesn't answer the question the server will then look for
3426
the answer itself. If <varname>only</varname> is specified, the
3427
server will only query the forwarders.
3428
</para></listitem></varlistentry>
3430
<varlistentry><term><command>forwarders</command></term>
3431
<listitem><para>Specifies the IP addresses to be used
3432
for forwarding. The default is the empty list (no forwarding).
3433
</para></listitem></varlistentry>
3437
<para>Forwarding can also be configured on a per-domain basis, allowing
3438
for the global forwarding options to be overridden in a variety
3439
of ways. You can set particular domains to use different forwarders,
3440
or have a different <command>forward only/first</command> behavior,
3441
or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
3444
<sect3><title>Dual-stack Servers</title>
3445
<para>Dual-stack servers are used as servers of last resort to work around
3446
problems in reachability due the lack of support for either IPv4 or IPv6
3447
on the host machine.</para>
3450
<varlistentry><term><command>dual-stack-servers</command></term>
3451
<listitem><para>Specifies host names / addresses of machines with access to
3452
both IPv4 and IPv6 transports. If a hostname is used the server must be able
3453
to resolve the name using only the transport it has. If the machine is dual
3454
stacked then the <command>dual-stack-servers</command> have no effect unless
3455
access to a transport has been disabled on the command line
3456
(e.g. <command>named -4</command>).</para></listitem>
3461
<sect3 id="access_control"><title>Access Control</title>
3463
<para>Access to the server can be restricted based on the IP address
3464
of the requesting system. See <xref linkend="address_match_lists"/> for
3465
details on how to specify IP address lists.</para>
3469
<varlistentry><term><command>allow-notify</command></term>
3470
<listitem><para>Specifies which hosts are allowed to
3471
notify this server, a slave, of zone changes in addition
3472
to the zone masters.
3473
<command>allow-notify</command> may also be specified in the
3474
<command>zone</command> statement, in which case it overrides the
3475
<command>options allow-notify</command> statement. It is only meaningful
3476
for a slave zone. If not specified, the default is to process notify messages
3477
only from a zone's master.</para>
3478
</listitem></varlistentry>
3480
<varlistentry><term><command>allow-query</command></term>
3481
<listitem><para>Specifies which hosts are allowed to
3482
ask ordinary DNS questions. <command>allow-query</command> may also
3483
be specified in the <command>zone</command> statement, in which
3484
case it overrides the <command>options allow-query</command> statement. If
3485
not specified, the default is to allow queries from all hosts.</para>
3486
</listitem></varlistentry>
3489
<varlistentry><term><command>allow-recursion</command></term>
3490
<listitem><para>Specifies which hosts are allowed to
3491
make recursive queries through this server. If not specified, the
3492
default is to allow recursive queries from all hosts.
3493
Note that disallowing recursive queries for a host does not prevent the
3494
host from retrieving data that is already in the server's cache.
3496
</listitem></varlistentry>
3498
<varlistentry><term><command>allow-update-forwarding</command></term>
3499
<listitem><para>Specifies which hosts are allowed to
3500
submit Dynamic DNS updates to slave zones to be forwarded to the
3501
master. The default is <userinput>{ none; }</userinput>, which
3502
means that no update forwarding will be performed. To enable
3503
update forwarding, specify
3504
<userinput>allow-update-forwarding { any; };</userinput>.
3505
Specifying values other than <userinput>{ none; }</userinput> or
3506
<userinput>{ any; }</userinput> is usually counterproductive, since
3507
the responsibility for update access control should rest with the
3508
master server, not the slaves.</para>
3509
<para>Note that enabling the update forwarding feature on a slave server
3510
may expose master servers relying on insecure IP address based
3511
access control to attacks; see <xref linkend="dynamic_update_security"/>
3512
for more details.</para>
3513
</listitem></varlistentry>
3515
<varlistentry><term><command>allow-v6-synthesis</command></term>
3516
<listitem><para>This option was introduced for the smooth transition from AAAA
3517
to A6 and from "nibble labels" to binary labels.
3518
However, since both A6 and binary labels were then deprecated,
3519
this option was also deprecated.
3520
It is now ignored with some warning messages.
3522
</listitem></varlistentry>
3524
<varlistentry><term><command>allow-transfer</command></term>
3525
<listitem><para>Specifies which hosts are allowed to
3526
receive zone transfers from the server. <command>allow-transfer</command> may
3527
also be specified in the <command>zone</command> statement, in which
3528
case it overrides the <command>options allow-transfer</command> statement.
3529
If not specified, the default is to allow transfers to all hosts.</para>
3530
</listitem></varlistentry>
3532
<varlistentry><term><command>blackhole</command></term>
3533
<listitem><para>Specifies a list of addresses that the
3534
server will not accept queries from or use to resolve a query. Queries
3535
from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
3536
</listitem></varlistentry>
3542
<sect3><title>Interfaces</title>
3543
<para>The interfaces and ports that the server will answer queries
3544
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
3545
an optional port, and an <varname>address_match_list</varname>.
3546
The server will listen on all interfaces allowed by the address
3547
match list. If a port is not specified, port 53 will be used.</para>
3548
<para>Multiple <command>listen-on</command> statements are allowed.
4859
<term><command>disable-algorithms</command></term>
4862
Disable the specified DNSSEC algorithms at and below the
4864
Multiple <command>disable-algorithms</command>
4865
statements are allowed.
4866
Only the most specific will be applied.
4872
<term><command>dnssec-lookaside</command></term>
4875
When set, <command>dnssec-lookaside</command>
4877
validator with an alternate method to validate DNSKEY records
4879
top of a zone. When a DNSKEY is at or below a domain
4881
deepest <command>dnssec-lookaside</command>, and
4882
the normal dnssec validation
4883
has left the key untrusted, the trust-anchor will be append to
4885
name and a DLV record will be looked up to see if it can
4887
key. If the DLV record validates a DNSKEY (similarly to the
4889
record does) the DNSKEY RRset is deemed to be trusted.
4895
<term><command>dnssec-must-be-secure</command></term>
4898
Specify hierarchies which must be or may not be secure (signed and
4900
If <userinput>yes</userinput>, then named will only accept
4903
If <userinput>no</userinput>, then normal dnssec validation
4905
allowing for insecure answers to be accepted.
4906
The specified domain must be under a <command>trusted-key</command> or
4907
<command>dnssec-lookaside</command> must be
4915
<sect3 id="boolean_options">
4916
<title>Boolean Options</title>
4921
<term><command>auth-nxdomain</command></term>
4924
If <userinput>yes</userinput>, then the <command>AA</command> bit
4925
is always set on NXDOMAIN responses, even if the server is
4927
authoritative. The default is <userinput>no</userinput>;
4929
a change from <acronym>BIND</acronym> 8. If you
4930
are using very old DNS software, you
4931
may need to set it to <userinput>yes</userinput>.
4937
<term><command>deallocate-on-exit</command></term>
4940
This option was used in <acronym>BIND</acronym>
4941
8 to enable checking
4942
for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
4949
<term><command>memstatistics</command></term>
4952
Write memory statistics to the file specfied by
4953
<command>memstatistics-file</command> at exit.
4954
The default is <userinput>no</userinput> unless
4955
'-m record' is specified on the command line in
4956
which case it is <userinput>yes</userinput>.
4962
<term><command>dialup</command></term>
4965
If <userinput>yes</userinput>, then the
4966
server treats all zones as if they are doing zone transfers
4968
a dial-on-demand dialup link, which can be brought up by
4970
originating from this server. This has different effects
4972
to zone type and concentrates the zone maintenance so that
4974
happens in a short interval, once every <command>heartbeat-interval</command> and
4975
hopefully during the one call. It also suppresses some of
4977
zone maintenance traffic. The default is <userinput>no</userinput>.
4980
The <command>dialup</command> option
4981
may also be specified in the <command>view</command> and
4982
<command>zone</command> statements,
4983
in which case it overrides the global <command>dialup</command>
4987
If the zone is a master zone, then the server will send out a
4989
request to all the slaves (default). This should trigger the
4991
number check in the slave (providing it supports NOTIFY)
4993
to verify the zone while the connection is active.
4994
The set of servers to which NOTIFY is sent can be controlled
4996
<command>notify</command> and <command>also-notify</command>.
5000
zone is a slave or stub zone, then the server will suppress
5002
"zone up to date" (refresh) queries and only perform them
5004
<command>heartbeat-interval</command> expires in
5009
Finer control can be achieved by using
5010
<userinput>notify</userinput> which only sends NOTIFY
5012
<userinput>notify-passive</userinput> which sends NOTIFY
5014
suppresses the normal refresh queries, <userinput>refresh</userinput>
5015
which suppresses normal refresh processing and sends refresh
5017
when the <command>heartbeat-interval</command>
5019
<userinput>passive</userinput> which just disables normal
5024
<informaltable colsep="0" rowsep="0">
5025
<tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
5026
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
5027
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
5028
<colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
5029
<colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
5055
<para><command>no</command> (default)</para>
5075
<para><command>yes</command></para>
5095
<para><command>notify</command></para>
5115
<para><command>refresh</command></para>
5135
<para><command>passive</command></para>
5155
<para><command>notify-passive</command></para>
5178
Note that normal NOTIFY processing is not affected by
5179
<command>dialup</command>.
5186
<term><command>fake-iquery</command></term>
5189
In <acronym>BIND</acronym> 8, this option
5190
enabled simulating the obsolete DNS query type
5191
IQUERY. <acronym>BIND</acronym> 9 never does
5198
<term><command>fetch-glue</command></term>
5201
This option is obsolete.
5202
In BIND 8, <userinput>fetch-glue yes</userinput>
5203
caused the server to attempt to fetch glue resource records
5205
didn't have when constructing the additional
5206
data section of a response. This is now considered a bad
5208
and BIND 9 never does it.
5214
<term><command>flush-zones-on-shutdown</command></term>
5217
When the nameserver exits due receiving SIGTERM,
5218
flush or do not flush any pending zone writes. The default
5220
<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5226
<term><command>has-old-clients</command></term>
5229
This option was incorrectly implemented
5230
in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5231
To achieve the intended effect
5233
<command>has-old-clients</command> <userinput>yes</userinput>, specify
5234
the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5235
and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5241
<term><command>host-statistics</command></term>
5244
In BIND 8, this enables keeping of
5245
statistics for every host that the name server interacts
5247
Not implemented in BIND 9.
5253
<term><command>maintain-ixfr-base</command></term>
5256
<emphasis>This option is obsolete</emphasis>.
5257
It was used in <acronym>BIND</acronym> 8 to
5258
determine whether a transaction log was
5259
kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5260
log whenever possible. If you need to disable outgoing
5262
transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5268
<term><command>minimal-responses</command></term>
5271
If <userinput>yes</userinput>, then when generating
5272
responses the server will only add records to the authority
5273
and additional data sections when they are required (e.g.
5274
delegations, negative responses). This may improve the
5275
performance of the server.
5276
The default is <userinput>no</userinput>.
5282
<term><command>multiple-cnames</command></term>
5285
This option was used in <acronym>BIND</acronym> 8 to allow
5286
a domain name to have multiple CNAME records in violation of
5287
the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5288
always strictly enforces the CNAME rules both in master
5289
files and dynamic updates.
5295
<term><command>notify</command></term>
5298
If <userinput>yes</userinput> (the default),
5299
DNS NOTIFY messages are sent when a zone the server is
5301
changes, see <xref linkend="notify"/>. The messages are
5303
servers listed in the zone's NS records (except the master
5305
in the SOA MNAME field), and to any servers listed in the
5306
<command>also-notify</command> option.
5309
If <userinput>master-only</userinput>, notifies are only
5312
If <userinput>explicit</userinput>, notifies are sent only
5314
servers explicitly listed using <command>also-notify</command>.
5315
If <userinput>no</userinput>, no notifies are sent.
5318
The <command>notify</command> option may also be
5319
specified in the <command>zone</command>
5321
in which case it overrides the <command>options notify</command> statement.
5322
It would only be necessary to turn off this option if it
5330
<term><command>notify-to-soa</command></term>
5333
If <userinput>yes</userinput> do not check the nameservers
5334
in the NS RRset against the SOA MNAME. Normally a NOTIFY
5335
message is not sent to the SOA MNAME (SOA ORIGIN) as it is
5336
supposed to contain the name of the ultimate master.
5337
Sometimes, however, a slave is listed as the SOA MNAME in
5338
hidden master configurations and in that case you would
5339
want the ultimate master to still send NOTIFY messages to
5340
all the nameservers listed in the NS RRset.
5346
<term><command>recursion</command></term>
5349
If <userinput>yes</userinput>, and a
5350
DNS query requests recursion, then the server will attempt
5352
all the work required to answer the query. If recursion is
5354
and the server does not already know the answer, it will
5356
referral response. The default is
5357
<userinput>yes</userinput>.
5358
Note that setting <command>recursion no</command> does not prevent
5359
clients from getting data from the server's cache; it only
5360
prevents new data from being cached as an effect of client
5362
Caching may still occur as an effect the server's internal
5363
operation, such as NOTIFY address lookups.
5364
See also <command>fetch-glue</command> above.
5370
<term><command>rfc2308-type1</command></term>
5373
Setting this to <userinput>yes</userinput> will
5374
cause the server to send NS records along with the SOA
5376
answers. The default is <userinput>no</userinput>.
5380
Not yet implemented in <acronym>BIND</acronym>
5388
<term><command>use-id-pool</command></term>
5391
<emphasis>This option is obsolete</emphasis>.
5392
<acronym>BIND</acronym> 9 always allocates query
5399
<term><command>zone-statistics</command></term>
5402
If <userinput>yes</userinput>, the server will collect
5403
statistical data on all zones (unless specifically turned
5405
on a per-zone basis by specifying <command>zone-statistics no</command>
5406
in the <command>zone</command> statement).
5407
These statistics may be accessed
5408
using <command>rndc stats</command>, which will
5409
dump them to the file listed
5410
in the <command>statistics-file</command>. See
5411
also <xref linkend="statsfile"/>.
5417
<term><command>use-ixfr</command></term>
5420
<emphasis>This option is obsolete</emphasis>.
5421
If you need to disable IXFR to a particular server or
5423
the information on the <command>provide-ixfr</command> option
5424
in <xref linkend="server_statement_definition_and_usage"/>.
5426
<xref linkend="incremental_zone_transfers"/>.
5432
<term><command>provide-ixfr</command></term>
5435
See the description of
5436
<command>provide-ixfr</command> in
5437
<xref linkend="server_statement_definition_and_usage"/>.
5443
<term><command>request-ixfr</command></term>
5446
See the description of
5447
<command>request-ixfr</command> in
5448
<xref linkend="server_statement_definition_and_usage"/>.
5454
<term><command>treat-cr-as-space</command></term>
5457
This option was used in <acronym>BIND</acronym>
5459
the server treat carriage return ("<command>\r</command>") characters the same way
5460
as a space or tab character,
5461
to facilitate loading of zone files on a UNIX system that
5463
on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5464
and NT/DOS "<command>\r\n</command>" newlines
5465
are always accepted,
5466
and the option is ignored.
5472
<term><command>additional-from-auth</command></term>
5473
<term><command>additional-from-cache</command></term>
5477
These options control the behavior of an authoritative
5479
answering queries which have additional data, or when
5485
When both of these options are set to <userinput>yes</userinput>
5487
query is being answered from authoritative data (a zone
5488
configured into the server), the additional data section of
5490
reply will be filled in using data from other authoritative
5492
and from the cache. In some situations this is undesirable,
5494
as when there is concern over the correctness of the cache,
5496
in servers where slave zones may be added and modified by
5497
untrusted third parties. Also, avoiding
5498
the search for this additional data will speed up server
5500
at the possible expense of additional queries to resolve
5502
otherwise be provided in the additional section.
5506
For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5507
and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5508
records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5509
if known, even though they are not in the example.com zone.
5510
Setting these options to <command>no</command>
5511
disables this behavior and makes
5512
the server only search for additional data in the zone it
5517
These options are intended for use in authoritative-only
5518
servers, or in authoritative-only views. Attempts to set
5519
them to <command>no</command> without also
5521
<command>recursion no</command> will cause the
5523
ignore the options and log a warning message.
5527
Specifying <command>additional-from-cache no</command> actually
5528
disables the use of the cache not only for additional data
5530
but also when looking up the answer. This is usually the
5532
behavior in an authoritative-only server where the
5534
the cached data is an issue.
5538
When a name server is non-recursively queried for a name
5540
below the apex of any served zone, it normally answers with
5542
"upwards referral" to the root servers or the servers of
5544
known parent of the query name. Since the data in an
5546
comes from the cache, the server will not be able to provide
5548
referrals when <command>additional-from-cache no</command>
5549
has been specified. Instead, it will respond to such
5551
with REFUSED. This should not cause any problems since
5552
upwards referrals are not required for the resolution
5560
<term><command>match-mapped-addresses</command></term>
5563
If <userinput>yes</userinput>, then an
5564
IPv4-mapped IPv6 address will match any address match
5565
list entries that match the corresponding IPv4 address.
5566
Enabling this option is sometimes useful on IPv6-enabled
5568
systems, to work around a kernel quirk that causes IPv4
5569
TCP connections such as zone transfers to be accepted
5570
on an IPv6 socket using mapped addresses, causing
5571
address match lists designed for IPv4 to fail to match.
5572
The use of this option for any other purpose is discouraged.
5578
<term><command>ixfr-from-differences</command></term>
5581
When <userinput>yes</userinput> and the server loads a new version of a master
5582
zone from its zone file or receives a new version of a slave
5583
file by a non-incremental zone transfer, it will compare
5584
the new version to the previous one and calculate a set
5585
of differences. The differences are then logged in the
5586
zone's journal file such that the changes can be transmitted
5587
to downstream slaves as an incremental zone transfer.
5590
By allowing incremental zone transfers to be used for
5591
non-dynamic zones, this option saves bandwidth at the
5592
expense of increased CPU and memory consumption at the
5594
In particular, if the new version of a zone is completely
5595
different from the previous one, the set of differences
5596
will be of a size comparable to the combined size of the
5597
old and new zone version, and the server will need to
5598
temporarily allocate memory to hold this complete
5601
<para><command>ixfr-from-differences</command>
5602
also accepts <command>master</command> and
5603
<command>slave</command> at the view and options
5605
<command>ixfr-from-differences</command> to apply to
5606
all <command>master</command> or
5607
<command>slave</command> zones respectively.
5613
<term><command>multi-master</command></term>
5616
This should be set when you have multiple masters for a zone
5618
addresses refer to different machines. If <userinput>yes</userinput>, named will
5620
when the serial number on the master is less than what named
5622
has. The default is <userinput>no</userinput>.
5628
<term><command>dnssec-enable</command></term>
5631
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
5632
named behaves as if it does not support DNSSEC.
5633
The default is <userinput>yes</userinput>.
5639
<term><command>dnssec-validation</command></term>
5642
Enable DNSSEC validation in named.
5643
Note <command>dnssec-enable</command> also needs to be
5644
set to <userinput>yes</userinput> to be effective.
5645
The default is <userinput>yes</userinput>.
5651
<term><command>dnssec-accept-expired</command></term>
5654
Accept expired signatures when verifying DNSSEC signatures.
5655
The default is <userinput>no</userinput>.
5656
Setting this option to "yes" leaves named vulnerable to replay attacks.
5662
<term><command>querylog</command></term>
5665
Specify whether query logging should be started when named
5667
If <command>querylog</command> is not specified,
5668
then the query logging
5669
is determined by the presence of the logging category <command>queries</command>.
5675
<term><command>check-names</command></term>
5678
This option is used to restrict the character set and syntax
5680
certain domain names in master files and/or DNS responses
5682
from the network. The default varies according to usage
5684
<command>master</command> zones the default is <command>fail</command>.
5685
For <command>slave</command> zones the default
5686
is <command>warn</command>.
5687
For answers received from the network (<command>response</command>)
5688
the default is <command>ignore</command>.
5691
The rules for legal hostnames and mail domains are derived
5692
from RFC 952 and RFC 821 as modified by RFC 1123.
5694
<para><command>check-names</command>
5695
applies to the owner names of A, AAAA and MX records.
5696
It also applies to the domain names in the RDATA of NS, SOA
5698
It also applies to the RDATA of PTR records where the owner
5699
name indicated that it is a reverse lookup of a hostname
5700
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
5706
<term><command>check-mx</command></term>
5709
Check whether the MX record appears to refer to a IP address.
5710
The default is to <command>warn</command>. Other possible
5711
values are <command>fail</command> and
5712
<command>ignore</command>.
5718
<term><command>check-wildcard</command></term>
5721
This option is used to check for non-terminal wildcards.
5722
The use of non-terminal wildcards is almost always as a
5724
to understand the wildcard matching algorithm (RFC 1034).
5726
affects master zones. The default (<command>yes</command>) is to check
5727
for non-terminal wildcards and issue a warning.
5733
<term><command>check-integrity</command></term>
5736
Perform post load zone integrity checks on master
5737
zones. This checks that MX and SRV records refer
5738
to address (A or AAAA) records and that glue
5739
address records exist for delegated zones. For
5740
MX and SRV records only in-zone hostnames are
5741
checked (for out-of-zone hostnames use named-checkzone).
5742
For NS records only names below top of zone are
5743
checked (for out-of-zone names and glue consistency
5744
checks use named-checkzone). The default is
5745
<command>yes</command>.
5751
<term><command>check-mx-cname</command></term>
5754
If <command>check-integrity</command> is set then
5755
fail, warn or ignore MX records that refer
5756
to CNAMES. The default is to <command>warn</command>.
5762
<term><command>check-srv-cname</command></term>
5765
If <command>check-integrity</command> is set then
5766
fail, warn or ignore SRV records that refer
5767
to CNAMES. The default is to <command>warn</command>.
5773
<term><command>check-sibling</command></term>
5776
When performing integrity checks, also check that
5777
sibling glue exists. The default is <command>yes</command>.
5783
<term><command>zero-no-soa-ttl</command></term>
5786
When returning authoritative negative responses to
5787
SOA queries set the TTL of the SOA recored returned in
5788
the authority section to zero.
5789
The default is <command>yes</command>.
5795
<term><command>zero-no-soa-ttl-cache</command></term>
5798
When caching a negative response to a SOA query
5799
set the TTL to zero.
5800
The default is <command>no</command>.
5806
<term><command>update-check-ksk</command></term>
5809
When regenerating the RRSIGs following a UPDATE
5810
request to a secure zone, check the KSK flag on
5811
the DNSKEY RR to determine if this key should be
5812
used to generate the RRSIG. This flag is ignored
5813
if there are not DNSKEY RRs both with and without
5815
The default is <command>yes</command>.
5821
<term><command>try-tcp-refresh</command></term>
5824
Try to refresh the zone using TCP if UDP queries fail.
5825
For BIND 8 compatibility, the default is
5826
<command>yes</command>.
5836
<title>Forwarding</title>
5838
The forwarding facility can be used to create a large site-wide
5839
cache on a few servers, reducing traffic over links to external
5840
name servers. It can also be used to allow queries by servers that
5841
do not have direct access to the Internet, but wish to look up
5843
names anyway. Forwarding occurs only on those queries for which
5844
the server is not authoritative and does not have the answer in
5850
<term><command>forward</command></term>
5853
This option is only meaningful if the
5854
forwarders list is not empty. A value of <varname>first</varname>,
5855
the default, causes the server to query the forwarders
5857
if that doesn't answer the question, the server will then
5859
the answer itself. If <varname>only</varname> is
5861
server will only query the forwarders.
5867
<term><command>forwarders</command></term>
5870
Specifies the IP addresses to be used
5871
for forwarding. The default is the empty list (no
5880
Forwarding can also be configured on a per-domain basis, allowing
5881
for the global forwarding options to be overridden in a variety
5882
of ways. You can set particular domains to use different
5884
or have a different <command>forward only/first</command> behavior,
5885
or not forward at all, see <xref linkend="zone_statement_grammar"/>.
5890
<title>Dual-stack Servers</title>
5892
Dual-stack servers are used as servers of last resort to work
5894
problems in reachability due the lack of support for either IPv4
5896
on the host machine.
5901
<term><command>dual-stack-servers</command></term>
5904
Specifies host names or addresses of machines with access to
5905
both IPv4 and IPv6 transports. If a hostname is used, the
5907
to resolve the name using only the transport it has. If the
5909
stacked, then the <command>dual-stack-servers</command> have no effect unless
5910
access to a transport has been disabled on the command line
5911
(e.g. <command>named -4</command>).
5918
<sect3 id="access_control">
5919
<title>Access Control</title>
5922
Access to the server can be restricted based on the IP address
5923
of the requesting system. See <xref linkend="address_match_lists"/> for
5924
details on how to specify IP address lists.
5930
<term><command>allow-notify</command></term>
5933
Specifies which hosts are allowed to
5934
notify this server, a slave, of zone changes in addition
5935
to the zone masters.
5936
<command>allow-notify</command> may also be
5938
<command>zone</command> statement, in which case
5940
<command>options allow-notify</command>
5941
statement. It is only meaningful
5942
for a slave zone. If not specified, the default is to
5943
process notify messages
5944
only from a zone's master.
5950
<term><command>allow-query</command></term>
5953
Specifies which hosts are allowed to ask ordinary
5954
DNS questions. <command>allow-query</command> may
5955
also be specified in the <command>zone</command>
5956
statement, in which case it overrides the
5957
<command>options allow-query</command> statement.
5958
If not specified, the default is to allow queries
5963
<command>allow-query-cache</command> is now
5964
used to specify access to the cache.
5971
<term><command>allow-query-on</command></term>
5974
Specifies which local addresses can accept ordinary
5975
DNS questions. This makes it possible, for instance,
5976
to allow queries on internal-facing interfaces but
5977
disallow them on external-facing ones, without
5978
necessarily knowing the internal network's addresses.
5981
<command>allow-query-on</command> may
5982
also be specified in the <command>zone</command>
5983
statement, in which case it overrides the
5984
<command>options allow-query-on</command> statement.
5987
If not specified, the default is to allow queries
5992
<command>allow-query-cache</command> is
5993
used to specify access to the cache.
6000
<term><command>allow-query-cache</command></term>
6003
Specifies which hosts are allowed to get answers
6004
from the cache. If <command>allow-query-cache</command>
6005
is not set then <command>allow-recursion</command>
6006
is used if set, otherwise <command>allow-query</command>
6007
is used if set, otherwise the default
6008
(<command>localnets;</command>
6009
<command>localhost;</command>) is used.
6015
<term><command>allow-query-cache-on</command></term>
6018
Specifies which local addresses can give answers
6019
from the cache. If not specified, the default is
6020
to allow cache queries on any address,
6021
<command>localnets</command> and
6022
<command>localhost</command>.
6028
<term><command>allow-recursion</command></term>
6031
Specifies which hosts are allowed to make recursive
6032
queries through this server. If
6033
<command>allow-recursion</command> is not set
6034
then <command>allow-query-cache</command> is
6035
used if set, otherwise <command>allow-query</command>
6036
is used if set, otherwise the default
6037
(<command>localnets;</command>
6038
<command>localhost;</command>) is used.
6044
<term><command>allow-recursion-on</command></term>
6047
Specifies which local addresses can accept recursive
6048
queries. If not specified, the default is to allow
6049
recursive queries on all addresses.
6055
<term><command>allow-update</command></term>
6058
Specifies which hosts are allowed to
6059
submit Dynamic DNS updates for master zones. The default is
6061
updates from all hosts. Note that allowing updates based
6062
on the requestor's IP address is insecure; see
6063
<xref linkend="dynamic_update_security"/> for details.
6069
<term><command>allow-update-forwarding</command></term>
6072
Specifies which hosts are allowed to
6073
submit Dynamic DNS updates to slave zones to be forwarded to
6075
master. The default is <userinput>{ none; }</userinput>,
6077
means that no update forwarding will be performed. To
6079
update forwarding, specify
6080
<userinput>allow-update-forwarding { any; };</userinput>.
6081
Specifying values other than <userinput>{ none; }</userinput> or
6082
<userinput>{ any; }</userinput> is usually
6083
counterproductive, since
6084
the responsibility for update access control should rest
6086
master server, not the slaves.
6089
Note that enabling the update forwarding feature on a slave
6091
may expose master servers relying on insecure IP address
6093
access control to attacks; see <xref linkend="dynamic_update_security"/>
6100
<term><command>allow-v6-synthesis</command></term>
6103
This option was introduced for the smooth transition from
6105
to A6 and from "nibble labels" to binary labels.
6106
However, since both A6 and binary labels were then
6108
this option was also deprecated.
6109
It is now ignored with some warning messages.
6115
<term><command>allow-transfer</command></term>
6118
Specifies which hosts are allowed to
6119
receive zone transfers from the server. <command>allow-transfer</command> may
6120
also be specified in the <command>zone</command>
6122
case it overrides the <command>options allow-transfer</command> statement.
6123
If not specified, the default is to allow transfers to all
6130
<term><command>blackhole</command></term>
6133
Specifies a list of addresses that the
6134
server will not accept queries from or use to resolve a
6136
from these addresses will not be responded to. The default
6137
is <userinput>none</userinput>.
6147
<title>Interfaces</title>
6149
The interfaces and ports that the server will answer queries
6150
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
6151
an optional port, and an <varname>address_match_list</varname>.
6152
The server will listen on all interfaces allowed by the address
6153
match list. If a port is not specified, port 53 will be used.
6156
Multiple <command>listen-on</command> statements are
3551
6161
<programlisting>listen-on { 5.6.7.8; };
3552
6162
listen-on port 1234 { !1.2.3.4; 1.2/16; };
3553
6163
</programlisting>
3555
<para>will enable the name server on port 53 for the IP address
3556
5.6.7.8, and on port 1234 of an address on the machine in net
3557
1.2 that is not 1.2.3.4.</para>
3559
<para>If no <command>listen-on</command> is specified, the
3560
server will listen on port 53 on all interfaces.</para>
3562
<para>The <command>listen-on-v6</command> option is used to
3563
specify the interfaces and the ports on which the server will listen
3564
for incoming queries sent using IPv6.</para>
3566
<para>When <programlisting>{ any; }</programlisting> is specified
3567
as the <varname>address_match_list</varname> for the
3568
<command>listen-on-v6</command> option,
3569
the server does not bind a separate socket to each IPv6 interface
3570
address as it does for IPv4 if the operating system has enough API
3571
support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
3572
Instead, it listens on the IPv6 wildcard address.
3573
If the system only has incomplete API support for IPv6, however,
3574
the behavior is the same as that for IPv4.</para>
3576
<para>A list of particular IPv6 addresses can also be specified, in which case
3577
the server listens on a separate socket for each specified address,
3578
regardless of whether the desired API is supported by the system.</para>
3580
<para>Multiple <command>listen-on-v6</command> options can be used.
6166
will enable the name server on port 53 for the IP address
6167
5.6.7.8, and on port 1234 of an address on the machine in net
6168
1.2 that is not 1.2.3.4.
6172
If no <command>listen-on</command> is specified, the
6173
server will listen on port 53 on all interfaces.
6177
The <command>listen-on-v6</command> option is used to
6178
specify the interfaces and the ports on which the server will
6180
for incoming queries sent using IPv6.
6184
When <programlisting>{ any; }</programlisting> is
6186
as the <varname>address_match_list</varname> for the
6187
<command>listen-on-v6</command> option,
6188
the server does not bind a separate socket to each IPv6 interface
6189
address as it does for IPv4 if the operating system has enough API
6190
support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6192
Instead, it listens on the IPv6 wildcard address.
6193
If the system only has incomplete API support for IPv6, however,
6194
the behavior is the same as that for IPv4.
6198
A list of particular IPv6 addresses can also be specified, in
6200
the server listens on a separate socket for each specified
6202
regardless of whether the desired API is supported by the system.
6206
Multiple <command>listen-on-v6</command> options can
3583
6211
<programlisting>listen-on-v6 { any; };
3584
6212
listen-on-v6 port 1234 { !2001:db8::/32; any; };
3585
6213
</programlisting>
3587
<para>will enable the name server on port 53 for any IPv6 addresses
3588
(with a single wildcard socket),
3589
and on port 1234 of IPv6 addresses that is not in the prefix
3590
2001:db8::/32 (with separate sockets for each matched address.)</para>
3592
<para>To make the server not listen on any IPv6 address, use</para>
6216
will enable the name server on port 53 for any IPv6 addresses
6217
(with a single wildcard socket),
6218
and on port 1234 of IPv6 addresses that is not in the prefix
6219
2001:db8::/32 (with separate sockets for each matched address.)
6223
To make the server not listen on any IPv6 address, use
3593
6226
<programlisting>listen-on-v6 { none; };
3594
6227
</programlisting>
3595
<para>If no <command>listen-on-v6</command> option is specified,
3596
the server will not listen on any IPv6 address.</para></sect3>
3598
<sect3><title>Query Address</title>
3599
<para>If the server doesn't know the answer to a question, it will
3600
query other name servers. <command>query-source</command> specifies
3601
the address and port used for such queries. For queries sent over
3602
IPv6, there is a separate <command>query-source-v6</command> option.
3603
If <command>address</command> is <command>*</command> or is omitted,
3604
a wildcard IP address (<command>INADDR_ANY</command>) will be used.
3605
If <command>port</command> is <command>*</command> or is omitted,
3606
a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
3607
and <command>avoid-v6-udp-ports</command> can be used to prevent named
3608
from selecting certain ports. The defaults are</para>
6230
If no <command>listen-on-v6</command> option is
6232
the server will not listen on any IPv6 address.
6236
<sect3 id="query_address">
6237
<title>Query Address</title>
6239
If the server doesn't know the answer to a question, it will
6240
query other name servers. <command>query-source</command> specifies
6241
the address and port used for such queries. For queries sent over
6242
IPv6, there is a separate <command>query-source-v6</command> option.
6243
If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6244
a wildcard IP address (<command>INADDR_ANY</command>)
6246
If <command>port</command> is <command>*</command> or is omitted,
6247
a random unprivileged port number is picked up and will be
6248
used for each query.
6249
Previously, the <command>use-queryport-pool</command> was provided
6250
to support a pool of such random ports, but this option is now
6251
obsolete because reusing the same ports in the pool is not
6252
sufficiently secure.
6253
For the same reason, it is generally strongly discouraged to
6254
specify a particular port for the
6255
<command>query-source</command> or
6256
<command>query-source-v6</command> options;
6257
it implicitly disables the use of randomized port numbers.
6258
The <command>avoid-v4-udp-ports</command>
6259
and <command>avoid-v6-udp-ports</command> options can be used
6261
from selecting certain ports.
3609
6265
<programlisting>query-source address * port *;
3610
6266
query-source-v6 address * port *;
3611
6267
</programlisting>
3613
<para>The address specified in the <command>query-source</command> option
3614
is used for both UDP and TCP queries, but the port applies only to
3615
UDP queries. TCP queries always use a random
3616
unprivileged port.</para></note>
3618
<para>See also <command>transfer-source</command> and
3619
<command>notify-source</command>.</para></note>
3622
<sect3 id="zone_transfers"><title>Zone Transfers</title>
3623
<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
3624
and set limits on the amount of load that transfers place on the
3625
system. The following options apply to zone transfers.</para>
3629
<varlistentry><term><command>also-notify</command></term>
3630
<listitem><para>Defines a global list of IP addresses of name servers
3631
that are also sent NOTIFY messages whenever a fresh copy of the
3632
zone is loaded, in addition to the servers listed in the zone's NS records.
3633
This helps to ensure that copies of the zones will
3634
quickly converge on stealth servers. If an <command>also-notify</command> list
3635
is given in a <command>zone</command> statement, it will override
3636
the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
3637
is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
3638
not be sent NOTIFY messages for that zone. The default is the empty
3639
list (no global notification list).</para>
3640
</listitem></varlistentry>
3642
<varlistentry><term><command>max-transfer-time-in</command></term>
3643
<listitem><para>Inbound zone transfers running longer than
3644
this many minutes will be terminated. The default is 120 minutes
3645
(2 hours). The maximum value is 28 days (40320 minutes).</para>
3646
</listitem></varlistentry>
3648
<varlistentry><term><command>max-transfer-idle-in</command></term>
3649
<listitem><para>Inbound zone transfers making no progress
3650
in this many minutes will be terminated. The default is 60 minutes
3651
(1 hour). The maximum value is 28 days (40320 minutes).</para>
3652
</listitem></varlistentry>
3654
<varlistentry><term><command>max-transfer-time-out</command></term>
3655
<listitem><para>Outbound zone transfers running longer than
3656
this many minutes will be terminated. The default is 120 minutes
3657
(2 hours). The maximum value is 28 days (40320 minutes).</para>
3658
</listitem></varlistentry>
3660
<varlistentry><term><command>max-transfer-idle-out</command></term>
3661
<listitem><para>Outbound zone transfers making no progress
3662
in this many minutes will be terminated. The default is 60 minutes (1
3663
hour). The maximum value is 28 days (40320 minutes).</para>
3664
</listitem></varlistentry>
3666
<varlistentry><term><command>serial-query-rate</command></term>
3667
<listitem><para>Slave servers will periodically query master servers
3668
to find out if zone serial numbers have changed. Each such query uses
3669
a minute amount of the slave server's network bandwidth. To limit the
3670
amount of bandwidth used, BIND 9 limits the rate at which queries are
3671
sent. The value of the <command>serial-query-rate</command> option,
3672
an integer, is the maximum number of queries sent per second.
3675
</listitem></varlistentry>
3677
<varlistentry><term><command>serial-queries</command></term>
3678
<listitem><para>In BIND 8, the <command>serial-queries</command> option
3679
set the maximum number of concurrent serial number queries
3680
allowed to be outstanding at any given time.
3681
BIND 9 does not limit the number of outstanding
3682
serial queries and ignores the <command>serial-queries</command> option.
3683
Instead, it limits the rate at which the queries are sent
3684
as defined using the <command>serial-query-rate</command> option.
3686
</listitem></varlistentry>
3688
<varlistentry><term><command>transfer-format</command></term>
3692
Zone transfers can be sent using two different formats,
3693
<command>one-answer</command> and <command>many-answers</command>.
3694
The <command>transfer-format</command> option is used
3695
on the master server to determine which format it sends.
3696
<command>one-answer</command> uses one DNS message per
3697
resource record transferred.
3698
<command>many-answers</command> packs as many resource records as
3699
possible into a message. <command>many-answers</command> is more
3700
efficient, but is only supported by relatively new slave servers,
3701
such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
3702
versions of <acronym>BIND</acronym> 4.9.5. The default is
3703
<command>many-answers</command>. <command>transfer-format</command>
3704
may be overridden on a per-server basis by using the
3705
<command>server</command> statement.
3708
</listitem></varlistentry>
3710
<varlistentry><term><command>transfers-in</command></term>
3711
<listitem><para>The maximum number of inbound zone transfers
3712
that can be running concurrently. The default value is <literal>10</literal>.
3713
Increasing <command>transfers-in</command> may speed up the convergence
3714
of slave zones, but it also may increase the load on the local system.</para>
3715
</listitem></varlistentry>
3717
<varlistentry><term><command>transfers-out</command></term>
3718
<listitem><para>The maximum number of outbound zone transfers
3719
that can be running concurrently. Zone transfer requests in excess
3720
of the limit will be refused. The default value is <literal>10</literal>.</para>
3721
</listitem></varlistentry>
3723
<varlistentry><term><command>transfers-per-ns</command></term>
3724
<listitem><para>The maximum number of inbound zone transfers
3725
that can be concurrently transferring from a given remote name server.
3726
The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
3727
speed up the convergence of slave zones, but it also may increase
3728
the load on the remote name server. <command>transfers-per-ns</command> may
3729
be overridden on a per-server basis by using the <command>transfers</command> phrase
3730
of the <command>server</command> statement.</para>
3731
</listitem></varlistentry>
3733
<varlistentry><term><command>transfer-source</command></term>
3734
<listitem><para><command>transfer-source</command> determines
3735
which local address will be bound to IPv4 TCP connections used to
3736
fetch zones transferred inbound by the server. It also determines
3737
the source IPv4 address, and optionally the UDP port, used for the
3738
refresh queries and forwarded dynamic updates. If not set, it defaults
3739
to a system controlled value which will usually be the address of
3740
the interface "closest to" the remote end. This address must appear
3741
in the remote end's <command>allow-transfer</command> option for
3742
the zone being transferred, if one is specified. This statement
3743
sets the <command>transfer-source</command> for all zones, but can
3744
be overridden on a per-view or per-zone basis by including a
3745
<command>transfer-source</command> statement within the
3746
<command>view</command> or <command>zone</command> block
3747
in the configuration file.</para>
3748
</listitem></varlistentry>
3750
<varlistentry><term><command>transfer-source-v6</command></term>
3751
<listitem><para>The same as <command>transfer-source</command>,
3752
except zone transfers are performed using IPv6.</para>
3753
</listitem></varlistentry>
3756
<term><command>alt-transfer-source</command></term>
3759
An alternate transfer source if the one listed in
3760
<command>transfer-source</command> fails and
3761
<command>use-alt-transfer-source</command> is
6271
<term><command>use-queryport-pool</command></term>
6274
This option is obsolete.
6280
<term><command>queryport-pool-ports</command></term>
6283
This option is obsolete.
6289
<term><command>queryport-pool-updateinterval</command></term>
6292
This option is obsolete.
6300
The address specified in the <command>query-source</command> option
6301
is used for both UDP and TCP queries, but the port applies only
6302
to UDP queries. TCP queries always use a random
6308
Solaris 2.5.1 and earlier does not support setting the source
6309
address for TCP sockets.
6314
See also <command>transfer-source</command> and
6315
<command>notify-source</command>.
6320
<sect3 id="zone_transfers">
6321
<title>Zone Transfers</title>
6323
<acronym>BIND</acronym> has mechanisms in place to
6324
facilitate zone transfers
6325
and set limits on the amount of load that transfers place on the
6326
system. The following options apply to zone transfers.
6332
<term><command>also-notify</command></term>
6335
Defines a global list of IP addresses of name servers
6336
that are also sent NOTIFY messages whenever a fresh copy of
6338
zone is loaded, in addition to the servers listed in the
6340
This helps to ensure that copies of the zones will
6341
quickly converge on stealth servers. If an <command>also-notify</command> list
6342
is given in a <command>zone</command> statement,
6344
the <command>options also-notify</command>
6345
statement. When a <command>zone notify</command>
6347
is set to <command>no</command>, the IP
6348
addresses in the global <command>also-notify</command> list will
6349
not be sent NOTIFY messages for that zone. The default is
6351
list (no global notification list).
6357
<term><command>max-transfer-time-in</command></term>
6360
Inbound zone transfers running longer than
6361
this many minutes will be terminated. The default is 120
6363
(2 hours). The maximum value is 28 days (40320 minutes).
6369
<term><command>max-transfer-idle-in</command></term>
6372
Inbound zone transfers making no progress
6373
in this many minutes will be terminated. The default is 60
6375
(1 hour). The maximum value is 28 days (40320 minutes).
6381
<term><command>max-transfer-time-out</command></term>
6384
Outbound zone transfers running longer than
6385
this many minutes will be terminated. The default is 120
6387
(2 hours). The maximum value is 28 days (40320 minutes).
6393
<term><command>max-transfer-idle-out</command></term>
6396
Outbound zone transfers making no progress
6397
in this many minutes will be terminated. The default is 60
6399
hour). The maximum value is 28 days (40320 minutes).
6405
<term><command>serial-query-rate</command></term>
6408
Slave servers will periodically query master servers
6409
to find out if zone serial numbers have changed. Each such
6411
a minute amount of the slave server's network bandwidth. To
6413
amount of bandwidth used, BIND 9 limits the rate at which
6415
sent. The value of the <command>serial-query-rate</command> option,
6416
an integer, is the maximum number of queries sent per
6424
<term><command>serial-queries</command></term>
6427
In BIND 8, the <command>serial-queries</command>
6429
set the maximum number of concurrent serial number queries
6430
allowed to be outstanding at any given time.
6431
BIND 9 does not limit the number of outstanding
6432
serial queries and ignores the <command>serial-queries</command> option.
6433
Instead, it limits the rate at which the queries are sent
6434
as defined using the <command>serial-query-rate</command> option.
6440
<term><command>transfer-format</command></term>
6444
Zone transfers can be sent using two different formats,
6445
<command>one-answer</command> and
6446
<command>many-answers</command>.
6447
The <command>transfer-format</command> option is used
6448
on the master server to determine which format it sends.
6449
<command>one-answer</command> uses one DNS message per
6450
resource record transferred.
6451
<command>many-answers</command> packs as many resource
6452
records as possible into a message.
6453
<command>many-answers</command> is more efficient, but is
6454
only supported by relatively new slave servers,
6455
such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6456
8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6457
The <command>many-answers</command> format is also supported by
6458
recent Microsoft Windows nameservers.
6459
The default is <command>many-answers</command>.
6460
<command>transfer-format</command> may be overridden on a
6461
per-server basis by using the <command>server</command>
6469
<term><command>transfers-in</command></term>
6472
The maximum number of inbound zone transfers
6473
that can be running concurrently. The default value is <literal>10</literal>.
6474
Increasing <command>transfers-in</command> may
6475
speed up the convergence
6476
of slave zones, but it also may increase the load on the
6483
<term><command>transfers-out</command></term>
6486
The maximum number of outbound zone transfers
6487
that can be running concurrently. Zone transfer requests in
6489
of the limit will be refused. The default value is <literal>10</literal>.
6495
<term><command>transfers-per-ns</command></term>
6498
The maximum number of inbound zone transfers
6499
that can be concurrently transferring from a given remote
6501
The default value is <literal>2</literal>.
6502
Increasing <command>transfers-per-ns</command>
6504
speed up the convergence of slave zones, but it also may
6506
the load on the remote name server. <command>transfers-per-ns</command> may
6507
be overridden on a per-server basis by using the <command>transfers</command> phrase
6508
of the <command>server</command> statement.
6514
<term><command>transfer-source</command></term>
6516
<para><command>transfer-source</command>
6517
determines which local address will be bound to IPv4
6518
TCP connections used to fetch zones transferred
6519
inbound by the server. It also determines the
6520
source IPv4 address, and optionally the UDP port,
6521
used for the refresh queries and forwarded dynamic
6522
updates. If not set, it defaults to a system
6523
controlled value which will usually be the address
6524
of the interface "closest to" the remote end. This
6525
address must appear in the remote end's
6526
<command>allow-transfer</command> option for the
6527
zone being transferred, if one is specified. This
6529
<command>transfer-source</command> for all zones,
6530
but can be overridden on a per-view or per-zone
6531
basis by including a
6532
<command>transfer-source</command> statement within
6533
the <command>view</command> or
6534
<command>zone</command> block in the configuration
6539
Solaris 2.5.1 and earlier does not support setting the
6540
source address for TCP sockets.
6547
<term><command>transfer-source-v6</command></term>
6550
The same as <command>transfer-source</command>,
6551
except zone transfers are performed using IPv6.
6557
<term><command>alt-transfer-source</command></term>
6560
An alternate transfer source if the one listed in
6561
<command>transfer-source</command> fails and
6562
<command>use-alt-transfer-source</command> is
3765
6566
If you do not wish the alternate transfer source
3766
to be used you should set
6567
to be used, you should set
3767
6568
<command>use-alt-transfer-source</command>
3768
6569
appropriately and you should not depend upon
3769
6570
getting a answer back to the first refresh
3775
<varlistentry><term><command>alt-transfer-source-v6</command></term>
3776
<listitem><para>An alternate transfer source if the one listed in
3777
<command>transfer-source-v6</command> fails and
3778
<command>use-alt-transfer-source</command> is set.</para>
3779
</listitem></varlistentry>
3781
<varlistentry><term><command>use-alt-transfer-source</command></term>
3782
<listitem><para>Use the alternate transfer sources or not. If views are
3783
specified this defaults to <command>no</command> otherwise it defaults to
3784
<command>yes</command> (for BIND 8 compatibility).</para>
3785
</listitem></varlistentry>
3787
<varlistentry><term><command>notify-source</command></term>
3788
<listitem><para><command>notify-source</command> determines
3789
which local source address, and optionally UDP port, will be used to
3790
send NOTIFY messages.
3791
This address must appear in the slave server's <command>masters</command>
3792
zone clause or in an <command>allow-notify</command> clause.
3793
This statement sets the <command>notify-source</command> for all zones,
3794
but can be overridden on a per-zone / per-view basis by including a
3795
<command>notify-source</command> statement within the <command>zone</command>
3796
or <command>view</command> block in the configuration file.</para>
3797
</listitem></varlistentry>
3799
<varlistentry><term><command>notify-source-v6</command></term>
3800
<listitem><para>Like <command>notify-source</command>,
3801
but applies to notify messages sent to IPv6 addresses.</para>
3802
</listitem></varlistentry>
3809
<title>Bad UDP Port Lists</title>
3811
<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
3812
specify a list of IPv4 and IPv6 UDP ports that will not be used as system
3813
assigned source ports for UDP sockets. These lists prevent named
3814
from choosing as its random source port a port that is blocked by
3815
your firewall. If a query went out with such a source port, the
3816
answer would not get by the firewall and the name server would have
3822
<title>Operating System Resource Limits</title>
3824
<para>The server's usage of many system resources can be limited.
3825
Scaled values are allowed when specifying resource limits. For
3826
example, <command>1G</command> can be used instead of
3827
<command>1073741824</command> to specify a limit of one
3828
gigabyte. <command>unlimited</command> requests unlimited use, or the
3829
maximum available amount. <command>default</command> uses the limit
3830
that was in force when the server was started. See the description of
3831
<command>size_spec</command> in <xref
3832
linkend="configuration_file_elements"/>.</para>
3834
<para>The following options set operating system resource limits for
3835
the name server process. Some operating systems don't support some or
3836
any of the limits. On such systems, a warning will be issued if the
3837
unsupported limit is used.</para>
3841
<varlistentry><term><command>coresize</command></term>
3842
<listitem><para>The maximum size of a core dump. The default
3843
is <literal>default</literal>.</para>
3844
</listitem></varlistentry>
3846
<varlistentry><term><command>datasize</command></term>
3847
<listitem><para>The maximum amount of data memory the server
3848
may use. The default is <literal>default</literal>.
3849
This is a hard limit on server memory usage.
3850
If the server attempts to allocate memory in excess of this
3851
limit, the allocation will fail, which may in turn leave
3852
the server unable to perform DNS service. Therefore,
3853
this option is rarely useful as a way of limiting the
3854
amount of memory used by the server, but it can be used
3855
to raise an operating system data size limit that is
3856
too small by default. If you wish to limit the amount
3857
of memory used by the server, use the
3858
<command>max-cache-size</command> and
3859
<command>recursive-clients</command>
3861
</para></listitem></varlistentry>
3863
<varlistentry><term><command>files</command></term>
3864
<listitem><para>The maximum number of files the server
3865
may have open concurrently. The default is <literal>unlimited</literal>.
3867
</listitem></varlistentry>
3869
<varlistentry><term><command>stacksize</command></term>
3870
<listitem><para>The maximum amount of stack memory the server
3871
may use. The default is <literal>default</literal>.</para>
3872
</listitem></varlistentry>
3879
<title>Server Resource Limits</title>
3881
<para>The following options set limits on the server's
3882
resource consumption that are enforced internally by the
3883
server rather than the operating system.</para>
3887
<varlistentry><term><command>max-ixfr-log-size</command></term>
3888
<listitem><para>This option is obsolete; it is accepted
3889
and ignored for BIND 8 compatibility. The option
3890
<command>max-journal-size</command> performs a similar
3893
</listitem></varlistentry>
3895
<varlistentry><term><command>max-journal-size</command></term>
3896
<listitem><para>Sets a maximum size for each journal file
3897
(<xref linkend="journal"/>). When the journal file approaches
3898
the specified size, some of the oldest transactions in the journal
3899
will be automatically removed. The default is
3900
<literal>unlimited</literal>.</para>
3901
</listitem></varlistentry>
3903
<varlistentry><term><command>host-statistics-max</command></term>
3904
<listitem><para>In BIND 8, specifies the maximum number of host statistic
3906
Not implemented in BIND 9.
3907
</para></listitem></varlistentry>
3909
<varlistentry><term><command>recursive-clients</command></term>
3910
<listitem><para>The maximum number of simultaneous recursive lookups
3911
the server will perform on behalf of clients. The default is
3912
<literal>1000</literal>. Because each recursing client uses a fair
3913
bit of memory, on the order of 20 kilobytes, the value of the
3914
<command>recursive-clients</command> option may have to be decreased
3915
on hosts with limited memory.
3917
</listitem></varlistentry>
3919
<varlistentry><term><command>tcp-clients</command></term>
3920
<listitem><para>The maximum number of simultaneous client TCP
3921
connections that the server will accept.
3922
The default is <literal>100</literal>.</para>
3923
</listitem></varlistentry>
3925
<varlistentry><term><command>max-cache-size</command></term>
3926
<listitem><para>The maximum amount of memory to use for the
3927
server's cache, in bytes. When the amount of data in the cache
3928
reaches this limit, the server will cause records to expire
3929
prematurely so that the limit is not exceeded. In a server with
3930
multiple views, the limit applies separately to the cache of each
3931
view. The default is <literal>unlimited</literal>, meaning that
3932
records are purged from the cache only when their TTLs expire.
3934
</listitem></varlistentry>
3936
<varlistentry><term><command>tcp-listen-queue</command></term>
3937
<listitem><para>The listen queue depth. The default and minimum is 3.
3938
If the kernel supports the accept filter "dataready" this also controls how
3939
many TCP connections that will be queued in kernel space waiting for
3940
some data before being passed to accept. Values less than 3 will be
3943
</listitem></varlistentry>
3949
<sect3><title>Periodic Task Intervals</title>
3953
<varlistentry><term><command>cleaning-interval</command></term>
3954
<listitem><para>The server will remove expired resource records
3955
from the cache every <command>cleaning-interval</command> minutes.
3956
The default is 60 minutes. The maximum value is 28 days (40320 minutes).
3957
If set to 0, no periodic cleaning will occur.</para>
3958
</listitem></varlistentry>
3960
<varlistentry><term><command>heartbeat-interval</command></term>
3961
<listitem><para>The server will perform zone maintenance tasks
3962
for all zones marked as <command>dialup</command> whenever this
3963
interval expires. The default is 60 minutes. Reasonable values are up
3964
to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
3965
If set to 0, no zone maintenance for these zones will occur.</para>
3966
</listitem></varlistentry>
3968
<varlistentry><term><command>interface-interval</command></term>
3969
<listitem><para>The server will scan the network interface list
3970
every <command>interface-interval</command> minutes. The default
3971
is 60 minutes. The maximum value is 28 days (40320 minutes).
3972
If set to 0, interface scanning will only occur when
3973
the configuration file is loaded. After the scan, the server will
3974
begin listening for queries on any newly discovered
3975
interfaces (provided they are allowed by the
3976
<command>listen-on</command> configuration), and will
3977
stop listening on interfaces that have gone away.</para>
3978
</listitem></varlistentry>
3980
<varlistentry><term><command>statistics-interval</command></term>
3981
<listitem><para>Name server statistics will be logged
3982
every <command>statistics-interval</command> minutes. The default is
3983
60. The maximum value is 28 days (40320 minutes).
3984
If set to 0, no statistics will be logged.</para><note>
3985
<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
3986
</listitem></varlistentry>
3992
<sect3 id="topology"><title>Topology</title>
3994
<para>All other things being equal, when the server chooses a name server
3995
to query from a list of name servers, it prefers the one that is
3996
topologically closest to itself. The <command>topology</command> statement
3997
takes an <command>address_match_list</command> and interprets it
3998
in a special way. Each top-level list element is assigned a distance.
3999
Non-negated elements get a distance based on their position in the
4000
list, where the closer the match is to the start of the list, the
4001
shorter the distance is between it and the server. A negated match
4002
will be assigned the maximum distance from the server. If there
4003
is no match, the address will get a distance which is further than
4004
any non-negated list element, and closer than any negated element.
6577
<term><command>alt-transfer-source-v6</command></term>
6580
An alternate transfer source if the one listed in
6581
<command>transfer-source-v6</command> fails and
6582
<command>use-alt-transfer-source</command> is
6589
<term><command>use-alt-transfer-source</command></term>
6592
Use the alternate transfer sources or not. If views are
6593
specified this defaults to <command>no</command>
6594
otherwise it defaults to
6595
<command>yes</command> (for BIND 8
6602
<term><command>notify-source</command></term>
6604
<para><command>notify-source</command>
6605
determines which local source address, and
6606
optionally UDP port, will be used to send NOTIFY
6607
messages. This address must appear in the slave
6608
server's <command>masters</command> zone clause or
6609
in an <command>allow-notify</command> clause. This
6610
statement sets the <command>notify-source</command>
6611
for all zones, but can be overridden on a per-zone or
6612
per-view basis by including a
6613
<command>notify-source</command> statement within
6614
the <command>zone</command> or
6615
<command>view</command> block in the configuration
6620
Solaris 2.5.1 and earlier does not support setting the
6621
source address for TCP sockets.
6628
<term><command>notify-source-v6</command></term>
6631
Like <command>notify-source</command>,
6632
but applies to notify messages sent to IPv6 addresses.
6642
<title>Bad UDP Port Lists</title>
6643
<para><command>avoid-v4-udp-ports</command>
6644
and <command>avoid-v6-udp-ports</command> specify a list
6645
of IPv4 and IPv6 UDP ports that will not be used as system
6646
assigned source ports for UDP sockets. These lists
6647
prevent named from choosing as its random source port a
6648
port that is blocked by your firewall. If a query went
6649
out with such a source port, the answer would not get by
6650
the firewall and the name server would have to query
6656
<title>Operating System Resource Limits</title>
6659
The server's usage of many system resources can be limited.
6660
Scaled values are allowed when specifying resource limits. For
6661
example, <command>1G</command> can be used instead of
6662
<command>1073741824</command> to specify a limit of
6664
gigabyte. <command>unlimited</command> requests
6665
unlimited use, or the
6666
maximum available amount. <command>default</command>
6668
that was in force when the server was started. See the description
6669
of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
6673
The following options set operating system resource limits for
6674
the name server process. Some operating systems don't support
6676
any of the limits. On such systems, a warning will be issued if
6678
unsupported limit is used.
6684
<term><command>coresize</command></term>
6687
The maximum size of a core dump. The default
6688
is <literal>default</literal>.
6694
<term><command>datasize</command></term>
6697
The maximum amount of data memory the server
6698
may use. The default is <literal>default</literal>.
6699
This is a hard limit on server memory usage.
6700
If the server attempts to allocate memory in excess of this
6701
limit, the allocation will fail, which may in turn leave
6702
the server unable to perform DNS service. Therefore,
6703
this option is rarely useful as a way of limiting the
6704
amount of memory used by the server, but it can be used
6705
to raise an operating system data size limit that is
6706
too small by default. If you wish to limit the amount
6707
of memory used by the server, use the
6708
<command>max-cache-size</command> and
6709
<command>recursive-clients</command>
6716
<term><command>files</command></term>
6719
The maximum number of files the server
6720
may have open concurrently. The default is <literal>unlimited</literal>.
6726
<term><command>stacksize</command></term>
6729
The maximum amount of stack memory the server
6730
may use. The default is <literal>default</literal>.
6740
<title>Server Resource Limits</title>
6743
The following options set limits on the server's
6744
resource consumption that are enforced internally by the
6745
server rather than the operating system.
6751
<term><command>max-ixfr-log-size</command></term>
6754
This option is obsolete; it is accepted
6755
and ignored for BIND 8 compatibility. The option
6756
<command>max-journal-size</command> performs a
6757
similar function in BIND 9.
6763
<term><command>max-journal-size</command></term>
6766
Sets a maximum size for each journal file
6767
(see <xref linkend="journal"/>). When the journal file
6769
the specified size, some of the oldest transactions in the
6771
will be automatically removed. The default is
6772
<literal>unlimited</literal>.
6778
<term><command>host-statistics-max</command></term>
6781
In BIND 8, specifies the maximum number of host statistics
6783
Not implemented in BIND 9.
6789
<term><command>recursive-clients</command></term>
6792
The maximum number of simultaneous recursive lookups
6793
the server will perform on behalf of clients. The default
6795
<literal>1000</literal>. Because each recursing
6797
bit of memory, on the order of 20 kilobytes, the value of
6799
<command>recursive-clients</command> option may
6800
have to be decreased
6801
on hosts with limited memory.
6807
<term><command>tcp-clients</command></term>
6810
The maximum number of simultaneous client TCP
6811
connections that the server will accept.
6812
The default is <literal>100</literal>.
6818
<term><command>reserved-sockets</command></term>
6821
The number of file descriptors reserved for TCP, stdio,
6822
etc. This needs to be big enough to cover the number of
6823
interfaces named listens on, tcp-clients as well as
6824
to provide room for outgoing TCP queries and incoming zone
6825
transfers. The default is <literal>512</literal>.
6826
The minimum value is <literal>128</literal> and the
6827
maximum value is <literal>128</literal> less than
6828
'files' or FD_SETSIZE (whichever is smaller). This
6829
option may be removed in the future.
6835
<term><command>max-cache-size</command></term>
6838
The maximum amount of memory to use for the
6839
server's cache, in bytes. When the amount of data in the
6841
reaches this limit, the server will cause records to expire
6842
prematurely so that the limit is not exceeded. In a server
6844
multiple views, the limit applies separately to the cache of
6846
view. The default is <literal>32M</literal>.
6852
<term><command>tcp-listen-queue</command></term>
6855
The listen queue depth. The default and minimum is 3.
6856
If the kernel supports the accept filter "dataready" this
6858
many TCP connections that will be queued in kernel space
6860
some data before being passed to accept. Values less than 3
6872
<title>Periodic Task Intervals</title>
6877
<term><command>cleaning-interval</command></term>
6880
This interval is effectively obsolete. Previously,
6881
the server would remove expired resource records
6882
from the cache every <command>cleaning-interval</command> minutes.
6883
<acronym>BIND</acronym> 9 now manages cache
6884
memory in a more sophisticated manner and does not
6885
rely on the periodic cleaning any more.
6886
Specifying this option therefore has no effect on
6887
the server's behavior.
6893
<term><command>heartbeat-interval</command></term>
6896
The server will perform zone maintenance tasks
6897
for all zones marked as <command>dialup</command> whenever this
6898
interval expires. The default is 60 minutes. Reasonable
6900
to 1 day (1440 minutes). The maximum value is 28 days
6902
If set to 0, no zone maintenance for these zones will occur.
6908
<term><command>interface-interval</command></term>
6911
The server will scan the network interface list
6912
every <command>interface-interval</command>
6913
minutes. The default
6914
is 60 minutes. The maximum value is 28 days (40320 minutes).
6915
If set to 0, interface scanning will only occur when
6916
the configuration file is loaded. After the scan, the
6918
begin listening for queries on any newly discovered
6919
interfaces (provided they are allowed by the
6920
<command>listen-on</command> configuration), and
6922
stop listening on interfaces that have gone away.
6928
<term><command>statistics-interval</command></term>
6931
Name server statistics will be logged
6932
every <command>statistics-interval</command>
6933
minutes. The default is
6934
60. The maximum value is 28 days (40320 minutes).
6935
If set to 0, no statistics will be logged.
6938
Not yet implemented in
6939
<acronym>BIND</acronym> 9.
6949
<sect3 id="topology">
6950
<title>Topology</title>
6953
All other things being equal, when the server chooses a name
6955
to query from a list of name servers, it prefers the one that is
6956
topologically closest to itself. The <command>topology</command> statement
6957
takes an <command>address_match_list</command> and
6959
in a special way. Each top-level list element is assigned a
6961
Non-negated elements get a distance based on their position in the
6962
list, where the closer the match is to the start of the list, the
6963
shorter the distance is between it and the server. A negated match
6964
will be assigned the maximum distance from the server. If there
6965
is no match, the address will get a distance which is further than
6966
any non-negated list element, and closer than any negated element.
4006
6970
<programlisting>topology {
4009
6973
{ 1.2/16; 3/8; };
4010
6974
};</programlisting>
4011
<para>will prefer servers on network 10 the most, followed by hosts
4012
on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
4013
exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
4014
is preferred least of all.</para>
4015
<para>The default topology is</para>
6977
will prefer servers on network 10 the most, followed by hosts
6978
on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
6979
exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
6980
is preferred least of all.
6983
The default topology is
4016
6986
<programlisting> topology { localhost; localnets; };
4017
6987
</programlisting>
4018
<note><simpara>The <command>topology</command> option
4019
is not implemented in <acronym>BIND</acronym> 9.
4023
<sect3 id="the_sortlist_statement">
4025
<title>The <command>sortlist</command> Statement</title>
4027
<para>The response to a DNS query may consist of multiple resource
4028
records (RRs) forming a resource records set (RRset).
4029
The name server will normally return the
4030
RRs within the RRset in an indeterminate order
4031
(but see the <command>rrset-order</command>
4032
statement in <xref linkend="rrset_ordering"/>).
4033
The client resolver code should rearrange the RRs as appropriate,
4034
that is, using any addresses on the local net in preference to other addresses.
4035
However, not all resolvers can do this or are correctly configured.
4036
When a client is using a local server the sorting can be performed
4037
in the server, based on the client's address. This only requires
4038
configuring the name servers, not all the clients.</para>
4040
<para>The <command>sortlist</command> statement (see below) takes
4041
an <command>address_match_list</command> and interprets it even
4042
more specifically than the <command>topology</command> statement
4043
does (<xref linkend="topology"/>).
4044
Each top level statement in the <command>sortlist</command> must
4045
itself be an explicit <command>address_match_list</command> with
4046
one or two elements. The first element (which may be an IP address,
4047
an IP prefix, an ACL name or a nested <command>address_match_list</command>)
4048
of each top level list is checked against the source address of
4049
the query until a match is found.</para>
4050
<para>Once the source address of the query has been matched, if
4051
the top level statement contains only one element, the actual primitive
4052
element that matched the source address is used to select the address
4053
in the response to move to the beginning of the response. If the
4054
statement is a list of two elements, then the second element is
4055
treated the same as the <command>address_match_list</command> in
4056
a <command>topology</command> statement. Each top level element
4057
is assigned a distance and the address in the response with the minimum
4058
distance is moved to the beginning of the response.</para>
4059
<para>In the following example, any queries received from any of
4060
the addresses of the host itself will get responses preferring addresses
4061
on any of the locally connected networks. Next most preferred are addresses
4062
on the 192.168.1/24 network, and after that either the 192.168.2/24
4064
192.168.3/24 network with no preference shown between these two
4065
networks. Queries received from a host on the 192.168.1/24 network
4066
will prefer other addresses on that network to the 192.168.2/24
4068
192.168.3/24 networks. Queries received from a host on the 192.168.4/24
4069
or the 192.168.5/24 network will only prefer other addresses on
4070
their directly connected networks.</para>
6991
The <command>topology</command> option
6992
is not implemented in <acronym>BIND</acronym> 9.
6997
<sect3 id="the_sortlist_statement">
6999
<title>The <command>sortlist</command> Statement</title>
7002
The response to a DNS query may consist of multiple resource
7003
records (RRs) forming a resource records set (RRset).
7004
The name server will normally return the
7005
RRs within the RRset in an indeterminate order
7006
(but see the <command>rrset-order</command>
7007
statement in <xref linkend="rrset_ordering"/>).
7008
The client resolver code should rearrange the RRs as appropriate,
7009
that is, using any addresses on the local net in preference to
7011
However, not all resolvers can do this or are correctly
7013
When a client is using a local server, the sorting can be performed
7014
in the server, based on the client's address. This only requires
7015
configuring the name servers, not all the clients.
7019
The <command>sortlist</command> statement (see below)
7021
an <command>address_match_list</command> and
7023
more specifically than the <command>topology</command>
7025
does (<xref linkend="topology"/>).
7026
Each top level statement in the <command>sortlist</command> must
7027
itself be an explicit <command>address_match_list</command> with
7028
one or two elements. The first element (which may be an IP
7030
an IP prefix, an ACL name or a nested <command>address_match_list</command>)
7031
of each top level list is checked against the source address of
7032
the query until a match is found.
7035
Once the source address of the query has been matched, if
7036
the top level statement contains only one element, the actual
7038
element that matched the source address is used to select the
7040
in the response to move to the beginning of the response. If the
7041
statement is a list of two elements, then the second element is
7042
treated the same as the <command>address_match_list</command> in
7043
a <command>topology</command> statement. Each top
7045
is assigned a distance and the address in the response with the
7047
distance is moved to the beginning of the response.
7050
In the following example, any queries received from any of
7051
the addresses of the host itself will get responses preferring
7053
on any of the locally connected networks. Next most preferred are
7055
on the 192.168.1/24 network, and after that either the
7058
192.168.3/24 network with no preference shown between these two
7059
networks. Queries received from a host on the 192.168.1/24 network
7060
will prefer other addresses on that network to the 192.168.2/24
7062
192.168.3/24 networks. Queries received from a host on the
7064
or the 192.168.5/24 network will only prefer other addresses on
7065
their directly connected networks.
4071
7068
<programlisting>sortlist {
4072
7069
{ localhost; // IF the local host
4073
7070
{ localnets; // THEN first fit on the
4085
7082
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
4087
7084
};</programlisting>
4088
<para>The following example will give reasonable behavior for the
4089
local host and hosts on directly connected networks. It is similar
4090
to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
4091
to queries from the local host will favor any of the directly connected
4092
networks. Responses sent to queries from any other hosts on a directly
4093
connected network will prefer addresses on that same network. Responses
4094
to other queries will not be sorted.</para>
7087
The following example will give reasonable behavior for the
7088
local host and hosts on directly connected networks. It is similar
7089
to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
7090
to queries from the local host will favor any of the directly
7092
networks. Responses sent to queries from any other hosts on a
7094
connected network will prefer addresses on that same network.
7096
to other queries will not be sorted.
4095
7099
<programlisting>sortlist {
4096
7100
{ localhost; localnets; };
4097
7101
{ localnets; };
4099
7103
</programlisting>
4101
<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
4102
<para>When multiple records are returned in an answer it may be
4103
useful to configure the order of the records placed into the response.
4104
The <command>rrset-order</command> statement permits configuration
4105
of the ordering of the records in a multiple record response.
4106
See also the <command>sortlist</command> statement,
4107
<xref linkend="the_sortlist_statement"/>.
4110
<para>An <command>order_spec</command> is defined as follows:</para>
4111
<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
4112
order <replaceable>ordering</replaceable>
4114
<para>If no class is specified, the default is <command>ANY</command>.
4115
If no type is specified, the default is <command>ANY</command>.
4116
If no name is specified, the default is "<command>*</command>".</para>
4117
<para>The legal values for <command>ordering</command> are:</para>
4118
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
4119
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
4120
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
4121
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
4124
<entry colname = "1"><para><command>fixed</command></para></entry>
4125
<entry colname = "2"><para>Records are returned in the order they
4126
are defined in the zone file.</para></entry>
4129
<entry colname = "1"><para><command>random</command></para></entry>
4130
<entry colname = "2"><para>Records are returned in some random order.</para></entry>
4133
<entry colname = "1"><para><command>cyclic</command></para></entry>
4134
<entry colname = "2"><para>Records are returned in a round-robin
4135
order.</para></entry>
4138
</tgroup></informaltable>
4139
<para>For example:</para>
7106
<sect3 id="rrset_ordering">
7107
<title id="rrset_ordering_title">RRset Ordering</title>
7109
When multiple records are returned in an answer it may be
7110
useful to configure the order of the records placed into the
7112
The <command>rrset-order</command> statement permits
7114
of the ordering of the records in a multiple record response.
7115
See also the <command>sortlist</command> statement,
7116
<xref linkend="the_sortlist_statement"/>.
7120
An <command>order_spec</command> is defined as
7124
<optional>class <replaceable>class_name</replaceable></optional>
7125
<optional>type <replaceable>type_name</replaceable></optional>
7126
<optional>name <replaceable>"domain_name"</replaceable></optional>
7127
order <replaceable>ordering</replaceable>
7130
If no class is specified, the default is <command>ANY</command>.
7131
If no type is specified, the default is <command>ANY</command>.
7132
If no name is specified, the default is "<command>*</command>" (asterisk).
7135
The legal values for <command>ordering</command> are:
7137
<informaltable colsep="0" rowsep="0">
7138
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7139
<colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
7140
<colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
7144
<para><command>fixed</command></para>
7148
Records are returned in the order they
7149
are defined in the zone file.
7155
<para><command>random</command></para>
7159
Records are returned in some random order.
7165
<para><command>cyclic</command></para>
7169
Records are returned in a cyclic round-robin order.
7172
If <acronym>BIND</acronym> is configured with the
7173
"--enable-fixed-rrset" option at compile time, then
7174
the initial ordering of the RRset will match the
7175
one specified in the zone file.
4140
7186
<programlisting>rrset-order {
4141
7187
class IN type A name "host.example.com" order random;
4144
7190
</programlisting>
4145
<para>will cause any responses for type A records in class IN that
4146
have "<literal>host.example.com</literal>" as a suffix, to always be returned
4147
in random order. All other records are returned in cyclic order.</para>
4148
<para>If multiple <command>rrset-order</command> statements appear,
4149
they are not combined — the last one applies.</para>
4152
<simpara>The <command>rrset-order</command> statement
4153
is not yet fully implemented in <acronym>BIND</acronym> 9.
4154
BIND 9 currently does not support "fixed" ordering.
4158
<sect3 id="tuning"><title>Tuning</title>
4162
<varlistentry><term><command>lame-ttl</command></term>
4163
<listitem><para>Sets the number of seconds to cache a
4164
lame server indication. 0 disables caching. (This is
4165
<emphasis role="bold">NOT</emphasis> recommended.)
4166
Default is <literal>600</literal> (10 minutes). Maximum value is
4167
<literal>1800</literal> (30 minutes).</para>
4169
</listitem></varlistentry>
4171
<varlistentry><term><command>max-ncache-ttl</command></term>
4172
<listitem><para>To reduce network traffic and increase performance
4173
the server stores negative answers. <command>max-ncache-ttl</command> is
4174
used to set a maximum retention time for these answers in the server
4175
in seconds. The default
4176
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
4177
<command>max-ncache-ttl</command> cannot exceed 7 days and will
4178
be silently truncated to 7 days if set to a greater value.</para>
4179
</listitem></varlistentry>
4181
<varlistentry><term><command>max-cache-ttl</command></term>
4182
<listitem><para><command>max-cache-ttl</command> sets
4183
the maximum time for which the server will cache ordinary (positive)
4184
answers. The default is one week (7 days).</para>
4185
</listitem></varlistentry>
4187
<varlistentry><term><command>min-roots</command></term>
4188
<listitem><para>The minimum number of root servers that
4189
is required for a request for the root servers to be accepted. Default
4190
is <userinput>2</userinput>.</para>
4192
<simpara>Not implemented in <acronym>BIND</acronym>9.</simpara></note>
4193
</listitem></varlistentry>
4195
<varlistentry><term><command>sig-validity-interval</command></term>
4196
<listitem><para>Specifies the number of days into the
4197
future when DNSSEC signatures automatically generated as a result
4198
of dynamic updates (<xref linkend="dynamic_update"/>)
4199
will expire. The default is <literal>30</literal> days.
4200
The maximum value is 10 years (3660 days). The signature
4201
inception time is unconditionally set to one hour before the current time
4202
to allow for a limited amount of clock skew.</para>
4203
</listitem></varlistentry>
4206
<term><command>min-refresh-time</command></term>
4207
<term><command>max-refresh-time</command></term>
4208
<term><command>min-retry-time</command></term>
4209
<term><command>max-retry-time</command></term>
4211
These options control the server's behavior on refreshing a zone
4212
(querying for SOA changes) or retrying failed transfers.
4213
Usually the SOA values for the zone are used, but these values
4214
are set by the master, giving slave server administrators little
4215
control over their contents.
4217
These options allow the administrator to set a minimum and maximum
4218
refresh and retry time either per-zone, per-view, or globally.
4219
These options are valid for slave and stub zones,
4220
and clamp the SOA refresh and retry times to the specified values.
4221
</para></listitem></varlistentry>
4224
<term><command>edns-udp-size</command></term>
4226
<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
4227
size. Valid values are 512 to 4096 (values outside this range will be
4228
silently adjusted). The default value is 4096. The usual reason for
4229
setting edns-udp-size to a non default value it to get UDP answers to
4230
pass through broken firewalls that block fragmented packets and/or
4231
block UDP packets that are greater than 512 bytes.
4232
</para></listitem></varlistentry>
4237
<sect3 id="builtin">
4238
<title>Built-in server information zones</title>
4240
<para>The server provides some helpful diagnostic information
4241
through a number of built-in zones under the
4242
pseudo-top-level-domain <literal>bind</literal> in the
4243
<command>CHAOS</command> class. These zones are part of a
4244
built-in view (see <xref linkend="view_statement_grammar"/>) of class
4245
<command>CHAOS</command> which is separate from the default view of
4246
class <command>IN</command>; therefore, any global server options
4247
such as <command>allow-query</command> do not apply the these zones.
4248
If you feel the need to disable these zones, use the options
4249
below, or hide the built-in <command>CHAOS</command> view by
4250
defining an explicit view of class <command>CHAOS</command>
4251
that matches all clients.</para>
4255
<varlistentry><term><command>version</command></term>
4256
<listitem><para>The version the server should report
4257
via a query of the name <literal>version.bind</literal>
4258
with type <command>TXT</command>, class <command>CHAOS</command>.
4259
The default is the real version number of this server.
4260
Specifying <command>version none</command>
4261
disables processing of the queries.</para>
4262
</listitem></varlistentry>
4264
<varlistentry><term><command>hostname</command></term>
4265
<listitem><para>The hostname the server should report via a query of
4266
the name <filename>hostname.bind</filename>
4267
with type <command>TXT</command>, class <command>CHAOS</command>.
4268
This defaults to the hostname of the machine hosting the name server as
4269
found by gethostname(). The primary purpose of such queries is to
4270
identify which of a group of anycast servers is actually
4271
answering your queries. Specifying <command>hostname none;</command>
4272
disables processing of the queries.</para>
4273
</listitem></varlistentry>
4275
<varlistentry><term><command>server-id</command></term>
4276
<listitem><para>The ID of the server should report via a query of
4277
the name <filename>ID.SERVER</filename>
4278
with type <command>TXT</command>, class <command>CHAOS</command>.
4279
The primary purpose of such queries is to
4280
identify which of a group of anycast servers is actually
4281
answering your queries. Specifying <command>server-id none;</command>
4282
disables processing of the queries.
4283
Specifying <command>server-id hostname;</command> will cause named to
4284
use the hostname as found by gethostname().
4285
The default <command>server-id</command> is <command>none</command>.
4287
</listitem></varlistentry>
4293
<sect3 id="statsfile">
4294
<title>The Statistics File</title>
4296
<para>The statistics file generated by <acronym>BIND</acronym> 9
4297
is similar, but not identical, to that
4298
generated by <acronym>BIND</acronym> 8.
4300
<para>The statistics dump begins with the line <command>+++ Statistics Dump
4301
+++ (973798949)</command>, where the number in parentheses is a standard
4302
Unix-style timestamp, measured as seconds since January 1, 1970. Following
4303
that line are a series of lines containing a counter type, the value of the
4304
counter, optionally a zone name, and optionally a view name.
4305
The lines without view and zone listed are global statistics for the entire server.
4306
Lines with a zone and view name for the given view and zone (the view name is
4307
omitted for the default view). The statistics dump ends
4308
with the line <command>--- Statistics Dump --- (973798949)</command>, where the
4309
number is identical to the number in the beginning line.</para>
4310
<para>The following statistics counters are maintained:</para>
4312
colsep = "0" rowsep = "0"><tgroup cols = "2"
4313
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
4314
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
4315
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
4318
<entry colname = "1"><para><command>success</command></para></entry>
4319
<entry colname = "2"><para>The number of
4320
successful queries made to the server or zone. A successful query
4321
is defined as query which returns a NOERROR response with at least
4322
one answer RR.</para></entry>
4325
<entry colname = "1"><para><command>referral</command></para></entry>
4326
<entry colname = "2"><para>The number of queries which resulted
4327
in referral responses.</para></entry>
4330
<entry colname = "1"><para><command>nxrrset</command></para></entry>
4331
<entry colname = "2"><para>The number of queries which resulted in
4332
NOERROR responses with no data.</para></entry>
4335
<entry colname = "1"><para><command>nxdomain</command></para></entry>
4336
<entry colname = "2"><para>The number
4337
of queries which resulted in NXDOMAIN responses.</para></entry>
4340
<entry colname = "1"><para><command>failure</command></para></entry>
4341
<entry colname = "2"><para>The number of queries which resulted in a
4342
failure response other than those above.</para></entry>
4345
<entry colname = "1"><para><command>recursion</command></para></entry>
4346
<entry colname = "2"><para>The number of queries which caused the server
4347
to perform recursion in order to find the final answer.</para></entry>
4350
</tgroup></informaltable>
4353
Each query received by the server will cause exactly one of
4354
<command>success</command>,
4355
<command>referral</command>,
4356
<command>nxrrset</command>,
4357
<command>nxdomain</command>, or
4358
<command>failure</command>
4359
to be incremented, and may additionally cause the
4360
<command>recursion</command> counter to be incremented.
4367
<sect2 id="server_statement_grammar">
4368
<title><command>server</command> Statement Grammar</title>
4370
<programlisting>server <replaceable>ip_addr</replaceable> {
7193
will cause any responses for type A records in class IN that
7194
have "<literal>host.example.com</literal>" as a
7195
suffix, to always be returned
7196
in random order. All other records are returned in cyclic order.
7199
If multiple <command>rrset-order</command> statements
7201
they are not combined — the last one applies.
7206
In this release of <acronym>BIND</acronym> 9, the
7207
<command>rrset-order</command> statement does not support
7208
"fixed" ordering by default. Fixed ordering can be enabled
7209
at compile time by specifying "--enable-fixed-rrset" on
7210
the "configure" command line.
7216
<title>Tuning</title>
7221
<term><command>lame-ttl</command></term>
7224
Sets the number of seconds to cache a
7225
lame server indication. 0 disables caching. (This is
7226
<emphasis role="bold">NOT</emphasis> recommended.)
7227
The default is <literal>600</literal> (10 minutes) and the
7229
<literal>1800</literal> (30 minutes).
7236
<term><command>max-ncache-ttl</command></term>
7239
To reduce network traffic and increase performance,
7240
the server stores negative answers. <command>max-ncache-ttl</command> is
7241
used to set a maximum retention time for these answers in
7243
in seconds. The default
7244
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7245
<command>max-ncache-ttl</command> cannot exceed
7247
be silently truncated to 7 days if set to a greater value.
7253
<term><command>max-cache-ttl</command></term>
7256
Sets the maximum time for which the server will
7257
cache ordinary (positive) answers. The default is
7264
<term><command>min-roots</command></term>
7267
The minimum number of root servers that
7268
is required for a request for the root servers to be
7269
accepted. The default
7270
is <userinput>2</userinput>.
7274
Not implemented in <acronym>BIND</acronym> 9.
7281
<term><command>sig-validity-interval</command></term>
7284
Specifies the number of days into the
7285
future when DNSSEC signatures automatically generated as a
7287
of dynamic updates (<xref linkend="dynamic_update"/>)
7288
will expire. The default is <literal>30</literal> days.
7289
The maximum value is 10 years (3660 days). The signature
7290
inception time is unconditionally set to one hour before the
7292
to allow for a limited amount of clock skew.
7298
<term><command>min-refresh-time</command></term>
7299
<term><command>max-refresh-time</command></term>
7300
<term><command>min-retry-time</command></term>
7301
<term><command>max-retry-time</command></term>
7304
These options control the server's behavior on refreshing a
7306
(querying for SOA changes) or retrying failed transfers.
7307
Usually the SOA values for the zone are used, but these
7309
are set by the master, giving slave server administrators
7311
control over their contents.
7314
These options allow the administrator to set a minimum and
7316
refresh and retry time either per-zone, per-view, or
7318
These options are valid for slave and stub zones,
7319
and clamp the SOA refresh and retry times to the specified
7326
<term><command>edns-udp-size</command></term>
7329
Sets the advertised EDNS UDP buffer size in bytes. Valid
7330
values are 512 to 4096 (values outside this range
7331
will be silently adjusted). The default value is
7332
4096. The usual reason for setting edns-udp-size to
7333
a non-default value is to get UDP answers to pass
7334
through broken firewalls that block fragmented
7335
packets and/or block UDP packets that are greater
7342
<term><command>max-udp-size</command></term>
7345
Sets the maximum EDNS UDP message size named will
7346
send in bytes. Valid values are 512 to 4096 (values outside
7347
this range will be silently adjusted). The default
7348
value is 4096. The usual reason for setting
7349
max-udp-size to a non-default value is to get UDP
7350
answers to pass through broken firewalls that
7351
block fragmented packets and/or block UDP packets
7352
that are greater than 512 bytes.
7353
This is independent of the advertised receive
7354
buffer (<command>edns-udp-size</command>).
7360
<term><command>masterfile-format</command></term>
7363
the file format of zone files (see
7364
<xref linkend="zonefile_format"/>).
7365
The default value is <constant>text</constant>, which is the
7366
standard textual representation. Files in other formats
7367
than <constant>text</constant> are typically expected
7368
to be generated by the <command>named-compilezone</command> tool.
7369
Note that when a zone file in a different format than
7370
<constant>text</constant> is loaded, <command>named</command>
7371
may omit some of the checks which would be performed for a
7372
file in the <constant>text</constant> format. In particular,
7373
<command>check-names</command> checks do not apply
7374
for the <constant>raw</constant> format. This means
7375
a zone file in the <constant>raw</constant> format
7376
must be generated with the same check level as that
7377
specified in the <command>named</command> configuration
7378
file. This statement sets the
7379
<command>masterfile-format</command> for all zones,
7380
but can be overridden on a per-zone or per-view basis
7381
by including a <command>masterfile-format</command>
7382
statement within the <command>zone</command> or
7383
<command>view</command> block in the configuration
7390
<term><command>clients-per-query</command></term>
7391
<term><command>max-clients-per-query</command></term>
7394
initial value (minimum) and maximum number of recursive
7395
simultanious clients for any given query
7396
(<qname,qtype,qclass>) that the server will accept
7397
before dropping additional clients. named will attempt to
7398
self tune this value and changes will be logged. The
7399
default values are 10 and 100.
7402
This value should reflect how many queries come in for
7403
a given name in the time it takes to resolve that name.
7404
If the number of queries exceed this value, named will
7405
assume that it is dealing with a non-responsive zone
7406
and will drop additional queries. If it gets a response
7407
after dropping queries, it will raise the estimate. The
7408
estimate will then be lowered in 20 minutes if it has
7412
If <command>clients-per-query</command> is set to zero,
7413
then there is no limit on the number of clients per query
7414
and no queries will be dropped.
7417
If <command>max-clients-per-query</command> is set to zero,
7418
then there is no upper bound other than imposed by
7419
<command>recursive-clients</command>.
7425
<term><command>notify-delay</command></term>
7428
The delay, in seconds, between sending sets of notify
7429
messages for a zone. The default is zero.
7437
<sect3 id="builtin">
7438
<title>Built-in server information zones</title>
7441
The server provides some helpful diagnostic information
7442
through a number of built-in zones under the
7443
pseudo-top-level-domain <literal>bind</literal> in the
7444
<command>CHAOS</command> class. These zones are part
7446
built-in view (see <xref linkend="view_statement_grammar"/>) of
7448
<command>CHAOS</command> which is separate from the
7450
class <command>IN</command>; therefore, any global
7452
such as <command>allow-query</command> do not apply
7454
If you feel the need to disable these zones, use the options
7455
below, or hide the built-in <command>CHAOS</command>
7457
defining an explicit view of class <command>CHAOS</command>
7458
that matches all clients.
7464
<term><command>version</command></term>
7467
The version the server should report
7468
via a query of the name <literal>version.bind</literal>
7469
with type <command>TXT</command>, class <command>CHAOS</command>.
7470
The default is the real version number of this server.
7471
Specifying <command>version none</command>
7472
disables processing of the queries.
7478
<term><command>hostname</command></term>
7481
The hostname the server should report via a query of
7482
the name <filename>hostname.bind</filename>
7483
with type <command>TXT</command>, class <command>CHAOS</command>.
7484
This defaults to the hostname of the machine hosting the
7486
found by the gethostname() function. The primary purpose of such queries
7488
identify which of a group of anycast servers is actually
7489
answering your queries. Specifying <command>hostname none;</command>
7490
disables processing of the queries.
7496
<term><command>server-id</command></term>
7499
The ID the server should report when receiving a Name
7500
Server Identifier (NSID) query, or a query of the name
7501
<filename>ID.SERVER</filename> with type
7502
<command>TXT</command>, class <command>CHAOS</command>.
7503
The primary purpose of such queries is to
7504
identify which of a group of anycast servers is actually
7505
answering your queries. Specifying <command>server-id none;</command>
7506
disables processing of the queries.
7507
Specifying <command>server-id hostname;</command> will cause named to
7508
use the hostname as found by the gethostname() function.
7509
The default <command>server-id</command> is <command>none</command>.
7519
<title>Built-in Empty Zones</title>
7521
Named has some built-in empty zones (SOA and NS records only).
7522
These are for zones that should normally be answered locally
7523
and which queries should not be sent to the Internet's root
7524
servers. The official servers which cover these namespaces
7525
return NXDOMAIN responses to these queries. In particular,
7526
these cover the reverse namespace for addresses from RFC 1918 and
7527
RFC 3330. They also include the reverse namespace for IPv6 local
7528
address (locally assigned), IPv6 link local addresses, the IPv6
7529
loopback address and the IPv6 unknown addresss.
7532
Named will attempt to determine if a built in zone already exists
7533
or is active (covered by a forward-only forwarding declaration)
7534
and will not not create a empty zone in that case.
7537
The current list of empty zones is:
7539
<listitem>10.IN-ADDR.ARPA</listitem>
7540
<listitem>127.IN-ADDR.ARPA</listitem>
7541
<listitem>254.169.IN-ADDR.ARPA</listitem>
7542
<listitem>16.172.IN-ADDR.ARPA</listitem>
7543
<listitem>17.172.IN-ADDR.ARPA</listitem>
7544
<listitem>18.172.IN-ADDR.ARPA</listitem>
7545
<listitem>19.172.IN-ADDR.ARPA</listitem>
7546
<listitem>20.172.IN-ADDR.ARPA</listitem>
7547
<listitem>21.172.IN-ADDR.ARPA</listitem>
7548
<listitem>22.172.IN-ADDR.ARPA</listitem>
7549
<listitem>23.172.IN-ADDR.ARPA</listitem>
7550
<listitem>24.172.IN-ADDR.ARPA</listitem>
7551
<listitem>25.172.IN-ADDR.ARPA</listitem>
7552
<listitem>26.172.IN-ADDR.ARPA</listitem>
7553
<listitem>27.172.IN-ADDR.ARPA</listitem>
7554
<listitem>28.172.IN-ADDR.ARPA</listitem>
7555
<listitem>29.172.IN-ADDR.ARPA</listitem>
7556
<listitem>30.172.IN-ADDR.ARPA</listitem>
7557
<listitem>31.172.IN-ADDR.ARPA</listitem>
7558
<listitem>168.192.IN-ADDR.ARPA</listitem>
7559
<listitem>2.0.192.IN-ADDR.ARPA</listitem>
7560
<listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7561
<listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7562
<listitem>D.F.IP6.ARPA</listitem>
7563
<listitem>8.E.F.IP6.ARPA</listitem>
7564
<listitem>9.E.F.IP6.ARPA</listitem>
7565
<listitem>A.E.F.IP6.ARPA</listitem>
7566
<listitem>B.E.F.IP6.ARPA</listitem>
7570
Empty zones are settable at the view level and only apply to
7571
views of class IN. Disabled empty zones are only inherited
7572
from options if there are no disabled empty zones specified
7573
at the view level. To override the options list of disabled
7574
zones, you can disable the root zone at the view level, for example:
7576
disable-empty-zone ".";
7580
If you are using the address ranges covered here, you should
7581
already have reverse zones covering the addresses you use.
7582
In practice this appears to not be the case with many queries
7583
being made to the infrastructure servers for names in these
7584
spaces. So many in fact that sacrificial servers were needed
7585
to be deployed to channel the query load away from the
7586
infrastructure servers.
7589
The real parent servers for these zones should disable all
7590
empty zone under the parent zone they serve. For the real
7591
root servers, this is all built in empty zones. This will
7592
enable them to return referrals to deeper in the tree.
7596
<term><command>empty-server</command></term>
7599
Specify what server name will appear in the returned
7600
SOA record for empty zones. If none is specified, then
7601
the zone's name will be used.
7607
<term><command>empty-contact</command></term>
7610
Specify what contact name will appear in the returned
7611
SOA record for empty zones. If none is specified, then
7618
<term><command>empty-zones-enable</command></term>
7621
Enable or disable all empty zones. By default they
7628
<term><command>disable-empty-zone</command></term>
7631
Disable individual empty zones. By default none are
7632
disabled. This option can be specified multiple times.
7640
<title>Additional Section Caching</title>
7643
The additional section cache, also called <command>acache</command>,
7644
is an internal cache to improve the response performance of BIND 9.
7645
When additional section caching is enabled, BIND 9 will
7646
cache an internal short-cut to the additional section content for
7648
Note that <command>acache</command> is an internal caching
7649
mechanism of BIND 9, and is not related to the DNS caching
7654
Additional section caching does not change the
7655
response content (except the RRsets ordering of the additional
7656
section, see below), but can improve the response performance
7658
It is particularly effective when BIND 9 acts as an authoritative
7659
server for a zone that has many delegations with many glue RRs.
7663
In order to obtain the maximum performance improvement
7664
from additional section caching, setting
7665
<command>additional-from-cache</command>
7666
to <command>no</command> is recommended, since the current
7667
implementation of <command>acache</command>
7668
does not short-cut of additional section information from the
7673
One obvious disadvantage of <command>acache</command> is
7674
that it requires much more
7675
memory for the internal cached data.
7676
Thus, if the response performance does not matter and memory
7677
consumption is much more critical, the
7678
<command>acache</command> mechanism can be
7679
disabled by setting <command>acache-enable</command> to
7680
<command>no</command>.
7681
It is also possible to specify the upper limit of memory
7683
for acache by using <command>max-acache-size</command>.
7687
Additional section caching also has a minor effect on the
7688
RRset ordering in the additional section.
7689
Without <command>acache</command>,
7690
<command>cyclic</command> order is effective for the additional
7691
section as well as the answer and authority sections.
7692
However, additional section caching fixes the ordering when it
7693
first caches an RRset for the additional section, and the same
7694
ordering will be kept in succeeding responses, regardless of the
7695
setting of <command>rrset-order</command>.
7696
The effect of this should be minor, however, since an
7697
RRset in the additional section
7698
typically only contains a small number of RRs (and in many cases
7699
it only contains a single RR), in which case the
7700
ordering does not matter much.
7704
The following is a summary of options related to
7705
<command>acache</command>.
7711
<term><command>acache-enable</command></term>
7714
If <command>yes</command>, additional section caching is
7715
enabled. The default value is <command>no</command>.
7721
<term><command>acache-cleaning-interval</command></term>
7724
The server will remove stale cache entries, based on an LRU
7726
algorithm, every <command>acache-cleaning-interval</command> minutes.
7727
The default is 60 minutes.
7728
If set to 0, no periodic cleaning will occur.
7734
<term><command>max-acache-size</command></term>
7737
The maximum amount of memory in bytes to use for the server's acache.
7738
When the amount of data in the acache reaches this limit,
7740
will clean more aggressively so that the limit is not
7742
In a server with multiple views, the limit applies
7744
acache of each view.
7745
The default is <literal>16M</literal>.
7756
<sect2 id="statschannels">
7757
<title><command>statistics-channels</command> Statement Grammar</title>
7759
<programlisting><command>statistics-channels</command> {
7760
[ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
7767
<title><command>statistics-channels</command> Statement Definition and
7771
The <command>statistics-channels</command> statement
7772
declares communication channels to be used by system
7773
administrators to get access to statistics information of
7778
This statement intends to be flexible to support multiple
7779
communication protocols in the future, but currently only
7780
HTTP access is supported.
7781
It requires that BIND 9 be compiled with libxml2;
7782
the <command>statistics-channels</command> statement is
7783
still accepted even if it is built without the library,
7784
but any HTTP access will fail with an error.
7788
An <command>inet</command> control channel is a TCP socket
7789
listening at the specified <command>ip_port</command> on the
7790
specified <command>ip_addr</command>, which can be an IPv4 or IPv6
7791
address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
7792
interpreted as the IPv4 wildcard address; connections will be
7793
accepted on any of the system's IPv4 addresses.
7794
To listen on the IPv6 wildcard address,
7795
use an <command>ip_addr</command> of <literal>::</literal>.
7799
If no port is specified, port 80 is used for HTTP channels.
7800
The asterisk "<literal>*</literal>" cannot be used for
7801
<command>ip_port</command>.
7805
The attempt of opening a statistics channel is
7806
restricted by the optional <command>allow</command> clause.
7807
Connections to the statistics channel are permitted based on the
7808
<command>address_match_list</command>.
7809
If no <command>allow</command> clause is present,
7810
<command>named</command> accepts connection
7811
attempts from any address; since the statistics may
7812
contain sensitive internal information, it is highly
7813
recommended to restrict the source of connection requests
7818
If no <command>statistics-channels</command> statement is present,
7819
<command>named</command> will not open any communication channels.
7824
<sect2 id="server_statement_grammar">
7825
<title><command>server</command> Statement Grammar</title>
7827
<programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
4371
7828
<optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
4372
7829
<optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4373
7830
<optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4374
7831
<optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
7832
<optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
7833
<optional> max-udp-size <replaceable>number</replaceable> ; </optional>
4375
7834
<optional> transfers <replaceable>number</replaceable> ; </optional>
4376
7835
<optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
4377
7836
<optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
4378
7837
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4379
7838
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7839
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7840
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7841
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7842
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7843
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
7844
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
7845
<optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
4381
7847
</programlisting>
4385
<sect2 id="server_statement_definition_and_usage">
4386
<title><command>server</command> Statement Definition and Usage</title>
4388
<para>The <command>server</command> statement defines characteristics
4389
to be associated with a remote name server.</para>
4392
The <command>server</command> statement can occur at the top level of the
4393
configuration file or inside a <command>view</command> statement.
4394
If a <command>view</command> statement contains
4395
one or more <command>server</command> statements, only those
4396
apply to the view and any top-level ones are ignored.
4397
If a view contains no <command>server</command> statements,
4398
any top-level <command>server</command> statements are used as
4402
<para>If you discover that a remote server is giving out bad data,
4403
marking it as bogus will prevent further queries to it. The default
4404
value of <command>bogus</command> is <command>no</command>.</para>
4405
<para>The <command>provide-ixfr</command> clause determines whether
4406
the local server, acting as master, will respond with an incremental
4407
zone transfer when the given remote server, a slave, requests it.
4408
If set to <command>yes</command>, incremental transfer will be provided
4409
whenever possible. If set to <command>no</command>, all transfers
4410
to the remote server will be non-incremental. If not set, the value
4411
of the <command>provide-ixfr</command> option in the view or
4412
global options block is used as a default.</para>
4414
<para>The <command>request-ixfr</command> clause determines whether
4415
the local server, acting as a slave, will request incremental zone
4416
transfers from the given remote server, a master. If not set, the
4417
value of the <command>request-ixfr</command> option in the view or
4418
global options block is used as a default.</para>
4420
<para>IXFR requests to servers that do not support IXFR will automatically
4421
fall back to AXFR. Therefore, there is no need to manually list
4422
which servers support IXFR and which ones do not; the global default
4423
of <command>yes</command> should always work.
4424
The purpose of the <command>provide-ixfr</command> and
4425
<command>request-ixfr</command> clauses is
4426
to make it possible to disable the use of IXFR even when both master
4427
and slave claim to support it, for example if one of the servers
4428
is buggy and crashes or corrupts data when IXFR is used.</para>
4430
<para>The <command>edns</command> clause determines whether the local server
4431
will attempt to use EDNS when communicating with the remote server. The
4432
default is <command>yes</command>.</para>
4434
<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
4435
uses one DNS message per resource record transferred. <command>many-answers</command> packs
4436
as many resource records as possible into a message. <command>many-answers</command> is
4437
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
4438
8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
4439
to use for a server with the <command>transfer-format</command> option.
4440
If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
4441
by the <command>options</command> statement will be used.</para>
4443
<para><command>transfers</command> is used to limit the number of
4444
concurrent inbound zone transfers from the specified server. If
4445
no <command>transfers</command> clause is specified, the limit is
4446
set according to the <command>transfers-per-ns</command> option.</para>
4448
<para>The <command>keys</command> clause identifies a
4449
<command>key_id</command> defined by the <command>key</command> statement,
4450
to be used for transaction security (TSIG, <xref linkend="tsig"/>)
4451
when talking to the remote server.
4452
When a request is sent to the remote server, a request signature
4453
will be generated using the key specified here and appended to the
4454
message. A request originating from the remote server is not required
4455
to be signed by this key.</para>
4457
<para>Although the grammar of the <command>keys</command> clause
4458
allows for multiple keys, only a single key per server is currently
4461
<para>The <command>transfer-source</command> and
4462
<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
4463
address to be used for zone transfer with the remote server, respectively.
4464
For an IPv4 remote server, only <command>transfer-source</command> can
4466
Similarly, for an IPv6 remote server, only
4467
<command>transfer-source-v6</command> can be specified.
4468
Form more details, see the description of
4469
<command>transfer-source</command> and
4470
<command>transfer-source-v6</command> in
4471
<xref linkend="zone_transfers"/>.</para>
4475
<sect2><title><command>trusted-keys</command> Statement Grammar</title>
4476
<programlisting>trusted-keys {
7851
<sect2 id="server_statement_definition_and_usage">
7852
<title><command>server</command> Statement Definition and
7856
The <command>server</command> statement defines
7858
to be associated with a remote name server. If a prefix length is
7859
specified, then a range of servers is covered. Only the most
7861
server clause applies regardless of the order in
7862
<filename>named.conf</filename>.
7866
The <command>server</command> statement can occur at
7867
the top level of the
7868
configuration file or inside a <command>view</command>
7870
If a <command>view</command> statement contains
7871
one or more <command>server</command> statements, only
7873
apply to the view and any top-level ones are ignored.
7874
If a view contains no <command>server</command>
7876
any top-level <command>server</command> statements are
7882
If you discover that a remote server is giving out bad data,
7883
marking it as bogus will prevent further queries to it. The
7885
value of <command>bogus</command> is <command>no</command>.
7888
The <command>provide-ixfr</command> clause determines
7890
the local server, acting as master, will respond with an
7892
zone transfer when the given remote server, a slave, requests it.
7893
If set to <command>yes</command>, incremental transfer
7895
whenever possible. If set to <command>no</command>,
7897
to the remote server will be non-incremental. If not set, the
7899
of the <command>provide-ixfr</command> option in the
7901
global options block is used as a default.
7905
The <command>request-ixfr</command> clause determines
7907
the local server, acting as a slave, will request incremental zone
7908
transfers from the given remote server, a master. If not set, the
7909
value of the <command>request-ixfr</command> option in
7911
global options block is used as a default.
7915
IXFR requests to servers that do not support IXFR will
7917
fall back to AXFR. Therefore, there is no need to manually list
7918
which servers support IXFR and which ones do not; the global
7920
of <command>yes</command> should always work.
7921
The purpose of the <command>provide-ixfr</command> and
7922
<command>request-ixfr</command> clauses is
7923
to make it possible to disable the use of IXFR even when both
7925
and slave claim to support it, for example if one of the servers
7926
is buggy and crashes or corrupts data when IXFR is used.
7930
The <command>edns</command> clause determines whether
7931
the local server will attempt to use EDNS when communicating
7932
with the remote server. The default is <command>yes</command>.
7936
The <command>edns-udp-size</command> option sets the EDNS UDP size
7937
that is advertised by named when querying the remote server.
7938
Valid values are 512 to 4096 bytes (values outside this range will be
7939
silently adjusted). This option is useful when you wish to
7940
advertises a different value to this server than the value you
7941
advertise globally, for example, when there is a firewall at the
7942
remote site that is blocking large replies.
7946
The <command>max-udp-size</command> option sets the
7947
maximum EDNS UDP message size named will send. Valid
7948
values are 512 to 4096 bytes (values outside this range will
7949
be silently adjusted). This option is useful when you
7950
know that there is a firewall that is blocking large
7955
The server supports two zone transfer methods. The first, <command>one-answer</command>,
7956
uses one DNS message per resource record transferred. <command>many-answers</command> packs
7957
as many resource records as possible into a message. <command>many-answers</command> is
7958
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7959
8.x, and patched versions of <acronym>BIND</acronym>
7960
4.9.5. You can specify which method
7961
to use for a server with the <command>transfer-format</command> option.
7962
If <command>transfer-format</command> is not
7963
specified, the <command>transfer-format</command>
7965
by the <command>options</command> statement will be
7969
<para><command>transfers</command>
7970
is used to limit the number of concurrent inbound zone
7971
transfers from the specified server. If no
7972
<command>transfers</command> clause is specified, the
7973
limit is set according to the
7974
<command>transfers-per-ns</command> option.
7978
The <command>keys</command> clause identifies a
7979
<command>key_id</command> defined by the <command>key</command> statement,
7980
to be used for transaction security (TSIG, <xref linkend="tsig"/>)
7981
when talking to the remote server.
7982
When a request is sent to the remote server, a request signature
7983
will be generated using the key specified here and appended to the
7984
message. A request originating from the remote server is not
7986
to be signed by this key.
7990
Although the grammar of the <command>keys</command>
7992
allows for multiple keys, only a single key per server is
7998
The <command>transfer-source</command> and
7999
<command>transfer-source-v6</command> clauses specify
8000
the IPv4 and IPv6 source
8001
address to be used for zone transfer with the remote server,
8003
For an IPv4 remote server, only <command>transfer-source</command> can
8005
Similarly, for an IPv6 remote server, only
8006
<command>transfer-source-v6</command> can be
8008
For more details, see the description of
8009
<command>transfer-source</command> and
8010
<command>transfer-source-v6</command> in
8011
<xref linkend="zone_transfers"/>.
8015
The <command>notify-source</command> and
8016
<command>notify-source-v6</command> clauses specify the
8017
IPv4 and IPv6 source address to be used for notify
8018
messages sent to remote servers, respectively. For an
8019
IPv4 remote server, only <command>notify-source</command>
8020
can be specified. Similarly, for an IPv6 remote server,
8021
only <command>notify-source-v6</command> can be specified.
8025
The <command>query-source</command> and
8026
<command>query-source-v6</command> clauses specify the
8027
IPv4 and IPv6 source address to be used for queries
8028
sent to remote servers, respectively. For an IPv4
8029
remote server, only <command>query-source</command> can
8030
be specified. Similarly, for an IPv6 remote server,
8031
only <command>query-source-v6</command> can be specified.
8037
<title><command>trusted-keys</command> Statement Grammar</title>
8039
<programlisting><command>trusted-keys</command> {
4477
8040
<replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
4478
8041
<optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
4480
8043
</programlisting>
4482
<sect2><title><command>trusted-keys</command> Statement Definition
4484
<para>The <command>trusted-keys</command> statement defines DNSSEC
4485
security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
4486
zone is known, but cannot be securely obtained through DNS, either
4487
because it is the DNS root zone or because its parent zone is unsigned.
4488
Once a key has been configured as a trusted key, it is treated as
4489
if it had been validated and proven secure. The resolver attempts
4490
DNSSEC validation on all DNS data in subdomains of a security root.</para>
4491
<para>The <command>trusted-keys</command> statement can contain
4492
multiple key entries, each consisting of the key's domain name,
4493
flags, protocol, algorithm, and the base-64 representation of the
4494
key data.</para></sect2>
4496
<sect2 id="view_statement_grammar">
4497
<title><command>view</command> Statement Grammar</title>
4498
<programlisting>view <replaceable>view_name</replaceable>
8047
<title><command>trusted-keys</command> Statement Definition
8050
The <command>trusted-keys</command> statement defines
8051
DNSSEC security roots. DNSSEC is described in <xref
8052
linkend="DNSSEC"/>. A security root is defined when the
8053
public key for a non-authoritative zone is known, but
8054
cannot be securely obtained through DNS, either because
8055
it is the DNS root zone or because its parent zone is
8056
unsigned. Once a key has been configured as a trusted
8057
key, it is treated as if it had been validated and
8058
proven secure. The resolver attempts DNSSEC validation
8059
on all DNS data in subdomains of a security root.
8062
All keys (and corresponding zones) listed in
8063
<command>trusted-keys</command> are deemed to exist regardless
8064
of what parent zones say. Similarly for all keys listed in
8065
<command>trusted-keys</command> only those keys are
8066
used to validate the DNSKEY RRset. The parent's DS RRset
8070
The <command>trusted-keys</command> statement can contain
8071
multiple key entries, each consisting of the key's
8072
domain name, flags, protocol, algorithm, and the Base-64
8073
representation of the key data.
8077
<sect2 id="view_statement_grammar">
8078
<title><command>view</command> Statement Grammar</title>
8080
<programlisting><command>view</command> <replaceable>view_name</replaceable>
4499
8081
<optional><replaceable>class</replaceable></optional> {
4500
match-clients { <replaceable>address_match_list</replaceable> } ;
4501
match-destinations { <replaceable>address_match_list</replaceable> } ;
8082
match-clients { <replaceable>address_match_list</replaceable> };
8083
match-destinations { <replaceable>address_match_list</replaceable> };
4502
8084
match-recursive-only <replaceable>yes_or_no</replaceable> ;
4503
8085
<optional> <replaceable>view_option</replaceable>; ...</optional>
4504
8086
<optional> <replaceable>zone_statement</replaceable>; ...</optional>
4506
</programlisting></sect2>
4507
<sect2><title><command>view</command> Statement Definition and Usage</title>
4509
<para>The <command>view</command> statement is a powerful new feature
4510
of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
4511
depending on who is asking. It is particularly useful for implementing
4512
split DNS setups without having to run multiple servers.</para>
4514
<para>Each <command>view</command> statement defines a view of the
4515
DNS namespace that will be seen by a subset of clients. A client matches
4516
a view if its source IP address matches the
4517
<varname>address_match_list</varname> of the view's
4518
<command>match-clients</command> clause and its destination IP address matches
4519
the <varname>address_match_list</varname> of the view's
4520
<command>match-destinations</command> clause. If not specified, both
4521
<command>match-clients</command> and <command>match-destinations</command>
4522
default to matching all addresses. In addition to checking IP addresses
4523
<command>match-clients</command> and <command>match-destinations</command>
4524
can also take <command>keys</command> which provide an mechanism for the
4525
client to select the view. A view can also be specified
4526
as <command>match-recursive-only</command>, which means that only recursive
4527
requests from matching clients will match that view.
4528
The order of the <command>view</command> statements is significant —
4529
a client request will be resolved in the context of the first
4530
<command>view</command> that it matches.</para>
4532
<para>Zones defined within a <command>view</command> statement will
4533
be only be accessible to clients that match the <command>view</command>.
4534
By defining a zone of the same name in multiple views, different
4535
zone data can be given to different clients, for example, "internal"
4536
and "external" clients in a split DNS setup.</para>
4538
<para>Many of the options given in the <command>options</command> statement
4539
can also be used within a <command>view</command> statement, and then
4540
apply only when resolving queries with that view. When no view-specific
4541
value is given, the value in the <command>options</command> statement
4542
is used as a default. Also, zone options can have default values specified
4543
in the <command>view</command> statement; these view-specific defaults
4544
take precedence over those in the <command>options</command> statement.</para>
4546
<para>Views are class specific. If no class is given, class IN
4547
is assumed. Note that all non-IN views must contain a hint zone,
4548
since only the IN class has compiled-in default hints.</para>
4550
<para>If there are no <command>view</command> statements in the config
4551
file, a default view that matches any client is automatically created
4552
in class IN. Any <command>zone</command> statements specified on
4553
the top level of the configuration file are considered to be part of
4554
this default view, and the <command>options</command> statement will
4555
apply to the default view. If any explicit <command>view</command>
4556
statements are present, all <command>zone</command> statements must
4557
occur inside <command>view</command> statements.</para>
4559
<para>Here is an example of a typical split DNS setup implemented
4560
using <command>view</command> statements.</para>
8092
<title><command>view</command> Statement Definition and Usage</title>
8095
The <command>view</command> statement is a powerful
8097
of <acronym>BIND</acronym> 9 that lets a name server
8098
answer a DNS query differently
8099
depending on who is asking. It is particularly useful for
8101
split DNS setups without having to run multiple servers.
8105
Each <command>view</command> statement defines a view
8107
DNS namespace that will be seen by a subset of clients. A client
8109
a view if its source IP address matches the
8110
<varname>address_match_list</varname> of the view's
8111
<command>match-clients</command> clause and its
8112
destination IP address matches
8113
the <varname>address_match_list</varname> of the
8115
<command>match-destinations</command> clause. If not
8117
<command>match-clients</command> and <command>match-destinations</command>
8118
default to matching all addresses. In addition to checking IP
8120
<command>match-clients</command> and <command>match-destinations</command>
8121
can also take <command>keys</command> which provide an
8123
client to select the view. A view can also be specified
8124
as <command>match-recursive-only</command>, which
8125
means that only recursive
8126
requests from matching clients will match that view.
8127
The order of the <command>view</command> statements is
8129
a client request will be resolved in the context of the first
8130
<command>view</command> that it matches.
8134
Zones defined within a <command>view</command>
8136
be only be accessible to clients that match the <command>view</command>.
8137
By defining a zone of the same name in multiple views, different
8138
zone data can be given to different clients, for example,
8140
and "external" clients in a split DNS setup.
8144
Many of the options given in the <command>options</command> statement
8145
can also be used within a <command>view</command>
8147
apply only when resolving queries with that view. When no
8149
value is given, the value in the <command>options</command> statement
8150
is used as a default. Also, zone options can have default values
8152
in the <command>view</command> statement; these
8153
view-specific defaults
8154
take precedence over those in the <command>options</command> statement.
8158
Views are class specific. If no class is given, class IN
8159
is assumed. Note that all non-IN views must contain a hint zone,
8160
since only the IN class has compiled-in default hints.
8164
If there are no <command>view</command> statements in
8166
file, a default view that matches any client is automatically
8168
in class IN. Any <command>zone</command> statements
8170
the top level of the configuration file are considered to be part
8172
this default view, and the <command>options</command>
8174
apply to the default view. If any explicit <command>view</command>
8175
statements are present, all <command>zone</command>
8177
occur inside <command>view</command> statements.
8181
Here is an example of a typical split DNS setup implemented
8182
using <command>view</command> statements:
4561
8185
<programlisting>view "internal" {
4562
8186
// This should match our internal networks.
4563
8187
match-clients { 10.0.0.0/8; };
4631
8255
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4632
8256
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4633
8257
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4634
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
4635
8258
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
8259
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8262
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8264
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8265
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8266
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8267
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8268
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8269
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8270
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
8271
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8272
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8273
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8274
<optional> file <replaceable>string</replaceable> ; </optional>
8275
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8276
<optional> journal <replaceable>string</replaceable> ; </optional>
8277
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8278
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8279
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8280
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8281
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8282
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8283
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8284
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8285
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8286
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8287
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8288
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8289
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8290
<optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
8291
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8292
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8293
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8294
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8295
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8296
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8297
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8298
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8299
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8300
<optional> database <replaceable>string</replaceable> ; </optional>
8301
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8302
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8303
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8304
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8305
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8306
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8309
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8311
file <replaceable>string</replaceable> ;
8312
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8313
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8316
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8318
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8319
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8320
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8321
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8322
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8323
<optional> file <replaceable>string</replaceable> ; </optional>
8324
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8325
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8326
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8327
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8328
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8329
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8330
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8331
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8332
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8333
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8334
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8335
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8336
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8337
<optional> database <replaceable>string</replaceable> ; </optional>
8338
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8339
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8340
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8341
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8342
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8345
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8347
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8348
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8349
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8352
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8353
type delegation-only;
4638
8356
</programlisting>
4640
<sect2><title><command>zone</command> Statement Definition and Usage</title>
4641
<sect3><title>Zone Types</title>
4642
<informaltable colsep = "0" rowsep = "0">
4643
<tgroup cols = "2" colsep = "0" rowsep = "0"
4644
tgroupstyle = "3Level-table">
4645
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
4646
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
4649
<entry colname = "1"><para><varname>master</varname></para></entry>
4650
<entry colname = "2"><para>The server has a master copy of the data
4651
for the zone and will be able to provide authoritative answers for
4655
<entry colname = "1"><para><varname>slave</varname></para></entry>
4656
<entry colname = "2"><para>A slave zone is a replica of a master
4657
zone. The <command>masters</command> list specifies one or more IP addresses
4658
of master servers that the slave contacts to update its copy of the zone.
4659
Masters list elements can also be names of other masters lists.
4660
By default, transfers are made from port 53 on the servers; this can
4661
be changed for all servers by specifying a port number before the
4662
list of IP addresses, or on a per-server basis after the IP address.
4663
Authentication to the master can also be done with per-server TSIG keys.
4664
If a file is specified, then the
4665
replica will be written to this file whenever the zone is changed,
4666
and reloaded from this file on a server restart. Use of a file is
4667
recommended, since it often speeds server start-up and eliminates
4668
a needless waste of bandwidth. Note that for large numbers (in the
4669
tens or hundreds of thousands) of zones per server, it is best to
4670
use a two level naming scheme for zone file names. For example,
4671
a slave server for the zone <literal>example.com</literal> might place
4672
the zone contents into a file called
4673
<filename>ex/example.com</filename> where <filename>ex/</filename> is
4674
just the first two letters of the zone name. (Most operating systems
4675
behave very slowly if you put 100 000 files into
4676
a single directory.)</para></entry>
4679
<entry colname = "1"><para><varname>stub</varname></para></entry>
4680
<entry colname = "2"><para>A stub zone is similar to a slave zone,
4681
except that it replicates only the NS records of a master zone instead
4682
of the entire zone. Stub zones are not a standard part of the DNS;
4683
they are a feature specific to the <acronym>BIND</acronym> implementation.
4686
<para>Stub zones can be used to eliminate the need for glue NS record
4687
in a parent zone at the expense of maintaining a stub zone entry and
4688
a set of name server addresses in <filename>named.conf</filename>.
4689
This usage is not recommended for new configurations, and BIND 9
4690
supports it only in a limited way.
4691
In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
4692
included the NS records from stub children of that zone. This meant
4693
that, in some cases, users could get away with configuring child stubs
4694
only in the master server for the parent zone. <acronym>BIND</acronym>
4695
9 never mixes together zone data from different zones in this
4696
way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
4697
zone has child stub zones configured, all the slave servers for the
4698
parent zone also need to have the same child stub zones
4701
<para>Stub zones can also be used as a way of forcing the resolution
4702
of a given domain to use a particular set of authoritative servers.
4703
For example, the caching name servers on a private network using
4704
RFC1981 addressing may be configured with stub zones for
4705
<literal>10.in-addr.arpa</literal>
4706
to use a set of internal name servers as the authoritative
4707
servers for that domain.</para>
4711
<entry colname = "1"><para><varname>forward</varname></para></entry>
4712
<entry colname = "2"><para>A "forward zone" is a way to configure
4713
forwarding on a per-domain basis. A <command>zone</command> statement
4714
of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
4715
which will apply to queries within the domain given by the zone
4716
name. If no <command>forwarders</command> statement is present or
4717
an empty list for <command>forwarders</command> is given, then no
4718
forwarding will be done for the domain, canceling the effects of
4719
any forwarders in the <command>options</command> statement. Thus
4720
if you want to use this type of zone to change the behavior of the
4721
global <command>forward</command> option (that is, "forward first
4722
to", then "forward only", or vice versa, but want to use the same
4723
servers as set globally) you need to re-specify the global forwarders.</para>
4727
<entry colname = "1"><para><varname>hint</varname></para></entry>
4728
<entry colname = "2"><para>The initial set of root name servers is
4729
specified using a "hint zone". When the server starts up, it uses
4730
the root hints to find a root name server and get the most recent
4731
list of root name servers. If no hint zone is specified for class
4732
IN, the server uses a compiled-in default set of root servers hints.
4733
Classes other than IN have no built-in defaults hints.</para></entry>
4736
<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
4737
<entry colname = "2"><para>This is used to enforce the delegation only
4738
status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
4739
is received without a explicit or implicit delegation in the authority
4740
section will be treated as NXDOMAIN. This does not apply to the zone
4741
apex. This SHOULD NOT be applied to leaf zones.</para>
4742
<para><varname>delegation-only</varname> has no effect on answers received
4743
from forwarders.</para></entry>
4746
</tgroup></informaltable></sect3>
4748
<sect3><title>Class</title>
4749
<para>The zone's name may optionally be followed by a class. If
4750
a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
4751
is assumed. This is correct for the vast majority of cases.</para>
4752
<para>The <literal>hesiod</literal> class is
4753
named for an information service from MIT's Project Athena. It is
4754
used to share information about various systems databases, such
4755
as users, groups, printers and so on. The keyword
4756
<literal>HS</literal> is
4757
a synonym for hesiod.</para>
4758
<para>Another MIT development is CHAOSnet, a LAN protocol created
4759
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
4762
<title>Zone Options</title>
4766
<varlistentry><term><command>allow-notify</command></term>
4767
<listitem><para>See the description of
4768
<command>allow-notify</command> in <xref linkend="access_control"/></para>
4769
</listitem></varlistentry>
4771
<varlistentry><term><command>allow-query</command></term>
4772
<listitem><para>See the description of
4773
<command>allow-query</command> in <xref linkend="access_control"/></para>
4774
</listitem></varlistentry>
4776
<varlistentry><term><command>allow-transfer</command></term>
4777
<listitem><para>See the description of <command>allow-transfer</command>
4778
in <xref linkend="access_control"/>.</para>
4779
</listitem></varlistentry>
4781
<varlistentry><term><command>allow-update</command></term>
4782
<listitem><para>Specifies which hosts are allowed to
4783
submit Dynamic DNS updates for master zones. The default is to deny
4784
updates from all hosts. Note that allowing updates based
4785
on the requestor's IP address is insecure; see
4786
<xref linkend="dynamic_update_security"/> for details.
4788
</listitem></varlistentry>
4790
<varlistentry><term><command>update-policy</command></term>
4791
<listitem><para>Specifies a "Simple Secure Update" policy. See
4792
<xref linkend="dynamic_update_policies"/>.</para>
4793
</listitem></varlistentry>
4795
<varlistentry><term><command>allow-update-forwarding</command></term>
4796
<listitem><para>See the description of <command>allow-update-forwarding</command>
4797
in <xref linkend="access_control"/>.</para>
4798
</listitem></varlistentry>
4800
<varlistentry><term><command>also-notify</command></term>
4801
<listitem><para>Only meaningful if <command>notify</command> is
4802
active for this zone. The set of machines that will receive a
4803
<literal>DNS NOTIFY</literal> message
4804
for this zone is made up of all the listed name servers (other than
4805
the primary master) for the zone plus any IP addresses specified
4806
with <command>also-notify</command>. A port may be specified
4807
with each <command>also-notify</command> address to send the notify
4808
messages to a port other than the default of 53.
4809
<command>also-notify</command> is not meaningful for stub zones.
4810
The default is the empty list.</para>
4811
</listitem></varlistentry>
4813
<varlistentry><term><command>check-names</command></term>
4815
This option is used to restrict the character set and syntax of
4816
certain domain names in master files and/or DNS responses received from the
4817
network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
4818
zones the default is <command>warn</command>.
4820
</listitem></varlistentry>
4822
<varlistentry><term><command>database</command></term>
4823
<listitem><para>Specify the type of database to be used for storing the
4824
zone data. The string following the <command>database</command> keyword
4825
is interpreted as a list of whitespace-delimited words. The first word
4826
identifies the database type, and any subsequent words are passed
4827
as arguments to the database to be interpreted in a way specific
4828
to the database type.</para>
4829
<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
4830
red-black-tree database. This database does not take arguments.</para>
4831
<para>Other values are possible if additional database drivers
4832
have been linked into the server. Some sample drivers are included
4833
with the distribution but none are linked in by default.</para>
4834
</listitem></varlistentry>
4836
<varlistentry><term><command>dialup</command></term>
4837
<listitem><para>See the description of
4838
<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
4839
</listitem></varlistentry>
4841
<varlistentry><term><command>delegation-only</command></term>
4842
<listitem><para>The flag only applies to hint and stub zones. If set
4843
to <userinput>yes</userinput> then the zone will also be treated as if it
4844
is also a delegation-only type zone.
4846
</listitem></varlistentry>
4848
<varlistentry><term><command>forward</command></term>
4849
<listitem><para>Only meaningful if the zone has a forwarders
4850
list. The <command>only</command> value causes the lookup to fail
4851
after trying the forwarders and getting no answer, while <command>first</command> would
4852
allow a normal lookup to be tried.</para>
4853
</listitem></varlistentry>
4855
<varlistentry><term><command>forwarders</command></term>
4856
<listitem><para>Used to override the list of global forwarders.
4857
If it is not specified in a zone of type <command>forward</command>,
4858
no forwarding is done for the zone; the global options are not used.</para>
4859
</listitem></varlistentry>
4861
<varlistentry><term><command>ixfr-base</command></term>
4862
<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
4863
of the transaction log (journal) file for dynamic update and IXFR.
4864
<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
4865
file by appending "<filename>.jnl</filename>" to the name of the
4867
</listitem></varlistentry>
4869
<varlistentry><term><command>ixfr-tmp-file</command></term>
4870
<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
4871
Ignored in <acronym>BIND</acronym> 9.</para>
4872
</listitem></varlistentry>
4874
<varlistentry><term><command>max-transfer-time-in</command></term>
4875
<listitem><para>See the description of
4876
<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
4877
</listitem></varlistentry>
4879
<varlistentry><term><command>max-transfer-idle-in</command></term>
4880
<listitem><para>See the description of
4881
<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
4882
</listitem></varlistentry>
4884
<varlistentry><term><command>max-transfer-time-out</command></term>
4885
<listitem><para>See the description of
4886
<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
4887
</listitem></varlistentry>
4889
<varlistentry><term><command>max-transfer-idle-out</command></term>
4890
<listitem><para>See the description of
4891
<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
4892
</listitem></varlistentry>
4894
<varlistentry><term><command>notify</command></term>
4895
<listitem><para>See the description of
4896
<command>notify</command> in <xref linkend="boolean_options"/>.</para>
4897
</listitem></varlistentry>
4899
<varlistentry><term><command>pubkey</command></term>
4900
<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
4901
a public zone key for verification of signatures in DNSSEC signed
4902
zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
4903
on load and ignores the option.</para>
4904
</listitem></varlistentry>
4906
<varlistentry><term><command>zone-statistics</command></term>
4907
<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
4908
information for this zone, which can be dumped to the
4909
<command>statistics-file</command> defined in the server options.</para>
4910
</listitem></varlistentry>
4912
<varlistentry><term><command>sig-validity-interval</command></term>
4913
<listitem><para>See the description of
4914
<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
4915
</listitem></varlistentry>
4917
<varlistentry><term><command>transfer-source</command></term>
4918
<listitem><para>See the description of
4919
<command>transfer-source</command> in <xref linkend="zone_transfers"/>
4921
</listitem></varlistentry>
4923
<varlistentry><term><command>transfer-source-v6</command></term>
4924
<listitem><para>See the description of
4925
<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
4927
</listitem></varlistentry>
4929
<varlistentry><term><command>alt-transfer-source</command></term>
4930
<listitem><para>See the description of
4931
<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>
4933
</listitem></varlistentry>
4935
<varlistentry><term><command>alt-transfer-source-v6</command></term>
4936
<listitem><para>See the description of
4937
<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>
4939
</listitem></varlistentry>
4941
<varlistentry><term><command>use-alt-transfer-source</command></term>
4942
<listitem><para>See the description of
4943
<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>
4945
</listitem></varlistentry>
4948
<varlistentry><term><command>notify-source</command></term>
4949
<listitem><para>See the description of
4950
<command>notify-source</command> in <xref linkend="zone_transfers"/>
4952
</listitem></varlistentry>
4954
<varlistentry><term><command>notify-source-v6</command></term>
4955
<listitem><para>See the description of
4956
<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
4958
</listitem></varlistentry>
4961
<term><command>min-refresh-time</command></term>
4962
<term><command>max-refresh-time</command></term>
4963
<term><command>min-retry-time</command></term>
4964
<term><command>max-retry-time</command></term>
4966
See the description in <xref linkend="tuning"/>.
4967
</para></listitem></varlistentry>
4969
<varlistentry><term><command>ixfr-from-differences</command></term>
4970
<listitem><para>See the description of
4971
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
4972
</listitem></varlistentry>
4974
<varlistentry><term><command>key-directory</command></term>
4975
<listitem><para>See the description of
4976
<command>key-directory</command> in <xref linkend="options"/></para>
4977
</listitem></varlistentry>
4979
<varlistentry><term><command>multi-master</command></term>
4980
<listitem><para>See the description of
4981
<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
4982
</listitem></varlistentry>
4987
<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
4988
<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
4989
the right to perform dynamic updates to a zone,
4990
configured by the <command>allow-update</command> and
4991
<command>update-policy</command> option, respectively.</para>
4992
<para>The <command>allow-update</command> clause works the same
4993
way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
4994
permission to update any record of any name in the zone.</para>
4995
<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
4996
9 and allows more fine-grained control over what updates are allowed.
4997
A set of rules is specified, where each rule either grants or denies
4998
permissions for one or more names to be updated by one or more identities.
4999
If the dynamic update request message is signed (that is, it includes
5000
either a TSIG or SIG(0) record), the identity of the signer can
5001
be determined.</para>
5002
<para>Rules are specified in the <command>update-policy</command> zone
5003
option, and are only meaningful for master zones. When the <command>update-policy</command> statement
5004
is present, it is a configuration error for the <command>allow-update</command> statement
5005
to be present. The <command>update-policy</command> statement only
5006
examines the signer of a message; the source address is not relevant.</para>
5007
<para>This is how a rule definition looks:</para>
8360
<title><command>zone</command> Statement Definition and Usage</title>
8362
<title>Zone Types</title>
8363
<informaltable colsep="0" rowsep="0">
8364
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8365
<!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8366
<!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8367
<colspec colname="1" colnum="1" colsep="0"/>
8368
<colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8373
<varname>master</varname>
8378
The server has a master copy of the data
8379
for the zone and will be able to provide authoritative
8388
<varname>slave</varname>
8393
A slave zone is a replica of a master
8394
zone. The <command>masters</command> list
8395
specifies one or more IP addresses
8396
of master servers that the slave contacts to update
8397
its copy of the zone.
8398
Masters list elements can also be names of other
8400
By default, transfers are made from port 53 on the
8402
be changed for all servers by specifying a port number
8404
list of IP addresses, or on a per-server basis after
8406
Authentication to the master can also be done with
8407
per-server TSIG keys.
8408
If a file is specified, then the
8409
replica will be written to this file whenever the zone
8411
and reloaded from this file on a server restart. Use
8413
recommended, since it often speeds server startup and
8415
a needless waste of bandwidth. Note that for large
8417
tens or hundreds of thousands) of zones per server, it
8419
use a two-level naming scheme for zone filenames. For
8421
a slave server for the zone <literal>example.com</literal> might place
8422
the zone contents into a file called
8423
<filename>ex/example.com</filename> where <filename>ex/</filename> is
8424
just the first two letters of the zone name. (Most
8426
behave very slowly if you put 100 000 files into
8427
a single directory.)
8434
<varname>stub</varname>
8439
A stub zone is similar to a slave zone,
8440
except that it replicates only the NS records of a
8442
of the entire zone. Stub zones are not a standard part
8444
they are a feature specific to the <acronym>BIND</acronym> implementation.
8448
Stub zones can be used to eliminate the need for glue
8450
in a parent zone at the expense of maintaining a stub
8452
a set of name server addresses in <filename>named.conf</filename>.
8453
This usage is not recommended for new configurations,
8455
supports it only in a limited way.
8456
In <acronym>BIND</acronym> 4/8, zone
8457
transfers of a parent zone
8458
included the NS records from stub children of that
8460
that, in some cases, users could get away with
8461
configuring child stubs
8462
only in the master server for the parent zone. <acronym>BIND</acronym>
8463
9 never mixes together zone data from different zones
8465
way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8466
zone has child stub zones configured, all the slave
8468
parent zone also need to have the same child stub
8474
Stub zones can also be used as a way of forcing the
8476
of a given domain to use a particular set of
8477
authoritative servers.
8478
For example, the caching name servers on a private
8480
RFC1918 addressing may be configured with stub zones
8482
<literal>10.in-addr.arpa</literal>
8483
to use a set of internal name servers as the
8485
servers for that domain.
8492
<varname>forward</varname>
8497
A "forward zone" is a way to configure
8498
forwarding on a per-domain basis. A <command>zone</command> statement
8499
of type <command>forward</command> can
8500
contain a <command>forward</command>
8501
and/or <command>forwarders</command>
8503
which will apply to queries within the domain given by
8505
name. If no <command>forwarders</command>
8506
statement is present or
8507
an empty list for <command>forwarders</command> is given, then no
8508
forwarding will be done for the domain, canceling the
8510
any forwarders in the <command>options</command> statement. Thus
8511
if you want to use this type of zone to change the
8513
global <command>forward</command> option
8514
(that is, "forward first"
8515
to, then "forward only", or vice versa, but want to
8517
servers as set globally) you need to re-specify the
8525
<varname>hint</varname>
8530
The initial set of root name servers is
8531
specified using a "hint zone". When the server starts
8533
the root hints to find a root name server and get the
8535
list of root name servers. If no hint zone is
8537
IN, the server uses a compiled-in default set of root
8539
Classes other than IN have no built-in defaults hints.
8546
<varname>delegation-only</varname>
8551
This is used to enforce the delegation-only
8552
status of infrastructure zones (e.g. COM, NET, ORG).
8554
is received without an explicit or implicit delegation
8556
section will be treated as NXDOMAIN. This does not
8558
apex. This should not be applied to leaf zones.
8561
<varname>delegation-only</varname> has no
8562
effect on answers received
8573
<title>Class</title>
8575
The zone's name may optionally be followed by a class. If
8576
a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
8577
is assumed. This is correct for the vast majority of cases.
8580
The <literal>hesiod</literal> class is
8581
named for an information service from MIT's Project Athena. It
8583
used to share information about various systems databases, such
8584
as users, groups, printers and so on. The keyword
8585
<literal>HS</literal> is
8586
a synonym for hesiod.
8589
Another MIT development is Chaosnet, a LAN protocol created
8590
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
8595
<title>Zone Options</title>
8600
<term><command>allow-notify</command></term>
8603
See the description of
8604
<command>allow-notify</command> in <xref linkend="access_control"/>.
8610
<term><command>allow-query</command></term>
8613
See the description of
8614
<command>allow-query</command> in <xref linkend="access_control"/>.
8620
<term><command>allow-query-on</command></term>
8623
See the description of
8624
<command>allow-query-on</command> in <xref linkend="access_control"/>.
8630
<term><command>allow-transfer</command></term>
8633
See the description of <command>allow-transfer</command>
8634
in <xref linkend="access_control"/>.
8640
<term><command>allow-update</command></term>
8643
See the description of <command>allow-update</command>
8644
in <xref linkend="access_control"/>.
8650
<term><command>update-policy</command></term>
8653
Specifies a "Simple Secure Update" policy. See
8654
<xref linkend="dynamic_update_policies"/>.
8660
<term><command>allow-update-forwarding</command></term>
8663
See the description of <command>allow-update-forwarding</command>
8664
in <xref linkend="access_control"/>.
8670
<term><command>also-notify</command></term>
8673
Only meaningful if <command>notify</command>
8675
active for this zone. The set of machines that will
8677
<literal>DNS NOTIFY</literal> message
8678
for this zone is made up of all the listed name servers
8680
the primary master) for the zone plus any IP addresses
8682
with <command>also-notify</command>. A port
8684
with each <command>also-notify</command>
8685
address to send the notify
8686
messages to a port other than the default of 53.
8687
<command>also-notify</command> is not
8688
meaningful for stub zones.
8689
The default is the empty list.
8695
<term><command>check-names</command></term>
8698
This option is used to restrict the character set and
8700
certain domain names in master files and/or DNS responses
8702
network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
8703
zones the default is <command>warn</command>.
8709
<term><command>check-mx</command></term>
8712
See the description of
8713
<command>check-mx</command> in <xref linkend="boolean_options"/>.
8719
<term><command>check-wildcard</command></term>
8722
See the description of
8723
<command>check-wildcard</command> in <xref linkend="boolean_options"/>.
8729
<term><command>check-integrity</command></term>
8732
See the description of
8733
<command>check-integrity</command> in <xref linkend="boolean_options"/>.
8739
<term><command>check-sibling</command></term>
8742
See the description of
8743
<command>check-sibling</command> in <xref linkend="boolean_options"/>.
8749
<term><command>zero-no-soa-ttl</command></term>
8752
See the description of
8753
<command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
8759
<term><command>update-check-ksk</command></term>
8762
See the description of
8763
<command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
8769
<term><command>try-tcp-refresh</command></term>
8772
See the description of
8773
<command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
8779
<term><command>database</command></term>
8782
Specify the type of database to be used for storing the
8783
zone data. The string following the <command>database</command> keyword
8784
is interpreted as a list of whitespace-delimited words.
8786
identifies the database type, and any subsequent words are
8788
as arguments to the database to be interpreted in a way
8790
to the database type.
8793
The default is <userinput>"rbt"</userinput>, BIND 9's
8795
red-black-tree database. This database does not take
8799
Other values are possible if additional database drivers
8800
have been linked into the server. Some sample drivers are
8802
with the distribution but none are linked in by default.
8808
<term><command>dialup</command></term>
8811
See the description of
8812
<command>dialup</command> in <xref linkend="boolean_options"/>.
8818
<term><command>delegation-only</command></term>
8821
The flag only applies to hint and stub zones. If set
8822
to <userinput>yes</userinput>, then the zone will also be
8824
is also a delegation-only type zone.
8830
<term><command>forward</command></term>
8833
Only meaningful if the zone has a forwarders
8834
list. The <command>only</command> value causes
8836
after trying the forwarders and getting no answer, while <command>first</command> would
8837
allow a normal lookup to be tried.
8843
<term><command>forwarders</command></term>
8846
Used to override the list of global forwarders.
8847
If it is not specified in a zone of type <command>forward</command>,
8848
no forwarding is done for the zone and the global options are
8855
<term><command>ixfr-base</command></term>
8858
Was used in <acronym>BIND</acronym> 8 to
8860
of the transaction log (journal) file for dynamic update
8862
<acronym>BIND</acronym> 9 ignores the option
8863
and constructs the name of the journal
8864
file by appending "<filename>.jnl</filename>"
8872
<term><command>ixfr-tmp-file</command></term>
8875
Was an undocumented option in <acronym>BIND</acronym> 8.
8876
Ignored in <acronym>BIND</acronym> 9.
8882
<term><command>journal</command></term>
8885
Allow the default journal's filename to be overridden.
8886
The default is the zone's filename with "<filename>.jnl</filename>" appended.
8887
This is applicable to <command>master</command> and <command>slave</command> zones.
8893
<term><command>max-transfer-time-in</command></term>
8896
See the description of
8897
<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
8903
<term><command>max-transfer-idle-in</command></term>
8906
See the description of
8907
<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
8913
<term><command>max-transfer-time-out</command></term>
8916
See the description of
8917
<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
8923
<term><command>max-transfer-idle-out</command></term>
8926
See the description of
8927
<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
8933
<term><command>notify</command></term>
8936
See the description of
8937
<command>notify</command> in <xref linkend="boolean_options"/>.
8943
<term><command>notify-delay</command></term>
8946
See the description of
8947
<command>notify-delay</command> in <xref linkend="tuning"/>.
8953
<term><command>notify-to-soa</command></term>
8956
See the description of
8957
<command>notify-to-soa</command> in
8958
<xref linkend="boolean_options"/>.
8964
<term><command>pubkey</command></term>
8967
In <acronym>BIND</acronym> 8, this option was
8968
intended for specifying
8969
a public zone key for verification of signatures in DNSSEC
8971
zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
8972
on load and ignores the option.
8978
<term><command>zone-statistics</command></term>
8981
If <userinput>yes</userinput>, the server will keep
8983
information for this zone, which can be dumped to the
8984
<command>statistics-file</command> defined in
8991
<term><command>sig-validity-interval</command></term>
8994
See the description of
8995
<command>sig-validity-interval</command> in <xref linkend="tuning"/>.
9001
<term><command>transfer-source</command></term>
9004
See the description of
9005
<command>transfer-source</command> in <xref linkend="zone_transfers"/>.
9011
<term><command>transfer-source-v6</command></term>
9014
See the description of
9015
<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9021
<term><command>alt-transfer-source</command></term>
9024
See the description of
9025
<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9031
<term><command>alt-transfer-source-v6</command></term>
9034
See the description of
9035
<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9041
<term><command>use-alt-transfer-source</command></term>
9044
See the description of
9045
<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9052
<term><command>notify-source</command></term>
9055
See the description of
9056
<command>notify-source</command> in <xref linkend="zone_transfers"/>.
9062
<term><command>notify-source-v6</command></term>
9065
See the description of
9066
<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
9072
<term><command>min-refresh-time</command></term>
9073
<term><command>max-refresh-time</command></term>
9074
<term><command>min-retry-time</command></term>
9075
<term><command>max-retry-time</command></term>
9078
See the description in <xref linkend="tuning"/>.
9084
<term><command>ixfr-from-differences</command></term>
9087
See the description of
9088
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
9094
<term><command>key-directory</command></term>
9097
See the description of
9098
<command>key-directory</command> in <xref linkend="options"/>.
9104
<term><command>multi-master</command></term>
9107
See the description of <command>multi-master</command> in
9108
<xref linkend="boolean_options"/>.
9114
<term><command>masterfile-format</command></term>
9117
See the description of <command>masterfile-format</command>
9118
in <xref linkend="tuning"/>.
9126
<sect3 id="dynamic_update_policies">
9127
<title>Dynamic Update Policies</title>
9128
<para><acronym>BIND</acronym> 9 supports two alternative
9129
methods of granting clients the right to perform
9130
dynamic updates to a zone, configured by the
9131
<command>allow-update</command> and
9132
<command>update-policy</command> option, respectively.
9135
The <command>allow-update</command> clause works the
9136
same way as in previous versions of <acronym>BIND</acronym>.
9137
It grants given clients the permission to update any
9138
record of any name in the zone.
9141
The <command>update-policy</command> clause is new
9142
in <acronym>BIND</acronym> 9 and allows more fine-grained
9143
control over what updates are allowed. A set of rules
9144
is specified, where each rule either grants or denies
9145
permissions for one or more names to be updated by
9146
one or more identities. If the dynamic update request
9147
message is signed (that is, it includes either a TSIG
9148
or SIG(0) record), the identity of the signer can be
9152
Rules are specified in the <command>update-policy</command>
9153
zone option, and are only meaningful for master zones.
9154
When the <command>update-policy</command> statement
9155
is present, it is a configuration error for the
9156
<command>allow-update</command> statement to be
9157
present. The <command>update-policy</command> statement
9158
only examines the signer of a message; the source
9159
address is not relevant.
9163
This is how a rule definition looks:
5008
9166
<programlisting>
5009
9167
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
5010
9168
</programlisting>
5011
<para>Each rule grants or denies privileges. Once a message has
5012
successfully matched a rule, the operation is immediately granted
5013
or denied and no further rules are examined. A rule is matched
5014
when the signer matches the identity field, the name matches the
5015
name field in accordance with the nametype field, and the type matches
5016
the types specified in the type field.</para>
5018
<para>The identity field specifies a name or a wildcard name. Normally, this
5019
is the name of the TSIG or SIG(0) key used to sign the update request. When a
5020
TKEY exchange has been used to create a shared secret, the identity of the
5021
shared secret is the same as the identity of the key used to authenticate the
5022
TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
5023
wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
5024
to multiple identities. The <replaceable>identity</replaceable> field must
5025
contain a fully qualified domain name.</para>
5027
<para>The <replaceable>nametype</replaceable> field has 4 values:
5028
<varname>name</varname>, <varname>subdomain</varname>,
5029
<varname>wildcard</varname>, and <varname>self</varname>.
5032
<tgroup cols = "2" colsep = "0"
5033
rowsep = "0" tgroupstyle = "4Level-table">
5034
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
5035
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
5038
<entry colname = "1"><para><varname>name</varname></para></entry>
5039
<entry colname = "2"><para>Exact-match semantics. This rule matches when the
5040
name being updated is identical to the contents of the
5041
<replaceable>name</replaceable> field.</para></entry>
5044
<entry colname = "1"><para><varname>subdomain</varname></para></entry>
5045
<entry colname = "2"><para>This rule matches when the name being updated
5046
is a subdomain of, or identical to, the contents of the
5047
<replaceable>name</replaceable> field.</para></entry>
5050
<entry colname = "1"><para><varname>wildcard</varname></para></entry>
5051
<entry colname = "2"><para>The <replaceable>name</replaceable> field is
5052
subject to DNS wildcard expansion, and this rule matches when the name
5053
being updated name is a valid expansion of the wildcard.</para></entry>
5056
<entry colname = "1"><para><varname>self</varname></para></entry>
5057
<entry colname = "2"><para>This rule matches when the name being updated
5058
matches the contents of the <replaceable>identity</replaceable> field.
5059
The <replaceable>name</replaceable> field is ignored, but should be
5060
the same as the <replaceable>identity</replaceable> field. The
5061
<varname>self</varname> nametype is most useful when allowing using
5062
one key per name to update, where the key has the same name as the name
5063
to be updated. The <replaceable>identity</replaceable> would be
5064
specified as <constant>*</constant> in this case.</para></entry>
5067
</tgroup></informaltable>
5069
<para>In all cases, the <replaceable>name</replaceable> field must
5070
specify a fully qualified domain name.</para>
5072
<para>If no types are explicitly specified, this rule matches all types except
5073
SIG, NS, SOA, and NXT. Types may be specified by name, including
5074
"ANY" (ANY matches all types except NXT, which can never be updated).
5075
Note that when an attempt is made to delete all records associated with a
5076
name, the rules are checked for each existing record type.
5082
<title>Zone File</title>
5083
<sect2 id="types_of_resource_records_and_when_to_use_them">
5084
<title>Types of Resource Records and When to Use Them</title>
5085
<para>This section, largely borrowed from RFC 1034, describes the
5086
concept of a Resource Record (RR) and explains when each is used.
5087
Since the publication of RFC 1034, several new RRs have been identified
5088
and implemented in the DNS. These are also included.</para>
5090
<title>Resource Records</title>
5092
<para>A domain name identifies a node. Each node has a set of
5093
resource information, which may be empty. The set of resource
5094
information associated with a particular name is composed of
5095
separate RRs. The order of RRs in a set is not significant and
5096
need not be preserved by name servers, resolvers, or other
5097
parts of the DNS. However, sorting of multiple RRs is
5098
permitted for optimization purposes, for example, to specify
5099
that a particular nearby server be tried first. See <xref
5100
linkend="the_sortlist_statement"/> and <xref
5101
linkend="rrset_ordering"/>.</para>
5103
<para>The components of a Resource Record are:</para>
5104
<informaltable colsep = "0"
5105
rowsep = "0"><tgroup cols = "2" colsep = "0"
5106
rowsep = "0" tgroupstyle = "4Level-table">
5107
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
5108
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
5111
<entry colname = "1"><para>owner name</para></entry>
5112
<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
5115
<entry colname = "1"><para>type</para></entry>
5116
<entry colname = "2"><para>an encoded 16 bit value that specifies
5117
the type of the resource record.</para></entry>
5120
<entry colname = "1"><para>TTL</para></entry>
5121
<entry colname = "2"><para>the time to live of the RR. This field
5122
is a 32 bit integer in units of seconds, and is primarily used by
5123
resolvers when they cache RRs. The TTL describes how long a RR can
5124
be cached before it should be discarded.</para></entry>
5127
<entry colname = "1"><para>class</para></entry>
5128
<entry colname = "2"><para>an encoded 16 bit value that identifies
5129
a protocol family or instance of a protocol.</para></entry>
5132
<entry colname = "1"><para>RDATA</para></entry>
5133
<entry colname = "2"><para>the resource data. The format of the
5134
data is type (and sometimes class) specific.</para></entry>
5137
</tgroup></informaltable>
5138
<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
5139
<informaltable colsep = "0"
5140
rowsep = "0"><tgroup cols = "2" colsep = "0"
5141
rowsep = "0" tgroupstyle = "4Level-table">
5142
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5143
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
5146
<entry colname = "1"><para>A</para></entry>
5147
<entry colname = "2"><para>a host address. In the IN class, this is a
5148
32-bit IP address. Described in RFC 1035.</para></entry>
5151
<entry colname = "1"><para>AAAA</para></entry>
5152
<entry colname = "2"><para>IPv6 address. Described in RFC 1886.</para></entry>
5155
<entry colname = "1"><para>A6</para></entry>
5156
<entry colname = "2"><para>IPv6 address. This can be a partial
5157
address (a suffix) and an indirection to the name where the rest of the
5158
address (the prefix) can be found. Experimental. Described in RFC 2874.</para></entry>
5161
<entry colname = "1"><para>AFSDB</para></entry>
5162
<entry colname = "2"><para>location of AFS database servers.
5163
Experimental. Described in RFC 1183.</para></entry>
5166
<entry colname = "1"><para>APL</para></entry>
5167
<entry colname = "2"><para>address prefix list. Experimental.
5168
Described in RFC 3123.</para></entry>
5171
<entry colname = "1"><para>CERT</para></entry>
5172
<entry colname = "2"><para>holds a digital certificate.
5173
Described in RFC 2538.</para></entry>
5176
<entry colname = "1"><para>CNAME</para></entry>
5177
<entry colname = "2"><para>identifies the canonical name of an alias.
5178
Described in RFC 1035.</para></entry>
5181
<entry colname = "1"><para>DNAME</para></entry>
5182
<entry colname = "2"><para>Replaces the domain name specified with
5183
another name to be looked up, effectively aliasing an entire
5184
subtree of the domain name space rather than a single record
5185
as in the case of the CNAME RR.
5186
Described in RFC 2672.</para></entry>
5189
<entry colname = "1"><para>GPOS</para></entry>
5190
<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
5193
<entry colname = "1"><para>HINFO</para></entry>
5194
<entry colname = "2"><para>identifies the CPU and OS used by a host.
5195
Described in RFC 1035.</para></entry>
5198
<entry colname = "1"><para>ISDN</para></entry>
5199
<entry colname = "2"><para>representation of ISDN addresses.
5200
Experimental. Described in RFC 1183.</para></entry>
5203
<entry colname = "1"><para>KEY</para></entry>
5204
<entry colname = "2"><para>stores a public key associated with a
5205
DNS name. Described in RFC 2535.</para></entry>
5208
<entry colname = "1"><para>KX</para></entry>
5209
<entry colname = "2"><para>identifies a key exchanger for this
5210
DNS name. Described in RFC 2230.</para></entry>
5213
<entry colname = "1"><para>LOC</para></entry>
5214
<entry colname = "2"><para>for storing GPS info. Described in RFC 1876.
5215
Experimental.</para></entry>
5218
<entry colname = "1"><para>MX</para></entry>
5219
<entry colname = "2"><para>identifies a mail exchange for the domain.
5220
a 16 bit preference value (lower is better)
5221
followed by the host name of the mail exchange.
5222
Described in RFC 974, RFC 1035.</para></entry>
5225
<entry colname = "1"><para>NAPTR</para></entry>
5226
<entry colname = "2"><para>name authority pointer. Described in RFC 2915.</para></entry>
5229
<entry colname = "1"><para>NSAP</para></entry>
5230
<entry colname = "2"><para>a network service access point.
5231
Described in RFC 1706.</para></entry>
5234
<entry colname = "1"><para>NS</para></entry>
5235
<entry colname = "2"><para>the authoritative name server for the
5236
domain. Described in RFC 1035.</para></entry>
5239
<entry colname = "1"><para>NXT</para></entry>
5240
<entry colname = "2"><para>used in DNSSEC to securely indicate that
5241
RRs with an owner name in a certain name interval do not exist in
5242
a zone and indicate what RR types are present for an existing name.
5243
Described in RFC 2535.</para></entry>
5246
<entry colname = "1"><para>PTR</para></entry>
5247
<entry colname = "2"><para>a pointer to another part of the domain
5248
name space. Described in RFC 1035.</para></entry>
5251
<entry colname = "1"><para>PX</para></entry>
5252
<entry colname = "2"><para>provides mappings between RFC 822 and X.400
5253
addresses. Described in RFC 2163.</para></entry>
5256
<entry colname = "1"><para>RP</para></entry>
5257
<entry colname = "2"><para>information on persons responsible
5258
for the domain. Experimental. Described in RFC 1183.</para></entry>
5261
<entry colname = "1"><para>RT</para></entry>
5262
<entry colname = "2"><para>route-through binding for hosts that
5263
do not have their own direct wide area network addresses.
5264
Experimental. Described in RFC 1183.</para></entry>
5267
<entry colname = "1"><para>SIG</para></entry>
5268
<entry colname = "2"><para>("signature") contains data authenticated
5269
in the secure DNS. Described in RFC 2535.</para></entry>
5272
<entry colname = "1"><para>SOA</para></entry>
5273
<entry colname = "2"><para>identifies the start of a zone of authority.
5274
Described in RFC 1035.</para></entry>
5277
<entry colname = "1"><para>SRV</para></entry>
5278
<entry colname = "2"><para>information about well known network
5279
services (replaces WKS). Described in RFC 2782.</para></entry>
5282
<entry colname = "1"><para>TXT</para></entry>
5283
<entry colname = "2"><para>text records. Described in RFC 1035.</para></entry>
5286
<entry colname = "1"><para>WKS</para></entry>
5287
<entry colname = "2"><para>information about which well known
5288
network services, such as SMTP, that a domain supports. Historical.
5292
<entry colname = "1"><para>X25</para></entry>
5293
<entry colname = "2"><para>representation of X.25 network addresses.
5294
Experimental. Described in RFC 1183.</para></entry>
5297
</tgroup></informaltable>
5298
<para>The following <emphasis>classes</emphasis> of resource records
5299
are currently valid in the DNS:</para><informaltable colsep = "0"
5300
rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
5301
tgroupstyle = "4Level-table">
5302
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5303
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
5307
<entry colname = "1"><para>IN</para></entry>
5308
<entry colname = "2"><para>The Internet.</para></entry>
5312
<entry colname = "1"><para>CH</para></entry>
5313
<entry colname = "2"><para>
5314
CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
5315
Rarely used for its historical purpose, but reused for BIND's
5316
built-in server information zones, e.g.,
5317
<literal>version.bind</literal>.
5322
<entry colname = "1"><para>HS</para></entry>
5323
<entry colname = "2"><para>
5324
Hesiod, an information service
5325
developed by MIT's Project Athena. It is used to share information
5326
about various systems databases, such as users, groups, printers
5332
</tgroup></informaltable>
5334
<para>The owner name is often implicit, rather than forming an integral
5335
part of the RR. For example, many name servers internally form tree
5336
or hash structures for the name space, and chain RRs off nodes.
5337
The remaining RR parts are the fixed header (type, class, TTL)
5338
which is consistent for all RRs, and a variable part (RDATA) that
5339
fits the needs of the resource being described.</para>
5340
<para>The meaning of the TTL field is a time limit on how long an
5341
RR can be kept in a cache. This limit does not apply to authoritative
5342
data in zones; it is also timed out, but by the refreshing policies
5343
for the zone. The TTL is assigned by the administrator for the
5344
zone where the data originates. While short TTLs can be used to
5345
minimize caching, and a zero TTL prohibits caching, the realities
5346
of Internet performance suggest that these times should be on the
5347
order of days for the typical host. If a change can be anticipated,
5348
the TTL can be reduced prior to the change to minimize inconsistency
5349
during the change, and then increased back to its former value following
5351
<para>The data in the RDATA section of RRs is carried as a combination
5352
of binary strings and domain names. The domain names are frequently
5353
used as "pointers" to other data in the DNS.</para></sect3>
5354
<sect3><title>Textual expression of RRs</title>
5355
<para>RRs are represented in binary form in the packets of the DNS
5356
protocol, and are usually represented in highly encoded form when
5357
stored in a name server or resolver. In the examples provided in
5358
RFC 1034, a style similar to that used in master files was employed
5359
in order to show the contents of RRs. In this format, most RRs
5360
are shown on a single line, although continuation lines are possible
5361
using parentheses.</para>
5362
<para>The start of the line gives the owner of the RR. If a line
5363
begins with a blank, then the owner is assumed to be the same as
5364
that of the previous RR. Blank lines are often included for readability.</para>
5365
<para>Following the owner, we list the TTL, type, and class of the
5366
RR. Class and type use the mnemonics defined above, and TTL is
5367
an integer before the type field. In order to avoid ambiguity in
5368
parsing, type and class mnemonics are disjoint, TTLs are integers,
5369
and the type mnemonic is always last. The IN class and TTL values
5370
are often omitted from examples in the interests of clarity.</para>
5371
<para>The resource data or RDATA section of the RR are given using
5372
knowledge of the typical representation for the data.</para>
5373
<para>For example, we might show the RRs carried in a message as:</para> <informaltable
5374
colsep = "0" rowsep = "0"><tgroup cols = "3"
5375
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
5376
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
5377
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
5378
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
5381
<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
5382
<entry colname = "2"><para><literal>MX</literal></para></entry>
5383
<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
5386
<entry colname = "1"><para></para></entry>
5387
<entry colname = "2"><para><literal>MX</literal></para></entry>
5388
<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
5391
<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
5392
<entry colname = "2"><para><literal>A</literal></para></entry>
5393
<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
5396
<entry colname = "1"><para></para></entry>
5397
<entry colname = "2"><para><literal>A</literal></para></entry>
5398
<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
5401
<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
5402
<entry colname = "2"><para><literal>A</literal></para></entry>
5403
<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
5406
<entry colname = "1"><para></para></entry>
5407
<entry colname = "2"><para><literal>A</literal></para></entry>
5408
<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
5411
</tgroup></informaltable>
5412
<para>The MX RRs have an RDATA section which consists of a 16 bit
5413
number followed by a domain name. The address RRs use a standard
5414
IP address format to contain a 32 bit internet address.</para>
5415
<para>This example shows six RRs, with two RRs at each of three
5416
domain names.</para>
5417
<para>Similarly we might see:</para><informaltable colsep = "0"
5418
rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
5419
tgroupstyle = "4Level-table">
5420
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
5421
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
5422
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
5425
<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
5426
<entry colname = "2"><para><literal>A</literal></para></entry>
5427
<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
5430
<entry colname = "1"><para><literal>CH</literal></para></entry>
5431
<entry colname = "2"><para><literal>A</literal></para></entry>
5432
<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
5435
</tgroup></informaltable>
5436
<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
5437
each of a different class.</para></sect3></sect2>
5439
<sect2><title>Discussion of MX Records</title>
5441
<para>As described above, domain servers store information as a
5442
series of resource records, each of which contains a particular
5443
piece of information about a given domain name (which is usually,
5444
but not always, a host). The simplest way to think of a RR is as
5445
a typed pair of data, a domain name matched with a relevant datum,
5446
and stored with some additional type information to help systems
5447
determine when the RR is relevant.</para>
5449
<para>MX records are used to control delivery of email. The data
5450
specified in the record is a priority and a domain name. The priority
5451
controls the order in which email delivery is attempted, with the
5452
lowest number first. If two priorities are the same, a server is
5453
chosen randomly. If no servers at a given priority are responding,
5454
the mail transport agent will fall back to the next largest priority.
5455
Priority numbers do not have any absolute meaning — they are relevant
5456
only respective to other MX records for that domain name. The domain
5457
name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
5458
an associated A record — CNAME is not sufficient.</para>
5459
<para>For a given domain, if there is both a CNAME record and an
5460
MX record, the MX record is in error, and will be ignored. Instead,
5461
the mail will be delivered to the server specified in the MX record
5462
pointed to by the CNAME.</para>
5463
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
5464
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5465
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
5466
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
5467
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
5468
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
5469
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
5472
<entry colname = "1"><para><literal>example.com.</literal></para></entry>
5473
<entry colname = "2"><para><literal>IN</literal></para></entry>
5474
<entry colname = "3"><para><literal>MX</literal></para></entry>
5475
<entry colname = "4"><para><literal>10</literal></para></entry>
5476
<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
5479
<entry colname = "1"><para></para></entry>
5480
<entry colname = "2"><para><literal>IN</literal></para></entry>
5481
<entry colname = "3"><para><literal>MX</literal></para></entry>
5482
<entry colname = "4"><para><literal>10</literal></para></entry>
5483
<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
5486
<entry colname = "1"><para></para></entry>
5487
<entry colname = "2"><para><literal>IN</literal></para></entry>
5488
<entry colname = "3"><para><literal>MX</literal></para></entry>
5489
<entry colname = "4"><para><literal>20</literal></para></entry>
5490
<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
5493
<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
5494
<entry colname = "2"><para><literal>IN</literal></para></entry>
5495
<entry colname = "3"><para><literal>A</literal></para></entry>
5496
<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
5497
<entry colname = "5"><para></para></entry>
5500
<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
5501
<entry colname = "2"><para><literal>IN</literal></para></entry>
5502
<entry colname = "3"><para><literal>A</literal></para></entry>
5503
<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
5504
<entry colname = "5"><para></para></entry>
5507
</tgroup></informaltable><para>For example:</para>
5508
<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
5509
<literal>mail2.example.com</literal> (in
5510
any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
5511
be attempted.</para></sect2>
5512
<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
5513
<para>The time to live of the RR field is a 32 bit integer represented
5514
in units of seconds, and is primarily used by resolvers when they
5515
cache RRs. The TTL describes how long a RR can be cached before it
5516
should be discarded. The following three types of TTL are currently
5517
used in a zone file.</para>
5518
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
5519
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5520
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
5521
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
5524
<entry colname = "1"><para>SOA</para></entry>
5525
<entry colname = "2"><para>The last field in the SOA is the negative
5526
caching TTL. This controls how long other servers will cache no-such-domain
5527
(NXDOMAIN) responses from you.</para><para>The maximum time for
5528
negative caching is 3 hours (3h).</para></entry>
5531
<entry colname = "1"><para>$TTL</para></entry>
5532
<entry colname = "2"><para>The $TTL directive at the top of the
5533
zone file (before the SOA) gives a default TTL for every RR without
5534
a specific TTL set.</para></entry>
5537
<entry colname = "1"><para>RR TTLs</para></entry>
5538
<entry colname = "2"><para>Each RR can have a TTL as the second
5539
field in the RR, which will control how long other servers can cache
5540
the it.</para></entry>
5543
</tgroup></informaltable>
5544
<para>All of these TTLs default to units of seconds, though units
5545
can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
5546
<sect2><title>Inverse Mapping in IPv4</title>
5547
<para>Reverse name resolution (that is, translation from IP address
5548
to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
5549
and PTR records. Entries in the in-addr.arpa domain are made in
5550
least-to-most significant order, read left to right. This is the
5551
opposite order to the way IP addresses are usually written. Thus,
5552
a machine with an IP address of 10.1.2.3 would have a corresponding
5553
in-addr.arpa name of
5554
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
5555
whose data field is the name of the machine or, optionally, multiple
5556
PTR records if the machine has more than one name. For example,
5557
in the <optional>example.com</optional> domain:</para>
5558
<informaltable colsep = "0" rowsep = "0">
5559
<tgroup cols = "2" colsep = "0" rowsep = "0"
5560
tgroupstyle = "3Level-table">
5561
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
5562
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
5565
<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
5566
<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
5569
<entry colname = "1"><para><literal>3</literal></para></entry>
5570
<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
5573
</tgroup></informaltable>
5575
<para>The <command>$ORIGIN</command> lines in the examples
5576
are for providing context to the examples only-they do not necessarily
5577
appear in the actual usage. They are only used here to indicate
5578
that the example is relative to the listed origin.</para></note></sect2>
5579
<sect2><title>Other Zone File Directives</title>
5580
<para>The Master File Format was initially defined in RFC 1035 and
5581
has subsequently been extended. While the Master File Format itself
5582
is class independent all records in a Master File must be of the same
5584
<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
5585
and <command>$TTL.</command></para>
5586
<sect3><title>The <command>$ORIGIN</command> Directive</title>
5587
<para>Syntax: <command>$ORIGIN
5588
</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
5589
<para><command>$ORIGIN</command> sets the domain name that will
5590
be appended to any unqualified records. When a zone is first read
5591
in there is an implicit <command>$ORIGIN</command> <<varname>zone-name</varname>><command>.</command> The
5592
current <command>$ORIGIN</command> is appended to the domain specified
5593
in the <command>$ORIGIN</command> argument if it is not absolute.</para>
5594
<programlisting>$ORIGIN example.com.
5595
WWW CNAME MAIN-SERVER</programlisting>
5596
<para>is equivalent to</para>
5597
<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
5598
<sect3><title>The <command>$INCLUDE</command> Directive</title>
5599
<para>Syntax: <command>$INCLUDE</command>
5600
<replaceable>filename</replaceable> <optional>
5601
<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
5602
<para>Read and process the file <filename>filename</filename> as
5603
if it were included into the file at this point. If <command>origin</command> is
5604
specified the file is processed with <command>$ORIGIN</command> set
5605
to that value, otherwise the current <command>$ORIGIN</command> is
5607
<para>The origin and the current domain name
5608
revert to the values they had prior to the <command>$INCLUDE</command> once
5609
the file has been read.</para>
5611
RFC 1035 specifies that the current origin should be restored after
5612
an <command>$INCLUDE</command>, but it is silent on whether the current
5613
domain name should also be restored. BIND 9 restores both of them.
5614
This could be construed as a deviation from RFC 1035, a feature, or both.
5617
<sect3><title>The <command>$TTL</command> Directive</title>
5618
<para>Syntax: <command>$TTL</command>
5619
<replaceable>default-ttl</replaceable> <optional>
5620
<replaceable>comment</replaceable> </optional></para>
5621
<para>Set the default Time To Live (TTL) for subsequent records
5622
with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
5623
<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
5624
<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
5625
<para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
5626
<para><command>$GENERATE</command> is used to create a series of
5627
resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
5628
be used to easily generate the sets of records required to support
5629
sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
9171
Each rule grants or denies privileges. Once a message has
9172
successfully matched a rule, the operation is immediately
9174
or denied and no further rules are examined. A rule is matched
9175
when the signer matches the identity field, the name matches the
9176
name field in accordance with the nametype field, and the type
9178
the types specified in the type field.
9181
The identity field specifies a name or a wildcard
9182
name. Normally, this is the name of the TSIG or
9183
SIG(0) key used to sign the update request. When a
9184
TKEY exchange has been used to create a shared secret,
9185
the identity of the shared secret is the same as the
9186
identity of the key used to authenticate the TKEY
9187
exchange. TKEY is also the negotiation method used
9188
by GSS-TSIG, which establishes an identity that is
9189
the Kerberos principal of the client, such as
9190
<userinput>"user@host.domain"</userinput>. When the
9191
<replaceable>identity</replaceable> field specifies
9192
a wildcard name, it is subject to DNS wildcard
9193
expansion, so the rule will apply to multiple identities.
9194
The <replaceable>identity</replaceable> field must
9195
contain a fully-qualified domain name.
9199
The <replaceable>nametype</replaceable> field has 6
9201
<varname>name</varname>, <varname>subdomain</varname>,
9202
<varname>wildcard</varname>, <varname>self</varname>,
9203
<varname>selfsub</varname>, and <varname>selfwild</varname>.
9206
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9207
<colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9208
<colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9213
<varname>name</varname>
9215
</entry> <entry colname="2">
9217
Exact-match semantics. This rule matches
9218
when the name being updated is identical
9219
to the contents of the
9220
<replaceable>name</replaceable> field.
9227
<varname>subdomain</varname>
9229
</entry> <entry colname="2">
9231
This rule matches when the name being updated
9232
is a subdomain of, or identical to, the
9233
contents of the <replaceable>name</replaceable>
9241
<varname>wildcard</varname>
9243
</entry> <entry colname="2">
9245
The <replaceable>name</replaceable> field
9246
is subject to DNS wildcard expansion, and
9247
this rule matches when the name being updated
9248
name is a valid expansion of the wildcard.
9255
<varname>self</varname>
9260
This rule matches when the name being updated
9261
matches the contents of the
9262
<replaceable>identity</replaceable> field.
9263
The <replaceable>name</replaceable> field
9264
is ignored, but should be the same as the
9265
<replaceable>identity</replaceable> field.
9266
The <varname>self</varname> nametype is
9267
most useful when allowing using one key per
9268
name to update, where the key has the same
9269
name as the name to be updated. The
9270
<replaceable>identity</replaceable> would
9271
be specified as <constant>*</constant> (an asterisk) in
9279
<varname>selfsub</varname>
9281
</entry> <entry colname="2">
9283
This rule is similar to <varname>self</varname>
9284
except that subdomains of <varname>self</varname>
9285
can also be updated.
9292
<varname>selfwild</varname>
9294
</entry> <entry colname="2">
9296
This rule is similar to <varname>self</varname>
9297
except that only subdomains of
9298
<varname>self</varname> can be updated.
9307
In all cases, the <replaceable>name</replaceable>
9309
specify a fully-qualified domain name.
9313
If no types are explicitly specified, this rule matches all
9315
RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
9316
"ANY" (ANY matches all types except NSEC, which can never be
9318
Note that when an attempt is made to delete all records
9320
name, the rules are checked for each existing record type.
9326
<title>Zone File</title>
9327
<sect2 id="types_of_resource_records_and_when_to_use_them">
9328
<title>Types of Resource Records and When to Use Them</title>
9330
This section, largely borrowed from RFC 1034, describes the
9331
concept of a Resource Record (RR) and explains when each is used.
9332
Since the publication of RFC 1034, several new RRs have been
9334
and implemented in the DNS. These are also included.
9337
<title>Resource Records</title>
9340
A domain name identifies a node. Each node has a set of
9341
resource information, which may be empty. The set of resource
9342
information associated with a particular name is composed of
9343
separate RRs. The order of RRs in a set is not significant and
9344
need not be preserved by name servers, resolvers, or other
9345
parts of the DNS. However, sorting of multiple RRs is
9346
permitted for optimization purposes, for example, to specify
9347
that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9351
The components of a Resource Record are:
9353
<informaltable colsep="0" rowsep="0">
9354
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9355
<colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9356
<colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9366
The domain name where the RR is found.
9378
An encoded 16-bit value that specifies
9379
the type of the resource record.
9391
The time-to-live of the RR. This field
9392
is a 32-bit integer in units of seconds, and is
9394
resolvers when they cache RRs. The TTL describes how
9396
be cached before it should be discarded.
9408
An encoded 16-bit value that identifies
9409
a protocol family or instance of a protocol.
9421
The resource data. The format of the
9422
data is type (and sometimes class) specific.
9430
The following are <emphasis>types</emphasis> of valid RRs:
9432
<informaltable colsep="0" rowsep="0">
9433
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9434
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9435
<colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9445
A host address. In the IN class, this is a
9446
32-bit IP address. Described in RFC 1035.
9458
IPv6 address. Described in RFC 1886.
9470
IPv6 address. This can be a partial
9471
address (a suffix) and an indirection to the name
9472
where the rest of the
9473
address (the prefix) can be found. Experimental.
9474
Described in RFC 2874.
9486
Location of AFS database servers.
9487
Experimental. Described in RFC 1183.
9499
Address prefix list. Experimental.
9500
Described in RFC 3123.
9512
Holds a digital certificate.
9513
Described in RFC 2538.
9525
Identifies the canonical name of an alias.
9526
Described in RFC 1035.
9538
Replaces the domain name specified with
9539
another name to be looked up, effectively aliasing an
9541
subtree of the domain name space rather than a single
9543
as in the case of the CNAME RR.
9544
Described in RFC 2672.
9556
Stores a public key associated with a signed
9557
DNS zone. Described in RFC 4034.
9569
Stores the hash of a public key associated with a
9570
signed DNS zone. Described in RFC 4034.
9582
Specifies the global position. Superseded by LOC.
9594
Identifies the CPU and OS used by a host.
9595
Described in RFC 1035.
9607
Representation of ISDN addresses.
9608
Experimental. Described in RFC 1183.
9620
Stores a public key associated with a
9621
DNS name. Used in original DNSSEC; replaced
9622
by DNSKEY in DNSSECbis, but still used with
9623
SIG(0). Described in RFCs 2535 and 2931.
9635
Identifies a key exchanger for this
9636
DNS name. Described in RFC 2230.
9648
For storing GPS info. Described in RFC 1876.
9661
Identifies a mail exchange for the domain with
9662
a 16-bit preference value (lower is better)
9663
followed by the host name of the mail exchange.
9664
Described in RFC 974, RFC 1035.
9676
Name authority pointer. Described in RFC 2915.
9688
A network service access point.
9689
Described in RFC 1706.
9701
The authoritative name server for the
9702
domain. Described in RFC 1035.
9714
Used in DNSSECbis to securely indicate that
9715
RRs with an owner name in a certain name interval do
9717
a zone and indicate what RR types are present for an
9719
Described in RFC 4034.
9731
Used in DNSSEC to securely indicate that
9732
RRs with an owner name in a certain name interval do
9734
a zone and indicate what RR types are present for an
9736
Used in original DNSSEC; replaced by NSEC in
9738
Described in RFC 2535.
9750
A pointer to another part of the domain
9751
name space. Described in RFC 1035.
9763
Provides mappings between RFC 822 and X.400
9764
addresses. Described in RFC 2163.
9776
Information on persons responsible
9777
for the domain. Experimental. Described in RFC 1183.
9789
Contains DNSSECbis signature data. Described
9802
Route-through binding for hosts that
9803
do not have their own direct wide area network
9805
Experimental. Described in RFC 1183.
9817
Contains DNSSEC signature data. Used in
9818
original DNSSEC; replaced by RRSIG in
9819
DNSSECbis, but still used for SIG(0).
9820
Described in RFCs 2535 and 2931.
9832
Identifies the start of a zone of authority.
9833
Described in RFC 1035.
9845
Information about well known network
9846
services (replaces WKS). Described in RFC 2782.
9858
Text records. Described in RFC 1035.
9870
Information about which well known
9871
network services, such as SMTP, that a domain
9872
supports. Historical.
9884
Representation of X.25 network addresses.
9885
Experimental. Described in RFC 1183.
9893
The following <emphasis>classes</emphasis> of resource records
9894
are currently valid in the DNS:
9896
<informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9897
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9898
<colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9922
Chaosnet, a LAN protocol created at MIT in the
9924
Rarely used for its historical purpose, but reused for
9926
built-in server information zones, e.g.,
9927
<literal>version.bind</literal>.
9940
Hesiod, an information service
9941
developed by MIT's Project Athena. It is used to share
9943
about various systems databases, such as users,
9955
The owner name is often implicit, rather than forming an
9957
part of the RR. For example, many name servers internally form
9959
or hash structures for the name space, and chain RRs off nodes.
9960
The remaining RR parts are the fixed header (type, class, TTL)
9961
which is consistent for all RRs, and a variable part (RDATA)
9963
fits the needs of the resource being described.
9966
The meaning of the TTL field is a time limit on how long an
9967
RR can be kept in a cache. This limit does not apply to
9969
data in zones; it is also timed out, but by the refreshing
9971
for the zone. The TTL is assigned by the administrator for the
9972
zone where the data originates. While short TTLs can be used to
9973
minimize caching, and a zero TTL prohibits caching, the
9975
of Internet performance suggest that these times should be on
9977
order of days for the typical host. If a change can be
9979
the TTL can be reduced prior to the change to minimize
9981
during the change, and then increased back to its former value
9986
The data in the RDATA section of RRs is carried as a combination
9987
of binary strings and domain names. The domain names are
9989
used as "pointers" to other data in the DNS.
9993
<title>Textual expression of RRs</title>
9995
RRs are represented in binary form in the packets of the DNS
9996
protocol, and are usually represented in highly encoded form
9998
stored in a name server or resolver. In the examples provided
10000
RFC 1034, a style similar to that used in master files was
10002
in order to show the contents of RRs. In this format, most RRs
10003
are shown on a single line, although continuation lines are
10008
The start of the line gives the owner of the RR. If a line
10009
begins with a blank, then the owner is assumed to be the same as
10010
that of the previous RR. Blank lines are often included for
10014
Following the owner, we list the TTL, type, and class of the
10015
RR. Class and type use the mnemonics defined above, and TTL is
10016
an integer before the type field. In order to avoid ambiguity
10018
parsing, type and class mnemonics are disjoint, TTLs are
10020
and the type mnemonic is always last. The IN class and TTL
10022
are often omitted from examples in the interests of clarity.
10025
The resource data or RDATA section of the RR are given using
10026
knowledge of the typical representation for the data.
10029
For example, we might show the RRs carried in a message as:
10031
<informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10032
<colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
10033
<colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
10034
<colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
10037
<entry colname="1">
10039
<literal>ISI.EDU.</literal>
10042
<entry colname="2">
10044
<literal>MX</literal>
10047
<entry colname="3">
10049
<literal>10 VENERA.ISI.EDU.</literal>
10054
<entry colname="1">
10057
<entry colname="2">
10059
<literal>MX</literal>
10062
<entry colname="3">
10064
<literal>10 VAXA.ISI.EDU</literal>
10069
<entry colname="1">
10071
<literal>VENERA.ISI.EDU</literal>
10074
<entry colname="2">
10076
<literal>A</literal>
10079
<entry colname="3">
10081
<literal>128.9.0.32</literal>
10086
<entry colname="1">
10089
<entry colname="2">
10091
<literal>A</literal>
10094
<entry colname="3">
10096
<literal>10.1.0.52</literal>
10101
<entry colname="1">
10103
<literal>VAXA.ISI.EDU</literal>
10106
<entry colname="2">
10108
<literal>A</literal>
10111
<entry colname="3">
10113
<literal>10.2.0.27</literal>
10118
<entry colname="1">
10121
<entry colname="2">
10123
<literal>A</literal>
10126
<entry colname="3">
10128
<literal>128.9.0.33</literal>
10136
The MX RRs have an RDATA section which consists of a 16-bit
10137
number followed by a domain name. The address RRs use a
10139
IP address format to contain a 32-bit internet address.
10142
The above example shows six RRs, with two RRs at each of three
10146
Similarly we might see:
10148
<informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10149
<colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
10150
<colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
10151
<colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
10154
<entry colname="1">
10156
<literal>XX.LCS.MIT.EDU.</literal>
10159
<entry colname="2">
10161
<literal>IN A</literal>
10164
<entry colname="3">
10166
<literal>10.0.0.44</literal>
10171
<entry colname="1"/>
10172
<entry colname="2">
10174
<literal>CH A</literal>
10177
<entry colname="3">
10179
<literal>MIT.EDU. 2420</literal>
10187
This example shows two addresses for
10188
<literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10194
<title>Discussion of MX Records</title>
10197
As described above, domain servers store information as a
10198
series of resource records, each of which contains a particular
10199
piece of information about a given domain name (which is usually,
10200
but not always, a host). The simplest way to think of a RR is as
10201
a typed pair of data, a domain name matched with a relevant datum,
10202
and stored with some additional type information to help systems
10203
determine when the RR is relevant.
10207
MX records are used to control delivery of email. The data
10208
specified in the record is a priority and a domain name. The
10210
controls the order in which email delivery is attempted, with the
10211
lowest number first. If two priorities are the same, a server is
10212
chosen randomly. If no servers at a given priority are responding,
10213
the mail transport agent will fall back to the next largest
10215
Priority numbers do not have any absolute meaning — they are
10217
only respective to other MX records for that domain name. The
10219
name given is the machine to which the mail will be delivered.
10220
It <emphasis>must</emphasis> have an associated address record
10221
(A or AAAA) — CNAME is not sufficient.
10224
For a given domain, if there is both a CNAME record and an
10225
MX record, the MX record is in error, and will be ignored.
10227
the mail will be delivered to the server specified in the MX
10229
pointed to by the CNAME.
10234
<informaltable colsep="0" rowsep="0">
10235
<tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10236
<colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10237
<colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10238
<colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10239
<colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10240
<colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10243
<entry colname="1">
10245
<literal>example.com.</literal>
10248
<entry colname="2">
10250
<literal>IN</literal>
10253
<entry colname="3">
10255
<literal>MX</literal>
10258
<entry colname="4">
10260
<literal>10</literal>
10263
<entry colname="5">
10265
<literal>mail.example.com.</literal>
10270
<entry colname="1">
10273
<entry colname="2">
10275
<literal>IN</literal>
10278
<entry colname="3">
10280
<literal>MX</literal>
10283
<entry colname="4">
10285
<literal>10</literal>
10288
<entry colname="5">
10290
<literal>mail2.example.com.</literal>
10295
<entry colname="1">
10298
<entry colname="2">
10300
<literal>IN</literal>
10303
<entry colname="3">
10305
<literal>MX</literal>
10308
<entry colname="4">
10310
<literal>20</literal>
10313
<entry colname="5">
10315
<literal>mail.backup.org.</literal>
10320
<entry colname="1">
10322
<literal>mail.example.com.</literal>
10325
<entry colname="2">
10327
<literal>IN</literal>
10330
<entry colname="3">
10332
<literal>A</literal>
10335
<entry colname="4">
10337
<literal>10.0.0.1</literal>
10340
<entry colname="5">
10345
<entry colname="1">
10347
<literal>mail2.example.com.</literal>
10350
<entry colname="2">
10352
<literal>IN</literal>
10355
<entry colname="3">
10357
<literal>A</literal>
10360
<entry colname="4">
10362
<literal>10.0.0.2</literal>
10365
<entry colname="5">
10371
</informaltable><para>
10372
Mail delivery will be attempted to <literal>mail.example.com</literal> and
10373
<literal>mail2.example.com</literal> (in
10374
any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
10378
<sect2 id="Setting_TTLs">
10379
<title>Setting TTLs</title>
10381
The time-to-live of the RR field is a 32-bit integer represented
10382
in units of seconds, and is primarily used by resolvers when they
10383
cache RRs. The TTL describes how long a RR can be cached before it
10384
should be discarded. The following three types of TTL are
10386
used in a zone file.
10388
<informaltable colsep="0" rowsep="0">
10389
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10390
<colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
10391
<colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
10394
<entry colname="1">
10399
<entry colname="2">
10401
The last field in the SOA is the negative
10402
caching TTL. This controls how long other servers will
10403
cache no-such-domain
10404
(NXDOMAIN) responses from you.
10407
The maximum time for
10408
negative caching is 3 hours (3h).
10413
<entry colname="1">
10418
<entry colname="2">
10420
The $TTL directive at the top of the
10421
zone file (before the SOA) gives a default TTL for every
10423
a specific TTL set.
10428
<entry colname="1">
10433
<entry colname="2">
10435
Each RR can have a TTL as the second
10436
field in the RR, which will control how long other
10446
All of these TTLs default to units of seconds, though units
10447
can be explicitly specified, for example, <literal>1h30m</literal>.
10451
<title>Inverse Mapping in IPv4</title>
10453
Reverse name resolution (that is, translation from IP address
10454
to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
10455
and PTR records. Entries in the in-addr.arpa domain are made in
10456
least-to-most significant order, read left to right. This is the
10457
opposite order to the way IP addresses are usually written. Thus,
10458
a machine with an IP address of 10.1.2.3 would have a
10460
in-addr.arpa name of
10461
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10462
whose data field is the name of the machine or, optionally,
10464
PTR records if the machine has more than one name. For example,
10465
in the <optional>example.com</optional> domain:
10467
<informaltable colsep="0" rowsep="0">
10468
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10469
<colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
10470
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
10473
<entry colname="1">
10475
<literal>$ORIGIN</literal>
10478
<entry colname="2">
10480
<literal>2.1.10.in-addr.arpa</literal>
10485
<entry colname="1">
10487
<literal>3</literal>
10490
<entry colname="2">
10492
<literal>IN PTR foo.example.com.</literal>
10501
The <command>$ORIGIN</command> lines in the examples
10502
are for providing context to the examples only — they do not
10504
appear in the actual usage. They are only used here to indicate
10505
that the example is relative to the listed origin.
10510
<title>Other Zone File Directives</title>
10512
The Master File Format was initially defined in RFC 1035 and
10513
has subsequently been extended. While the Master File Format
10515
is class independent all records in a Master File must be of the
10520
Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
10521
and <command>$TTL.</command>
10524
<title>The <command>$ORIGIN</command> Directive</title>
10526
Syntax: <command>$ORIGIN</command>
10527
<replaceable>domain-name</replaceable>
10528
<optional><replaceable>comment</replaceable></optional>
10530
<para><command>$ORIGIN</command>
10531
sets the domain name that will be appended to any
10532
unqualified records. When a zone is first read in there
10533
is an implicit <command>$ORIGIN</command>
10534
<<varname>zone-name</varname>><command>.</command>
10535
The current <command>$ORIGIN</command> is appended to
10536
the domain specified in the <command>$ORIGIN</command>
10537
argument if it is not absolute.
10541
$ORIGIN example.com.
10542
WWW CNAME MAIN-SERVER
10550
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10555
<title>The <command>$INCLUDE</command> Directive</title>
10557
Syntax: <command>$INCLUDE</command>
10558
<replaceable>filename</replaceable>
10560
<replaceable>origin</replaceable> </optional>
10561
<optional> <replaceable>comment</replaceable> </optional>
10564
Read and process the file <filename>filename</filename> as
10565
if it were included into the file at this point. If <command>origin</command> is
10566
specified the file is processed with <command>$ORIGIN</command> set
10567
to that value, otherwise the current <command>$ORIGIN</command> is
10571
The origin and the current domain name
10572
revert to the values they had prior to the <command>$INCLUDE</command> once
10573
the file has been read.
10577
RFC 1035 specifies that the current origin should be restored
10579
an <command>$INCLUDE</command>, but it is silent
10580
on whether the current
10581
domain name should also be restored. BIND 9 restores both of
10583
This could be construed as a deviation from RFC 1035, a
10589
<title>The <command>$TTL</command> Directive</title>
10591
Syntax: <command>$TTL</command>
10592
<replaceable>default-ttl</replaceable>
10594
<replaceable>comment</replaceable> </optional>
10597
Set the default Time To Live (TTL) for subsequent records
10598
with undefined TTLs. Valid TTLs are of the range 0-2147483647
10601
<para><command>$TTL</command>
10602
is defined in RFC 2308.
10607
<title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
10609
Syntax: <command>$GENERATE</command>
10610
<replaceable>range</replaceable>
10611
<replaceable>lhs</replaceable>
10612
<optional><replaceable>ttl</replaceable></optional>
10613
<optional><replaceable>class</replaceable></optional>
10614
<replaceable>type</replaceable>
10615
<replaceable>rhs</replaceable>
10616
<optional><replaceable>comment</replaceable></optional>
10618
<para><command>$GENERATE</command>
10619
is used to create a series of resource records that only
10620
differ from each other by an
10621
iterator. <command>$GENERATE</command> can be used to
10622
easily generate the sets of records required to support
10623
sub /24 reverse delegations described in RFC 2317:
10624
Classless IN-ADDR.ARPA delegation.
5631
10627
<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
5632
10628
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
5633
10629
$GENERATE 1-127 $ CNAME $.0</programlisting>
5634
<para>is equivalent to</para>
5635
<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
10635
<programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
5636
10636
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
5637
10637
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
5638
10638
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
5640
10640
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
5641
10641
</programlisting>
5642
<informaltable colsep = "0" rowsep = "0">
5643
<tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5644
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5645
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
5648
<entry colname = "1"><para><command>range</command></para></entry>
5649
<entry colname = "2"><para>This can be one of two forms: start-stop
5650
or start-stop/step. If the first form is used then step is set to
5651
1. All of start, stop and step must be positive.</para></entry>
5654
<entry colname = "1"><para><command>lhs</command></para></entry>
5655
<entry colname = "2"><para><command>lhs</command> describes the
5656
owner name of the resource records to be created. Any single <command>$</command> symbols
5657
within the <command>lhs</command> side are replaced by the iterator
5659
To get a $ in the output you need to escape the <command>$</command>
5660
using a backslash <command>\</command>,
5661
e.g. <command>\$</command>. The <command>$</command> may optionally be followed
5662
by modifiers which change the offset from the iterator, field width and base.
5663
Modifiers are introduced by a <command>{</command> immediately following the
5664
<command>$</command> as <command>${offset[,width[,base]]}</command>.
5665
e.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
5666
prints the result as a decimal in a zero padded field of with 3. Available
5667
output forms are decimal (<command>d</command>), octal (<command>o</command>)
5668
and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
5669
The default modifier is <command>${0,0,d}</command>.
5670
If the <command>lhs</command> is not
5671
absolute, the current <command>$ORIGIN</command> is appended to
5673
<para>For compatibility with earlier versions <command>$$</command> is still
5674
recognized a indicating a literal $ in the output.</para></entry>
5677
<entry colname = "1"><para><command>ttl</command></para></entry>
5678
<entry colname = "2"><para><command>ttl</command> specifies the
5679
ttl of the generated records. If not specified this will be
5680
inherited using the normal ttl inheritance rules.</para>
5681
<para><command>class</command> and <command>ttl</command> can be
5682
entered in either order.</para></entry>
5685
<entry colname = "1"><para><command>class</command></para></entry>
5686
<entry colname = "2"><para><command>class</command> specifies the
5687
class of the generated records. This must match the zone class if
5688
it is specified.</para>
5689
<para><command>class</command> and <command>ttl</command> can be
5690
entered in either order.</para></entry>
5693
<entry colname = "1"><para><command>type</command></para></entry>
5694
<entry colname = "2"><para>At present the only supported types are
5695
PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
5698
<entry colname = "1"><para><command>rhs</command></para></entry>
5699
<entry colname = "2"><para>rhs is a domain name. It is processed
5700
similarly to lhs.</para></entry>
5703
</tgroup></informaltable>
5704
<para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
5705
and not part of the standard zone file format.</para>
5706
<para>BIND 8 does not support the optional TTL and CLASS fields.</para>
5710
<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
5711
<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
5712
<para>Access Control Lists (ACLs), are address match lists that
5713
you can set up and nickname for future use in <command>allow-notify</command>,
5714
<command>allow-query</command>, <command>allow-recursion</command>,
5715
<command>blackhole</command>, <command>allow-transfer</command>,
5717
<para>Using ACLs allows you to have finer control over who can access
5718
your name server, without cluttering up your config files with huge
5719
lists of IP addresses.</para>
5720
<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
5721
control access to your server. Limiting access to your server by
5722
outside parties can help prevent spoofing and DoS attacks against
5724
<para>Here is an example of how to properly apply ACLs:</para>
10643
<informaltable colsep="0" rowsep="0">
10644
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10645
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10646
<colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
10649
<entry colname="1">
10650
<para><command>range</command></para>
10652
<entry colname="2">
10654
This can be one of two forms: start-stop
10655
or start-stop/step. If the first form is used, then step
10657
1. All of start, stop and step must be positive.
10662
<entry colname="1">
10663
<para><command>lhs</command></para>
10665
<entry colname="2">
10667
describes the owner name of the resource records
10668
to be created. Any single <command>$</command>
10670
symbols within the <command>lhs</command> side
10671
are replaced by the iterator value.
10673
To get a $ in the output, you need to escape the
10674
<command>$</command> using a backslash
10675
<command>\</command>,
10676
e.g. <command>\$</command>. The
10677
<command>$</command> may optionally be followed
10678
by modifiers which change the offset from the
10679
iterator, field width and base.
10681
Modifiers are introduced by a
10682
<command>{</command> (left brace) immediately following the
10683
<command>$</command> as
10684
<command>${offset[,width[,base]]}</command>.
10685
For example, <command>${-20,3,d}</command>
10686
subtracts 20 from the current value, prints the
10687
result as a decimal in a zero-padded field of
10690
Available output forms are decimal
10691
(<command>d</command>), octal
10692
(<command>o</command>) and hexadecimal
10693
(<command>x</command> or <command>X</command>
10694
for uppercase). The default modifier is
10695
<command>${0,0,d}</command>. If the
10696
<command>lhs</command> is not absolute, the
10697
current <command>$ORIGIN</command> is appended
10701
For compatibility with earlier versions, <command>$$</command> is still
10702
recognized as indicating a literal $ in the output.
10707
<entry colname="1">
10708
<para><command>ttl</command></para>
10710
<entry colname="2">
10712
Specifies the time-to-live of the generated records. If
10713
not specified this will be inherited using the
10714
normal ttl inheritance rules.
10716
<para><command>class</command>
10717
and <command>ttl</command> can be
10718
entered in either order.
10723
<entry colname="1">
10724
<para><command>class</command></para>
10726
<entry colname="2">
10728
Specifies the class of the generated records.
10729
This must match the zone class if it is
10732
<para><command>class</command>
10733
and <command>ttl</command> can be
10734
entered in either order.
10739
<entry colname="1">
10740
<para><command>type</command></para>
10742
<entry colname="2">
10744
At present the only supported types are
10745
PTR, CNAME, DNAME, A, AAAA and NS.
10750
<entry colname="1">
10751
<para><command>rhs</command></para>
10753
<entry colname="2">
10755
<command>rhs</command> is a domain name. It is processed
10764
The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
10765
and not part of the standard zone file format.
10768
BIND 8 does not support the optional TTL and CLASS fields.
10772
<sect2 id="zonefile_format">
10773
<title>Additional File Formats</title>
10775
In addition to the standard textual format, BIND 9
10776
supports the ability to read or dump to zone files in
10777
other formats. The <constant>raw</constant> format is
10778
currently available as an additional format. It is a
10779
binary format representing BIND 9's internal data
10780
structure directly, thereby remarkably improving the
10784
For a primary server, a zone file in the
10785
<constant>raw</constant> format is expected to be
10786
generated from a textual zone file by the
10787
<command>named-compilezone</command> command. For a
10788
secondary server or for a dynamic zone, it is automatically
10789
generated (if this format is specified by the
10790
<command>masterfile-format</command> option) when
10791
<command>named</command> dumps the zone contents after
10792
zone transfer or when applying prior updates.
10795
If a zone file in a binary format needs manual modification,
10796
it first must be converted to a textual form by the
10797
<command>named-compilezone</command> command. All
10798
necessary modification should go to the text file, which
10799
should then be converted to the binary form by the
10800
<command>named-compilezone</command> command again.
10803
Although the <constant>raw</constant> format uses the
10804
network byte order and avoids architecture-dependent
10805
data alignment so that it is as much portable as
10806
possible, it is primarily expected to be used inside
10807
the same single system. In order to export a zone
10808
file in the <constant>raw</constant> format or make a
10809
portable backup of the file, it is recommended to
10810
convert the file to the standard textual representation.
10816
<title>BIND9 Statistics</title>
10818
<acronym>BIND</acronym> 9 maintains lots of statistics
10819
information and provides several interfaces for users to
10820
get access to the statistics.
10821
The available statistics include all statistics counters
10822
that were available in <acronym>BIND</acronym> 8 and
10823
are meaningful in <acronym>BIND</acronym> 9,
10824
and other information that is considered useful.
10828
The statistics information is categorized into the following
10832
<informaltable frame="all">
10834
<colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
10835
<colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
10839
<entry colname="1">
10840
<para>Incoming Requests</para>
10842
<entry colname="2">
10844
The number of incoming DNS requests for each OPCODE.
10850
<entry colname="1">
10851
<para>Incoming Queries</para>
10853
<entry colname="2">
10855
The number of incoming queries for each RR type.
10861
<entry colname="1">
10862
<para>Outgoing Queries</para>
10864
<entry colname="2">
10866
The number of outgoing queries for each RR
10867
type sent from the internal resolver.
10868
Maintained per view.
10874
<entry colname="1">
10875
<para>Name Server Statistics</para>
10877
<entry colname="2">
10879
Statistics counters about incoming request processing.
10885
<entry colname="1">
10886
<para>Zone Maintenance Statistics</para>
10888
<entry colname="2">
10890
Statistics counters regarding zone maintenance
10891
operations such as zone transfers.
10897
<entry colname="1">
10898
<para>Resolver Statistics</para>
10900
<entry colname="2">
10902
Statistics counters about name resolution
10903
performed in the internal resolver.
10904
Maintained per view.
10910
<entry colname="1">
10911
<para>Cache DB RRsets</para>
10913
<entry colname="2">
10915
The number of RRsets per RR type (positive
10916
or negative) and nonexistent names stored in the
10918
Maintained per view.
10928
A subset of Name Server Statistics is collected and shown
10929
per zone for which the server has the authority when
10930
<command>zone-statistics</command> is set to
10931
<userinput>yes</userinput>.
10932
These statistics counters are shown with their zone and view
10934
In some cases the view names are omitted for the default view.
10938
There are currently two user interfaces to get access to the
10940
One is in the plain text format dumped to the file specified
10941
by the <command>statistics-file</command> configuration option.
10942
The other is remotely accessible via a statistics channel
10943
when the <command>statistics-channels</command> statement
10944
is specified in the configuration file
10945
(see <xref linkend="statschannels"/>.)
10948
<sect3 id="statsfile">
10949
<title>The Statistics File</title>
10951
The text format statistics dump begins with a line, like:
10954
<command>+++ Statistics Dump +++ (973798949)</command>
10957
The number in parentheses is a standard
10958
Unix-style timestamp, measured as seconds since January 1, 1970.
10961
that line is a set of statistics information, which is categorized
10962
as described above.
10963
Each section begins with a line, like:
10967
<command>++ Name Server Statistics ++</command>
10971
Each section consists of lines, each containing the statistics
10972
counter value followed by its textual description.
10973
See below for available counters.
10974
For brevity, counters that have a value of 0 are not shown
10975
in the statistics file.
10979
The statistics dump ends with the line where the
10980
number is identical to the number in the beginning line; for example:
10983
<command>--- Statistics Dump --- (973798949)</command>
10988
<title>Statistics Counters</title>
10990
The following tables summarize statistics counters that
10991
<acronym>BIND</acronym> 9 provides.
10992
For each row of the tables, the leftmost column is the
10993
abbreviated symbol name of that counter.
10994
These symbols are shown in the statistics information
10995
accessed via an HTTP statistics channel.
10996
The rightmost column gives the description of the counter,
10997
which is also shown in the statistics file
10998
(but, in this document, possibly with slight modification
10999
for better readability).
11000
Additional notes may also be provided in this column.
11001
When a middle column exists between these two columns,
11002
it gives the corresponding counter name of the
11003
<acronym>BIND</acronym> 8 statistics, if applicable.
11007
<title>Name Server Statistics Counters</title>
11009
<informaltable colsep="0" rowsep="0">
11010
<tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11011
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11012
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11013
<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11016
<entry colname="1">
11018
<emphasis>Symbol</emphasis>
11021
<entry colname="2">
11023
<emphasis>BIND8 Symbol</emphasis>
11026
<entry colname="3">
11028
<emphasis>Description</emphasis>
11034
<entry colname="1">
11035
<para><command>Requestv4</command></para>
11037
<entry colname="2">
11038
<para><command>RQ</command></para>
11040
<entry colname="3">
11042
IPv4 requests received.
11043
Note: this also counts non query requests.
11048
<entry colname="1">
11049
<para><command>Requestv6</command></para>
11051
<entry colname="2">
11052
<para><command>RQ</command></para>
11054
<entry colname="3">
11056
IPv6 requests received.
11057
Note: this also counts non query requests.
11062
<entry colname="1">
11063
<para><command>ReqEdns0</command></para>
11065
<entry colname="2">
11066
<para><command></command></para>
11068
<entry colname="3">
11070
Requests with EDNS(0) received.
11075
<entry colname="1">
11076
<para><command>ReqBadEDNSVer</command></para>
11078
<entry colname="2">
11079
<para><command></command></para>
11081
<entry colname="3">
11083
Requests with unsupported EDNS version received.
11088
<entry colname="1">
11089
<para><command>ReqTSIG</command></para>
11091
<entry colname="2">
11092
<para><command></command></para>
11094
<entry colname="3">
11096
Requests with TSIG received.
11101
<entry colname="1">
11102
<para><command>ReqSIG0</command></para>
11104
<entry colname="2">
11105
<para><command></command></para>
11107
<entry colname="3">
11109
Requests with SIG(0) received.
11114
<entry colname="1">
11115
<para><command>ReqBadSIG</command></para>
11117
<entry colname="2">
11118
<para><command></command></para>
11120
<entry colname="3">
11122
Requests with invalid (TSIG or SIG(0)) signature.
11127
<entry colname="1">
11128
<para><command>ReqTCP</command></para>
11130
<entry colname="2">
11131
<para><command>RTCP</command></para>
11133
<entry colname="3">
11135
TCP requests received.
11140
<entry colname="1">
11141
<para><command>AuthQryRej</command></para>
11143
<entry colname="2">
11144
<para><command>RUQ</command></para>
11146
<entry colname="3">
11148
Authoritative (non recursive) queries rejected.
11153
<entry colname="1">
11154
<para><command>RecQryRej</command></para>
11156
<entry colname="2">
11157
<para><command>RURQ</command></para>
11159
<entry colname="3">
11161
Recursive queries rejected.
11166
<entry colname="1">
11167
<para><command>XfrRej</command></para>
11169
<entry colname="2">
11170
<para><command>RUXFR</command></para>
11172
<entry colname="3">
11174
Zone transfer requests rejected.
11179
<entry colname="1">
11180
<para><command>UpdateRej</command></para>
11182
<entry colname="2">
11183
<para><command>RUUpd</command></para>
11185
<entry colname="3">
11187
Dynamic update requests rejected.
11192
<entry colname="1">
11193
<para><command>Response</command></para>
11195
<entry colname="2">
11196
<para><command>SAns</command></para>
11198
<entry colname="3">
11205
<entry colname="1">
11206
<para><command>RespTruncated</command></para>
11208
<entry colname="2">
11209
<para><command></command></para>
11211
<entry colname="3">
11213
Truncated responses sent.
11218
<entry colname="1">
11219
<para><command>RespEDNS0</command></para>
11221
<entry colname="2">
11222
<para><command></command></para>
11224
<entry colname="3">
11226
Responses with EDNS(0) sent.
11231
<entry colname="1">
11232
<para><command>RespTSIG</command></para>
11234
<entry colname="2">
11235
<para><command></command></para>
11237
<entry colname="3">
11239
Responses with TSIG sent.
11244
<entry colname="1">
11245
<para><command>RespSIG0</command></para>
11247
<entry colname="2">
11248
<para><command></command></para>
11250
<entry colname="3">
11252
Responses with SIG(0) sent.
11257
<entry colname="1">
11258
<para><command>QrySuccess</command></para>
11260
<entry colname="2">
11261
<para><command></command></para>
11263
<entry colname="3">
11265
Queries resulted in a successful answer.
11266
This means the query which returns a NOERROR response
11267
with at least one answer RR.
11268
This corresponds to the
11269
<command>success</command> counter
11270
of previous versions of
11271
<acronym>BIND</acronym> 9.
11276
<entry colname="1">
11277
<para><command>QryAuthAns</command></para>
11279
<entry colname="2">
11280
<para><command></command></para>
11282
<entry colname="3">
11284
Queries resulted in authoritative answer.
11289
<entry colname="1">
11290
<para><command>QryNoauthAns</command></para>
11292
<entry colname="2">
11293
<para><command>SNaAns</command></para>
11295
<entry colname="3">
11297
Queries resulted in non authoritative answer.
11302
<entry colname="1">
11303
<para><command>QryReferral</command></para>
11305
<entry colname="2">
11306
<para><command></command></para>
11308
<entry colname="3">
11310
Queries resulted in referral answer.
11311
This corresponds to the
11312
<command>referral</command> counter
11313
of previous versions of
11314
<acronym>BIND</acronym> 9.
11319
<entry colname="1">
11320
<para><command>QryNxrrset</command></para>
11322
<entry colname="2">
11323
<para><command></command></para>
11325
<entry colname="3">
11327
Queries resulted in NOERROR responses with no data.
11328
This corresponds to the
11329
<command>nxrrset</command> counter
11330
of previous versions of
11331
<acronym>BIND</acronym> 9.
11336
<entry colname="1">
11337
<para><command>QrySERVFAIL</command></para>
11339
<entry colname="2">
11340
<para><command>SFail</command></para>
11342
<entry colname="3">
11344
Queries resulted in SERVFAIL.
11349
<entry colname="1">
11350
<para><command>QryFORMERR</command></para>
11352
<entry colname="2">
11353
<para><command>SFErr</command></para>
11355
<entry colname="3">
11357
Queries resulted in FORMERR.
11362
<entry colname="1">
11363
<para><command>QryNXDOMAIN</command></para>
11365
<entry colname="2">
11366
<para><command>SNXD</command></para>
11368
<entry colname="3">
11370
Queries resulted in NXDOMAIN.
11371
This corresponds to the
11372
<command>nxdomain</command> counter
11373
of previous versions of
11374
<acronym>BIND</acronym> 9.
11379
<entry colname="1">
11380
<para><command>QryRecursion</command></para>
11382
<entry colname="2">
11383
<para><command>RFwdQ</command></para>
11385
<entry colname="3">
11387
Queries which caused the server
11388
to perform recursion in order to find the final answer.
11389
This corresponds to the
11390
<command>recursion</command> counter
11391
of previous versions of
11392
<acronym>BIND</acronym> 9.
11397
<entry colname="1">
11398
<para><command>QryDuplicate</command></para>
11400
<entry colname="2">
11401
<para><command>RDupQ</command></para>
11403
<entry colname="3">
11405
Queries which the server attempted to
11406
recurse but discovered an existing query with the same
11407
IP address, port, query ID, name, type and class
11408
already being processed.
11409
This corresponds to the
11410
<command>duplicate</command> counter
11411
of previous versions of
11412
<acronym>BIND</acronym> 9.
11417
<entry colname="1">
11418
<para><command>QryDropped</command></para>
11420
<entry colname="2">
11421
<para><command></command></para>
11423
<entry colname="3">
11425
Queries for which the server
11426
discovered an excessive number of existing
11427
recursive queries for the same name, type and
11428
class and were subsequently dropped.
11429
This corresponds to the
11430
<command>dropped</command> counter
11431
of previous versions of
11432
<acronym>BIND</acronym> 9.
11437
<entry colname="1">
11438
<para><command>QryFailure</command></para>
11440
<entry colname="2">
11441
<para><command></command></para>
11443
<entry colname="3">
11445
Other query failures.
11446
This corresponds to the
11447
<command>failure</command> counter
11448
of previous versions of
11449
<acronym>BIND</acronym> 9.
11454
<entry colname="1">
11455
<para><command>XfrReqDone</command></para>
11457
<entry colname="2">
11458
<para><command></command></para>
11460
<entry colname="3">
11462
Requested zone transfers completed.
11467
<entry colname="1">
11468
<para><command>UpdateReqFwd</command></para>
11470
<entry colname="2">
11471
<para><command></command></para>
11473
<entry colname="3">
11475
Update requests forwarded.
11480
<entry colname="1">
11481
<para><command>UpdateRespFwd</command></para>
11483
<entry colname="2">
11484
<para><command></command></para>
11486
<entry colname="3">
11488
Update responses forwarded.
11493
<entry colname="1">
11494
<para><command>UpdateFwdFail</command></para>
11496
<entry colname="2">
11497
<para><command></command></para>
11499
<entry colname="3">
11501
Dynamic update forward failed.
11506
<entry colname="1">
11507
<para><command>UpdateDone</command></para>
11509
<entry colname="2">
11510
<para><command></command></para>
11512
<entry colname="3">
11514
Dynamic updates completed.
11519
<entry colname="1">
11520
<para><command>UpdateFail</command></para>
11522
<entry colname="2">
11523
<para><command></command></para>
11525
<entry colname="3">
11527
Dynamic updates failed.
11532
<entry colname="1">
11533
<para><command>UpdateBadPrereq</command></para>
11535
<entry colname="2">
11536
<para><command></command></para>
11538
<entry colname="3">
11540
Dynamic updates rejected due to prerequisite failure.
11550
<title>Zone Maintenance Statistics Counters</title>
11552
<informaltable colsep="0" rowsep="0">
11553
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11554
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11555
<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
11558
<entry colname="1">
11560
<emphasis>Symbol</emphasis>
11563
<entry colname="2">
11565
<emphasis>Description</emphasis>
11571
<entry colname="1">
11572
<para><command>NotifyOutv4</command></para>
11574
<entry colname="2">
11576
IPv4 notifies sent.
11581
<entry colname="1">
11582
<para><command>NotifyOutv6</command></para>
11584
<entry colname="2">
11586
IPv6 notifies sent.
11591
<entry colname="1">
11592
<para><command>NotifyInv4</command></para>
11594
<entry colname="2">
11596
IPv4 notifies received.
11601
<entry colname="1">
11602
<para><command>NotifyInv6</command></para>
11604
<entry colname="2">
11606
IPv6 notifies received.
11611
<entry colname="1">
11612
<para><command>NotifyRej</command></para>
11614
<entry colname="2">
11616
Incoming notifies rejected.
11621
<entry colname="1">
11622
<para><command>SOAOutv4</command></para>
11624
<entry colname="2">
11626
IPv4 SOA queries sent.
11631
<entry colname="1">
11632
<para><command>SOAOutv6</command></para>
11634
<entry colname="2">
11636
IPv6 SOA queries sent.
11641
<entry colname="1">
11642
<para><command>AXFRReqv4</command></para>
11644
<entry colname="2">
11646
IPv4 AXFR requested.
11651
<entry colname="1">
11652
<para><command>AXFRReqv6</command></para>
11654
<entry colname="2">
11656
IPv6 AXFR requested.
11661
<entry colname="1">
11662
<para><command>IXFRReqv4</command></para>
11664
<entry colname="2">
11666
IPv4 IXFR requested.
11671
<entry colname="1">
11672
<para><command>IXFRReqv6</command></para>
11674
<entry colname="2">
11676
IPv6 IXFR requested.
11681
<entry colname="1">
11682
<para><command>XfrSuccess</command></para>
11684
<entry colname="2">
11686
Zone transfer requests succeeded.
11691
<entry colname="1">
11692
<para><command>XfrFail</command></para>
11694
<entry colname="2">
11696
Zone transfer requests failed.
11706
<title>Resolver Statistics Counters</title>
11708
<informaltable colsep="0" rowsep="0">
11709
<tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11710
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11711
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11712
<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11715
<entry colname="1">
11717
<emphasis>Symbol</emphasis>
11720
<entry colname="2">
11722
<emphasis>BIND8 Symbol</emphasis>
11725
<entry colname="3">
11727
<emphasis>Description</emphasis>
11734
<entry colname="1">
11735
<para><command>Queryv4</command></para>
11737
<entry colname="2">
11738
<para><command>SFwdQ</command></para>
11740
<entry colname="3">
11747
<entry colname="1">
11748
<para><command>Queryv6</command></para>
11750
<entry colname="2">
11751
<para><command>SFwdQ</command></para>
11753
<entry colname="3">
11760
<entry colname="1">
11761
<para><command>Responsev4</command></para>
11763
<entry colname="2">
11764
<para><command>RR</command></para>
11766
<entry colname="3">
11768
IPv4 responses received.
11773
<entry colname="1">
11774
<para><command>Responsev6</command></para>
11776
<entry colname="2">
11777
<para><command>RR</command></para>
11779
<entry colname="3">
11781
IPv6 responses received.
11786
<entry colname="1">
11787
<para><command>NXDOMAIN</command></para>
11789
<entry colname="2">
11790
<para><command>RNXD</command></para>
11792
<entry colname="3">
11799
<entry colname="1">
11800
<para><command>SERVFAIL</command></para>
11802
<entry colname="2">
11803
<para><command>RFail</command></para>
11805
<entry colname="3">
11812
<entry colname="1">
11813
<para><command>FORMERR</command></para>
11815
<entry colname="2">
11816
<para><command>RFErr</command></para>
11818
<entry colname="3">
11825
<entry colname="1">
11826
<para><command>OtherError</command></para>
11828
<entry colname="2">
11829
<para><command>RErr</command></para>
11831
<entry colname="3">
11833
Other errors received.
11838
<entry colname="1">
11839
<para><command>EDNS0Fail</command></para>
11841
<entry colname="2">
11842
<para><command></command></para>
11844
<entry colname="3">
11846
EDNS(0) query failures.
11851
<entry colname="1">
11852
<para><command>Mismatch</command></para>
11854
<entry colname="2">
11855
<para><command>RDupR</command></para>
11857
<entry colname="3">
11859
Mismatch responses received.
11860
When shown via an HTTP statistics channel,
11861
this counter is shown in the
11862
Name Server Statistics section for brevity.
11867
<entry colname="1">
11868
<para><command>Truncated</command></para>
11870
<entry colname="2">
11871
<para><command></command></para>
11873
<entry colname="3">
11875
Truncated responses received.
11880
<entry colname="1">
11881
<para><command>Lame</command></para>
11883
<entry colname="2">
11884
<para><command>RLame</command></para>
11886
<entry colname="3">
11888
Lame delegations received.
11893
<entry colname="1">
11894
<para><command>Retry</command></para>
11896
<entry colname="2">
11897
<para><command>SDupQ</command></para>
11899
<entry colname="3">
11901
Query retries performed.
11906
<entry colname="1">
11907
<para><command>GlueFetchv4</command></para>
11909
<entry colname="2">
11910
<para><command>SSysQ</command></para>
11912
<entry colname="3">
11914
IPv4 NS address fetches invoked.
11919
<entry colname="1">
11920
<para><command>GlueFetchv6</command></para>
11922
<entry colname="2">
11923
<para><command>SSysQ</command></para>
11925
<entry colname="3">
11927
IPv6 NS address fetches invoked.
11932
<entry colname="1">
11933
<para><command>GlueFetchv4Fail</command></para>
11935
<entry colname="2">
11936
<para><command></command></para>
11938
<entry colname="3">
11940
IPv4 NS address fetch failed.
11945
<entry colname="1">
11946
<para><command>GlueFetchv6Fail</command></para>
11948
<entry colname="2">
11949
<para><command></command></para>
11951
<entry colname="3">
11953
IPv6 NS address fetch failed.
11958
<entry colname="1">
11959
<para><command>ValAttempt</command></para>
11961
<entry colname="2">
11962
<para><command></command></para>
11964
<entry colname="3">
11966
DNSSEC validation attempted.
11971
<entry colname="1">
11972
<para><command>ValOk</command></para>
11974
<entry colname="2">
11975
<para><command></command></para>
11977
<entry colname="3">
11979
DNSSEC validation succeeded.
11984
<entry colname="1">
11985
<para><command>ValNegOk</command></para>
11987
<entry colname="2">
11988
<para><command></command></para>
11990
<entry colname="3">
11992
DNSSEC validation on negative information succeeded.
11997
<entry colname="1">
11998
<para><command>ValFail</command></para>
12000
<entry colname="2">
12001
<para><command></command></para>
12003
<entry colname="3">
12005
DNSSEC validation failed.
12017
<title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
12019
Most statistics counters that were available
12020
in <command>BIND</command> 8 are also supported in
12021
<command>BIND</command> 9 as shown in the above tables.
12022
Here are notes about other counters that do not appear
12028
<term><command>RFwdR,SFwdR</command></term>
12031
These counters are not supported
12032
because <command>BIND</command> 9 does not adopt
12033
the notion of <emphasis>forwarding</emphasis>
12034
as <command>BIND</command> 8 did.
12040
<term><command>RAXFR</command></term>
12043
This counter is accessible in the Incoming Queries section.
12049
<term><command>RIQ</command></term>
12052
This counter is accessible in the Incoming Requests section.
12058
<term><command>ROpts</command></term>
12061
This counter is not supported
12062
because <command>BIND</command> 9 does not care
12063
about IP options in the first place.
12069
<term><command>SErr</command></term>
12072
This counter could be implemented, but is not yet
12084
<chapter id="Bv9ARM.ch07">
12085
<title><acronym>BIND</acronym> 9 Security Considerations</title>
12086
<sect1 id="Access_Control_Lists">
12087
<title>Access Control Lists</title>
12089
Access Control Lists (ACLs), are address match lists that
12090
you can set up and nickname for future use in <command>allow-notify</command>,
12091
<command>allow-query</command>, <command>allow-query-on</command>,
12092
<command>allow-recursion</command>, <command>allow-recursion-on</command>,
12093
<command>blackhole</command>, <command>allow-transfer</command>,
12097
Using ACLs allows you to have finer control over who can access
12098
your name server, without cluttering up your config files with huge
12099
lists of IP addresses.
12102
It is a <emphasis>good idea</emphasis> to use ACLs, and to
12103
control access to your server. Limiting access to your server by
12104
outside parties can help prevent spoofing and denial of service (DoS) attacks against
12108
Here is an example of how to properly apply ACLs:
5725
12111
<programlisting>
5726
// Set up an ACL named "bogusnets" that will block RFC1918 space,
5727
// which is commonly used in spoofing attacks.
5728
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
12112
// Set up an ACL named "bogusnets" that will block RFC1918 space
12113
// and some reserved space, which is commonly used in spoofing attacks.
12115
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
12116
10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
5729
12119
// Set up an ACL called our-nets. Replace this with the real IP numbers.
5730
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
12120
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
5737
12127
blackhole { bogusnets; };
5740
12131
zone "example.com" {
5742
12133
file "m/example.com";
5743
12134
allow-query { any; };
5745
12136
</programlisting>
5746
<para>This allows recursive queries of the server from the outside
5747
unless recursion has been previously disabled.</para>
5748
<para>For more information on how to use ACLs to protect your server,
5749
see the <emphasis>AUSCERT</emphasis> advisory at
5750
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
5751
<sect1><title><command>chroot</command> and <command>setuid</command> (for
5752
UNIX servers)</title>
5753
<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
5754
(<command>chroot()</command>) by specifying the "<option>-t</option>"
5755
option. This can help improve system security by placing <acronym>BIND</acronym> in
5756
a "sandbox", which will limit the damage done if a server is compromised.</para>
5757
<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
5758
ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
5759
We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
5760
<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
5761
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
5763
<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
5765
<sect2><title>The <command>chroot</command> Environment</title>
5767
<para>In order for a <command>chroot()</command> environment to
5768
work properly in a particular directory
5769
(for example, <filename>/var/named</filename>),
5770
you will need to set up an environment that includes everything
5771
<acronym>BIND</acronym> needs to run.
5772
From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
5773
the root of the filesystem. You will need to adjust the values of options like
5774
like <command>directory</command> and <command>pid-file</command> to account
5778
Unlike with earlier versions of BIND, you will typically
5779
<emphasis>not</emphasis> need to compile <command>named</command>
5780
statically nor install shared libraries under the new root.
5781
However, depending on your operating system, you may need
5782
to set up things like
5783
<filename>/dev/zero</filename>,
5784
<filename>/dev/random</filename>,
5785
<filename>/dev/log</filename>, and/or
5786
<filename>/etc/localtime</filename>.
5790
<sect2><title>Using the <command>setuid</command> Function</title>
5792
<para>Prior to running the <command>named</command> daemon, use
5793
the <command>touch</command> utility (to change file access and
5794
modification times) or the <command>chown</command> utility (to
5795
set the user id and/or group id) on files
5796
to which you want <acronym>BIND</acronym>
5797
to write. Note that if the <command>named</command> daemon is running as an
5798
unprivileged user, it will not be able to bind to new restricted ports if the
5799
server is reloaded.</para>
5803
<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
5805
<para>Access to the dynamic
5806
update facility should be strictly limited. In earlier versions of
5807
<acronym>BIND</acronym> the only way to do this was based on the IP
5808
address of the host requesting the update, by listing an IP address or
5809
network prefix in the <command>allow-update</command> zone option.
5810
This method is insecure since the source address of the update UDP packet
5811
is easily forged. Also note that if the IP addresses allowed by the
5812
<command>allow-update</command> option include the address of a slave
5813
server which performs forwarding of dynamic updates, the master can be
5814
trivially attacked by sending the update to the slave, which will
5815
forward it to the master with its own source IP address causing the
5816
master to approve it without question.</para>
5818
<para>For these reasons, we strongly recommend that updates be
5819
cryptographically authenticated by means of transaction signatures
5820
(TSIG). That is, the <command>allow-update</command> option should
5821
list only TSIG key names, not IP addresses or network
5822
prefixes. Alternatively, the new <command>update-policy</command>
5823
option can be used.</para>
5825
<para>Some sites choose to keep all dynamically updated DNS data
5826
in a subdomain and delegate that subdomain to a separate zone. This
5827
way, the top-level zone containing critical data such as the IP addresses
5828
of public web and mail servers need not allow dynamic update at
5833
<chapter id="Bv9ARM.ch08">
5834
<title>Troubleshooting</title>
5836
<title>Common Problems</title>
5838
<title>It's not working; how can I figure out what's wrong?</title>
5840
<para>The best solution to solving installation and
5841
configuration issues is to take preventative measures by setting
5842
up logging files beforehand. The log files provide a
5843
source of hints and information that can be used to figure out
5844
what went wrong and how to fix the problem.</para>
5849
<title>Incrementing and Changing the Serial Number</title>
5851
<para>Zone serial numbers are just numbers-they aren't date
5852
related. A lot of people set them to a number that represents a
5853
date, usually of the form YYYYMMDDRR. A number of people have been
5854
testing these numbers for Y2K compliance and have set the number
5855
to the year 2000 to see if it will work. They then try to restore
5856
the old serial number. This will cause problems because serial
5857
numbers are used to indicate that a zone has been updated. If the
5858
serial number on the slave server is lower than the serial number
5859
on the master, the slave server will attempt to update its copy of
5862
<para>Setting the serial number to a lower number on the master
5863
server than the slave server means that the slave will not perform
5864
updates to its copy of the zone.</para>
5866
<para>The solution to this is to add 2147483647 (2^31-1) to the
5867
number, reload the zone and make sure all slaves have updated to
5868
the new zone serial number, then reset the number to what you want
5869
it to be, and reload the zone again.</para>
5873
<title>Where Can I Get Help?</title>
5875
<para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
5876
of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
5877
levels of premium support are available and each level includes
5878
support for all <acronym>ISC</acronym> programs, significant discounts on products
5879
and training, and a recognized priority on bug fixes and
5880
non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
5881
support agreement package which includes services ranging from bug
5882
fix announcements to remote support. It also includes training in
5883
<acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
5885
<para>To discuss arrangements for support, contact
5886
<ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
5887
<acronym>ISC</acronym> web page at <ulink
5888
url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
5889
to read more.</para>
5892
<appendix id="Bv9ARM.ch09">
5893
<title>Appendices</title>
5895
<title>Acknowledgments</title>
5897
<title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
5899
<para>Although the "official" beginning of the Domain Name
5900
System occurred in 1984 with the publication of RFC 920, the
5901
core of the new system was described in 1983 in RFCs 882 and
5902
883. From 1984 to 1987, the ARPAnet (the precursor to today's
5903
Internet) became a testbed of experimentation for developing the
5904
new naming/addressing scheme in an rapidly expanding,
5905
operational network environment. New RFCs were written and
5906
published in 1987 that modified the original documents to
5907
incorporate improvements based on the working model. RFC 1034,
5908
"Domain Names-Concepts and Facilities", and RFC 1035, "Domain
5909
Names-Implementation and Specification" were published and
5910
became the standards upon which all <acronym>DNS</acronym> implementations are
5914
<para>The first working domain name server, called "Jeeves", was
5915
written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
5916
machines located at the University of Southern California's Information
5917
Sciences Institute (USC-ISI) and SRI International's Network Information
5918
Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
5919
Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
5920
graduate students at the University of California at Berkeley under
5921
a grant from the US Defense Advanced Research Projects Administration
5922
(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
5923
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
5924
Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
5925
project team. After that, additional work on the software package
5926
was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
5927
employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
5928
to 1987. Many other people also contributed to <acronym>BIND</acronym> development
5929
during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
5930
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
5931
handled by Mike Karels and O. Kure.</para>
5932
<para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
5933
Corporation (now Compaq Computer Corporation). Paul Vixie, then
5934
a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
5935
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
5936
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
5937
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
5938
Wolfhugel, and others.</para>
5939
<para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
5940
Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
5941
<para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
5942
by the Internet Software Consortium with support being provided
5943
by ISC's sponsors. As co-architects/programmers, Bob Halley and
5944
Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
5945
8 in May 1997.</para>
5946
<para><acronym>BIND</acronym> development work is made possible today by the sponsorship
5947
of several corporations, and by the tireless work efforts of numerous
5951
<sect1 id="historical_dns_information">
5953
<title>General <acronym>DNS</acronym> Reference Information</title>
5954
<sect2 id="ipv6addresses">
5955
<title>IPv6 addresses (AAAA)</title>
5956
<para>IPv6 addresses are 128-bit identifiers for interfaces and
5957
sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
5958
scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
5959
an identifier for a single interface; <emphasis>Anycast</emphasis>,
5960
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
5961
an identifier for a set of interfaces. Here we describe the global
5962
Unicast address scheme. For more information, see RFC 2374.</para>
5963
<para>The aggregatable global Unicast address format is as follows:</para>
5964
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
5965
colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
5966
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
5967
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
5968
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
5969
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
5970
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
5971
<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
5974
<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
5975
<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
5976
<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
5977
<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
5978
<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
5979
<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
5982
<entry colname = "1" colsep = "1"><para>FP</para></entry>
5983
<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
5984
<entry colname = "3" colsep = "1"><para>RES</para></entry>
5985
<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
5986
<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
5987
<entry colname = "6"><para>Interface ID</para></entry>
5990
<entry nameend = "4" namest = "1"><para><------ Public Topology
5991
------></para></entry>
5992
<entry colname = "5"><para></para></entry>
5993
<entry colname = "6"><para></para></entry>
5996
<entry colname = "1"><para></para></entry>
5997
<entry colname = "2"><para></para></entry>
5998
<entry colname = "3"><para></para></entry>
5999
<entry colname = "4"><para></para></entry>
6000
<entry colname = "5"><para><-Site Topology-></para></entry>
6001
<entry colname = "6"><para></para></entry>
6004
<entry colname = "1"><para></para></entry>
6005
<entry colname = "2"><para></para></entry>
6006
<entry colname = "3"><para></para></entry>
6007
<entry colname = "4"><para></para></entry>
6008
<entry colname = "5"><para></para></entry>
6009
<entry colname = "6"><para><------ Interface Identifier ------></para></entry>
6012
</tgroup></informaltable>
6014
<informaltable colsep = "0" rowsep = "0"><tgroup
6015
cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
6016
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
6017
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
6018
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
6021
<entry colname = "1"><para>FP</para></entry>
6022
<entry colname = "2"><para>=</para></entry>
6023
<entry colname = "3"><para>Format Prefix (001)</para></entry>
6026
<entry colname = "1"><para>TLA ID</para></entry>
6027
<entry colname = "2"><para>=</para></entry>
6028
<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
6031
<entry colname = "1"><para>RES</para></entry>
6032
<entry colname = "2"><para>=</para></entry>
6033
<entry colname = "3"><para>Reserved for future use</para></entry>
6036
<entry colname = "1"><para>NLA ID</para></entry>
6037
<entry colname = "2"><para>=</para></entry>
6038
<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
6041
<entry colname = "1"><para>SLA ID</para></entry>
6042
<entry colname = "2"><para>=</para></entry>
6043
<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
6046
<entry colname = "1"><para>INTERFACE ID</para></entry>
6047
<entry colname = "2"><para>=</para></entry>
6048
<entry colname = "3"><para>Interface Identifier</para></entry>
6051
</tgroup></informaltable></para>
6052
<para>The <emphasis>Public Topology</emphasis> is provided by the
6053
upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
6054
of the address range. The <emphasis>Site Topology</emphasis> is
6055
where you can subnet this space, much the same as subnetting an
6056
IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
6057
the address of an individual interface on a given network. (With
6058
IPv6, addresses belong to interfaces rather than machines.)</para>
6059
<para>The subnetting capability of IPv6 is much more flexible than
6060
that of IPv4: subnetting can now be carried out on bit boundaries,
6061
in much the same way as Classless InterDomain Routing (CIDR).</para>
6062
<para>The Interface Identifier must be unique on that network. On
6063
ethernet networks, one way to ensure this is to set the address
6064
to the first three bytes of the hardware address, "FFFE", then the
6065
last three bytes of the hardware address. The lowest significant
6066
bit of the first byte should then be complemented. Addresses are
6067
written as 32-bit blocks separated with a colon, and leading zeros
6068
of a block may be omitted, for example:</para>
6069
<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
6070
<para>IPv6 address specifications are likely to contain long strings
6071
of zeros, so the architects have included a shorthand for specifying
6072
them. The double colon (`::') indicates the longest possible string
6073
of zeros that can fit, and can be used only once in an address.</para>
6076
<sect1 id="bibliography">
6077
<title>Bibliography (and Suggested Reading)</title>
6079
<title>Request for Comments (RFCs)</title>
6080
<para>Specification documents for the Internet protocol suite, including
6081
the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
6082
series of technical notes. The standards themselves are defined
6083
by the Internet Engineering Task Force (IETF) and the Internet Engineering
6084
Steering Group (IESG). RFCs can be obtained online via FTP at
6085
<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
6086
the number of the RFC). RFCs are also available via the Web at
6087
<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
6091
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
6092
<title>Standards</title>
6094
<abbrev>RFC974</abbrev>
6096
<surname>Partridge</surname>
6097
<firstname>C.</firstname>
6099
<title>Mail Routing and the Domain System</title>
6100
<pubdate>January 1986</pubdate>
6103
<abbrev>RFC1034</abbrev>
6105
<surname>Mockapetris</surname>
6106
<firstname>P.V.</firstname>
6108
<title>Domain Names — Concepts and Facilities</title>
6109
<pubdate>November 1987</pubdate>
6112
<abbrev>RFC1035</abbrev>
6114
<surname>Mockapetris</surname>
6115
<firstname>P. V.</firstname>
6116
</author> <title>Domain Names — Implementation and
6117
Specification</title>
6118
<pubdate>November 1987</pubdate>
6121
<bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
6123
<title>Proposed Standards</title>
6124
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
6126
<abbrev>RFC2181</abbrev>
6128
<surname>Elz</surname>
6129
<firstname>R., R. Bush</firstname>
6131
<title>Clarifications to the <acronym>DNS</acronym> Specification</title>
6132
<pubdate>July 1997</pubdate>
6135
<abbrev>RFC2308</abbrev>
6137
<surname>Andrews</surname>
6138
<firstname>M.</firstname>
6140
<title>Negative Caching of <acronym>DNS</acronym> Queries</title>
6141
<pubdate>March 1998</pubdate>
6144
<abbrev>RFC1995</abbrev>
6146
<surname>Ohta</surname>
6147
<firstname>M.</firstname>
6149
<title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
6150
<pubdate>August 1996</pubdate>
6153
<abbrev>RFC1996</abbrev>
6155
<surname>Vixie</surname>
6156
<firstname>P.</firstname>
6158
<title>A Mechanism for Prompt Notification of Zone Changes</title>
6159
<pubdate>August 1996</pubdate>
6162
<abbrev>RFC2136</abbrev>
6165
<surname>Vixie</surname>
6166
<firstname>P.</firstname>
6169
<firstname>S.</firstname>
6170
<surname>Thomson</surname>
6173
<firstname>Y.</firstname>
6174
<surname>Rekhter</surname>
6177
<firstname>J.</firstname>
6178
<surname>Bound</surname>
6181
<title>Dynamic Updates in the Domain Name System</title>
6182
<pubdate>April 1997</pubdate>
6185
<abbrev>RFC2845</abbrev>
6188
<surname>Vixie</surname>
6189
<firstname>P.</firstname>
6192
<firstname>O.</firstname>
6193
<surname>Gudmundsson</surname>
6196
<firstname>D.</firstname>
6197
<surname>Eastlake</surname>
6198
<lineage>3rd</lineage></author>
6200
<firstname>B.</firstname>
6201
<surname>Wellington</surname>
6202
</author></authorgroup>
6203
<title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
6204
<pubdate>May 2000</pubdate>
6208
<title>Proposed Standards Still Under Development</title>
6210
<para><emphasis>Note:</emphasis> the following list of
6211
RFCs are undergoing major revision by the IETF.</para>
6214
<abbrev>RFC1886</abbrev>
6217
<surname>Thomson</surname>
6218
<firstname>S.</firstname>
6221
<firstname>C.</firstname>
6222
<surname>Huitema</surname>
6225
<title><acronym>DNS</acronym> Extensions to support IP version 6</title>
6226
<pubdate>December 1995</pubdate>
6229
<abbrev>RFC2065</abbrev>
6232
<surname>Eastlake</surname>
6233
<lineage>3rd</lineage>
6234
<firstname>D.</firstname>
6237
<firstname>C.</firstname>
6238
<surname>Kaufman</surname>
6241
<title>Domain Name System Security Extensions</title>
6242
<pubdate>January 1997</pubdate>
6245
<abbrev>RFC2137</abbrev>
6247
<surname>Eastlake</surname>
6248
<lineage>3rd</lineage>
6249
<firstname>D.</firstname>
6251
<title>Secure Domain Name System Dynamic Update</title>
6252
<pubdate>April 1997</pubdate>
6256
<title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
6258
<abbrev>RFC1535</abbrev>
6260
<surname>Gavron</surname>
6261
<firstname>E.</firstname>
6263
<title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
6264
<pubdate>October 1993</pubdate>
6267
<abbrev>RFC1536</abbrev>
6270
<surname>Kumar</surname>
6271
<firstname>A.</firstname>
6274
<firstname>J.</firstname>
6275
<surname>Postel</surname>
6278
<firstname>C.</firstname>
6279
<surname>Neuman</surname></author>
6281
<firstname>P.</firstname>
6282
<surname>Danzig</surname>
6285
<firstname>S.</firstname>
6286
<surname>Miller</surname>
6289
<title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
6290
<pubdate>October 1993</pubdate>
6293
<abbrev>RFC1982</abbrev>
6296
<surname>Elz</surname>
6297
<firstname>R.</firstname>
6300
<firstname>R.</firstname>
6301
<surname>Bush</surname>
6304
<title>Serial Number Arithmetic</title>
6305
<pubdate>August 1996</pubdate>
6309
<title>Resource Record Types</title>
6311
<abbrev>RFC1183</abbrev>
6314
<surname>Everhart</surname>
6315
<firstname>C.F.</firstname>
6318
<firstname>L. A.</firstname>
6319
<surname>Mamakos</surname>
6322
<firstname>R.</firstname>
6323
<surname>Ullmann</surname>
6326
<firstname>P.</firstname>
6327
<surname>Mockapetris</surname>
6330
<title>New <acronym>DNS</acronym> RR Definitions</title>
6331
<pubdate>October 1990</pubdate>
6334
<abbrev>RFC1706</abbrev>
6337
<surname>Manning</surname>
6338
<firstname>B.</firstname>
6341
<firstname>R.</firstname>
6342
<surname>Colella</surname>
6345
<title><acronym>DNS</acronym> NSAP Resource Records</title>
6346
<pubdate>October 1994</pubdate>
6349
<abbrev>RFC2168</abbrev>
6352
<surname>Daniel</surname>
6353
<firstname>R.</firstname>
6356
<firstname>M.</firstname>
6357
<surname>Mealling</surname>
6360
<title>Resolution of Uniform Resource Identifiers using
6361
the Domain Name System</title>
6362
<pubdate>June 1997</pubdate>
6365
<abbrev>RFC1876</abbrev>
6368
<surname>Davis</surname>
6369
<firstname>C.</firstname>
6372
<firstname>P.</firstname>
6373
<surname>Vixie</surname>
6376
<firstname>T.</firstname>
6377
<firstname>Goodwin</firstname>
6380
<firstname>I.</firstname>
6381
<surname>Dickinson</surname>
6384
<title>A Means for Expressing Location Information in the Domain
6386
<pubdate>January 1996</pubdate>
6389
<abbrev>RFC2052</abbrev>
6392
<surname>Gulbrandsen</surname>
6393
<firstname>A.</firstname>
6396
<firstname>P.</firstname>
6397
<surname>Vixie</surname>
6400
<title>A <acronym>DNS</acronym> RR for Specifying the Location of
6402
<pubdate>October 1996</pubdate>
6405
<abbrev>RFC2163</abbrev>
6407
<surname>Allocchio</surname>
6408
<firstname>A.</firstname>
6410
<title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
6411
Conformant Global Address Mapping</title>
6412
<pubdate>January 1998</pubdate>
6415
<abbrev>RFC2230</abbrev>
6417
<surname>Atkinson</surname>
6418
<firstname>R.</firstname>
6420
<title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
6421
<pubdate>October 1997</pubdate>
6425
<title><acronym>DNS</acronym> and the Internet</title>
6427
<abbrev>RFC1101</abbrev>
6429
<surname>Mockapetris</surname>
6430
<firstname>P. V.</firstname>
6432
<title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
6433
<pubdate>April 1989</pubdate>
6436
<abbrev>RFC1123</abbrev>
6438
<surname>Braden</surname>
6439
<surname>R.</surname>
6441
<title>Requirements for Internet Hosts - Application and Support</title>
6442
<pubdate>October 1989</pubdate>
6445
<abbrev>RFC1591</abbrev>
6447
<surname>Postel</surname>
6448
<firstname>J.</firstname></author>
6449
<title>Domain Name System Structure and Delegation</title>
6450
<pubdate>March 1994</pubdate></biblioentry>
6452
<abbrev>RFC2317</abbrev>
6455
<surname>Eidnes</surname>
6456
<firstname>H.</firstname>
6459
<firstname>G.</firstname>
6460
<surname>de Groot</surname>
6463
<firstname>P.</firstname>
6464
<surname>Vixie</surname>
6467
<title>Classless IN-ADDR.ARPA Delegation</title>
6468
<pubdate>March 1998</pubdate>
6472
<title><acronym>DNS</acronym> Operations</title>
6474
<abbrev>RFC1537</abbrev>
6476
<surname>Beertema</surname>
6477
<firstname>P.</firstname>
6479
<title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
6480
<pubdate>October 1993</pubdate>
6483
<abbrev>RFC1912</abbrev>
6485
<surname>Barr</surname>
6486
<firstname>D.</firstname>
6488
<title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
6489
<pubdate>February 1996</pubdate>
6492
<abbrev>RFC2010</abbrev>
6495
<surname>Manning</surname>
6496
<firstname>B.</firstname>
6499
<firstname>P.</firstname>
6500
<surname>Vixie</surname>
6503
<title>Operational Criteria for Root Name Servers.</title>
6504
<pubdate>October 1996</pubdate>
6507
<abbrev>RFC2219</abbrev>
6510
<surname>Hamilton</surname>
6511
<firstname>M.</firstname>
6514
<firstname>R.</firstname>
6515
<surname>Wright</surname>
6518
<title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
6519
<pubdate>October 1997</pubdate>
6523
<title>Other <acronym>DNS</acronym>-related RFCs</title>
6525
<para>Note: the following list of RFCs, although
6526
<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
6529
<abbrev>RFC1464</abbrev>
6531
<surname>Rosenbaum</surname>
6532
<firstname>R.</firstname>
6534
<title>Using the Domain Name System To Store Arbitrary String Attributes</title>
6535
<pubdate>May 1993</pubdate>
6538
<abbrev>RFC1713</abbrev>
6540
<surname>Romao</surname>
6541
<firstname>A.</firstname>
6543
<title>Tools for <acronym>DNS</acronym> Debugging</title>
6544
<pubdate>November 1994</pubdate></biblioentry>
6546
<abbrev>RFC1794</abbrev>
6548
<surname>Brisco</surname>
6549
<firstname>T.</firstname>
6551
<title><acronym>DNS</acronym> Support for Load Balancing</title>
6552
<pubdate>April 1995</pubdate>
6555
<abbrev>RFC2240</abbrev>
6557
<surname>Vaughan</surname>
6558
<firstname>O.</firstname></author>
6559
<title>A Legal Basis for Domain Name Allocation</title>
6560
<pubdate>November 1997</pubdate>
6563
<abbrev>RFC2345</abbrev>
6566
<surname>Klensin</surname>
6567
<firstname>J.</firstname>
6570
<firstname>T.</firstname>
6571
<surname>Wolf</surname>
6574
<firstname>G.</firstname>
6575
<surname>Oglesby</surname>
6578
<title>Domain Names and Company Name Retrieval</title>
6579
<pubdate>May 1998</pubdate>
6582
<abbrev>RFC2352</abbrev>
6584
<surname>Vaughan</surname>
6585
<firstname>O.</firstname>
6587
<title>A Convention For Using Legal Names as Domain Names</title>
6588
<pubdate>May 1998</pubdate>
6592
<title>Obsolete and Unimplemented Experimental RRs</title>
6594
<abbrev>RFC1712</abbrev>
6597
<surname>Farrell</surname>
6598
<firstname>C.</firstname>
6601
<firstname>M.</firstname>
6602
<surname>Schulze</surname>
6605
<firstname>S.</firstname>
6606
<surname>Pleitner</surname>
6609
<firstname>D.</firstname>
6610
<surname>Baldoni</surname>
6613
<title><acronym>DNS</acronym> Encoding of Geographical
6615
<pubdate>November 1994</pubdate>
6620
<sect2 id="internet_drafts">
6621
<title>Internet Drafts</title>
6622
<para>Internet Drafts (IDs) are rough-draft working documents of
6623
the Internet Engineering Task Force. They are, in essence, RFCs
6624
in the preliminary stages of development. Implementors are cautioned not
6625
to regard IDs as archival, and they should not be quoted or cited
6626
in any formal documents unless accompanied by the disclaimer that
6627
they are "works in progress." IDs have a lifespan of six months
6628
after which they are deleted unless updated by their authors.
6632
<title>Other Documents About <acronym>BIND</acronym></title>
6638
<surname>Albitz</surname>
6639
<firstname>Paul</firstname>
6642
<firstname>Cricket</firstname>
6643
<surname>Liu</surname>
6646
<title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
6649
<holder>Sebastopol, CA: O'Reilly and Associates</holder>
12139
This allows recursive queries of the server from the outside
12140
unless recursion has been previously disabled.
12143
For more information on how to use ACLs to protect your server,
12144
see the <emphasis>AUSCERT</emphasis> advisory at:
12147
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
12148
>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
12152
<title><command>Chroot</command> and <command>Setuid</command></title>
12154
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
12155
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
12156
option. This can help improve system security by placing <acronym>BIND</acronym> in
12157
a "sandbox", which will limit the damage done if a server is
12161
Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
12162
ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
12163
We suggest running as an unprivileged user when using the <command>chroot</command> feature.
12166
Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
12167
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
12171
<userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
12175
<title>The <command>chroot</command> Environment</title>
12178
In order for a <command>chroot</command> environment
12180
work properly in a particular directory
12181
(for example, <filename>/var/named</filename>),
12182
you will need to set up an environment that includes everything
12183
<acronym>BIND</acronym> needs to run.
12184
From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
12185
the root of the filesystem. You will need to adjust the values of
12187
like <command>directory</command> and <command>pid-file</command> to account
12191
Unlike with earlier versions of BIND, you typically will
12192
<emphasis>not</emphasis> need to compile <command>named</command>
12193
statically nor install shared libraries under the new root.
12194
However, depending on your operating system, you may need
12195
to set up things like
12196
<filename>/dev/zero</filename>,
12197
<filename>/dev/random</filename>,
12198
<filename>/dev/log</filename>, and
12199
<filename>/etc/localtime</filename>.
12204
<title>Using the <command>setuid</command> Function</title>
12207
Prior to running the <command>named</command> daemon,
12209
the <command>touch</command> utility (to change file
12211
modification times) or the <command>chown</command>
12213
set the user id and/or group id) on files
12214
to which you want <acronym>BIND</acronym>
12218
Note that if the <command>named</command> daemon is running as an
12219
unprivileged user, it will not be able to bind to new restricted
12220
ports if the server is reloaded.
12225
<sect1 id="dynamic_update_security">
12226
<title>Dynamic Update Security</title>
12229
Access to the dynamic
12230
update facility should be strictly limited. In earlier versions of
12231
<acronym>BIND</acronym>, the only way to do this was
12233
address of the host requesting the update, by listing an IP address
12235
network prefix in the <command>allow-update</command>
12237
This method is insecure since the source address of the update UDP
12239
is easily forged. Also note that if the IP addresses allowed by the
12240
<command>allow-update</command> option include the
12242
server which performs forwarding of dynamic updates, the master can
12244
trivially attacked by sending the update to the slave, which will
12245
forward it to the master with its own source IP address causing the
12246
master to approve it without question.
12250
For these reasons, we strongly recommend that updates be
12251
cryptographically authenticated by means of transaction signatures
12252
(TSIG). That is, the <command>allow-update</command>
12254
list only TSIG key names, not IP addresses or network
12255
prefixes. Alternatively, the new <command>update-policy</command>
12256
option can be used.
12260
Some sites choose to keep all dynamically-updated DNS data
12261
in a subdomain and delegate that subdomain to a separate zone. This
12262
way, the top-level zone containing critical data such as the IP
12264
of public web and mail servers need not allow dynamic update at
12271
<chapter id="Bv9ARM.ch08">
12272
<title>Troubleshooting</title>
12274
<title>Common Problems</title>
12276
<title>It's not working; how can I figure out what's wrong?</title>
12279
The best solution to solving installation and
12280
configuration issues is to take preventative measures by setting
12281
up logging files beforehand. The log files provide a
12282
source of hints and information that can be used to figure out
12283
what went wrong and how to fix the problem.
12289
<title>Incrementing and Changing the Serial Number</title>
12292
Zone serial numbers are just numbers — they aren't
12293
date related. A lot of people set them to a number that
12294
represents a date, usually of the form YYYYMMDDRR.
12295
Occasionally they will make a mistake and set them to a
12296
"date in the future" then try to correct them by setting
12297
them to the "current date". This causes problems because
12298
serial numbers are used to indicate that a zone has been
12299
updated. If the serial number on the slave server is
12300
lower than the serial number on the master, the slave
12301
server will attempt to update its copy of the zone.
12305
Setting the serial number to a lower number on the master
12306
server than the slave server means that the slave will not perform
12307
updates to its copy of the zone.
12311
The solution to this is to add 2147483647 (2^31-1) to the
12312
number, reload the zone and make sure all slaves have updated to
12313
the new zone serial number, then reset the number to what you want
12314
it to be, and reload the zone again.
12319
<title>Where Can I Get Help?</title>
12322
The Internet Systems Consortium
12323
(<acronym>ISC</acronym>) offers a wide range
12324
of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
12325
levels of premium support are available and each level includes
12326
support for all <acronym>ISC</acronym> programs,
12327
significant discounts on products
12328
and training, and a recognized priority on bug fixes and
12329
non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
12330
support agreement package which includes services ranging from bug
12331
fix announcements to remote support. It also includes training in
12332
<acronym>BIND</acronym> and <acronym>DHCP</acronym>.
12336
To discuss arrangements for support, contact
12337
<ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
12338
<acronym>ISC</acronym> web page at
12339
<ulink url="http://www.isc.org/services/support/"
12340
>http://www.isc.org/services/support/</ulink>
12345
<appendix id="Bv9ARM.ch09">
12346
<title>Appendices</title>
12348
<title>Acknowledgments</title>
12349
<sect2 id="historical_dns_information">
12350
<title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
12353
Although the "official" beginning of the Domain Name
12354
System occurred in 1984 with the publication of RFC 920, the
12355
core of the new system was described in 1983 in RFCs 882 and
12356
883. From 1984 to 1987, the ARPAnet (the precursor to today's
12357
Internet) became a testbed of experimentation for developing the
12358
new naming/addressing scheme in a rapidly expanding,
12359
operational network environment. New RFCs were written and
12360
published in 1987 that modified the original documents to
12361
incorporate improvements based on the working model. RFC 1034,
12362
"Domain Names-Concepts and Facilities", and RFC 1035, "Domain
12363
Names-Implementation and Specification" were published and
12364
became the standards upon which all <acronym>DNS</acronym> implementations are
12369
The first working domain name server, called "Jeeves", was
12370
written in 1983-84 by Paul Mockapetris for operation on DEC
12372
machines located at the University of Southern California's
12374
Sciences Institute (USC-ISI) and SRI International's Network
12376
Center (SRI-NIC). A <acronym>DNS</acronym> server for
12377
Unix machines, the Berkeley Internet
12378
Name Domain (<acronym>BIND</acronym>) package, was
12379
written soon after by a group of
12380
graduate students at the University of California at Berkeley
12382
a grant from the US Defense Advanced Research Projects
12387
Versions of <acronym>BIND</acronym> through
12388
4.8.3 were maintained by the Computer
12389
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
12390
Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
12391
project team. After that, additional work on the software package
12392
was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
12394
employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
12395
to 1987. Many other people also contributed to <acronym>BIND</acronym> development
12396
during that time: Doug Kingston, Craig Partridge, Smoot
12398
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
12399
handled by Mike Karels and Øivind Kure.
12402
<acronym>BIND</acronym> versions 4.9 and 4.9.1 were
12403
released by Digital Equipment
12404
Corporation (now Compaq Computer Corporation). Paul Vixie, then
12405
a DEC employee, became <acronym>BIND</acronym>'s
12406
primary caretaker. He was assisted
12407
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
12409
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
12410
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
12411
Wolfhugel, and others.
12414
In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
12415
Vixie Enterprises. Paul
12416
Vixie became <acronym>BIND</acronym>'s principal
12417
architect/programmer.
12420
<acronym>BIND</acronym> versions from 4.9.3 onward
12421
have been developed and maintained
12422
by the Internet Systems Consortium and its predecessor,
12423
the Internet Software Consortium, with support being provided
12427
As co-architects/programmers, Bob Halley and
12428
Paul Vixie released the first production-ready version of
12429
<acronym>BIND</acronym> version 8 in May 1997.
12432
BIND version 9 was released in September 2000 and is a
12433
major rewrite of nearly all aspects of the underlying
12437
BIND version 4 is officially deprecated and BIND version
12438
8 development is considered maintenance-only in favor
12439
of BIND version 9. No additional development is done
12440
on BIND version 4 or BIND version 8 other than for
12441
security-related patches.
12444
<acronym>BIND</acronym> development work is made
12445
possible today by the sponsorship
12446
of several corporations, and by the tireless work efforts of
12447
numerous individuals.
12452
<title>General <acronym>DNS</acronym> Reference Information</title>
12453
<sect2 id="ipv6addresses">
12454
<title>IPv6 addresses (AAAA)</title>
12456
IPv6 addresses are 128-bit identifiers for interfaces and
12457
sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
12458
scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
12459
an identifier for a single interface;
12460
<emphasis>Anycast</emphasis>,
12461
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
12462
an identifier for a set of interfaces. Here we describe the global
12463
Unicast address scheme. For more information, see RFC 3587,
12464
"Global Unicast Address Format."
12467
IPv6 unicast addresses consist of a
12468
<emphasis>global routing prefix</emphasis>, a
12469
<emphasis>subnet identifier</emphasis>, and an
12470
<emphasis>interface identifier</emphasis>.
12473
The global routing prefix is provided by the
12474
upstream provider or ISP, and (roughly) corresponds to the
12475
IPv4 <emphasis>network</emphasis> section
12476
of the address range.
12478
The subnet identifier is for local subnetting, much the
12479
same as subnetting an
12480
IPv4 /16 network into /24 subnets.
12482
The interface identifier is the address of an individual
12483
interface on a given network; in IPv6, addresses belong to
12484
interfaces rather than to machines.
12487
The subnetting capability of IPv6 is much more flexible than
12488
that of IPv4: subnetting can be carried out on bit boundaries,
12489
in much the same way as Classless InterDomain Routing
12490
(CIDR), and the DNS PTR representation ("nibble" format)
12491
makes setting up reverse zones easier.
12494
The Interface Identifier must be unique on the local link,
12495
and is usually generated automatically by the IPv6
12496
implementation, although it is usually possible to
12497
override the default setting if necessary. A typical IPv6
12498
address might look like:
12499
<command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
12502
IPv6 address specifications often contain long strings
12503
of zeros, so the architects have included a shorthand for
12505
them. The double colon (`::') indicates the longest possible
12507
of zeros that can fit, and can be used only once in an address.
12511
<sect1 id="bibliography">
12512
<title>Bibliography (and Suggested Reading)</title>
12514
<title>Request for Comments (RFCs)</title>
12516
Specification documents for the Internet protocol suite, including
12517
the <acronym>DNS</acronym>, are published as part of
12518
the Request for Comments (RFCs)
12519
series of technical notes. The standards themselves are defined
12520
by the Internet Engineering Task Force (IETF) and the Internet
12521
Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
12524
<ulink url="ftp://www.isi.edu/in-notes/">
12525
ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
12529
(where <replaceable>xxxx</replaceable> is
12530
the number of the RFC). RFCs are also available via the Web at:
12533
<ulink url="http://www.ietf.org/rfc/"
12534
>http://www.ietf.org/rfc/</ulink>.
12538
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
12539
<title>Standards</title>
12541
<abbrev>RFC974</abbrev>
12543
<surname>Partridge</surname>
12544
<firstname>C.</firstname>
12546
<title>Mail Routing and the Domain System</title>
12547
<pubdate>January 1986</pubdate>
12550
<abbrev>RFC1034</abbrev>
12552
<surname>Mockapetris</surname>
12553
<firstname>P.V.</firstname>
12555
<title>Domain Names — Concepts and Facilities</title>
12556
<pubdate>November 1987</pubdate>
12559
<abbrev>RFC1035</abbrev>
12561
<surname>Mockapetris</surname>
12562
<firstname>P. V.</firstname>
12563
</author> <title>Domain Names — Implementation and
12564
Specification</title>
12565
<pubdate>November 1987</pubdate>
12568
<bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
12570
<title>Proposed Standards</title>
12571
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
12573
<abbrev>RFC2181</abbrev>
12575
<surname>Elz</surname>
12576
<firstname>R., R. Bush</firstname>
12578
<title>Clarifications to the <acronym>DNS</acronym>
12579
Specification</title>
12580
<pubdate>July 1997</pubdate>
12583
<abbrev>RFC2308</abbrev>
12585
<surname>Andrews</surname>
12586
<firstname>M.</firstname>
12588
<title>Negative Caching of <acronym>DNS</acronym>
12590
<pubdate>March 1998</pubdate>
12593
<abbrev>RFC1995</abbrev>
12595
<surname>Ohta</surname>
12596
<firstname>M.</firstname>
12598
<title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
12599
<pubdate>August 1996</pubdate>
12602
<abbrev>RFC1996</abbrev>
12604
<surname>Vixie</surname>
12605
<firstname>P.</firstname>
12607
<title>A Mechanism for Prompt Notification of Zone Changes</title>
12608
<pubdate>August 1996</pubdate>
12611
<abbrev>RFC2136</abbrev>
12614
<surname>Vixie</surname>
12615
<firstname>P.</firstname>
12618
<firstname>S.</firstname>
12619
<surname>Thomson</surname>
12622
<firstname>Y.</firstname>
12623
<surname>Rekhter</surname>
12626
<firstname>J.</firstname>
12627
<surname>Bound</surname>
12630
<title>Dynamic Updates in the Domain Name System</title>
12631
<pubdate>April 1997</pubdate>
12634
<abbrev>RFC2671</abbrev>
12637
<firstname>P.</firstname>
12638
<surname>Vixie</surname>
12641
<title>Extension Mechanisms for DNS (EDNS0)</title>
12642
<pubdate>August 1997</pubdate>
12645
<abbrev>RFC2672</abbrev>
12648
<firstname>M.</firstname>
12649
<surname>Crawford</surname>
12652
<title>Non-Terminal DNS Name Redirection</title>
12653
<pubdate>August 1999</pubdate>
12656
<abbrev>RFC2845</abbrev>
12659
<surname>Vixie</surname>
12660
<firstname>P.</firstname>
12663
<firstname>O.</firstname>
12664
<surname>Gudmundsson</surname>
12667
<firstname>D.</firstname>
12668
<surname>Eastlake</surname>
12669
<lineage>3rd</lineage>
12672
<firstname>B.</firstname>
12673
<surname>Wellington</surname>
12676
<title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
12677
<pubdate>May 2000</pubdate>
12680
<abbrev>RFC2930</abbrev>
12683
<firstname>D.</firstname>
12684
<surname>Eastlake</surname>
12685
<lineage>3rd</lineage>
12688
<title>Secret Key Establishment for DNS (TKEY RR)</title>
12689
<pubdate>September 2000</pubdate>
12692
<abbrev>RFC2931</abbrev>
12695
<firstname>D.</firstname>
12696
<surname>Eastlake</surname>
12697
<lineage>3rd</lineage>
12700
<title>DNS Request and Transaction Signatures (SIG(0)s)</title>
12701
<pubdate>September 2000</pubdate>
12704
<abbrev>RFC3007</abbrev>
12707
<firstname>B.</firstname>
12708
<surname>Wellington</surname>
12711
<title>Secure Domain Name System (DNS) Dynamic Update</title>
12712
<pubdate>November 2000</pubdate>
12715
<abbrev>RFC3645</abbrev>
12718
<firstname>S.</firstname>
12719
<surname>Kwan</surname>
12722
<firstname>P.</firstname>
12723
<surname>Garg</surname>
12726
<firstname>J.</firstname>
12727
<surname>Gilroy</surname>
12730
<firstname>L.</firstname>
12731
<surname>Esibov</surname>
12734
<firstname>J.</firstname>
12735
<surname>Westhead</surname>
12738
<firstname>R.</firstname>
12739
<surname>Hall</surname>
12742
<title>Generic Security Service Algorithm for Secret
12743
Key Transaction Authentication for DNS
12745
<pubdate>October 2003</pubdate>
12749
<title><acronym>DNS</acronym> Security Proposed Standards</title>
12751
<abbrev>RFC3225</abbrev>
12754
<firstname>D.</firstname>
12755
<surname>Conrad</surname>
12758
<title>Indicating Resolver Support of DNSSEC</title>
12759
<pubdate>December 2001</pubdate>
12762
<abbrev>RFC3833</abbrev>
12765
<firstname>D.</firstname>
12766
<surname>Atkins</surname>
12769
<firstname>R.</firstname>
12770
<surname>Austein</surname>
12773
<title>Threat Analysis of the Domain Name System (DNS)</title>
12774
<pubdate>August 2004</pubdate>
12777
<abbrev>RFC4033</abbrev>
12780
<firstname>R.</firstname>
12781
<surname>Arends</surname>
12784
<firstname>R.</firstname>
12785
<surname>Austein</surname>
12788
<firstname>M.</firstname>
12789
<surname>Larson</surname>
12792
<firstname>D.</firstname>
12793
<surname>Massey</surname>
12796
<firstname>S.</firstname>
12797
<surname>Rose</surname>
12800
<title>DNS Security Introduction and Requirements</title>
12801
<pubdate>March 2005</pubdate>
12804
<abbrev>RFC4044</abbrev>
12807
<firstname>R.</firstname>
12808
<surname>Arends</surname>
12811
<firstname>R.</firstname>
12812
<surname>Austein</surname>
12815
<firstname>M.</firstname>
12816
<surname>Larson</surname>
12819
<firstname>D.</firstname>
12820
<surname>Massey</surname>
12823
<firstname>S.</firstname>
12824
<surname>Rose</surname>
12827
<title>Resource Records for the DNS Security Extensions</title>
12828
<pubdate>March 2005</pubdate>
12831
<abbrev>RFC4035</abbrev>
12834
<firstname>R.</firstname>
12835
<surname>Arends</surname>
12838
<firstname>R.</firstname>
12839
<surname>Austein</surname>
12842
<firstname>M.</firstname>
12843
<surname>Larson</surname>
12846
<firstname>D.</firstname>
12847
<surname>Massey</surname>
12850
<firstname>S.</firstname>
12851
<surname>Rose</surname>
12854
<title>Protocol Modifications for the DNS
12855
Security Extensions</title>
12856
<pubdate>March 2005</pubdate>
12860
<title>Other Important RFCs About <acronym>DNS</acronym>
12861
Implementation</title>
12863
<abbrev>RFC1535</abbrev>
12865
<surname>Gavron</surname>
12866
<firstname>E.</firstname>
12868
<title>A Security Problem and Proposed Correction With Widely
12869
Deployed <acronym>DNS</acronym> Software.</title>
12870
<pubdate>October 1993</pubdate>
12873
<abbrev>RFC1536</abbrev>
12876
<surname>Kumar</surname>
12877
<firstname>A.</firstname>
12880
<firstname>J.</firstname>
12881
<surname>Postel</surname>
12884
<firstname>C.</firstname>
12885
<surname>Neuman</surname>
12888
<firstname>P.</firstname>
12889
<surname>Danzig</surname>
12892
<firstname>S.</firstname>
12893
<surname>Miller</surname>
12896
<title>Common <acronym>DNS</acronym> Implementation
12897
Errors and Suggested Fixes</title>
12898
<pubdate>October 1993</pubdate>
12901
<abbrev>RFC1982</abbrev>
12904
<surname>Elz</surname>
12905
<firstname>R.</firstname>
12908
<firstname>R.</firstname>
12909
<surname>Bush</surname>
12912
<title>Serial Number Arithmetic</title>
12913
<pubdate>August 1996</pubdate>
12916
<abbrev>RFC4074</abbrev>
12919
<surname>Morishita</surname>
12920
<firstname>Y.</firstname>
12923
<firstname>T.</firstname>
12924
<surname>Jinmei</surname>
12927
<title>Common Misbehaviour Against <acronym>DNS</acronym>
12928
Queries for IPv6 Addresses</title>
12929
<pubdate>May 2005</pubdate>
12933
<title>Resource Record Types</title>
12935
<abbrev>RFC1183</abbrev>
12938
<surname>Everhart</surname>
12939
<firstname>C.F.</firstname>
12942
<firstname>L. A.</firstname>
12943
<surname>Mamakos</surname>
12946
<firstname>R.</firstname>
12947
<surname>Ullmann</surname>
12950
<firstname>P.</firstname>
12951
<surname>Mockapetris</surname>
12954
<title>New <acronym>DNS</acronym> RR Definitions</title>
12955
<pubdate>October 1990</pubdate>
12958
<abbrev>RFC1706</abbrev>
12961
<surname>Manning</surname>
12962
<firstname>B.</firstname>
12965
<firstname>R.</firstname>
12966
<surname>Colella</surname>
12969
<title><acronym>DNS</acronym> NSAP Resource Records</title>
12970
<pubdate>October 1994</pubdate>
12973
<abbrev>RFC2168</abbrev>
12976
<surname>Daniel</surname>
12977
<firstname>R.</firstname>
12980
<firstname>M.</firstname>
12981
<surname>Mealling</surname>
12984
<title>Resolution of Uniform Resource Identifiers using
12985
the Domain Name System</title>
12986
<pubdate>June 1997</pubdate>
12989
<abbrev>RFC1876</abbrev>
12992
<surname>Davis</surname>
12993
<firstname>C.</firstname>
12996
<firstname>P.</firstname>
12997
<surname>Vixie</surname>
13000
<firstname>T.</firstname>
13001
<firstname>Goodwin</firstname>
13004
<firstname>I.</firstname>
13005
<surname>Dickinson</surname>
13008
<title>A Means for Expressing Location Information in the
13010
Name System</title>
13011
<pubdate>January 1996</pubdate>
13014
<abbrev>RFC2052</abbrev>
13017
<surname>Gulbrandsen</surname>
13018
<firstname>A.</firstname>
13021
<firstname>P.</firstname>
13022
<surname>Vixie</surname>
13025
<title>A <acronym>DNS</acronym> RR for Specifying the
13028
<pubdate>October 1996</pubdate>
13031
<abbrev>RFC2163</abbrev>
13033
<surname>Allocchio</surname>
13034
<firstname>A.</firstname>
13036
<title>Using the Internet <acronym>DNS</acronym> to
13038
Conformant Global Address Mapping</title>
13039
<pubdate>January 1998</pubdate>
13042
<abbrev>RFC2230</abbrev>
13044
<surname>Atkinson</surname>
13045
<firstname>R.</firstname>
13047
<title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
13048
<pubdate>October 1997</pubdate>
13051
<abbrev>RFC2536</abbrev>
13053
<surname>Eastlake</surname>
13054
<firstname>D.</firstname>
13055
<lineage>3rd</lineage>
13057
<title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
13058
<pubdate>March 1999</pubdate>
13061
<abbrev>RFC2537</abbrev>
13063
<surname>Eastlake</surname>
13064
<firstname>D.</firstname>
13065
<lineage>3rd</lineage>
13067
<title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
13068
<pubdate>March 1999</pubdate>
13071
<abbrev>RFC2538</abbrev>
13074
<surname>Eastlake</surname>
13075
<firstname>D.</firstname>
13076
<lineage>3rd</lineage>
13079
<surname>Gudmundsson</surname>
13080
<firstname>O.</firstname>
13083
<title>Storing Certificates in the Domain Name System (DNS)</title>
13084
<pubdate>March 1999</pubdate>
13087
<abbrev>RFC2539</abbrev>
13090
<surname>Eastlake</surname>
13091
<firstname>D.</firstname>
13092
<lineage>3rd</lineage>
13095
<title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
13096
<pubdate>March 1999</pubdate>
13099
<abbrev>RFC2540</abbrev>
13102
<surname>Eastlake</surname>
13103
<firstname>D.</firstname>
13104
<lineage>3rd</lineage>
13107
<title>Detached Domain Name System (DNS) Information</title>
13108
<pubdate>March 1999</pubdate>
13111
<abbrev>RFC2782</abbrev>
13113
<surname>Gulbrandsen</surname>
13114
<firstname>A.</firstname>
13117
<surname>Vixie</surname>
13118
<firstname>P.</firstname>
13121
<surname>Esibov</surname>
13122
<firstname>L.</firstname>
13124
<title>A DNS RR for specifying the location of services (DNS SRV)</title>
13125
<pubdate>February 2000</pubdate>
13128
<abbrev>RFC2915</abbrev>
13130
<surname>Mealling</surname>
13131
<firstname>M.</firstname>
13134
<surname>Daniel</surname>
13135
<firstname>R.</firstname>
13137
<title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
13138
<pubdate>September 2000</pubdate>
13141
<abbrev>RFC3110</abbrev>
13143
<surname>Eastlake</surname>
13144
<firstname>D.</firstname>
13145
<lineage>3rd</lineage>
13147
<title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
13148
<pubdate>May 2001</pubdate>
13151
<abbrev>RFC3123</abbrev>
13153
<surname>Koch</surname>
13154
<firstname>P.</firstname>
13156
<title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
13157
<pubdate>June 2001</pubdate>
13160
<abbrev>RFC3596</abbrev>
13163
<surname>Thomson</surname>
13164
<firstname>S.</firstname>
13167
<firstname>C.</firstname>
13168
<surname>Huitema</surname>
13171
<firstname>V.</firstname>
13172
<surname>Ksinant</surname>
13175
<firstname>M.</firstname>
13176
<surname>Souissi</surname>
13179
<title><acronym>DNS</acronym> Extensions to support IP
13181
<pubdate>October 2003</pubdate>
13184
<abbrev>RFC3597</abbrev>
13186
<surname>Gustafsson</surname>
13187
<firstname>A.</firstname>
13189
<title>Handling of Unknown DNS Resource Record (RR) Types</title>
13190
<pubdate>September 2003</pubdate>
13194
<title><acronym>DNS</acronym> and the Internet</title>
13196
<abbrev>RFC1101</abbrev>
13198
<surname>Mockapetris</surname>
13199
<firstname>P. V.</firstname>
13201
<title><acronym>DNS</acronym> Encoding of Network Names
13202
and Other Types</title>
13203
<pubdate>April 1989</pubdate>
13206
<abbrev>RFC1123</abbrev>
13208
<surname>Braden</surname>
13209
<surname>R.</surname>
13211
<title>Requirements for Internet Hosts - Application and
13213
<pubdate>October 1989</pubdate>
13216
<abbrev>RFC1591</abbrev>
13218
<surname>Postel</surname>
13219
<firstname>J.</firstname>
13221
<title>Domain Name System Structure and Delegation</title>
13222
<pubdate>March 1994</pubdate>
13225
<abbrev>RFC2317</abbrev>
13228
<surname>Eidnes</surname>
13229
<firstname>H.</firstname>
13232
<firstname>G.</firstname>
13233
<surname>de Groot</surname>
13236
<firstname>P.</firstname>
13237
<surname>Vixie</surname>
13240
<title>Classless IN-ADDR.ARPA Delegation</title>
13241
<pubdate>March 1998</pubdate>
13244
<abbrev>RFC2826</abbrev>
13247
<surname>Internet Architecture Board</surname>
13250
<title>IAB Technical Comment on the Unique DNS Root</title>
13251
<pubdate>May 2000</pubdate>
13254
<abbrev>RFC2929</abbrev>
13257
<surname>Eastlake</surname>
13258
<firstname>D.</firstname>
13259
<lineage>3rd</lineage>
13262
<surname>Brunner-Williams</surname>
13263
<firstname>E.</firstname>
13266
<surname>Manning</surname>
13267
<firstname>B.</firstname>
13270
<title>Domain Name System (DNS) IANA Considerations</title>
13271
<pubdate>September 2000</pubdate>
13275
<title><acronym>DNS</acronym> Operations</title>
13277
<abbrev>RFC1033</abbrev>
13279
<surname>Lottor</surname>
13280
<firstname>M.</firstname>
13282
<title>Domain administrators operations guide.</title>
13283
<pubdate>November 1987</pubdate>
13286
<abbrev>RFC1537</abbrev>
13288
<surname>Beertema</surname>
13289
<firstname>P.</firstname>
13291
<title>Common <acronym>DNS</acronym> Data File
13292
Configuration Errors</title>
13293
<pubdate>October 1993</pubdate>
13296
<abbrev>RFC1912</abbrev>
13298
<surname>Barr</surname>
13299
<firstname>D.</firstname>
13301
<title>Common <acronym>DNS</acronym> Operational and
13302
Configuration Errors</title>
13303
<pubdate>February 1996</pubdate>
13306
<abbrev>RFC2010</abbrev>
13309
<surname>Manning</surname>
13310
<firstname>B.</firstname>
13313
<firstname>P.</firstname>
13314
<surname>Vixie</surname>
13317
<title>Operational Criteria for Root Name Servers.</title>
13318
<pubdate>October 1996</pubdate>
13321
<abbrev>RFC2219</abbrev>
13324
<surname>Hamilton</surname>
13325
<firstname>M.</firstname>
13328
<firstname>R.</firstname>
13329
<surname>Wright</surname>
13332
<title>Use of <acronym>DNS</acronym> Aliases for
13333
Network Services.</title>
13334
<pubdate>October 1997</pubdate>
13338
<title>Internationalized Domain Names</title>
13340
<abbrev>RFC2825</abbrev>
13343
<surname>IAB</surname>
13346
<surname>Daigle</surname>
13347
<firstname>R.</firstname>
13350
<title>A Tangled Web: Issues of I18N, Domain Names,
13351
and the Other Internet protocols</title>
13352
<pubdate>May 2000</pubdate>
13355
<abbrev>RFC3490</abbrev>
13358
<surname>Faltstrom</surname>
13359
<firstname>P.</firstname>
13362
<surname>Hoffman</surname>
13363
<firstname>P.</firstname>
13366
<surname>Costello</surname>
13367
<firstname>A.</firstname>
13370
<title>Internationalizing Domain Names in Applications (IDNA)</title>
13371
<pubdate>March 2003</pubdate>
13374
<abbrev>RFC3491</abbrev>
13377
<surname>Hoffman</surname>
13378
<firstname>P.</firstname>
13381
<surname>Blanchet</surname>
13382
<firstname>M.</firstname>
13385
<title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
13386
<pubdate>March 2003</pubdate>
13389
<abbrev>RFC3492</abbrev>
13392
<surname>Costello</surname>
13393
<firstname>A.</firstname>
13396
<title>Punycode: A Bootstring encoding of Unicode
13397
for Internationalized Domain Names in
13398
Applications (IDNA)</title>
13399
<pubdate>March 2003</pubdate>
13403
<title>Other <acronym>DNS</acronym>-related RFCs</title>
13406
Note: the following list of RFCs, although
13407
<acronym>DNS</acronym>-related, are not
13408
concerned with implementing software.
13412
<abbrev>RFC1464</abbrev>
13414
<surname>Rosenbaum</surname>
13415
<firstname>R.</firstname>
13417
<title>Using the Domain Name System To Store Arbitrary String
13419
<pubdate>May 1993</pubdate>
13422
<abbrev>RFC1713</abbrev>
13424
<surname>Romao</surname>
13425
<firstname>A.</firstname>
13427
<title>Tools for <acronym>DNS</acronym> Debugging</title>
13428
<pubdate>November 1994</pubdate>
13431
<abbrev>RFC1794</abbrev>
13433
<surname>Brisco</surname>
13434
<firstname>T.</firstname>
13436
<title><acronym>DNS</acronym> Support for Load
13438
<pubdate>April 1995</pubdate>
13441
<abbrev>RFC2240</abbrev>
13443
<surname>Vaughan</surname>
13444
<firstname>O.</firstname>
13446
<title>A Legal Basis for Domain Name Allocation</title>
13447
<pubdate>November 1997</pubdate>
13450
<abbrev>RFC2345</abbrev>
13453
<surname>Klensin</surname>
13454
<firstname>J.</firstname>
13457
<firstname>T.</firstname>
13458
<surname>Wolf</surname>
13461
<firstname>G.</firstname>
13462
<surname>Oglesby</surname>
13465
<title>Domain Names and Company Name Retrieval</title>
13466
<pubdate>May 1998</pubdate>
13469
<abbrev>RFC2352</abbrev>
13471
<surname>Vaughan</surname>
13472
<firstname>O.</firstname>
13474
<title>A Convention For Using Legal Names as Domain Names</title>
13475
<pubdate>May 1998</pubdate>
13478
<abbrev>RFC3071</abbrev>
13481
<surname>Klensin</surname>
13482
<firstname>J.</firstname>
13485
<title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
13486
<pubdate>February 2001</pubdate>
13489
<abbrev>RFC3258</abbrev>
13492
<surname>Hardie</surname>
13493
<firstname>T.</firstname>
13496
<title>Distributing Authoritative Name Servers via
13497
Shared Unicast Addresses</title>
13498
<pubdate>April 2002</pubdate>
13501
<abbrev>RFC3901</abbrev>
13504
<surname>Durand</surname>
13505
<firstname>A.</firstname>
13508
<firstname>J.</firstname>
13509
<surname>Ihren</surname>
13512
<title>DNS IPv6 Transport Operational Guidelines</title>
13513
<pubdate>September 2004</pubdate>
13517
<title>Obsolete and Unimplemented Experimental RFC</title>
13519
<abbrev>RFC1712</abbrev>
13522
<surname>Farrell</surname>
13523
<firstname>C.</firstname>
13526
<firstname>M.</firstname>
13527
<surname>Schulze</surname>
13530
<firstname>S.</firstname>
13531
<surname>Pleitner</surname>
13534
<firstname>D.</firstname>
13535
<surname>Baldoni</surname>
13538
<title><acronym>DNS</acronym> Encoding of Geographical
13540
<pubdate>November 1994</pubdate>
13543
<abbrev>RFC2673</abbrev>
13546
<surname>Crawford</surname>
13547
<firstname>M.</firstname>
13550
<title>Binary Labels in the Domain Name System</title>
13551
<pubdate>August 1999</pubdate>
13554
<abbrev>RFC2874</abbrev>
13557
<surname>Crawford</surname>
13558
<firstname>M.</firstname>
13561
<surname>Huitema</surname>
13562
<firstname>C.</firstname>
13565
<title>DNS Extensions to Support IPv6 Address Aggregation
13566
and Renumbering</title>
13567
<pubdate>July 2000</pubdate>
13571
<title>Obsoleted DNS Security RFCs</title>
13574
Most of these have been consolidated into RFC4033,
13575
RFC4034 and RFC4035 which collectively describe DNSSECbis.
13579
<abbrev>RFC2065</abbrev>
13582
<surname>Eastlake</surname>
13583
<lineage>3rd</lineage>
13584
<firstname>D.</firstname>
13587
<firstname>C.</firstname>
13588
<surname>Kaufman</surname>
13591
<title>Domain Name System Security Extensions</title>
13592
<pubdate>January 1997</pubdate>
13595
<abbrev>RFC2137</abbrev>
13597
<surname>Eastlake</surname>
13598
<lineage>3rd</lineage>
13599
<firstname>D.</firstname>
13601
<title>Secure Domain Name System Dynamic Update</title>
13602
<pubdate>April 1997</pubdate>
13605
<abbrev>RFC2535</abbrev>
13608
<surname>Eastlake</surname>
13609
<lineage>3rd</lineage>
13610
<firstname>D.</firstname>
13613
<title>Domain Name System Security Extensions</title>
13614
<pubdate>March 1999</pubdate>
13617
<abbrev>RFC3008</abbrev>
13620
<surname>Wellington</surname>
13621
<firstname>B.</firstname>
13624
<title>Domain Name System Security (DNSSEC)
13625
Signing Authority</title>
13626
<pubdate>November 2000</pubdate>
13629
<abbrev>RFC3090</abbrev>
13632
<surname>Lewis</surname>
13633
<firstname>E.</firstname>
13636
<title>DNS Security Extension Clarification on Zone Status</title>
13637
<pubdate>March 2001</pubdate>
13640
<abbrev>RFC3445</abbrev>
13643
<surname>Massey</surname>
13644
<firstname>D.</firstname>
13647
<surname>Rose</surname>
13648
<firstname>S.</firstname>
13651
<title>Limiting the Scope of the KEY Resource Record (RR)</title>
13652
<pubdate>December 2002</pubdate>
13655
<abbrev>RFC3655</abbrev>
13658
<surname>Wellington</surname>
13659
<firstname>B.</firstname>
13662
<surname>Gudmundsson</surname>
13663
<firstname>O.</firstname>
13666
<title>Redefinition of DNS Authenticated Data (AD) bit</title>
13667
<pubdate>November 2003</pubdate>
13670
<abbrev>RFC3658</abbrev>
13673
<surname>Gudmundsson</surname>
13674
<firstname>O.</firstname>
13677
<title>Delegation Signer (DS) Resource Record (RR)</title>
13678
<pubdate>December 2003</pubdate>
13681
<abbrev>RFC3755</abbrev>
13684
<surname>Weiler</surname>
13685
<firstname>S.</firstname>
13688
<title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
13689
<pubdate>May 2004</pubdate>
13692
<abbrev>RFC3757</abbrev>
13695
<surname>Kolkman</surname>
13696
<firstname>O.</firstname>
13699
<surname>Schlyter</surname>
13700
<firstname>J.</firstname>
13703
<surname>Lewis</surname>
13704
<firstname>E.</firstname>
13707
<title>Domain Name System KEY (DNSKEY) Resource Record
13708
(RR) Secure Entry Point (SEP) Flag</title>
13709
<pubdate>April 2004</pubdate>
13712
<abbrev>RFC3845</abbrev>
13715
<surname>Schlyter</surname>
13716
<firstname>J.</firstname>
13719
<title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
13720
<pubdate>August 2004</pubdate>
13725
<sect2 id="internet_drafts">
13726
<title>Internet Drafts</title>
13728
Internet Drafts (IDs) are rough-draft working documents of
13729
the Internet Engineering Task Force. They are, in essence, RFCs
13730
in the preliminary stages of development. Implementors are
13732
to regard IDs as archival, and they should not be quoted or cited
13733
in any formal documents unless accompanied by the disclaimer that
13734
they are "works in progress." IDs have a lifespan of six months
13735
after which they are deleted unless updated by their authors.
13739
<title>Other Documents About <acronym>BIND</acronym></title>
13745
<surname>Albitz</surname>
13746
<firstname>Paul</firstname>
13749
<firstname>Cricket</firstname>
13750
<surname>Liu</surname>
13753
<title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
13756
<holder>Sebastopol, CA: O'Reilly and Associates</holder>
13764
<reference id="Bv9ARM.ch10">
13765
<title>Manual pages</title>
13766
<xi:include href="../../bin/dig/dig.docbook"/>
13767
<xi:include href="../../bin/dig/host.docbook"/>
13768
<xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
13769
<xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
13770
<xi:include href="../../bin/check/named-checkconf.docbook"/>
13771
<xi:include href="../../bin/check/named-checkzone.docbook"/>
13772
<xi:include href="../../bin/named/named.docbook"/>
13773
<!-- named.conf.docbook and others? -->
13774
<!-- nsupdate gives db2latex indigestion, markup problems? -->
13775
<xi:include href="../../bin/rndc/rndc.docbook"/>
13776
<xi:include href="../../bin/rndc/rndc.conf.docbook"/>
13777
<xi:include href="../../bin/rndc/rndc-confgen.docbook"/>