« back to all changes in this revision
Viewing changes to doc/arm/Bv9ARM-book.xml
- browse files at revision 7
- compare with another revision
- download diff
- download tarball
- view history from revision 7
- Committer: Bazaar Package Importer
- Author(s): LaMont Jones, LaMont Jones, Internet Software Consortium, Inc, localization folks
- Date: 2008-08-02 14:20:20 UTC
- mfrom: (1.2.1 upstream) (6.1.24 intrepid)
- Revision ID: james.westby@ubuntu.com-20080802142020-l1hon9jy8lbbjxmg
[LaMont Jones]
* default to using resolvconf if it is installed
* fix sonames and dependencies. Closes: #149259, #492418
* Do not build-depend libcap2-dev on non-linux. Closes: #493392
* drop unused query-loc manpage. Closes: #492564
* lwresd: Deliver /etc/bind directory. Closes: #490027
* fix query-source comment in default install
[Internet Software Consortium, Inc]
* 9.5.0-P2. Closes: #492949
[localization folks]
* l10n: Spanish debconf translation. Closes: #492425 (Ignacio Mondino)
* l10n: Swedish debconf templates. Closes: #491369 (Martin Ågren)
* l10n: Japanese debconf translations. Closes: #492048 (Hideki Yamane
(Debian-JP))
* l10n: Finnish translation. Closes: #490630 (Esko Arajärvi)
* l10n: Italian debconf translations. Closes: #492587 (Alessandro Vietta)
* default to using resolvconf if it is installed
* fix sonames and dependencies. Closes: #149259, #492418
* Do not build-depend libcap2-dev on non-linux. Closes: #493392
* drop unused query-loc manpage. Closes: #492564
* lwresd: Deliver /etc/bind directory. Closes: #490027
* fix query-source comment in default install
[Internet Software Consortium, Inc]
* 9.5.0-P2. Closes: #492949
[localization folks]
* l10n: Spanish debconf translation. Closes: #492425 (Ignacio Mondino)
* l10n: Swedish debconf templates. Closes: #491369 (Martin Ågren)
* l10n: Japanese debconf translations. Closes: #492048 (Hideki Yamane
(Debian-JP))
* l10n: Finnish translation. Closes: #490630 (Esko Arajärvi)
* l10n: Italian debconf translations. Closes: #492587 (Alessandro Vietta)
- files added:
- KNOWN-DEFECTS
- bin/tests/system/acl
- bin/tests/system/acl/ns2
- bin/tests/system/masterformat
- bin/tests/system/masterformat/ns1
- bin/tests/system/masterformat/ns2
- bin/tests/system/rrsetorder
- bin/tests/system/rrsetorder/ns1
- bin/tests/system/rrsetorder/ns2
- bin/tests/system/rrsetorder/ns3
- bin/tests/system/tsig
- bin/tests/system/tsig/ns1
- bin/tests/system/zonechecks
- contrib/dbus
- contrib/dlz
- contrib/dlz/bin
- contrib/dlz/bin/dlzbdb
- contrib/dlz/drivers
- contrib/dlz/drivers/include
- contrib/dlz/drivers/include/dlz
- contrib/query-loc-0.4.0
- contrib/sdb/sqlite
- debian/po
- doc/doxygen
- lib/dns/rdata/ch_3
- lib/isc/alpha
- lib/isc/alpha/include
- lib/isc/alpha/include/isc
- lib/isc/ia64
- lib/isc/ia64/include
- lib/isc/ia64/include/isc
- lib/isc/mips
- lib/isc/mips/include
- lib/isc/mips/include/isc
- lib/isc/noatomic
- lib/isc/noatomic/include
- lib/isc/noatomic/include/isc
- lib/isc/powerpc
- lib/isc/powerpc/include
- lib/isc/powerpc/include/isc
- lib/isc/sparc64
- lib/isc/sparc64/include
- lib/isc/sparc64/include/isc
- lib/isc/x86_32
- lib/isc/x86_32/include
- lib/isc/x86_32/include/isc
- lib/isc/x86_64
- lib/isc/x86_64/include
- lib/isc/x86_64/include/isc
- files removed:
- bin/named/aclconf.c
- contrib/query-loc-0.3.0
- files modified:
- CHANGES
added
removed
doc/arm/Bv9ARM-book.xml
1
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
2
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
1
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3
3
[<!ENTITY mdash "—">]>
4
4
<!--
5
- Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
5
- Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
6
6
- Copyright (C) 2000-2003 Internet Software Consortium.
7
7
-
8
- Permission to use, copy, modify, and distribute this software for any
8
- Permission to use, copy, modify, and/or distribute this software for any
9
9
- purpose with or without fee is hereby granted, provided that the above
10
10
- copyright notice and this permission notice appear in all copies.
11
11
-
18
18
- PERFORMANCE OF THIS SOFTWARE.
19
19
-->
20
20
21
<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.59 2005/10/10 00:22:24 marka Exp $ -->
22
23
<book>
24
<title>BIND 9 Administrator Reference Manual</title>
21
<!-- File: $Id: Bv9ARM-book.xml,v 1.340.24.11.2.1 2008/07/23 11:46:01 marka Exp $ -->
22
<book xmlns:xi="http://www.w3.org/2001/XInclude">
23
<title>BIND 9 Administrator Reference Manual</title>
25
24
26
25
<bookinfo>
27
26
<copyright>
28
27
<year>2004</year>
29
28
<year>2005</year>
29
<year>2006</year>
30
<year>2007</year>
31
<year>2008</year>
30
32
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
31
33
</copyright>
32
34
<copyright>
39
41
</bookinfo>
40
42
41
43
<chapter id="Bv9ARM.ch01">
42
<title>Introduction </title>
43
<para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
44
to specify the names of entities in the Internet in a hierarchical
45
manner, the rules used for delegating authority over names, and the
46
system implementation that actually maps names to Internet
47
addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
48
hierarchical databases.</para>
49
50
<sect1>
51
<title>Scope of Document</title>
52
53
<para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
54
domain name server for a number of operating systems. This
55
document provides basic information about the installation and
56
care of the Internet Software Consortium (<acronym>ISC</acronym>)
57
<acronym>BIND</acronym> version 9 software package for system
58
administrators.</para>
59
60
<para>This version of the manual corresponds to BIND version 9.3.</para>
61
62
</sect1>
63
<sect1><title>Organization of This Document</title>
64
<para>In this document, <emphasis>Section 1</emphasis> introduces
65
the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
66
describes resource requirements for running <acronym>BIND</acronym> in various
67
environments. Information in <emphasis>Section 3</emphasis> is
68
<emphasis>task-oriented</emphasis> in its presentation and is
69
organized functionally, to aid in the process of installing the
70
<acronym>BIND</acronym> 9 software. The task-oriented section is followed by
71
<emphasis>Section 4</emphasis>, which contains more advanced
72
concepts that the system administrator may need for implementing
73
certain options. <emphasis>Section 5</emphasis>
74
describes the <acronym>BIND</acronym> 9 lightweight
75
resolver. The contents of <emphasis>Section 6</emphasis> are
76
organized as in a reference manual to aid in the ongoing
77
maintenance of the software. <emphasis>Section 7
78
</emphasis>addresses security considerations, and
79
<emphasis>Section 8</emphasis> contains troubleshooting help. The
80
main body of the document is followed by several
81
<emphasis>Appendices</emphasis> which contain useful reference
82
information, such as a <emphasis>Bibliography</emphasis> and
83
historic information related to <acronym>BIND</acronym> and the Domain Name
84
System.</para>
85
</sect1>
86
<sect1><title>Conventions Used in This Document</title>
87
88
<para>In this document, we use the following general typographic
89
conventions:</para>
90
91
<informaltable>
92
<tgroup cols = "2">
93
<colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
94
<colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
44
<title>Introduction</title>
45
<para>
46
The Internet Domain Name System (<acronym>DNS</acronym>)
47
consists of the syntax
48
to specify the names of entities in the Internet in a hierarchical
49
manner, the rules used for delegating authority over names, and the
50
system implementation that actually maps names to Internet
51
addresses. <acronym>DNS</acronym> data is maintained in a
52
group of distributed
53
hierarchical databases.
54
</para>
55
56
<sect1>
57
<title>Scope of Document</title>
58
59
<para>
60
The Berkeley Internet Name Domain
61
(<acronym>BIND</acronym>) implements a
62
domain name server for a number of operating systems. This
63
document provides basic information about the installation and
64
care of the Internet Systems Consortium (<acronym>ISC</acronym>)
65
<acronym>BIND</acronym> version 9 software package for
66
system administrators.
67
</para>
68
69
<para>
70
This version of the manual corresponds to BIND version 9.5.
71
</para>
72
73
</sect1>
74
<sect1>
75
<title>Organization of This Document</title>
76
<para>
77
In this document, <emphasis>Section 1</emphasis> introduces
78
the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
79
describes resource requirements for running <acronym>BIND</acronym> in various
80
environments. Information in <emphasis>Section 3</emphasis> is
81
<emphasis>task-oriented</emphasis> in its presentation and is
82
organized functionally, to aid in the process of installing the
83
<acronym>BIND</acronym> 9 software. The task-oriented
84
section is followed by
85
<emphasis>Section 4</emphasis>, which contains more advanced
86
concepts that the system administrator may need for implementing
87
certain options. <emphasis>Section 5</emphasis>
88
describes the <acronym>BIND</acronym> 9 lightweight
89
resolver. The contents of <emphasis>Section 6</emphasis> are
90
organized as in a reference manual to aid in the ongoing
91
maintenance of the software. <emphasis>Section 7</emphasis> addresses
92
security considerations, and
93
<emphasis>Section 8</emphasis> contains troubleshooting help. The
94
main body of the document is followed by several
95
<emphasis>appendices</emphasis> which contain useful reference
96
information, such as a <emphasis>bibliography</emphasis> and
97
historic information related to <acronym>BIND</acronym>
98
and the Domain Name
99
System.
100
</para>
101
</sect1>
102
<sect1>
103
<title>Conventions Used in This Document</title>
104
105
<para>
106
In this document, we use the following general typographic
107
conventions:
108
</para>
109
110
<informaltable>
111
<tgroup cols="2">
112
<colspec colname="1" colnum="1" colwidth="3.000in"/>
113
<colspec colname="2" colnum="2" colwidth="2.625in"/>
95
114
<tbody>
96
115
<row>
97
<entry colname = "1">
98
<para><emphasis>To
99
describe:</emphasis></para></entry>
100
<entry colname = "2">
101
<para><emphasis>We use the style:</emphasis></para></entry>
102
</row>
103
<row>
104
<entry colname = "1">
105
<para>a pathname, filename, URL, hostname,
106
mailing list name, or new term or concept</para></entry>
107
<entry colname = "2"><para><filename>Fixed width</filename></para></entry>
108
</row>
109
<row>
110
<entry colname = "1"><para>literal user
111
input</para></entry>
112
<entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
113
</row>
114
<row>
115
<entry colname = "1"><para>program output</para></entry>
116
<entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
116
<entry colname="1">
117
<para>
118
<emphasis>To describe:</emphasis>
119
</para>
120
</entry>
121
<entry colname="2">
122
<para>
123
<emphasis>We use the style:</emphasis>
124
</para>
125
</entry>
126
</row>
127
<row>
128
<entry colname="1">
129
<para>
130
a pathname, filename, URL, hostname,
131
mailing list name, or new term or concept
132
</para>
133
</entry>
134
<entry colname="2">
135
<para>
136
<filename>Fixed width</filename>
137
</para>
138
</entry>
139
</row>
140
<row>
141
<entry colname="1">
142
<para>
143
literal user
144
input
145
</para>
146
</entry>
147
<entry colname="2">
148
<para>
149
<userinput>Fixed Width Bold</userinput>
150
</para>
151
</entry>
152
</row>
153
<row>
154
<entry colname="1">
155
<para>
156
program output
157
</para>
158
</entry>
159
<entry colname="2">
160
<para>
161
<computeroutput>Fixed Width</computeroutput>
162
</para>
163
</entry>
117
164
</row>
118
165
</tbody>
119
166
</tgroup>
120
</informaltable>
121
122
<para>The following conventions are used in descriptions of the
123
<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
124
<tgroup cols = "2" colsep = "0" rowsep = "0"
125
tgroupstyle = "2Level-table">
126
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
127
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
128
<tbody>
129
<row rowsep = "0">
130
<entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
131
describe:</emphasis></para></entry>
132
<entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
133
</row>
134
<row rowsep = "0">
135
<entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
136
<entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
137
</row>
138
<row rowsep = "0">
139
<entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
140
<entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
141
</row>
142
<row rowsep = "0">
143
<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
144
<entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
145
</row>
146
</tbody>
147
</tgroup></informaltable></para></sect1>
148
<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
149
<para>The purpose of this document is to explain the installation
150
and upkeep of the <acronym>BIND</acronym> software package, and we
151
begin by reviewing the fundamentals of the Domain Name System
152
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
153
</para>
154
155
<sect2>
156
<title>DNS Fundamentals</title>
157
158
<para>The Domain Name System (DNS) is the hierarchical, distributed
159
database. It stores information for mapping Internet host names to IP
160
addresses and vice versa, mail routing information, and other data
161
used by Internet applications.</para>
162
163
<para>Clients look up information in the DNS by calling a
164
<emphasis>resolver</emphasis> library, which sends queries to one or
165
more <emphasis>name servers</emphasis> and interprets the responses.
166
The <acronym>BIND</acronym> 9 software distribution contains a
167
name server, <command>named</command>, and two resolver
168
libraries, <command>liblwres</command> and <command>libbind</command>.
169
</para>
170
171
</sect2><sect2>
172
<title>Domains and Domain Names</title>
173
174
<para>The data stored in the DNS is identified by <emphasis>domain
175
names</emphasis> that are organized as a tree according to
176
organizational or administrative boundaries. Each node of the tree,
177
called a <emphasis>domain</emphasis>, is given a label. The domain name of the
178
node is the concatenation of all the labels on the path from the
179
node to the <emphasis>root</emphasis> node. This is represented
180
in written form as a string of labels listed from right to left and
181
separated by dots. A label need only be unique within its parent
182
domain.</para>
183
184
<para>For example, a domain name for a host at the
185
company <emphasis>Example, Inc.</emphasis> could be
186
<literal>mail.example.com</literal>,
187
where <literal>com</literal> is the
188
top level domain to which
189
<literal>ourhost.example.com</literal> belongs,
190
<literal>example</literal> is
191
a subdomain of <literal>com</literal>, and
192
<literal>ourhost</literal> is the
193
name of the host.</para>
194
195
<para>For administrative purposes, the name space is partitioned into
196
areas called <emphasis>zones</emphasis>, each starting at a node and
197
extending down to the leaf nodes or to nodes where other zones start.
198
The data for each zone is stored in a <emphasis>name
199
server</emphasis>, which answers queries about the zone using the
200
<emphasis>DNS protocol</emphasis>.
201
</para>
202
203
<para>The data associated with each domain name is stored in the
204
form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
205
Some of the supported resource record types are described in
206
<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
207
208
<para>For more detailed information about the design of the DNS and
209
the DNS protocol, please refer to the standards documents listed in
210
<xref linkend="rfcs"/>.</para>
211
</sect2>
212
213
<sect2><title>Zones</title>
214
<para>To properly operate a name server, it is important to understand
215
the difference between a <emphasis>zone</emphasis>
216
and a <emphasis>domain</emphasis>.</para>
217
218
<para>As we stated previously, a zone is a point of delegation in
219
the <acronym>DNS</acronym> tree. A zone consists of
220
those contiguous parts of the domain
221
tree for which a name server has complete information and over which
222
it has authority. It contains all domain names from a certain point
223
downward in the domain tree except those which are delegated to
224
other zones. A delegation point is marked by one or more
225
<emphasis>NS records</emphasis> in the
226
parent zone, which should be matched by equivalent NS records at
227
the root of the delegated zone.</para>
228
229
<para>For instance, consider the <literal>example.com</literal>
230
domain which includes names
231
such as <literal>host.aaa.example.com</literal> and
232
<literal>host.bbb.example.com</literal> even though
233
the <literal>example.com</literal> zone includes
234
only delegations for the <literal>aaa.example.com</literal> and
235
<literal>bbb.example.com</literal> zones. A zone can map
236
exactly to a single domain, but could also include only part of a
237
domain, the rest of which could be delegated to other
238
name servers. Every name in the <acronym>DNS</acronym> tree is a
239
<emphasis>domain</emphasis>, even if it is
240
<emphasis>terminal</emphasis>, that is, has no
241
<emphasis>subdomains</emphasis>. Every subdomain is a domain and
242
every domain except the root is also a subdomain. The terminology is
243
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
244
gain a complete understanding of this difficult and subtle
245
topic.</para>
246
247
<para>Though <acronym>BIND</acronym> is called a "domain name server",
248
it deals primarily in terms of zones. The master and slave
249
declarations in the <filename>named.conf</filename> file specify
250
zones, not domains. When you ask some other site if it is willing to
251
be a slave server for your <emphasis>domain</emphasis>, you are
252
actually asking for slave service for some collection of zones.</para>
253
</sect2>
254
255
<sect2><title>Authoritative Name Servers</title>
256
257
<para>Each zone is served by at least
258
one <emphasis>authoritative name server</emphasis>,
259
which contains the complete data for the zone.
260
To make the DNS tolerant of server and network failures,
261
most zones have two or more authoritative servers.
262
</para>
263
264
<para>Responses from authoritative servers have the "authoritative
265
answer" (AA) bit set in the response packets. This makes them
266
easy to identify when debugging DNS configurations using tools like
267
<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
268
269
<sect3><title>The Primary Master</title>
270
271
<para>
272
The authoritative server where the master copy of the zone data is maintained is
273
called the <emphasis>primary master</emphasis> server, or simply the
274
<emphasis>primary</emphasis>. It loads the zone contents from some
275
local file edited by humans or perhaps generated mechanically from
276
some other local file which is edited by humans. This file is called
277
the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
278
</sect3>
279
280
<sect3><title>Slave Servers</title>
281
<para>The other authoritative servers, the <emphasis>slave</emphasis>
282
servers (also known as <emphasis>secondary</emphasis> servers) load
283
the zone contents from another server using a replication process
284
known as a <emphasis>zone transfer</emphasis>. Typically the data are
285
transferred directly from the primary master, but it is also possible
286
to transfer it from another slave. In other words, a slave server
287
may itself act as a master to a subordinate slave server.</para>
288
</sect3>
289
290
<sect3><title>Stealth Servers</title>
291
292
<para>Usually all of the zone's authoritative servers are listed in
293
NS records in the parent zone. These NS records constitute
294
a <emphasis>delegation</emphasis> of the zone from the parent.
295
The authoritative servers are also listed in the zone file itself,
296
at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
297
of the zone. You can list servers in the zone's top-level NS
298
records that are not in the parent's NS delegation, but you cannot
299
list servers in the parent's delegation that are not present at
300
the zone's top level.</para>
301
302
<para>A <emphasis>stealth server</emphasis> is a server that is
303
authoritative for a zone but is not listed in that zone's NS
304
records. Stealth servers can be used for keeping a local copy of a
305
zone to speed up access to the zone's records or to make sure that the
306
zone is available even if all the "official" servers for the zone are
307
inaccessible.</para>
308
309
<para>A configuration where the primary master server itself is a
310
stealth server is often referred to as a "hidden primary"
311
configuration. One use for this configuration is when the primary master
312
is behind a firewall and therefore unable to communicate directly
313
with the outside world.</para>
314
315
</sect3>
316
317
</sect2>
318
<sect2>
319
320
<title>Caching Name Servers</title>
321
322
<para>The resolver libraries provided by most operating systems are
323
<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
324
performing the full DNS resolution process by themselves by talking
325
directly to the authoritative servers. Instead, they rely on a local
326
name server to perform the resolution on their behalf. Such a server
327
is called a <emphasis>recursive</emphasis> name server; it performs
328
<emphasis>recursive lookups</emphasis> for local clients.</para>
329
330
<para>To improve performance, recursive servers cache the results of
331
the lookups they perform. Since the processes of recursion and
332
caching are intimately connected, the terms
333
<emphasis>recursive server</emphasis> and
334
<emphasis>caching server</emphasis> are often used synonymously.</para>
335
336
<para>The length of time for which a record may be retained in
337
in the cache of a caching name server is controlled by the
338
Time To Live (TTL) field associated with each resource record.
339
</para>
340
341
<sect3><title>Forwarding</title>
342
343
<para>Even a caching name server does not necessarily perform
344
the complete recursive lookup itself. Instead, it can
345
<emphasis>forward</emphasis> some or all of the queries
346
that it cannot satisfy from its cache to another caching name server,
347
commonly referred to as a <emphasis>forwarder</emphasis>.
348
</para>
349
350
<para>There may be one or more forwarders,
351
and they are queried in turn until the list is exhausted or an answer
352
is found. Forwarders are typically used when you do not
353
wish all the servers at a given site to interact directly with the rest of
354
the Internet servers. A typical scenario would involve a number
355
of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
356
to pass packets through the firewall would forward to the server
357
that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
358
on the internal server's behalf. An added benefit of using the forwarding
359
feature is that the central machine develops a much more complete
360
cache of information that all the clients can take advantage
361
of.</para>
362
</sect3>
363
364
</sect2>
365
366
<sect2><title>Name Servers in Multiple Roles</title>
367
368
<para>The <acronym>BIND</acronym> name server can simultaneously act as
369
a master for some zones, a slave for other zones, and as a caching
370
(recursive) server for a set of local clients.</para>
371
372
<para>However, since the functions of authoritative name service
373
and caching/recursive name service are logically separate, it is
374
often advantageous to run them on separate server machines.
375
376
A server that only provides authoritative name service
377
(an <emphasis>authoritative-only</emphasis> server) can run with
378
recursion disabled, improving reliability and security.
379
380
A server that is not authoritative for any zones and only provides
381
recursive service to local
382
clients (a <emphasis>caching-only</emphasis> server)
383
does not need to be reachable from the Internet at large and can
384
be placed inside a firewall.</para>
385
386
</sect2>
387
</sect1>
388
389
</chapter>
390
391
<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
392
393
<sect1>
394
<title>Hardware requirements</title>
395
396
<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
397
For many installations, servers that have been pensioned off from
398
active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
399
<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
400
CPU intensive however, so organizations that make heavy use of these
401
features may wish to consider larger systems for these applications.
402
<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
403
multiprocessor systems for installations that need it.</para></sect1>
404
<sect1><title>CPU Requirements</title>
405
<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
406
for serving of static zones without caching, to enterprise-class
407
machines if you intend to process many dynamic updates and DNSSEC
408
signed zones, serving many thousands of queries per second.</para></sect1>
409
410
<sect1><title>Memory Requirements</title>
411
<para>The memory of the server has to be large enough to fit the
412
cache and zones loaded off disk. The <command>max-cache-size</command>
413
option can be used to limit the amount of memory used by the cache,
414
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
415
traffic. It is still good practice to have enough memory to load
416
all zone and cache data into memory — unfortunately, the best way
417
to determine this for a given installation is to watch the name server
418
in operation. After a few weeks the server process should reach
419
a relatively stable size where entries are expiring from the cache as
420
fast as they are being inserted.</para></sect1>
421
422
<sect1><title>Name Server Intensive Environment Issues</title>
423
<para>For name server intensive environments, there are two alternative
424
configurations that may be used. The first is where clients and
425
any second-level internal name servers query a main name server, which
426
has enough memory to build a large cache. This approach minimizes
427
the bandwidth used by external name lookups. The second alternative
428
is to set up second-level internal name servers to make queries independently.
429
In this configuration, none of the individual machines needs to
430
have as much memory or CPU power as in the first alternative, but
431
this has the disadvantage of making many more external queries,
432
as none of the name servers share their cached data.</para></sect1>
433
434
<sect1><title>Supported Operating Systems</title>
435
<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
436
of Unix-like operating system and on Windows NT / 2000. For an up-to-date
437
list of supported systems, see the README file in the top level directory
438
of the BIND 9 source distribution.</para>
439
</sect1>
440
</chapter>
441
442
<chapter id="Bv9ARM.ch03">
443
<title>Name Server Configuration</title>
444
<para>In this section we provide some suggested configurations along
445
with guidelines for their use. We also address the topic of reasonable
446
option setting.</para>
447
448
<sect1 id="sample_configuration">
449
<title>Sample Configurations</title>
450
<sect2>
451
<title>A Caching-only Name Server</title>
452
<para>The following sample configuration is appropriate for a caching-only
453
name server for use by clients internal to a corporation. All queries
454
from outside clients are refused using the <command>allow-query</command>
455
option. Alternatively, the same effect could be achieved using suitable
456
firewall rules.</para>
167
</informaltable>
168
169
<para>
170
The following conventions are used in descriptions of the
171
<acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
172
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
173
<colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
174
<colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
175
<tbody>
176
<row rowsep="0">
177
<entry colname="1" colsep="1" rowsep="1">
178
<para>
179
<emphasis>To describe:</emphasis>
180
</para>
181
</entry>
182
<entry colname="2" rowsep="1">
183
<para>
184
<emphasis>We use the style:</emphasis>
185
</para>
186
</entry>
187
</row>
188
<row rowsep="0">
189
<entry colname="1" colsep="1" rowsep="1">
190
<para>
191
keywords
192
</para>
193
</entry>
194
<entry colname="2" rowsep="1">
195
<para>
196
<literal>Fixed Width</literal>
197
</para>
198
</entry>
199
</row>
200
<row rowsep="0">
201
<entry colname="1" colsep="1" rowsep="1">
202
<para>
203
variables
204
</para>
205
</entry>
206
<entry colname="2" rowsep="1">
207
<para>
208
<varname>Fixed Width</varname>
209
</para>
210
</entry>
211
</row>
212
<row rowsep="0">
213
<entry colname="1" colsep="1">
214
<para>
215
Optional input
216
</para>
217
</entry>
218
<entry colname="2">
219
<para>
220
<optional>Text is enclosed in square brackets</optional>
221
</para>
222
</entry>
223
</row>
224
</tbody>
225
</tgroup>
226
</informaltable>
227
</para>
228
</sect1>
229
<sect1>
230
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
231
<para>
232
The purpose of this document is to explain the installation
233
and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
234
Name Domain) software package, and we
235
begin by reviewing the fundamentals of the Domain Name System
236
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
237
</para>
238
239
<sect2>
240
<title>DNS Fundamentals</title>
241
242
<para>
243
The Domain Name System (DNS) is a hierarchical, distributed
244
database. It stores information for mapping Internet host names to
245
IP
246
addresses and vice versa, mail routing information, and other data
247
used by Internet applications.
248
</para>
249
250
<para>
251
Clients look up information in the DNS by calling a
252
<emphasis>resolver</emphasis> library, which sends queries to one or
253
more <emphasis>name servers</emphasis> and interprets the responses.
254
The <acronym>BIND</acronym> 9 software distribution
255
contains a
256
name server, <command>named</command>, and two resolver
257
libraries, <command>liblwres</command> and <command>libbind</command>.
258
</para>
259
260
</sect2><sect2>
261
<title>Domains and Domain Names</title>
262
263
<para>
264
The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
265
organizational or administrative boundaries. Each node of the tree,
266
called a <emphasis>domain</emphasis>, is given a label. The domain
267
name of the
268
node is the concatenation of all the labels on the path from the
269
node to the <emphasis>root</emphasis> node. This is represented
270
in written form as a string of labels listed from right to left and
271
separated by dots. A label need only be unique within its parent
272
domain.
273
</para>
274
275
<para>
276
For example, a domain name for a host at the
277
company <emphasis>Example, Inc.</emphasis> could be
278
<literal>ourhost.example.com</literal>,
279
where <literal>com</literal> is the
280
top level domain to which
281
<literal>ourhost.example.com</literal> belongs,
282
<literal>example</literal> is
283
a subdomain of <literal>com</literal>, and
284
<literal>ourhost</literal> is the
285
name of the host.
286
</para>
287
288
<para>
289
For administrative purposes, the name space is partitioned into
290
areas called <emphasis>zones</emphasis>, each starting at a node and
291
extending down to the leaf nodes or to nodes where other zones
292
start.
293
The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
294
<emphasis>DNS protocol</emphasis>.
295
</para>
296
297
<para>
298
The data associated with each domain name is stored in the
299
form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
300
Some of the supported resource record types are described in
301
<xref linkend="types_of_resource_records_and_when_to_use_them"/>.
302
</para>
303
304
<para>
305
For more detailed information about the design of the DNS and
306
the DNS protocol, please refer to the standards documents listed in
307
<xref linkend="rfcs"/>.
308
</para>
309
</sect2>
310
311
<sect2>
312
<title>Zones</title>
313
<para>
314
To properly operate a name server, it is important to understand
315
the difference between a <emphasis>zone</emphasis>
316
and a <emphasis>domain</emphasis>.
317
</para>
318
319
<para>
320
As stated previously, a zone is a point of delegation in
321
the <acronym>DNS</acronym> tree. A zone consists of
322
those contiguous parts of the domain
323
tree for which a name server has complete information and over which
324
it has authority. It contains all domain names from a certain point
325
downward in the domain tree except those which are delegated to
326
other zones. A delegation point is marked by one or more
327
<emphasis>NS records</emphasis> in the
328
parent zone, which should be matched by equivalent NS records at
329
the root of the delegated zone.
330
</para>
331
332
<para>
333
For instance, consider the <literal>example.com</literal>
334
domain which includes names
335
such as <literal>host.aaa.example.com</literal> and
336
<literal>host.bbb.example.com</literal> even though
337
the <literal>example.com</literal> zone includes
338
only delegations for the <literal>aaa.example.com</literal> and
339
<literal>bbb.example.com</literal> zones. A zone can
340
map
341
exactly to a single domain, but could also include only part of a
342
domain, the rest of which could be delegated to other
343
name servers. Every name in the <acronym>DNS</acronym>
344
tree is a
345
<emphasis>domain</emphasis>, even if it is
346
<emphasis>terminal</emphasis>, that is, has no
347
<emphasis>subdomains</emphasis>. Every subdomain is a domain and
348
every domain except the root is also a subdomain. The terminology is
349
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
350
to
351
gain a complete understanding of this difficult and subtle
352
topic.
353
</para>
354
355
<para>
356
Though <acronym>BIND</acronym> is called a "domain name
357
server",
358
it deals primarily in terms of zones. The master and slave
359
declarations in the <filename>named.conf</filename> file
360
specify
361
zones, not domains. When you ask some other site if it is willing to
362
be a slave server for your <emphasis>domain</emphasis>, you are
363
actually asking for slave service for some collection of zones.
364
</para>
365
</sect2>
366
367
<sect2>
368
<title>Authoritative Name Servers</title>
369
370
<para>
371
Each zone is served by at least
372
one <emphasis>authoritative name server</emphasis>,
373
which contains the complete data for the zone.
374
To make the DNS tolerant of server and network failures,
375
most zones have two or more authoritative servers, on
376
different networks.
377
</para>
378
379
<para>
380
Responses from authoritative servers have the "authoritative
381
answer" (AA) bit set in the response packets. This makes them
382
easy to identify when debugging DNS configurations using tools like
383
<command>dig</command> (<xref linkend="diagnostic_tools"/>).
384
</para>
385
386
<sect3>
387
<title>The Primary Master</title>
388
389
<para>
390
The authoritative server where the master copy of the zone
391
data is maintained is called the
392
<emphasis>primary master</emphasis> server, or simply the
393
<emphasis>primary</emphasis>. Typically it loads the zone
394
contents from some local file edited by humans or perhaps
395
generated mechanically from some other local file which is
396
edited by humans. This file is called the
397
<emphasis>zone file</emphasis> or
398
<emphasis>master file</emphasis>.
399
</para>
400
401
<para>
402
In some cases, however, the master file may not be edited
403
by humans at all, but may instead be the result of
404
<emphasis>dynamic update</emphasis> operations.
405
</para>
406
</sect3>
407
408
<sect3>
409
<title>Slave Servers</title>
410
<para>
411
The other authoritative servers, the <emphasis>slave</emphasis>
412
servers (also known as <emphasis>secondary</emphasis> servers)
413
load
414
the zone contents from another server using a replication process
415
known as a <emphasis>zone transfer</emphasis>. Typically the data
416
are
417
transferred directly from the primary master, but it is also
418
possible
419
to transfer it from another slave. In other words, a slave server
420
may itself act as a master to a subordinate slave server.
421
</para>
422
</sect3>
423
424
<sect3>
425
<title>Stealth Servers</title>
426
427
<para>
428
Usually all of the zone's authoritative servers are listed in
429
NS records in the parent zone. These NS records constitute
430
a <emphasis>delegation</emphasis> of the zone from the parent.
431
The authoritative servers are also listed in the zone file itself,
432
at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
433
of the zone. You can list servers in the zone's top-level NS
434
records that are not in the parent's NS delegation, but you cannot
435
list servers in the parent's delegation that are not present at
436
the zone's top level.
437
</para>
438
439
<para>
440
A <emphasis>stealth server</emphasis> is a server that is
441
authoritative for a zone but is not listed in that zone's NS
442
records. Stealth servers can be used for keeping a local copy of
443
a
444
zone to speed up access to the zone's records or to make sure that
445
the
446
zone is available even if all the "official" servers for the zone
447
are
448
inaccessible.
449
</para>
450
451
<para>
452
A configuration where the primary master server itself is a
453
stealth server is often referred to as a "hidden primary"
454
configuration. One use for this configuration is when the primary
455
master
456
is behind a firewall and therefore unable to communicate directly
457
with the outside world.
458
</para>
459
460
</sect3>
461
462
</sect2>
463
<sect2>
464
465
<title>Caching Name Servers</title>
466
467
<!--
468
- Terminology here is inconsistent. Probably ought to
469
- convert to using "recursive name server" everywhere
470
- with just a note about "caching" terminology.
471
-->
472
473
<para>
474
The resolver libraries provided by most operating systems are
475
<emphasis>stub resolvers</emphasis>, meaning that they are not
476
capable of
477
performing the full DNS resolution process by themselves by talking
478
directly to the authoritative servers. Instead, they rely on a
479
local
480
name server to perform the resolution on their behalf. Such a
481
server
482
is called a <emphasis>recursive</emphasis> name server; it performs
483
<emphasis>recursive lookups</emphasis> for local clients.
484
</para>
485
486
<para>
487
To improve performance, recursive servers cache the results of
488
the lookups they perform. Since the processes of recursion and
489
caching are intimately connected, the terms
490
<emphasis>recursive server</emphasis> and
491
<emphasis>caching server</emphasis> are often used synonymously.
492
</para>
493
494
<para>
495
The length of time for which a record may be retained in
496
the cache of a caching name server is controlled by the
497
Time To Live (TTL) field associated with each resource record.
498
</para>
499
500
<sect3>
501
<title>Forwarding</title>
502
503
<para>
504
Even a caching name server does not necessarily perform
505
the complete recursive lookup itself. Instead, it can
506
<emphasis>forward</emphasis> some or all of the queries
507
that it cannot satisfy from its cache to another caching name
508
server,
509
commonly referred to as a <emphasis>forwarder</emphasis>.
510
</para>
511
512
<para>
513
There may be one or more forwarders,
514
and they are queried in turn until the list is exhausted or an
515
answer
516
is found. Forwarders are typically used when you do not
517
wish all the servers at a given site to interact directly with the
518
rest of
519
the Internet servers. A typical scenario would involve a number
520
of internal <acronym>DNS</acronym> servers and an
521
Internet firewall. Servers unable
522
to pass packets through the firewall would forward to the server
523
that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
524
on the internal server's behalf.
525
</para>
526
</sect3>
527
528
</sect2>
529
530
<sect2>
531
<title>Name Servers in Multiple Roles</title>
532
533
<para>
534
The <acronym>BIND</acronym> name server can
535
simultaneously act as
536
a master for some zones, a slave for other zones, and as a caching
537
(recursive) server for a set of local clients.
538
</para>
539
540
<para>
541
However, since the functions of authoritative name service
542
and caching/recursive name service are logically separate, it is
543
often advantageous to run them on separate server machines.
544
545
A server that only provides authoritative name service
546
(an <emphasis>authoritative-only</emphasis> server) can run with
547
recursion disabled, improving reliability and security.
548
549
A server that is not authoritative for any zones and only provides
550
recursive service to local
551
clients (a <emphasis>caching-only</emphasis> server)
552
does not need to be reachable from the Internet at large and can
553
be placed inside a firewall.
554
</para>
555
556
</sect2>
557
</sect1>
558
559
</chapter>
560
561
<chapter id="Bv9ARM.ch02">
562
<title><acronym>BIND</acronym> Resource Requirements</title>
563
564
<sect1>
565
<title>Hardware requirements</title>
566
567
<para>
568
<acronym>DNS</acronym> hardware requirements have
569
traditionally been quite modest.
570
For many installations, servers that have been pensioned off from
571
active duty have performed admirably as <acronym>DNS</acronym> servers.
572
</para>
573
<para>
574
The DNSSEC features of <acronym>BIND</acronym> 9
575
may prove to be quite
576
CPU intensive however, so organizations that make heavy use of these
577
features may wish to consider larger systems for these applications.
578
<acronym>BIND</acronym> 9 is fully multithreaded, allowing
579
full utilization of
580
multiprocessor systems for installations that need it.
581
</para>
582
</sect1>
583
<sect1>
584
<title>CPU Requirements</title>
585
<para>
586
CPU requirements for <acronym>BIND</acronym> 9 range from
587
i486-class machines
588
for serving of static zones without caching, to enterprise-class
589
machines if you intend to process many dynamic updates and DNSSEC
590
signed zones, serving many thousands of queries per second.
591
</para>
592
</sect1>
593
594
<sect1>
595
<title>Memory Requirements</title>
596
<para>
597
The memory of the server has to be large enough to fit the
598
cache and zones loaded off disk. The <command>max-cache-size</command>
599
option can be used to limit the amount of memory used by the cache,
600
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
601
traffic.
602
Additionally, if additional section caching
603
(<xref linkend="acache"/>) is enabled,
604
the <command>max-acache-size</command> option can be used to
605
limit the amount
606
of memory used by the mechanism.
607
It is still good practice to have enough memory to load
608
all zone and cache data into memory — unfortunately, the best
609
way
610
to determine this for a given installation is to watch the name server
611
in operation. After a few weeks the server process should reach
612
a relatively stable size where entries are expiring from the cache as
613
fast as they are being inserted.
614
</para>
615
<!--
616
- Add something here about leaving overhead for attacks?
617
- How much overhead? Percentage?
618
-->
619
</sect1>
620
621
<sect1>
622
<title>Name Server Intensive Environment Issues</title>
623
<para>
624
For name server intensive environments, there are two alternative
625
configurations that may be used. The first is where clients and
626
any second-level internal name servers query a main name server, which
627
has enough memory to build a large cache. This approach minimizes
628
the bandwidth used by external name lookups. The second alternative
629
is to set up second-level internal name servers to make queries
630
independently.
631
In this configuration, none of the individual machines needs to
632
have as much memory or CPU power as in the first alternative, but
633
this has the disadvantage of making many more external queries,
634
as none of the name servers share their cached data.
635
</para>
636
</sect1>
637
638
<sect1>
639
<title>Supported Operating Systems</title>
640
<para>
641
ISC <acronym>BIND</acronym> 9 compiles and runs on a large
642
number
643
of Unix-like operating system and on NT-derived versions of
644
Microsoft Windows such as Windows 2000 and Windows XP. For an
645
up-to-date
646
list of supported systems, see the README file in the top level
647
directory
648
of the BIND 9 source distribution.
649
</para>
650
</sect1>
651
</chapter>
652
653
<chapter id="Bv9ARM.ch03">
654
<title>Name Server Configuration</title>
655
<para>
656
In this section we provide some suggested configurations along
657
with guidelines for their use. We suggest reasonable values for
658
certain option settings.
659
</para>
660
661
<sect1 id="sample_configuration">
662
<title>Sample Configurations</title>
663
<sect2>
664
<title>A Caching-only Name Server</title>
665
<para>
666
The following sample configuration is appropriate for a caching-only
667
name server for use by clients internal to a corporation. All
668
queries
669
from outside clients are refused using the <command>allow-query</command>
670
option. Alternatively, the same effect could be achieved using
671
suitable
672
firewall rules.
673
</para>
457
674
458
675
<programlisting>
459
676
// Two corporate subnets we wish to allow queries from.
469
686
notify no;
470
687
};
471
688
</programlisting>
472
</sect2>
473
474
<sect2>
475
<title>An Authoritative-only Name Server</title>
476
<para>This sample configuration is for an authoritative-only server
477
that is the master server for "<filename>example.com</filename>"
478
and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
689
690
</sect2>
691
692
<sect2>
693
<title>An Authoritative-only Name Server</title>
694
<para>
695
This sample configuration is for an authoritative-only server
696
that is the master server for "<filename>example.com</filename>"
697
and a slave for the subdomain "<filename>eng.example.com</filename>".
698
</para>
479
699
480
700
<programlisting>
481
701
options {
482
702
directory "/etc/namedb"; // Working directory
703
allow-query-cache { none; }; // Do not allow access to cache
483
704
allow-query { any; }; // This is the default
484
705
recursion no; // Do not provide recursive service
485
706
};
508
729
masters { 192.168.4.12; };
509
730
};
510
731
</programlisting>
511
</sect2>
512
</sect1>
513
514
<sect1>
515
<title>Load Balancing</title>
516
517
<para>A primitive form of load balancing can be achieved in
518
the <acronym>DNS</acronym> by using multiple A records for one name.</para>
519
520
<para>For example, if you have three WWW servers with network addresses
521
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
522
following means that clients will connect to each machine one third
523
of the time:</para>
524
525
<informaltable colsep = "0" rowsep = "0">
526
<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
527
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
528
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
529
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
530
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
531
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
532
<tbody>
533
<row rowsep = "0">
534
<entry colname = "1"><para>Name</para></entry>
535
<entry colname = "2"><para>TTL</para></entry>
536
<entry colname = "3"><para>CLASS</para></entry>
537
<entry colname = "4"><para>TYPE</para></entry>
538
<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
539
</row>
540
<row rowsep = "0">
541
<entry colname = "1"><para><literal>www</literal></para></entry>
542
<entry colname = "2"><para><literal>600</literal></para></entry>
543
<entry colname = "3"><para><literal>IN</literal></para></entry>
544
<entry colname = "4"><para><literal>A</literal></para></entry>
545
<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
546
</row>
547
<row rowsep = "0">
548
<entry colname = "1"><para></para></entry>
549
<entry colname = "2"><para><literal>600</literal></para></entry>
550
<entry colname = "3"><para><literal>IN</literal></para></entry>
551
<entry colname = "4"><para><literal>A</literal></para></entry>
552
<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
553
</row>
554
<row rowsep = "0">
555
<entry colname = "1"><para></para></entry>
556
<entry colname = "2"><para><literal>600</literal></para></entry>
557
<entry colname = "3"><para><literal>IN</literal></para></entry>
558
<entry colname = "4"><para><literal>A</literal></para></entry>
559
<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
560
</row>
561
</tbody>
562
</tgroup>
563
</informaltable>
564
<para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
565
them and respond to the query with the records in a different
566
order. In the example above, clients will randomly receive
567
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
568
will use the first record returned and discard the rest.</para>
569
<para>For more detail on ordering responses, check the
570
<command>rrset-order</command> substatement in the
571
<command>options</command> statement, see
572
<xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
573
This substatement is not supported in
574
<acronym>BIND</acronym> 9, and only the ordering scheme described above is
575
available.</para>
576
577
</sect1>
578
579
<sect1>
580
<title>Name Server Operations</title>
581
582
<sect2>
583
<title>Tools for Use With the Name Server Daemon</title>
584
<para>There are several indispensable diagnostic, administrative
585
and monitoring tools available to the system administrator for controlling
586
and debugging the name server daemon. We describe several in this
587
section </para>
588
<sect3 id="diagnostic_tools">
589
<title>Diagnostic Tools</title>
590
<para>The <command>dig</command>, <command>host</command>, and
591
<command>nslookup</command> programs are all command line tools
592
for manually querying name servers. They differ in style and
593
output format.
594
</para>
595
596
<variablelist>
597
<varlistentry>
598
<term id="dig"><command>dig</command></term>
599
<listitem>
600
<para>The domain information groper (<command>dig</command>)
601
is the most versatile and complete of these lookup tools.
602
It has two modes: simple interactive
603
mode for a single query, and batch mode which executes a query for
604
each in a list of several query lines. All query options are accessible
605
from the command line.</para>
606
<cmdsynopsis label="Usage">
607
<command>dig</command>
608
<arg>@<replaceable>server</replaceable></arg>
609
<arg choice="plain"><replaceable>domain</replaceable></arg>
610
<arg><replaceable>query-type</replaceable></arg>
611
<arg><replaceable>query-class</replaceable></arg>
612
<arg>+<replaceable>query-option</replaceable></arg>
613
<arg>-<replaceable>dig-option</replaceable></arg>
614
<arg>%<replaceable>comment</replaceable></arg>
615
</cmdsynopsis>
616
<para>The usual simple use of dig will take the form</para>
617
<simpara><command>dig @server domain query-type query-class</command></simpara>
618
<para>For more information and a list of available commands and
619
options, see the <command>dig</command> man page.</para>
620
</listitem>
621
</varlistentry>
622
623
<varlistentry>
624
<term><command>host</command></term>
625
<listitem>
626
<para>The <command>host</command> utility emphasizes simplicity
627
and ease of use. By default, it converts
628
between host names and Internet addresses, but its functionality
629
can be extended with the use of options.</para>
630
<cmdsynopsis label="Usage">
631
<command>host</command>
632
<arg>-aCdlrTwv</arg>
633
<arg>-c <replaceable>class</replaceable></arg>
634
<arg>-N <replaceable>ndots</replaceable></arg>
635
<arg>-t <replaceable>type</replaceable></arg>
636
<arg>-W <replaceable>timeout</replaceable></arg>
637
<arg>-R <replaceable>retries</replaceable></arg>
638
<arg choice="plain"><replaceable>hostname</replaceable></arg>
639
<arg><replaceable>server</replaceable></arg>
640
</cmdsynopsis>
641
<para>For more information and a list of available commands and
642
options, see the <command>host</command> man page.</para>
643
</listitem>
644
</varlistentry>
645
646
<varlistentry>
647
<term><command>nslookup</command></term>
648
<listitem>
649
<para><command>nslookup</command> has two modes: interactive
650
and non-interactive. Interactive mode allows the user to query name servers
651
for information about various hosts and domains or to print a list
652
of hosts in a domain. Non-interactive mode is used to print just
653
the name and requested information for a host or domain.</para>
654
<cmdsynopsis label="Usage">
655
<command>nslookup</command>
656
<arg rep="repeat">-option</arg>
657
<group>
658
<arg><replaceable>host-to-find</replaceable></arg>
659
<arg>- <arg>server</arg></arg>
660
</group>
661
</cmdsynopsis>
662
<para>Interactive mode is entered when no arguments are given (the
663
default name server will be used) or when the first argument is a
664
hyphen (`-') and the second argument is the host name or Internet address
665
of a name server.</para>
666
<para>Non-interactive mode is used when the name or Internet address
667
of the host to be looked up is given as the first argument. The
668
optional second argument specifies the host name or address of a name server.</para>
669
<para>Due to its arcane user interface and frequently inconsistent
670
behavior, we do not recommend the use of <command>nslookup</command>.
671
Use <command>dig</command> instead.</para>
672
</listitem>
673
674
</varlistentry>
675
</variablelist>
676
</sect3>
677
678
<sect3 id="admin_tools">
679
<title>Administrative Tools</title>
680
<para>Administrative tools play an integral part in the management
681
of a server.</para>
682
<variablelist>
683
<varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
684
<term><command>named-checkconf</command></term>
685
<listitem>
686
<para>The <command>named-checkconf</command> program
687
checks the syntax of a <filename>named.conf</filename> file.</para>
688
<cmdsynopsis label="Usage">
689
<command>named-checkconf</command>
690
<arg>-jvz</arg>
691
<arg>-t <replaceable>directory</replaceable></arg>
692
<arg><replaceable>filename</replaceable></arg>
693
</cmdsynopsis>
694
</listitem>
695
</varlistentry>
696
<varlistentry id="named-checkzone" xreflabel="Zone Checking application">
697
<term><command>named-checkzone</command></term>
698
<listitem>
699
<para>The <command>named-checkzone</command> program checks a master file for
700
syntax and consistency.</para>
701
<cmdsynopsis label="Usage">
702
<command>named-checkzone</command>
703
<arg>-djqvD</arg>
704
<arg>-c <replaceable>class</replaceable></arg>
705
<arg>-o <replaceable>output</replaceable></arg>
706
<arg>-t <replaceable>directory</replaceable></arg>
707
<arg>-w <replaceable>directory</replaceable></arg>
708
<arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
709
<arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
710
<arg choice="plain"><replaceable>zone</replaceable></arg>
711
<arg><replaceable>filename</replaceable></arg>
712
</cmdsynopsis>
713
</listitem>
714
</varlistentry>
715
<varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
716
<term><command>rndc</command></term>
717
<listitem>
718
<para>The remote name daemon control
719
(<command>rndc</command>) program allows the system
720
administrator to control the operation of a name server.
721
If you run <command>rndc</command> without any options
722
it will display a usage message as follows:</para>
723
<cmdsynopsis label="Usage">
724
<command>rndc</command>
725
<arg>-c <replaceable>config</replaceable></arg>
726
<arg>-s <replaceable>server</replaceable></arg>
727
<arg>-p <replaceable>port</replaceable></arg>
728
<arg>-y <replaceable>key</replaceable></arg>
729
<arg choice="plain"><replaceable>command</replaceable></arg>
730
<arg rep="repeat"><replaceable>command</replaceable></arg>
731
</cmdsynopsis>
732
<para><command>command</command> is one of the following:</para>
733
734
<variablelist>
735
736
<varlistentry><term><userinput>reload</userinput></term>
737
<listitem><para>Reload configuration file and zones.</para></listitem>
738
</varlistentry>
739
740
<varlistentry><term><userinput>reload <replaceable>zone</replaceable>
741
<optional><replaceable>class</replaceable>
742
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
743
<listitem><para>Reload the given zone.</para></listitem>
744
</varlistentry>
745
746
<varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
747
<optional><replaceable>class</replaceable>
748
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
749
<listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
750
</varlistentry>
751
752
<varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
753
<optional><replaceable>class</replaceable>
754
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
755
<listitem><para>Retransfer the given zone from the master.</para></listitem>
756
</varlistentry>
757
758
<varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
759
<optional><replaceable>class</replaceable>
760
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
761
<listitem><para>Suspend updates to a dynamic zone. If no zone is specified
762
then all zones are suspended. This allows manual
763
edits to be made to a zone normally updated by dynamic update. It
764
also causes changes in the journal file to be synced into the master
765
and the journal file to be removed. All dynamic update attempts will
766
be refused while the zone is frozen.</para></listitem>
767
</varlistentry>
768
769
<varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable>
770
<optional><replaceable>class</replaceable>
771
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
772
<listitem><para>Enable updates to a frozen dynamic zone. If no zone is
773
specified then all frozen zones are enabled. This causes
774
the server to reload the zone from disk, and re-enables dynamic updates
775
after the load has completed. After a zone is thawed, dynamic updates
776
will no longer be refused.</para></listitem>
777
</varlistentry>
778
779
<varlistentry><term><userinput>notify <replaceable>zone</replaceable>
780
<optional><replaceable>class</replaceable>
781
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
782
<listitem><para>Resend NOTIFY messages for the zone</para></listitem></varlistentry>
783
784
<varlistentry><term><userinput>reconfig</userinput></term>
785
<listitem><para>Reload the configuration file and load new zones,
786
but do not reload existing zone files even if they have changed.
787
This is faster than a full <command>reload</command> when there
788
is a large number of zones because it avoids the need to examine the
789
modification times of the zones files.
790
</para></listitem>
791
</varlistentry>
792
793
<varlistentry><term><userinput>stats</userinput></term>
794
<listitem><para>Write server statistics to the statistics file.</para></listitem>
795
</varlistentry>
796
797
<varlistentry><term><userinput>querylog</userinput></term>
798
<listitem><para>Toggle query logging. Query logging can also be enabled
799
by explicitly directing the <command>queries</command>
800
<command>category</command> to a <command>channel</command> in the
801
<command>logging</command> section of
802
<filename>named.conf</filename>.</para></listitem></varlistentry>
803
804
<varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
805
<listitem><para>Dump the server's caches (default) and / or zones to the
806
dump file for the specified views. If no view is specified all
807
views are dumped.</para></listitem></varlistentry>
808
809
<varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
810
<listitem><para>Stop the server, making sure any recent changes
811
made through dynamic update or IXFR are first saved to the master files
812
of the updated zones. If -p is specified named's process id is returned.</para></listitem></varlistentry>
813
814
<varlistentry><term><userinput>halt <optional>-p</optional></userinput></term>
815
<listitem><para>Stop the server immediately. Recent changes
816
made through dynamic update or IXFR are not saved to the master files,
817
but will be rolled forward from the journal files when the server
818
is restarted. If -p is specified named's process id is returned.</para></listitem></varlistentry>
819
820
<varlistentry><term><userinput>trace</userinput></term>
821
<listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
822
823
<varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
824
<listitem><para>Sets the server's debugging level to an explicit
825
value.</para></listitem></varlistentry>
826
827
<varlistentry><term><userinput>notrace</userinput></term>
828
<listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
829
830
<varlistentry><term><userinput>flush</userinput></term>
831
<listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
832
833
<varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
834
<listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry>
835
836
<varlistentry><term><userinput>status</userinput></term>
837
<listitem><para>Display status of the server.
838
Note the number of zones includes the internal <command>bind/CH</command> zone
839
and the default <command>./IN</command> hint zone if there is not a
840
explicit root zone configured.</para></listitem></varlistentry>
841
842
<varlistentry><term><userinput>recursing</userinput></term>
843
<listitem><para>Dump the list of queries named is currently recursing
844
on.
845
</para></listitem></varlistentry>
846
847
</variablelist>
848
849
<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
850
supports all the commands of the BIND 8 <command>ndc</command>
851
utility except <command>ndc start</command> and
852
<command>ndc restart</command>, which were also
853
not supported in <command>ndc</command>'s channel mode.</para>
854
855
<para>A configuration file is required, since all
856
communication with the server is authenticated with
857
digital signatures that rely on a shared secret, and
858
there is no way to provide that secret other than with a
859
configuration file. The default location for the
860
<command>rndc</command> configuration file is
861
<filename>/etc/rndc.conf</filename>, but an alternate
862
location can be specified with the <option>-c</option>
863
option. If the configuration file is not found,
864
<command>rndc</command> will also look in
865
<filename>/etc/rndc.key</filename> (or whatever
866
<varname>sysconfdir</varname> was defined when
867
the <acronym>BIND</acronym> build was configured).
868
The <filename>rndc.key</filename> file is generated by
869
running <command>rndc-confgen -a</command> as described in
870
<xref linkend="controls_statement_definition_and_usage"/>.</para>
871
872
<para>The format of the configuration file is similar to
873
that of <filename>named.conf</filename>, but limited to
874
only four statements, the <command>options</command>,
875
<command>key</command>, <command>server</command> and
876
<command>include</command>
877
statements. These statements are what associate the
878
secret keys to the servers with which they are meant to
879
be shared. The order of statements is not
880
significant.</para>
881
882
<para>The <command>options</command> statement has three clauses:
883
<command>default-server</command>, <command>default-key</command>,
884
and <command>default-port</command>.
885
<command>default-server</command> takes a
886
host name or address argument and represents the server that will
887
be contacted if no <option>-s</option>
888
option is provided on the command line.
889
<command>default-key</command> takes
890
the name of a key as its argument, as defined by a <command>key</command> statement.
891
<command>default-port</command> specifies the port to which
892
<command>rndc</command> should connect if no
893
port is given on the command line or in a
894
<command>server</command> statement.</para>
895
896
<para>The <command>key</command> statement defines an key to be used
897
by <command>rndc</command> when authenticating with
898
<command>named</command>. Its syntax is identical to the
899
<command>key</command> statement in named.conf.
900
The keyword <userinput>key</userinput> is
901
followed by a key name, which must be a valid
902
domain name, though it need not actually be hierarchical; thus,
903
a string like "<userinput>rndc_key</userinput>" is a valid name.
904
The <command>key</command> statement has two clauses:
905
<command>algorithm</command> and <command>secret</command>.
906
While the configuration parser will accept any string as the argument
907
to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
908
has any meaning. The secret is a base-64 encoded string.</para>
909
910
<para>The <command>server</command> statement associates a key
911
defined using the <command>key</command> statement with a server.
912
The keyword <userinput>server</userinput> is followed by a
913
host name or address. The <command>server</command> statement
914
has two clauses: <command>key</command> and <command>port</command>.
915
The <command>key</command> clause specifies the name of the key
916
to be used when communicating with this server, and the
917
<command>port</command> clause can be used to
918
specify the port <command>rndc</command> should connect
919
to on the server.</para>
920
921
<para>A sample minimal configuration file is as follows:</para>
732
733
</sect2>
734
</sect1>
735
736
<sect1>
737
<title>Load Balancing</title>
738
<!--
739
- Add explanation of why load balancing is fragile at best
740
- and completely pointless in the general case.
741
-->
742
743
<para>
744
A primitive form of load balancing can be achieved in
745
the <acronym>DNS</acronym> by using multiple records
746
(such as multiple A records) for one name.
747
</para>
748
749
<para>
750
For example, if you have three WWW servers with network addresses
751
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
752
following means that clients will connect to each machine one third
753
of the time:
754
</para>
755
756
<informaltable colsep="0" rowsep="0">
757
<tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
758
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
759
<colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
760
<colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
761
<colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
762
<colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
763
<tbody>
764
<row rowsep="0">
765
<entry colname="1">
766
<para>
767
Name
768
</para>
769
</entry>
770
<entry colname="2">
771
<para>
772
TTL
773
</para>
774
</entry>
775
<entry colname="3">
776
<para>
777
CLASS
778
</para>
779
</entry>
780
<entry colname="4">
781
<para>
782
TYPE
783
</para>
784
</entry>
785
<entry colname="5">
786
<para>
787
Resource Record (RR) Data
788
</para>
789
</entry>
790
</row>
791
<row rowsep="0">
792
<entry colname="1">
793
<para>
794
<literal>www</literal>
795
</para>
796
</entry>
797
<entry colname="2">
798
<para>
799
<literal>600</literal>
800
</para>
801
</entry>
802
<entry colname="3">
803
<para>
804
<literal>IN</literal>
805
</para>
806
</entry>
807
<entry colname="4">
808
<para>
809
<literal>A</literal>
810
</para>
811
</entry>
812
<entry colname="5">
813
<para>
814
<literal>10.0.0.1</literal>
815
</para>
816
</entry>
817
</row>
818
<row rowsep="0">
819
<entry colname="1">
820
<para/>
821
</entry>
822
<entry colname="2">
823
<para>
824
<literal>600</literal>
825
</para>
826
</entry>
827
<entry colname="3">
828
<para>
829
<literal>IN</literal>
830
</para>
831
</entry>
832
<entry colname="4">
833
<para>
834
<literal>A</literal>
835
</para>
836
</entry>
837
<entry colname="5">
838
<para>
839
<literal>10.0.0.2</literal>
840
</para>
841
</entry>
842
</row>
843
<row rowsep="0">
844
<entry colname="1">
845
<para/>
846
</entry>
847
<entry colname="2">
848
<para>
849
<literal>600</literal>
850
</para>
851
</entry>
852
<entry colname="3">
853
<para>
854
<literal>IN</literal>
855
</para>
856
</entry>
857
<entry colname="4">
858
<para>
859
<literal>A</literal>
860
</para>
861
</entry>
862
<entry colname="5">
863
<para>
864
<literal>10.0.0.3</literal>
865
</para>
866
</entry>
867
</row>
868
</tbody>
869
</tgroup>
870
</informaltable>
871
<para>
872
When a resolver queries for these records, <acronym>BIND</acronym> will rotate
873
them and respond to the query with the records in a different
874
order. In the example above, clients will randomly receive
875
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
876
will use the first record returned and discard the rest.
877
</para>
878
<para>
879
For more detail on ordering responses, check the
880
<command>rrset-order</command> substatement in the
881
<command>options</command> statement, see
882
<xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
883
</para>
884
885
</sect1>
886
887
<sect1>
888
<title>Name Server Operations</title>
889
890
<sect2>
891
<title>Tools for Use With the Name Server Daemon</title>
892
<para>
893
This section describes several indispensable diagnostic,
894
administrative and monitoring tools available to the system
895
administrator for controlling and debugging the name server
896
daemon.
897
</para>
898
<sect3 id="diagnostic_tools">
899
<title>Diagnostic Tools</title>
900
<para>
901
The <command>dig</command>, <command>host</command>, and
902
<command>nslookup</command> programs are all command
903
line tools
904
for manually querying name servers. They differ in style and
905
output format.
906
</para>
907
908
<variablelist>
909
<varlistentry>
910
<term id="dig"><command>dig</command></term>
911
<listitem>
912
<para>
913
The domain information groper (<command>dig</command>)
914
is the most versatile and complete of these lookup tools.
915
It has two modes: simple interactive
916
mode for a single query, and batch mode which executes a
917
query for
918
each in a list of several query lines. All query options are
919
accessible
920
from the command line.
921
</para>
922
<cmdsynopsis label="Usage">
923
<command>dig</command>
924
<arg>@<replaceable>server</replaceable></arg>
925
<arg choice="plain"><replaceable>domain</replaceable></arg>
926
<arg><replaceable>query-type</replaceable></arg>
927
<arg><replaceable>query-class</replaceable></arg>
928
<arg>+<replaceable>query-option</replaceable></arg>
929
<arg>-<replaceable>dig-option</replaceable></arg>
930
<arg>%<replaceable>comment</replaceable></arg>
931
</cmdsynopsis>
932
<para>
933
The usual simple use of dig will take the form
934
</para>
935
<simpara>
936
<command>dig @server domain query-type query-class</command>
937
</simpara>
938
<para>
939
For more information and a list of available commands and
940
options, see the <command>dig</command> man
941
page.
942
</para>
943
</listitem>
944
</varlistentry>
945
946
<varlistentry>
947
<term><command>host</command></term>
948
<listitem>
949
<para>
950
The <command>host</command> utility emphasizes
951
simplicity
952
and ease of use. By default, it converts
953
between host names and Internet addresses, but its
954
functionality
955
can be extended with the use of options.
956
</para>
957
<cmdsynopsis label="Usage">
958
<command>host</command>
959
<arg>-aCdlnrsTwv</arg>
960
<arg>-c <replaceable>class</replaceable></arg>
961
<arg>-N <replaceable>ndots</replaceable></arg>
962
<arg>-t <replaceable>type</replaceable></arg>
963
<arg>-W <replaceable>timeout</replaceable></arg>
964
<arg>-R <replaceable>retries</replaceable></arg>
965
<arg>-m <replaceable>flag</replaceable></arg>
966
<arg>-4</arg>
967
<arg>-6</arg>
968
<arg choice="plain"><replaceable>hostname</replaceable></arg>
969
<arg><replaceable>server</replaceable></arg>
970
</cmdsynopsis>
971
<para>
972
For more information and a list of available commands and
973
options, see the <command>host</command> man
974
page.
975
</para>
976
</listitem>
977
</varlistentry>
978
979
<varlistentry>
980
<term><command>nslookup</command></term>
981
<listitem>
982
<para><command>nslookup</command>
983
has two modes: interactive and
984
non-interactive. Interactive mode allows the user to
985
query name servers for information about various
986
hosts and domains or to print a list of hosts in a
987
domain. Non-interactive mode is used to print just
988
the name and requested information for a host or
989
domain.
990
</para>
991
<cmdsynopsis label="Usage">
992
<command>nslookup</command>
993
<arg rep="repeat">-option</arg>
994
<group>
995
<arg><replaceable>host-to-find</replaceable></arg>
996
<arg>- <arg>server</arg></arg>
997
</group>
998
</cmdsynopsis>
999
<para>
1000
Interactive mode is entered when no arguments are given (the
1001
default name server will be used) or when the first argument
1002
is a
1003
hyphen (`-') and the second argument is the host name or
1004
Internet address
1005
of a name server.
1006
</para>
1007
<para>
1008
Non-interactive mode is used when the name or Internet
1009
address
1010
of the host to be looked up is given as the first argument.
1011
The
1012
optional second argument specifies the host name or address
1013
of a name server.
1014
</para>
1015
<para>
1016
Due to its arcane user interface and frequently inconsistent
1017
behavior, we do not recommend the use of <command>nslookup</command>.
1018
Use <command>dig</command> instead.
1019
</para>
1020
</listitem>
1021
1022
</varlistentry>
1023
</variablelist>
1024
</sect3>
1025
1026
<sect3 id="admin_tools">
1027
<title>Administrative Tools</title>
1028
<para>
1029
Administrative tools play an integral part in the management
1030
of a server.
1031
</para>
1032
<variablelist>
1033
<varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1034
1035
<term><command>named-checkconf</command></term>
1036
<listitem>
1037
<para>
1038
The <command>named-checkconf</command> program
1039
checks the syntax of a <filename>named.conf</filename> file.
1040
</para>
1041
<cmdsynopsis label="Usage">
1042
<command>named-checkconf</command>
1043
<arg>-jvz</arg>
1044
<arg>-t <replaceable>directory</replaceable></arg>
1045
<arg><replaceable>filename</replaceable></arg>
1046
</cmdsynopsis>
1047
</listitem>
1048
</varlistentry>
1049
<varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1050
1051
<term><command>named-checkzone</command></term>
1052
<listitem>
1053
<para>
1054
The <command>named-checkzone</command> program
1055
checks a master file for
1056
syntax and consistency.
1057
</para>
1058
<cmdsynopsis label="Usage">
1059
<command>named-checkzone</command>
1060
<arg>-djqvD</arg>
1061
<arg>-c <replaceable>class</replaceable></arg>
1062
<arg>-o <replaceable>output</replaceable></arg>
1063
<arg>-t <replaceable>directory</replaceable></arg>
1064
<arg>-w <replaceable>directory</replaceable></arg>
1065
<arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1066
<arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1067
<arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1068
<arg choice="plain"><replaceable>zone</replaceable></arg>
1069
<arg><replaceable>filename</replaceable></arg>
1070
</cmdsynopsis>
1071
</listitem>
1072
</varlistentry>
1073
<varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
1074
<term><command>named-compilezone</command></term>
1075
<listitem>
1076
<para>
1077
Similar to <command>named-checkzone,</command> but
1078
it always dumps the zone content to a specified file
1079
(typically in a different format).
1080
</para>
1081
</listitem>
1082
</varlistentry>
1083
<varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1084
1085
<term><command>rndc</command></term>
1086
<listitem>
1087
<para>
1088
The remote name daemon control
1089
(<command>rndc</command>) program allows the
1090
system
1091
administrator to control the operation of a name server.
1092
Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1093
supports all the commands of the BIND 8 <command>ndc</command>
1094
utility except <command>ndc start</command> and
1095
<command>ndc restart</command>, which were also
1096
not supported in <command>ndc</command>'s
1097
channel mode.
1098
If you run <command>rndc</command> without any
1099
options
1100
it will display a usage message as follows:
1101
</para>
1102
<cmdsynopsis label="Usage">
1103
<command>rndc</command>
1104
<arg>-c <replaceable>config</replaceable></arg>
1105
<arg>-s <replaceable>server</replaceable></arg>
1106
<arg>-p <replaceable>port</replaceable></arg>
1107
<arg>-y <replaceable>key</replaceable></arg>
1108
<arg choice="plain"><replaceable>command</replaceable></arg>
1109
<arg rep="repeat"><replaceable>command</replaceable></arg>
1110
</cmdsynopsis>
1111
<para>The <command>command</command>
1112
is one of the following:
1113
</para>
1114
1115
<variablelist>
1116
1117
<varlistentry>
1118
<term><userinput>reload</userinput></term>
1119
<listitem>
1120
<para>
1121
Reload configuration file and zones.
1122
</para>
1123
</listitem>
1124
</varlistentry>
1125
1126
<varlistentry>
1127
<term><userinput>reload <replaceable>zone</replaceable>
1128
<optional><replaceable>class</replaceable>
1129
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1130
<listitem>
1131
<para>
1132
Reload the given zone.
1133
</para>
1134
</listitem>
1135
</varlistentry>
1136
1137
<varlistentry>
1138
<term><userinput>refresh <replaceable>zone</replaceable>
1139
<optional><replaceable>class</replaceable>
1140
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1141
<listitem>
1142
<para>
1143
Schedule zone maintenance for the given zone.
1144
</para>
1145
</listitem>
1146
</varlistentry>
1147
1148
<varlistentry>
1149
<term><userinput>retransfer <replaceable>zone</replaceable>
1150
1151
<optional><replaceable>class</replaceable>
1152
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1153
<listitem>
1154
<para>
1155
Retransfer the given zone from the master.
1156
</para>
1157
</listitem>
1158
</varlistentry>
1159
1160
<varlistentry>
1161
1162
<term><userinput>freeze
1163
<optional><replaceable>zone</replaceable>
1164
<optional><replaceable>class</replaceable>
1165
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1166
<listitem>
1167
<para>
1168
Suspend updates to a dynamic zone. If no zone is
1169
specified,
1170
then all zones are suspended. This allows manual
1171
edits to be made to a zone normally updated by dynamic
1172
update. It
1173
also causes changes in the journal file to be synced
1174
into the master
1175
and the journal file to be removed. All dynamic
1176
update attempts will
1177
be refused while the zone is frozen.
1178
</para>
1179
</listitem>
1180
</varlistentry>
1181
1182
<varlistentry>
1183
<term><userinput>thaw
1184
<optional><replaceable>zone</replaceable>
1185
<optional><replaceable>class</replaceable>
1186
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1187
<listitem>
1188
<para>
1189
Enable updates to a frozen dynamic zone. If no zone
1190
is
1191
specified, then all frozen zones are enabled. This
1192
causes
1193
the server to reload the zone from disk, and
1194
re-enables dynamic updates
1195
after the load has completed. After a zone is thawed,
1196
dynamic updates
1197
will no longer be refused.
1198
</para>
1199
</listitem>
1200
</varlistentry>
1201
1202
<varlistentry>
1203
<term><userinput>notify <replaceable>zone</replaceable>
1204
<optional><replaceable>class</replaceable>
1205
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
1206
<listitem>
1207
<para>
1208
Resend NOTIFY messages for the zone.
1209
</para>
1210
</listitem>
1211
</varlistentry>
1212
1213
<varlistentry>
1214
<term><userinput>reconfig</userinput></term>
1215
<listitem>
1216
<para>
1217
Reload the configuration file and load new zones,
1218
but do not reload existing zone files even if they
1219
have changed.
1220
This is faster than a full <command>reload</command> when there
1221
is a large number of zones because it avoids the need
1222
to examine the
1223
modification times of the zones files.
1224
</para>
1225
</listitem>
1226
</varlistentry>
1227
1228
<varlistentry>
1229
<term><userinput>stats</userinput></term>
1230
<listitem>
1231
<para>
1232
Write server statistics to the statistics file.
1233
</para>
1234
</listitem>
1235
</varlistentry>
1236
1237
<varlistentry>
1238
<term><userinput>querylog</userinput></term>
1239
<listitem>
1240
<para>
1241
Toggle query logging. Query logging can also be enabled
1242
by explicitly directing the <command>queries</command>
1243
<command>category</command> to a
1244
<command>channel</command> in the
1245
<command>logging</command> section of
1246
<filename>named.conf</filename> or by specifying
1247
<command>querylog yes;</command> in the
1248
<command>options</command> section of
1249
<filename>named.conf</filename>.
1250
</para>
1251
</listitem>
1252
</varlistentry>
1253
1254
<varlistentry>
1255
<term><userinput>dumpdb
1256
<optional>-all|-cache|-zone</optional>
1257
<optional><replaceable>view ...</replaceable></optional></userinput></term>
1258
<listitem>
1259
<para>
1260
Dump the server's caches (default) and/or zones to
1261
the
1262
dump file for the specified views. If no view is
1263
specified, all
1264
views are dumped.
1265
</para>
1266
</listitem>
1267
</varlistentry>
1268
1269
<varlistentry>
1270
<term><userinput>stop <optional>-p</optional></userinput></term>
1271
<listitem>
1272
<para>
1273
Stop the server, making sure any recent changes
1274
made through dynamic update or IXFR are first saved to
1275
the master files of the updated zones.
1276
If -p is specified named's process id is returned.
1277
This allows an external process to determine when named
1278
had completed stopping.
1279
</para>
1280
</listitem>
1281
</varlistentry>
1282
1283
<varlistentry>
1284
<term><userinput>halt <optional>-p</optional></userinput></term>
1285
<listitem>
1286
<para>
1287
Stop the server immediately. Recent changes
1288
made through dynamic update or IXFR are not saved to
1289
the master files, but will be rolled forward from the
1290
journal files when the server is restarted.
1291
If -p is specified named's process id is returned.
1292
This allows an external process to determine when named
1293
had completed halting.
1294
</para>
1295
</listitem>
1296
</varlistentry>
1297
1298
<varlistentry>
1299
<term><userinput>trace</userinput></term>
1300
<listitem>
1301
<para>
1302
Increment the servers debugging level by one.
1303
</para>
1304
</listitem>
1305
</varlistentry>
1306
1307
<varlistentry>
1308
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
1309
<listitem>
1310
<para>
1311
Sets the server's debugging level to an explicit
1312
value.
1313
</para>
1314
</listitem>
1315
</varlistentry>
1316
1317
<varlistentry>
1318
<term><userinput>notrace</userinput></term>
1319
<listitem>
1320
<para>
1321
Sets the server's debugging level to 0.
1322
</para>
1323
</listitem>
1324
</varlistentry>
1325
1326
<varlistentry>
1327
<term><userinput>flush</userinput></term>
1328
<listitem>
1329
<para>
1330
Flushes the server's cache.
1331
</para>
1332
</listitem>
1333
</varlistentry>
1334
1335
<varlistentry>
1336
<term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1337
<listitem>
1338
<para>
1339
Flushes the given name from the server's cache.
1340
</para>
1341
</listitem>
1342
</varlistentry>
1343
1344
<varlistentry>
1345
<term><userinput>status</userinput></term>
1346
<listitem>
1347
<para>
1348
Display status of the server.
1349
Note that the number of zones includes the internal <command>bind/CH</command> zone
1350
and the default <command>./IN</command>
1351
hint zone if there is not an
1352
explicit root zone configured.
1353
</para>
1354
</listitem>
1355
</varlistentry>
1356
1357
<varlistentry>
1358
<term><userinput>recursing</userinput></term>
1359
<listitem>
1360
<para>
1361
Dump the list of queries named is currently recursing
1362
on.
1363
</para>
1364
</listitem>
1365
</varlistentry>
1366
1367
</variablelist>
1368
1369
<para>
1370
A configuration file is required, since all
1371
communication with the server is authenticated with
1372
digital signatures that rely on a shared secret, and
1373
there is no way to provide that secret other than with a
1374
configuration file. The default location for the
1375
<command>rndc</command> configuration file is
1376
<filename>/etc/rndc.conf</filename>, but an
1377
alternate
1378
location can be specified with the <option>-c</option>
1379
option. If the configuration file is not found,
1380
<command>rndc</command> will also look in
1381
<filename>/etc/rndc.key</filename> (or whatever
1382
<varname>sysconfdir</varname> was defined when
1383
the <acronym>BIND</acronym> build was
1384
configured).
1385
The <filename>rndc.key</filename> file is
1386
generated by
1387
running <command>rndc-confgen -a</command> as
1388
described in
1389
<xref linkend="controls_statement_definition_and_usage"/>.
1390
</para>
1391
1392
<para>
1393
The format of the configuration file is similar to
1394
that of <filename>named.conf</filename>, but
1395
limited to
1396
only four statements, the <command>options</command>,
1397
<command>key</command>, <command>server</command> and
1398
<command>include</command>
1399
statements. These statements are what associate the
1400
secret keys to the servers with which they are meant to
1401
be shared. The order of statements is not
1402
significant.
1403
</para>
1404
1405
<para>
1406
The <command>options</command> statement has
1407
three clauses:
1408
<command>default-server</command>, <command>default-key</command>,
1409
and <command>default-port</command>.
1410
<command>default-server</command> takes a
1411
host name or address argument and represents the server
1412
that will
1413
be contacted if no <option>-s</option>
1414
option is provided on the command line.
1415
<command>default-key</command> takes
1416
the name of a key as its argument, as defined by a <command>key</command> statement.
1417
<command>default-port</command> specifies the
1418
port to which
1419
<command>rndc</command> should connect if no
1420
port is given on the command line or in a
1421
<command>server</command> statement.
1422
</para>
1423
1424
<para>
1425
The <command>key</command> statement defines a
1426
key to be used
1427
by <command>rndc</command> when authenticating
1428
with
1429
<command>named</command>. Its syntax is
1430
identical to the
1431
<command>key</command> statement in named.conf.
1432
The keyword <userinput>key</userinput> is
1433
followed by a key name, which must be a valid
1434
domain name, though it need not actually be hierarchical;
1435
thus,
1436
a string like "<userinput>rndc_key</userinput>" is a valid
1437
name.
1438
The <command>key</command> statement has two
1439
clauses:
1440
<command>algorithm</command> and <command>secret</command>.
1441
While the configuration parser will accept any string as the
1442
argument
1443
to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1444
has any meaning. The secret is a base-64 encoded string
1445
as specified in RFC 3548.
1446
</para>
1447
1448
<para>
1449
The <command>server</command> statement
1450
associates a key
1451
defined using the <command>key</command>
1452
statement with a server.
1453
The keyword <userinput>server</userinput> is followed by a
1454
host name or address. The <command>server</command> statement
1455
has two clauses: <command>key</command> and <command>port</command>.
1456
The <command>key</command> clause specifies the
1457
name of the key
1458
to be used when communicating with this server, and the
1459
<command>port</command> clause can be used to
1460
specify the port <command>rndc</command> should
1461
connect
1462
to on the server.
1463
</para>
1464
1465
<para>
1466
A sample minimal configuration file is as follows:
1467
</para>
1468
922
1469
<programlisting>
923
1470
key rndc_key {
924
1471
algorithm "hmac-md5";
930
1477
};
931
1478
</programlisting>
932
1479
933
<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
934
would allow the command:</para>
935
936
<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
937
938
<para>to connect to 127.0.0.1 port 953 and cause the name server
939
to reload, if a name server on the local machine were running with
940
following controls statements:</para>
1480
<para>
1481
This file, if installed as <filename>/etc/rndc.conf</filename>,
1482
would allow the command:
1483
</para>
1484
1485
<para>
1486
<prompt>$ </prompt><userinput>rndc reload</userinput>
1487
</para>
1488
1489
<para>
1490
to connect to 127.0.0.1 port 953 and cause the name server
1491
to reload, if a name server on the local machine were
1492
running with
1493
following controls statements:
1494
</para>
1495
941
1496
<programlisting>
942
1497
controls {
943
1498
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
944
1499
};
945
1500
</programlisting>
946
<para>and it had an identical key statement for
947
<literal>rndc_key</literal>.</para>
948
949
<para>Running the <command>rndc-confgen</command> program will
950
conveniently create a <filename>rndc.conf</filename>
951
file for you, and also display the
952
corresponding <command>controls</command> statement that you need to
953
add to <filename>named.conf</filename>. Alternatively,
954
you can run <command>rndc-confgen -a</command> to set up
955
a <filename>rndc.key</filename> file and not modify
956
<filename>named.conf</filename> at all.
957
</para>
958
959
</listitem>
960
</varlistentry>
961
</variablelist>
962
963
</sect3>
964
</sect2>
965
<sect2>
966
967
<title>Signals</title>
968
<para>Certain UNIX signals cause the name server to take specific
969
actions, as described in the following table. These signals can
970
be sent using the <command>kill</command> command.</para>
971
<informaltable frame = "all" ><tgroup cols = "2">
972
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
973
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
974
<tbody>
975
<row rowsep = "0">
976
<entry colname = "1"><para><command>SIGHUP</command></para></entry>
977
<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
978
reload the database. </para></entry>
979
</row>
980
<row rowsep = "0">
981
<entry colname = "1"><para><command>SIGTERM</command></para></entry>
982
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
983
</row>
984
<row rowsep = "0">
985
<entry colname = "1">
986
<para><command>SIGINT</command></para>
987
</entry>
988
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
989
</row>
990
</tbody>
991
</tgroup>
992
</informaltable>
993
</sect2>
994
</sect1>
1501
1502
<para>
1503
and it had an identical key statement for
1504
<literal>rndc_key</literal>.
1505
</para>
1506
1507
<para>
1508
Running the <command>rndc-confgen</command>
1509
program will
1510
conveniently create a <filename>rndc.conf</filename>
1511
file for you, and also display the
1512
corresponding <command>controls</command>
1513
statement that you need to
1514
add to <filename>named.conf</filename>.
1515
Alternatively,
1516
you can run <command>rndc-confgen -a</command>
1517
to set up
1518
a <filename>rndc.key</filename> file and not
1519
modify
1520
<filename>named.conf</filename> at all.
1521
</para>
1522
1523
</listitem>
1524
</varlistentry>
1525
</variablelist>
1526
1527
</sect3>
1528
</sect2>
1529
<sect2>
1530
1531
<title>Signals</title>
1532
<para>
1533
Certain UNIX signals cause the name server to take specific
1534
actions, as described in the following table. These signals can
1535
be sent using the <command>kill</command> command.
1536
</para>
1537
<informaltable frame="all">
1538
<tgroup cols="2">
1539
<colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1540
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1541
<tbody>
1542
<row rowsep="0">
1543
<entry colname="1">
1544
<para><command>SIGHUP</command></para>
1545
</entry>
1546
<entry colname="2">
1547
<para>
1548
Causes the server to read <filename>named.conf</filename> and
1549
reload the database.
1550
</para>
1551
</entry>
1552
</row>
1553
<row rowsep="0">
1554
<entry colname="1">
1555
<para><command>SIGTERM</command></para>
1556
</entry>
1557
<entry colname="2">
1558
<para>
1559
Causes the server to clean up and exit.
1560
</para>
1561
</entry>
1562
</row>
1563
<row rowsep="0">
1564
<entry colname="1">
1565
<para><command>SIGINT</command></para>
1566
</entry>
1567
<entry colname="2">
1568
<para>
1569
Causes the server to clean up and exit.
1570
</para>
1571
</entry>
1572
</row>
1573
</tbody>
1574
</tgroup>
1575
</informaltable>
1576
</sect2>
1577
</sect1>
995
1578
</chapter>
996
1579
997
<chapter id="Bv9ARM.ch04">
998
<title>Advanced DNS Features</title>
999
1000
<sect1 id="notify">
1001
1002
<title>Notify</title>
1003
<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1004
servers to notify their slave servers of changes to a zone's data. In
1005
response to a <command>NOTIFY</command> from a master server, the
1006
slave will check to see that its version of the zone is the
1007
current version and, if not, initiate a zone transfer.</para>
1008
1009
<para><acronym>DNS</acronym>
1010
For more information about
1011
<command>NOTIFY</command>, see the description of the
1012
<command>notify</command> option in <xref linkend="boolean_options"/> and
1013
the description of the zone option <command>also-notify</command> in
1014
<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1015
protocol is specified in RFC 1996.
1016
</para>
1017
1018
</sect1>
1019
1020
<sect1 id="dynamic_update">
1021
<title>Dynamic Update</title>
1022
1023
<para>Dynamic Update is a method for adding, replacing or deleting
1024
records in a master server by sending it a special form of DNS
1025
messages. The format and meaning of these messages is specified
1026
in RFC 2136.</para>
1027
1028
<para>Dynamic update is enabled on a zone-by-zone basis, by
1029
including an <command>allow-update</command> or
1030
<command>update-policy</command> clause in the
1031
<command>zone</command> statement.</para>
1032
1033
<para>Updating of secure zones (zones using DNSSEC) follows
1034
RFC 3007: RRSIG and NSEC records affected by updates are automatically
1035
regenerated by the server using an online zone key.
1036
Update authorization is based
1037
on transaction signatures and an explicit server policy.</para>
1038
1039
<sect2 id="journal">
1040
<title>The journal file</title>
1041
1042
<para>All changes made to a zone using dynamic update are stored in the
1043
zone's journal file. This file is automatically created by the
1044
server when the first dynamic update takes place. The name of
1045
the journal file is formed by appending the
1046
extension <filename>.jnl</filename> to the
1047
name of the corresponding zone file. The journal file is in a
1048
binary format and should not be edited manually.</para>
1049
1050
<para>The server will also occasionally write ("dump")
1051
the complete contents of the updated zone to its zone file.
1052
This is not done immediately after
1053
each dynamic update, because that would be too slow when a large
1054
zone is updated frequently. Instead, the dump is delayed by
1055
up to 15 minutes, allowing additional updates to take place.</para>
1056
1057
<para>When a server is restarted after a shutdown or crash, it will replay
1058
the journal file to incorporate into the zone any updates that took
1059
place after the last zone dump.</para>
1060
1061
<para>Changes that result from incoming incremental zone transfers are also
1062
journalled in a similar way.</para>
1063
1064
<para>The zone files of dynamic zones cannot normally be edited by
1065
hand because they are not guaranteed to contain the most recent
1066
dynamic changes - those are only in the journal file.
1067
The only way to ensure that the zone file of a dynamic zone
1068
is up to date is to run <command>rndc stop</command>.</para>
1069
1070
<para>If you have to make changes to a dynamic zone
1071
manually, the following procedure will work: Disable dynamic updates
1072
to the zone using
1073
<command>rndc freeze <replaceable>zone</replaceable></command>.
1074
This will also remove the zone's <filename>.jnl</filename> file
1075
and update the master file. Edit the zone file. Run
1076
<command>rndc unfreeze <replaceable>zone</replaceable></command>
1077
to reload the changed zone and re-enable dynamic updates.</para>
1078
1079
</sect2>
1080
1081
</sect1>
1082
1083
<sect1 id="incremental_zone_transfers">
1084
<title>Incremental Zone Transfers (IXFR)</title>
1085
1086
<para>The incremental zone transfer (IXFR) protocol is a way for
1087
slave servers to transfer only changed data, instead of having to
1088
transfer the entire zone. The IXFR protocol is specified in RFC
1089
1995. See <xref linkend="proposed_standards"/>.</para>
1090
1091
<para>When acting as a master, <acronym>BIND</acronym> 9
1092
supports IXFR for those zones
1093
where the necessary change history information is available. These
1094
include master zones maintained by dynamic update and slave zones
1095
whose data was obtained by IXFR. For manually maintained master
1096
zones, and for slave zones obtained by performing a full zone
1097
transfer (AXFR), IXFR is supported only if the option
1098
<command>ixfr-from-differences</command> is set
1099
to <userinput>yes</userinput>.
1100
</para>
1101
1102
<para>When acting as a slave, <acronym>BIND</acronym> 9 will
1103
attempt to use IXFR unless
1104
it is explicitly disabled. For more information about disabling
1105
IXFR, see the description of the <command>request-ixfr</command> clause
1106
of the <command>server</command> statement.</para>
1107
</sect1>
1108
1109
<sect1><title>Split DNS</title>
1110
<para>Setting up different views, or visibility, of the DNS space to
1111
internal and external resolvers is usually referred to as a <emphasis>Split
1112
DNS</emphasis> setup. There are several reasons an organization
1113
would want to set up its DNS this way.</para>
1114
<para>One common reason for setting up a DNS system this way is
1115
to hide "internal" DNS information from "external" clients on the
1116
Internet. There is some debate as to whether or not this is actually useful.
1117
Internal DNS information leaks out in many ways (via email headers,
1118
for example) and most savvy "attackers" can find the information
1119
they need using other means.</para>
1120
<para>Another common reason for setting up a Split DNS system is
1121
to allow internal networks that are behind filters or in RFC 1918
1122
space (reserved IP space, as documented in RFC 1918) to resolve DNS
1123
on the Internet. Split DNS can also be used to allow mail from outside
1124
back in to the internal network.</para>
1125
<para>Here is an example of a split DNS setup:</para>
1126
<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
1127
(<literal>example.com</literal>)
1128
has several corporate sites that have an internal network with reserved
1129
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1130
or "outside" section of a network, that is available to the public.</para>
1131
<para><emphasis>Example, Inc.</emphasis> wants its internal clients
1132
to be able to resolve external hostnames and to exchange mail with
1133
people on the outside. The company also wants its internal resolvers
1134
to have access to certain internal-only zones that are not available
1135
at all outside of the internal network.</para>
1136
<para>In order to accomplish this, the company will set up two sets
1137
of name servers. One set will be on the inside network (in the reserved
1138
IP space) and the other set will be on bastion hosts, which are "proxy"
1139
hosts that can talk to both sides of its network, in the DMZ.</para>
1140
<para>The internal servers will be configured to forward all queries,
1141
except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1142
and <filename>site2.example.com</filename>, to the servers in the
1143
DMZ. These internal servers will have complete sets of information
1144
for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
1145
and <filename>site2.internal</filename>.</para>
1146
<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1147
the internal name servers must be configured to disallow all queries
1148
to these domains from any external hosts, including the bastion
1149
hosts.</para>
1150
<para>The external servers, which are on the bastion hosts, will
1151
be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1152
This could include things such as the host records for public servers
1153
(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1154
and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
1155
<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1156
should have special MX records that contain wildcard (`*') records
1157
pointing to the bastion hosts. This is needed because external mail
1158
servers do not have any other way of looking up how to deliver mail
1159
to those internal hosts. With the wildcard records, the mail will
1160
be delivered to the bastion host, which can then forward it on to
1161
internal hosts.</para>
1162
<para>Here's an example of a wildcard MX record:</para>
1163
<programlisting>* IN MX 10 external1.example.com.</programlisting>
1164
<para>Now that they accept mail on behalf of anything in the internal
1165
network, the bastion hosts will need to know how to deliver mail
1166
to internal hosts. In order for this to work properly, the resolvers on
1167
the bastion hosts will need to be configured to point to the internal
1168
name servers for DNS resolution.</para>
1169
<para>Queries for internal hostnames will be answered by the internal
1170
servers, and queries for external hostnames will be forwarded back
1171
out to the DNS servers on the bastion hosts.</para>
1172
<para>In order for all this to work properly, internal clients will
1173
need to be configured to query <emphasis>only</emphasis> the internal
1174
name servers for DNS queries. This could also be enforced via selective
1175
filtering on the network.</para>
1176
<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1177
internal clients will now be able to:</para>
1178
<itemizedlist><listitem>
1179
<simpara>Look up any hostnames in the <literal>site1</literal> and
1180
<literal>site2.example.com</literal> zones.</simpara></listitem>
1181
<listitem>
1182
<simpara>Look up any hostnames in the <literal>site1.internal</literal> and
1183
<literal>site2.internal</literal> domains.</simpara></listitem>
1184
<listitem>
1185
<simpara>Look up any hostnames on the Internet.</simpara></listitem>
1186
<listitem>
1187
<simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
1188
<para>Hosts on the Internet will be able to:</para>
1189
<itemizedlist><listitem>
1190
<simpara>Look up any hostnames in the <literal>site1</literal> and
1191
<literal>site2.example.com</literal> zones.</simpara></listitem>
1192
<listitem>
1193
<simpara>Exchange mail with anyone in the <literal>site1</literal> and
1194
<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
1195
1196
<para>Here is an example configuration for the setup we just
1197
described above. Note that this is only configuration information;
1198
for information on how to configure your zone files, see <xref
1199
linkend="sample_configuration"/></para>
1200
1201
<para>Internal DNS server config:</para>
1580
<chapter id="Bv9ARM.ch04">
1581
<title>Advanced DNS Features</title>
1582
1583
<sect1 id="notify">
1584
1585
<title>Notify</title>
1586
<para>
1587
<acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1588
servers to notify their slave servers of changes to a zone's data. In
1589
response to a <command>NOTIFY</command> from a master server, the
1590
slave will check to see that its version of the zone is the
1591
current version and, if not, initiate a zone transfer.
1592
</para>
1593
1594
<para>
1595
For more information about <acronym>DNS</acronym>
1596
<command>NOTIFY</command>, see the description of the
1597
<command>notify</command> option in <xref linkend="boolean_options"/> and
1598
the description of the zone option <command>also-notify</command> in
1599
<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1600
protocol is specified in RFC 1996.
1601
</para>
1602
1603
<note>
1604
As a slave zone can also be a master to other slaves, named,
1605
by default, sends <command>NOTIFY</command> messages for every zone
1606
it loads. Specifying <command>notify master-only;</command> will
1607
cause named to only send <command>NOTIFY</command> for master
1608
zones that it loads.
1609
</note>
1610
1611
</sect1>
1612
1613
<sect1 id="dynamic_update">
1614
<title>Dynamic Update</title>
1615
1616
<para>
1617
Dynamic Update is a method for adding, replacing or deleting
1618
records in a master server by sending it a special form of DNS
1619
messages. The format and meaning of these messages is specified
1620
in RFC 2136.
1621
</para>
1622
1623
<para>
1624
Dynamic update is enabled by including an
1625
<command>allow-update</command> or <command>update-policy</command>
1626
clause in the <command>zone</command> statement. The
1627
<command>tkey-gssapi-credential</command> and
1628
<command>tkey-domain</command> clauses in the
1629
<command>options</command> statement enable the
1630
server to negotiate keys that can be matched against those
1631
in <command>update-policy</command> or
1632
<command>allow-update</command>.
1633
</para>
1634
1635
<para>
1636
Updating of secure zones (zones using DNSSEC) follows
1637
RFC 3007: RRSIG and NSEC records affected by updates are automatically
1638
regenerated by the server using an online zone key.
1639
Update authorization is based
1640
on transaction signatures and an explicit server policy.
1641
</para>
1642
1643
<sect2 id="journal">
1644
<title>The journal file</title>
1645
1646
<para>
1647
All changes made to a zone using dynamic update are stored
1648
in the zone's journal file. This file is automatically created
1649
by the server when the first dynamic update takes place.
1650
The name of the journal file is formed by appending the extension
1651
<filename>.jnl</filename> to the name of the
1652
corresponding zone
1653
file unless specifically overridden. The journal file is in a
1654
binary format and should not be edited manually.
1655
</para>
1656
1657
<para>
1658
The server will also occasionally write ("dump")
1659
the complete contents of the updated zone to its zone file.
1660
This is not done immediately after
1661
each dynamic update, because that would be too slow when a large
1662
zone is updated frequently. Instead, the dump is delayed by
1663
up to 15 minutes, allowing additional updates to take place.
1664
</para>
1665
1666
<para>
1667
When a server is restarted after a shutdown or crash, it will replay
1668
the journal file to incorporate into the zone any updates that
1669
took
1670
place after the last zone dump.
1671
</para>
1672
1673
<para>
1674
Changes that result from incoming incremental zone transfers are
1675
also
1676
journalled in a similar way.
1677
</para>
1678
1679
<para>
1680
The zone files of dynamic zones cannot normally be edited by
1681
hand because they are not guaranteed to contain the most recent
1682
dynamic changes — those are only in the journal file.
1683
The only way to ensure that the zone file of a dynamic zone
1684
is up to date is to run <command>rndc stop</command>.
1685
</para>
1686
1687
<para>
1688
If you have to make changes to a dynamic zone
1689
manually, the following procedure will work: Disable dynamic updates
1690
to the zone using
1691
<command>rndc freeze <replaceable>zone</replaceable></command>.
1692
This will also remove the zone's <filename>.jnl</filename> file
1693
and update the master file. Edit the zone file. Run
1694
<command>rndc thaw <replaceable>zone</replaceable></command>
1695
to reload the changed zone and re-enable dynamic updates.
1696
</para>
1697
1698
</sect2>
1699
1700
</sect1>
1701
1702
<sect1 id="incremental_zone_transfers">
1703
<title>Incremental Zone Transfers (IXFR)</title>
1704
1705
<para>
1706
The incremental zone transfer (IXFR) protocol is a way for
1707
slave servers to transfer only changed data, instead of having to
1708
transfer the entire zone. The IXFR protocol is specified in RFC
1709
1995. See <xref linkend="proposed_standards"/>.
1710
</para>
1711
1712
<para>
1713
When acting as a master, <acronym>BIND</acronym> 9
1714
supports IXFR for those zones
1715
where the necessary change history information is available. These
1716
include master zones maintained by dynamic update and slave zones
1717
whose data was obtained by IXFR. For manually maintained master
1718
zones, and for slave zones obtained by performing a full zone
1719
transfer (AXFR), IXFR is supported only if the option
1720
<command>ixfr-from-differences</command> is set
1721
to <userinput>yes</userinput>.
1722
</para>
1723
1724
<para>
1725
When acting as a slave, <acronym>BIND</acronym> 9 will
1726
attempt to use IXFR unless
1727
it is explicitly disabled. For more information about disabling
1728
IXFR, see the description of the <command>request-ixfr</command> clause
1729
of the <command>server</command> statement.
1730
</para>
1731
</sect1>
1732
1733
<sect1>
1734
<title>Split DNS</title>
1735
<para>
1736
Setting up different views, or visibility, of the DNS space to
1737
internal and external resolvers is usually referred to as a
1738
<emphasis>Split DNS</emphasis> setup. There are several
1739
reasons an organization would want to set up its DNS this way.
1740
</para>
1741
<para>
1742
One common reason for setting up a DNS system this way is
1743
to hide "internal" DNS information from "external" clients on the
1744
Internet. There is some debate as to whether or not this is actually
1745
useful.
1746
Internal DNS information leaks out in many ways (via email headers,
1747
for example) and most savvy "attackers" can find the information
1748
they need using other means.
1749
However, since listing addresses of internal servers that
1750
external clients cannot possibly reach can result in
1751
connection delays and other annoyances, an organization may
1752
choose to use a Split DNS to present a consistent view of itself
1753
to the outside world.
1754
</para>
1755
<para>
1756
Another common reason for setting up a Split DNS system is
1757
to allow internal networks that are behind filters or in RFC 1918
1758
space (reserved IP space, as documented in RFC 1918) to resolve DNS
1759
on the Internet. Split DNS can also be used to allow mail from outside
1760
back in to the internal network.
1761
</para>
1762
<sect2>
1763
<title>Example split DNS setup</title>
1764
<para>
1765
Let's say a company named <emphasis>Example, Inc.</emphasis>
1766
(<literal>example.com</literal>)
1767
has several corporate sites that have an internal network with
1768
reserved
1769
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1770
or "outside" section of a network, that is available to the public.
1771
</para>
1772
<para>
1773
<emphasis>Example, Inc.</emphasis> wants its internal clients
1774
to be able to resolve external hostnames and to exchange mail with
1775
people on the outside. The company also wants its internal resolvers
1776
to have access to certain internal-only zones that are not available
1777
at all outside of the internal network.
1778
</para>
1779
<para>
1780
In order to accomplish this, the company will set up two sets
1781
of name servers. One set will be on the inside network (in the
1782
reserved
1783
IP space) and the other set will be on bastion hosts, which are
1784
"proxy"
1785
hosts that can talk to both sides of its network, in the DMZ.
1786
</para>
1787
<para>
1788
The internal servers will be configured to forward all queries,
1789
except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1790
and <filename>site2.example.com</filename>, to the servers
1791
in the
1792
DMZ. These internal servers will have complete sets of information
1793
for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1794
and <filename>site2.internal</filename>.
1795
</para>
1796
<para>
1797
To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1798
the internal name servers must be configured to disallow all queries
1799
to these domains from any external hosts, including the bastion
1800
hosts.
1801
</para>
1802
<para>
1803
The external servers, which are on the bastion hosts, will
1804
be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1805
This could include things such as the host records for public servers
1806
(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1807
and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1808
</para>
1809
<para>
1810
In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1811
should have special MX records that contain wildcard (`*') records
1812
pointing to the bastion hosts. This is needed because external mail
1813
servers do not have any other way of looking up how to deliver mail
1814
to those internal hosts. With the wildcard records, the mail will
1815
be delivered to the bastion host, which can then forward it on to
1816
internal hosts.
1817
</para>
1818
<para>
1819
Here's an example of a wildcard MX record:
1820
</para>
1821
<programlisting>* IN MX 10 external1.example.com.</programlisting>
1822
<para>
1823
Now that they accept mail on behalf of anything in the internal
1824
network, the bastion hosts will need to know how to deliver mail
1825
to internal hosts. In order for this to work properly, the resolvers
1826
on
1827
the bastion hosts will need to be configured to point to the internal
1828
name servers for DNS resolution.
1829
</para>
1830
<para>
1831
Queries for internal hostnames will be answered by the internal
1832
servers, and queries for external hostnames will be forwarded back
1833
out to the DNS servers on the bastion hosts.
1834
</para>
1835
<para>
1836
In order for all this to work properly, internal clients will
1837
need to be configured to query <emphasis>only</emphasis> the internal
1838
name servers for DNS queries. This could also be enforced via
1839
selective
1840
filtering on the network.
1841
</para>
1842
<para>
1843
If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1844
internal clients will now be able to:
1845
</para>
1846
<itemizedlist>
1847
<listitem>
1848
<simpara>
1849
Look up any hostnames in the <literal>site1</literal>
1850
and
1851
<literal>site2.example.com</literal> zones.
1852
</simpara>
1853
</listitem>
1854
<listitem>
1855
<simpara>
1856
Look up any hostnames in the <literal>site1.internal</literal> and
1857
<literal>site2.internal</literal> domains.
1858
</simpara>
1859
</listitem>
1860
<listitem>
1861
<simpara>Look up any hostnames on the Internet.</simpara>
1862
</listitem>
1863
<listitem>
1864
<simpara>Exchange mail with both internal and external people.</simpara>
1865
</listitem>
1866
</itemizedlist>
1867
<para>
1868
Hosts on the Internet will be able to:
1869
</para>
1870
<itemizedlist>
1871
<listitem>
1872
<simpara>
1873
Look up any hostnames in the <literal>site1</literal>
1874
and
1875
<literal>site2.example.com</literal> zones.
1876
</simpara>
1877
</listitem>
1878
<listitem>
1879
<simpara>
1880
Exchange mail with anyone in the <literal>site1</literal> and
1881
<literal>site2.example.com</literal> zones.
1882
</simpara>
1883
</listitem>
1884
</itemizedlist>
1885
1886
<para>
1887
Here is an example configuration for the setup we just
1888
described above. Note that this is only configuration information;
1889
for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1890
</para>
1891
1892
<para>
1893
Internal DNS server config:
1894
</para>
1895
1202
1896
<programlisting>
1203
1897
1204
1898
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1210
1904
...
1211
1905
forward only;
1212
1906
forwarders { // forward to external servers
1213
<varname>bastion-ips-go-here</varname>;
1907
<varname>bastion-ips-go-here</varname>;
1214
1908
};
1215
1909
allow-transfer { none; }; // sample allow-transfer (no one)
1216
1910
allow-query { internals; externals; }; // restrict query access
1254
1948
allow-transfer { internals; }
1255
1949
};
1256
1950
</programlisting>
1257
<para>External (bastion host) DNS server config:</para>
1951
1952
<para>
1953
External (bastion host) DNS server config:
1954
</para>
1955
1258
1956
<programlisting>
1259
1957
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1260
1958
1264
1962
...
1265
1963
...
1266
1964
allow-transfer { none; }; // sample allow-transfer (no one)
1267
allow-query { internals; externals; }; // restrict query access
1965
allow-query { any; }; // default query access
1966
allow-query-cache { internals; externals; }; // restrict cache access
1268
1967
allow-recursion { internals; externals; }; // restrict recursion
1269
1968
...
1270
1969
...
1273
1972
zone "site1.example.com" { // sample slave zone
1274
1973
type master;
1275
1974
file "m/site1.foo.com";
1276
allow-query { any; };
1277
1975
allow-transfer { internals; externals; };
1278
1976
};
1279
1977
1281
1979
type slave;
1282
1980
file "s/site2.foo.com";
1283
1981
masters { another_bastion_host_maybe; };
1284
allow-query { any; };
1285
1982
allow-transfer { internals; externals; }
1286
1983
};
1287
1984
</programlisting>
1288
<para>In the <filename>resolv.conf</filename> (or equivalent) on
1289
the bastion host(s):</para>
1985
1986
<para>
1987
In the <filename>resolv.conf</filename> (or equivalent) on
1988
the bastion host(s):
1989
</para>
1990
1290
1991
<programlisting>
1291
1992
search ...
1292
1993
nameserver 172.16.72.2
1293
1994
nameserver 172.16.72.3
1294
1995
nameserver 172.16.72.4
1295
1996
</programlisting>
1296
</sect1>
1297
<sect1 id="tsig"><title>TSIG</title>
1298
<para>This is a short guide to setting up Transaction SIGnatures
1299
(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
1300
to the configuration file as well as what changes are required for
1301
different features, including the process of creating transaction
1302
keys and using transaction signatures with <acronym>BIND</acronym>.</para>
1303
<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
1304
This includes zone transfer, notify, and recursive query messages.
1305
Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
1306
for TSIG.</para>
1307
1308
<para>TSIG might be most useful for dynamic update. A primary
1309
server for a dynamic zone should use access control to control
1310
updates, but IP-based access control is insufficient.
1311
The cryptographic access control provided by TSIG
1312
is far superior. The <command>nsupdate</command>
1313
program supports TSIG via the <option>-k</option> and
1314
<option>-y</option> command line options.</para>
1315
1316
<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
1317
<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
1318
An arbitrary key name is chosen: "host1-host2.". The key name must
1319
be the same on both hosts.</para>
1320
<sect3><title>Automatic Generation</title>
1321
<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
1322
key as described above. Longer keys are better, but shorter keys
1323
are easier to read. Note that the maximum key length is 512 bits;
1324
keys longer than that will be digested with MD5 to produce a 128
1325
bit key.</para>
1326
<para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
1327
<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
1328
Nothing directly uses this file, but the base-64 encoded string
1329
following "<literal>Key:</literal>"
1330
can be extracted from the file and used as a shared secret:</para>
1331
<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
1332
<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
1333
be used as the shared secret.</para></sect3>
1334
<sect3><title>Manual Generation</title>
1335
<para>The shared secret is simply a random sequence of bits, encoded
1336
in base-64. Most ASCII strings are valid base-64 strings (assuming
1337
the length is a multiple of 4 and only valid characters are used),
1338
so the shared secret can be manually generated.</para>
1339
<para>Also, a known string can be run through <command>mmencode</command> or
1340
a similar program to generate base-64 encoded data.</para></sect3></sect2>
1341
<sect2><title>Copying the Shared Secret to Both Machines</title>
1342
<para>This is beyond the scope of DNS. A secure transport mechanism
1343
should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
1344
<sect2><title>Informing the Servers of the Key's Existence</title>
1345
<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
1346
both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
1997
1998
</sect2>
1999
</sect1>
2000
<sect1 id="tsig">
2001
<title>TSIG</title>
2002
<para>
2003
This is a short guide to setting up Transaction SIGnatures
2004
(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
2005
to the configuration file as well as what changes are required for
2006
different features, including the process of creating transaction
2007
keys and using transaction signatures with <acronym>BIND</acronym>.
2008
</para>
2009
<para>
2010
<acronym>BIND</acronym> primarily supports TSIG for server
2011
to server communication.
2012
This includes zone transfer, notify, and recursive query messages.
2013
Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2014
for TSIG.
2015
</para>
2016
2017
<para>
2018
TSIG can also be useful for dynamic update. A primary
2019
server for a dynamic zone should control access to the dynamic
2020
update service, but IP-based access control is insufficient.
2021
The cryptographic access control provided by TSIG
2022
is far superior. The <command>nsupdate</command>
2023
program supports TSIG via the <option>-k</option> and
2024
<option>-y</option> command line options or inline by use
2025
of the <command>key</command>.
2026
</para>
2027
2028
<sect2>
2029
<title>Generate Shared Keys for Each Pair of Hosts</title>
2030
<para>
2031
A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2032
An arbitrary key name is chosen: "host1-host2.". The key name must
2033
be the same on both hosts.
2034
</para>
2035
<sect3>
2036
<title>Automatic Generation</title>
2037
<para>
2038
The following command will generate a 128-bit (16 byte) HMAC-MD5
2039
key as described above. Longer keys are better, but shorter keys
2040
are easier to read. Note that the maximum key length is 512 bits;
2041
keys longer than that will be digested with MD5 to produce a
2042
128-bit key.
2043
</para>
2044
<para>
2045
<userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2046
</para>
2047
<para>
2048
The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2049
Nothing directly uses this file, but the base-64 encoded string
2050
following "<literal>Key:</literal>"
2051
can be extracted from the file and used as a shared secret:
2052
</para>
2053
<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2054
<para>
2055
The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2056
be used as the shared secret.
2057
</para>
2058
</sect3>
2059
<sect3>
2060
<title>Manual Generation</title>
2061
<para>
2062
The shared secret is simply a random sequence of bits, encoded
2063
in base-64. Most ASCII strings are valid base-64 strings (assuming
2064
the length is a multiple of 4 and only valid characters are used),
2065
so the shared secret can be manually generated.
2066
</para>
2067
<para>
2068
Also, a known string can be run through <command>mmencode</command> or
2069
a similar program to generate base-64 encoded data.
2070
</para>
2071
</sect3>
2072
</sect2>
2073
<sect2>
2074
<title>Copying the Shared Secret to Both Machines</title>
2075
<para>
2076
This is beyond the scope of DNS. A secure transport mechanism
2077
should be used. This could be secure FTP, ssh, telephone, etc.
2078
</para>
2079
</sect2>
2080
<sect2>
2081
<title>Informing the Servers of the Key's Existence</title>
2082
<para>
2083
Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2084
are
2085
both servers. The following is added to each server's <filename>named.conf</filename> file:
2086
</para>
2087
1347
2088
<programlisting>
1348
2089
key host1-host2. {
1349
2090
algorithm hmac-md5;
1350
2091
secret "La/E5CjG9O+os1jq0a2jdA==";
1351
2092
};
1352
2093
</programlisting>
1353
<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
1354
The secret is the one generated above. Since this is a secret, it
1355
is recommended that either <filename>named.conf</filename> be non-world
1356
readable, or the key directive be added to a non-world readable
1357
file that is included by <filename>named.conf</filename>.</para>
1358
<para>At this point, the key is recognized. This means that if the
1359
server receives a message signed by this key, it can verify the
1360
signature. If the signature is successfully verified, the
1361
response is signed by the same key.</para></sect2>
1362
1363
<sect2><title>Instructing the Server to Use the Key</title>
1364
<para>Since keys are shared between two hosts only, the server must
1365
be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
1366
for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
1367
10.1.2.3:</para>
2094
2095
<para>
2096
The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
2097
The secret is the one generated above. Since this is a secret, it
2098
is recommended that either <filename>named.conf</filename> be non-world
2099
readable, or the key directive be added to a non-world readable
2100
file that is included by
2101
<filename>named.conf</filename>.
2102
</para>
2103
<para>
2104
At this point, the key is recognized. This means that if the
2105
server receives a message signed by this key, it can verify the
2106
signature. If the signature is successfully verified, the
2107
response is signed by the same key.
2108
</para>
2109
</sect2>
2110
2111
<sect2>
2112
<title>Instructing the Server to Use the Key</title>
2113
<para>
2114
Since keys are shared between two hosts only, the server must
2115
be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2116
for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2117
10.1.2.3:
2118
</para>
2119
1368
2120
<programlisting>
1369
2121
server 10.1.2.3 {
1370
2122
keys { host1-host2. ;};
1371
2123
};
1372
2124
</programlisting>
1373
<para>Multiple keys may be present, but only the first is used.
1374
This directive does not contain any secrets, so it may be in a world-readable
1375
file.</para>
1376
<para>If <emphasis>host1</emphasis> sends a message that is a request
1377
to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
1378
expect any responses to signed messages to be signed with the same
1379
key.</para>
1380
<para>A similar statement must be present in <emphasis>host2</emphasis>'s
1381
configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
1382
sign request messages to <emphasis>host1</emphasis>.</para></sect2>
1383
<sect2><title>TSIG Key Based Access Control</title>
1384
<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
1385
definitions and
1386
<command>allow-{ query | transfer | update }</command> directives.
1387
This has been extended to allow TSIG keys also. The above key would
1388
be denoted <command>key host1-host2.</command></para>
1389
<para>An example of an allow-update directive would be:</para>
2125
2126
<para>
2127
Multiple keys may be present, but only the first is used.
2128
This directive does not contain any secrets, so it may be in a
2129
world-readable
2130
file.
2131
</para>
2132
<para>
2133
If <emphasis>host1</emphasis> sends a message that is a request
2134
to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2135
expect any responses to signed messages to be signed with the same
2136
key.
2137
</para>
2138
<para>
2139
A similar statement must be present in <emphasis>host2</emphasis>'s
2140
configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2141
sign request messages to <emphasis>host1</emphasis>.
2142
</para>
2143
</sect2>
2144
<sect2>
2145
<title>TSIG Key Based Access Control</title>
2146
<para>
2147
<acronym>BIND</acronym> allows IP addresses and ranges
2148
to be specified in ACL
2149
definitions and
2150
<command>allow-{ query | transfer | update }</command>
2151
directives.
2152
This has been extended to allow TSIG keys also. The above key would
2153
be denoted <command>key host1-host2.</command>
2154
</para>
2155
<para>
2156
An example of an allow-update directive would be:
2157
</para>
2158
1390
2159
<programlisting>
1391
2160
allow-update { key host1-host2. ;};
1392
2161
</programlisting>
1393
2162
1394
<para>This allows dynamic updates to succeed only if the request
1395
was signed by a key named
1396
"<command>host1-host2.</command>".</para> <para>You may want to read about the more
1397
powerful <command>update-policy</command> statement in <xref
1398
linkend="dynamic_update_policies"/>.</para>
1399
1400
</sect2>
1401
<sect2>
1402
<title>Errors</title>
1403
1404
<para>The processing of TSIG signed messages can result in
1405
several errors. If a signed message is sent to a non-TSIG aware
1406
server, a FORMERR will be returned, since the server will not
1407
understand the record. This is a result of misconfiguration,
1408
since the server must be explicitly configured to send a TSIG
1409
signed message to a specific server.</para>
1410
1411
<para>If a TSIG aware server receives a message signed by an
1412
unknown key, the response will be unsigned with the TSIG
1413
extended error code set to BADKEY. If a TSIG aware server
1414
receives a message with a signature that does not validate, the
1415
response will be unsigned with the TSIG extended error code set
1416
to BADSIG. If a TSIG aware server receives a message with a time
1417
outside of the allowed range, the response will be signed with
1418
the TSIG extended error code set to BADTIME, and the time values
1419
will be adjusted so that the response can be successfully
1420
verified. In any of these cases, the message's rcode is set to
1421
NOTAUTH.</para>
1422
1423
</sect2>
1424
</sect1>
1425
<sect1>
1426
<title>TKEY</title>
1427
1428
<para><command>TKEY</command> is a mechanism for automatically
1429
generating a shared secret between two hosts. There are several
1430
"modes" of <command>TKEY</command> that specify how the key is
1431
generated or assigned. <acronym>BIND</acronym> 9
1432
implements only one of these modes,
1433
the Diffie-Hellman key exchange. Both hosts are required to have
1434
a Diffie-Hellman KEY record (although this record is not required
1435
to be present in a zone). The <command>TKEY</command> process
1436
must use signed messages, signed either by TSIG or SIG(0). The
1437
result of <command>TKEY</command> is a shared secret that can be
1438
used to sign messages with TSIG. <command>TKEY</command> can also
1439
be used to delete shared secrets that it had previously
1440
generated.</para>
1441
1442
<para>The <command>TKEY</command> process is initiated by a client
1443
or server by sending a signed <command>TKEY</command> query
1444
(including any appropriate KEYs) to a TKEY-aware server. The
1445
server response, if it indicates success, will contain a
1446
<command>TKEY</command> record and any appropriate keys. After
1447
this exchange, both participants have enough information to
1448
determine the shared secret; the exact process depends on the
1449
<command>TKEY</command> mode. When using the Diffie-Hellman
1450
<command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
1451
and the shared secret is derived by both participants.</para>
1452
1453
</sect1>
1454
<sect1>
1455
<title>SIG(0)</title>
1456
1457
<para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
1458
transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
1459
uses public/private keys to authenticate messages. Access control
1460
is performed in the same manner as TSIG keys; privileges can be
1461
granted or denied based on the key name.</para>
1462
1463
<para>When a SIG(0) signed message is received, it will only be
1464
verified if the key is known and trusted by the server; the server
1465
will not attempt to locate and/or validate the key.</para>
1466
1467
<para>SIG(0) signing of multiple-message TCP streams is not
1468
supported.</para>
1469
1470
<para>The only tool shipped with <acronym>BIND</acronym> 9 that
1471
generates SIG(0) signed messages is <command>nsupdate</command>.</para>
1472
1473
</sect1>
1474
<sect1 id="DNSSEC">
1475
<title>DNSSEC</title>
1476
1477
<para>Cryptographic authentication of DNS information is possible
1478
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
1479
defined in RFC <TBA>. This section describes the creation and use
1480
of DNSSEC signed zones.</para>
1481
1482
<para>In order to set up a DNSSEC secure zone, there are a series
1483
of steps which must be followed. <acronym>BIND</acronym> 9 ships
1484
with several tools
1485
that are used in this process, which are explained in more detail
1486
below. In all cases, the <option>-h</option> option prints a
1487
full list of parameters. Note that the DNSSEC tools require the
1488
keyset files to be in the working directory or the
1489
directory specified by the <option>-h</option> option, and
1490
that the tools shipped with BIND 9.2.x and earlier are not compatible
1491
with the current ones.</para>
1492
1493
<para>There must also be communication with the administrators of
1494
the parent and/or child zone to transmit keys. A zone's security
1495
status must be indicated by the parent zone for a DNSSEC capable
1496
resolver to trust its data. This is done through the presense
1497
or absence of a <literal>DS</literal> record at the delegation
1498
point.</para>
1499
1500
<para>For other servers to trust data in this zone, they must
1501
either be statically configured with this zone's zone key or the
1502
zone key of another zone above this one in the DNS tree.</para>
1503
1504
<sect2>
1505
<title>Generating Keys</title>
1506
1507
<para>The <command>dnssec-keygen</command> program is used to
1508
generate keys.</para>
1509
1510
<para>A secure zone must contain one or more zone keys. The
1511
zone keys will sign all other records in the zone, as well as
1512
the zone keys of any secure delegated zones. Zone keys must
1513
have the same name as the zone, a name type of
1514
<command>ZONE</command>, and must be usable for authentication.
1515
It is recommended that zone keys use a cryptographic algorithm
1516
designated as "mandatory to implement" by the IETF; currently
1517
the only one is RSASHA1.</para>
1518
1519
<para>The following command will generate a 768 bit RSASHA1 key for
1520
the <filename>child.example</filename> zone:</para>
1521
1522
<para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
1523
1524
<para>Two output files will be produced:
1525
<filename>Kchild.example.+005+12345.key</filename> and
1526
<filename>Kchild.example.+005+12345.private</filename> (where
1527
12345 is an example of a key tag). The key file names contain
1528
the key name (<filename>child.example.</filename>), algorithm (3
1529
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
1530
The private key (in the <filename>.private</filename> file) is
1531
used to generate signatures, and the public key (in the
1532
<filename>.key</filename> file) is used for signature
1533
verification.</para>
1534
1535
<para>To generate another key with the same properties (but with
1536
a different key tag), repeat the above command.</para>
1537
1538
<para>The public keys should be inserted into the zone file by
1539
including the <filename>.key</filename> files using
1540
<command>$INCLUDE</command> statements.
1541
</para>
1542
1543
</sect2>
1544
<sect2>
1545
<title>Signing the Zone</title>
1546
1547
<para>The <command>dnssec-signzone</command> program is used to
1548
sign a zone.</para>
1549
1550
<para>Any <filename>keyset</filename> files corresponding
1551
to secure subzones should be present. The zone signer will
1552
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
1553
records for the zone, as well as <literal>DS</literal> for
1554
the child zones if <literal>'-d'</literal> is specified.
1555
If <literal>'-d'</literal> is not specified then DS RRsets for
1556
the secure child zones need to be added manually.</para>
1557
1558
<para>The following command signs the zone, assuming it is in a
1559
file called <filename>zone.child.example</filename>. By
1560
default, all zone keys which have an available private key are
1561
used to generate signatures.</para>
1562
1563
<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
1564
1565
<para>One output file is produced:
1566
<filename>zone.child.example.signed</filename>. This file
1567
should be referenced by <filename>named.conf</filename> as the
1568
input file for the zone.</para>
1569
1570
<para><command>dnssec-signzone</command> will also produce a
1571
keyset and dsset files and optionally a dlvset file. These
1572
are used to provide the parent zone administators with the
1573
<literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
1574
records) that are the secure entry point to the zone.</para>
1575
1576
</sect2>
1577
1578
<sect2><title>Configuring Servers</title>
1579
1580
<para>Unlike <acronym>BIND</acronym> 8,
1581
<acronym>BIND</acronym> 9 does not verify signatures on load,
1582
so zone keys for authoritative zones do not need to be specified
1583
in the configuration file.</para>
1584
1585
<para>The public key for any security root must be present in
1586
the configuration file's <command>trusted-keys</command>
1587
statement, as described later in this document. </para>
1588
1589
</sect2>
1590
1591
</sect1>
1592
<sect1>
1593
<title>IPv6 Support in <acronym>BIND</acronym> 9</title>
1594
1595
<para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
1596
name to address and address to name lookups. It will also use
1597
IPv6 addresses to make queries when running on an IPv6 capable
1598
system.</para>
1599
1600
<para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
1601
records. The use of A6 records is deprecated by RFC 3363, and the
1602
support for forward lookups in <acronym>BIND</acronym> 9 is
1603
removed accordingly.
1604
However, authoritative <acronym>BIND</acronym> 9 name servers still
1605
load zone files containing A6 records correctly, answer queries
1606
for A6 records, and accept zone transfer for a zone containing A6
1607
records.</para>
1608
1609
<para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
1610
the traditional "nibble" format used in the
1611
<emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
1612
<emphasis>ip6.int</emphasis> domain.
1613
<acronym>BIND</acronym> 9 formerly
1614
supported the "binary label" (also known as "bitstring") format.
1615
The support of binary labels, however, is now completely removed
1616
according to the changes in RFC 3363.
1617
Any applications in <acronym>BIND</acronym> 9 do not understand
1618
the format any more, and will return an error if given.
1619
In particular, an authoritative <acronym>BIND</acronym> 9 name
1620
server rejects to load a zone file containing binary labels.</para>
1621
1622
<para>For an overview of the format and structure of IPv6 addresses,
1623
see <xref linkend="ipv6addresses"/>.</para>
1624
1625
<sect2>
1626
<title>Address Lookups Using AAAA Records</title>
1627
1628
<para>The AAAA record is a parallel to the IPv4 A record. It
1629
specifies the entire address in a single record. For
1630
example,</para>
2163
<para>
2164
This allows dynamic updates to succeed only if the request
2165
was signed by a key named "<command>host1-host2.</command>".
2166
</para>
2167
2168
<para>
2169
You may want to read about the more powerful
2170
<command>update-policy</command> statement in
2171
<xref linkend="dynamic_update_policies"/>.
2172
</para>
2173
2174
</sect2>
2175
<sect2>
2176
<title>Errors</title>
2177
2178
<para>
2179
The processing of TSIG signed messages can result in
2180
several errors. If a signed message is sent to a non-TSIG aware
2181
server, a FORMERR (format error) will be returned, since the server will not
2182
understand the record. This is a result of misconfiguration,
2183
since the server must be explicitly configured to send a TSIG
2184
signed message to a specific server.
2185
</para>
2186
2187
<para>
2188
If a TSIG aware server receives a message signed by an
2189
unknown key, the response will be unsigned with the TSIG
2190
extended error code set to BADKEY. If a TSIG aware server
2191
receives a message with a signature that does not validate, the
2192
response will be unsigned with the TSIG extended error code set
2193
to BADSIG. If a TSIG aware server receives a message with a time
2194
outside of the allowed range, the response will be signed with
2195
the TSIG extended error code set to BADTIME, and the time values
2196
will be adjusted so that the response can be successfully
2197
verified. In any of these cases, the message's rcode (response code) is set to
2198
NOTAUTH (not authenticated).
2199
</para>
2200
2201
</sect2>
2202
</sect1>
2203
<sect1>
2204
<title>TKEY</title>
2205
2206
<para><command>TKEY</command>
2207
is a mechanism for automatically generating a shared secret
2208
between two hosts. There are several "modes" of
2209
<command>TKEY</command> that specify how the key is generated
2210
or assigned. <acronym>BIND</acronym> 9 implements only one of
2211
these modes, the Diffie-Hellman key exchange. Both hosts are
2212
required to have a Diffie-Hellman KEY record (although this
2213
record is not required to be present in a zone). The
2214
<command>TKEY</command> process must use signed messages,
2215
signed either by TSIG or SIG(0). The result of
2216
<command>TKEY</command> is a shared secret that can be used to
2217
sign messages with TSIG. <command>TKEY</command> can also be
2218
used to delete shared secrets that it had previously
2219
generated.
2220
</para>
2221
2222
<para>
2223
The <command>TKEY</command> process is initiated by a
2224
client
2225
or server by sending a signed <command>TKEY</command>
2226
query
2227
(including any appropriate KEYs) to a TKEY-aware server. The
2228
server response, if it indicates success, will contain a
2229
<command>TKEY</command> record and any appropriate keys.
2230
After
2231
this exchange, both participants have enough information to
2232
determine the shared secret; the exact process depends on the
2233
<command>TKEY</command> mode. When using the
2234
Diffie-Hellman
2235
<command>TKEY</command> mode, Diffie-Hellman keys are
2236
exchanged,
2237
and the shared secret is derived by both participants.
2238
</para>
2239
2240
</sect1>
2241
<sect1>
2242
<title>SIG(0)</title>
2243
2244
<para>
2245
<acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2246
transaction signatures as specified in RFC 2535 and RFC2931.
2247
SIG(0)
2248
uses public/private keys to authenticate messages. Access control
2249
is performed in the same manner as TSIG keys; privileges can be
2250
granted or denied based on the key name.
2251
</para>
2252
2253
<para>
2254
When a SIG(0) signed message is received, it will only be
2255
verified if the key is known and trusted by the server; the server
2256
will not attempt to locate and/or validate the key.
2257
</para>
2258
2259
<para>
2260
SIG(0) signing of multiple-message TCP streams is not
2261
supported.
2262
</para>
2263
2264
<para>
2265
The only tool shipped with <acronym>BIND</acronym> 9 that
2266
generates SIG(0) signed messages is <command>nsupdate</command>.
2267
</para>
2268
2269
</sect1>
2270
<sect1 id="DNSSEC">
2271
<title>DNSSEC</title>
2272
2273
<para>
2274
Cryptographic authentication of DNS information is possible
2275
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2276
defined in RFC 4033, RFC 4034, and RFC 4035.
2277
This section describes the creation and use of DNSSEC signed zones.
2278
</para>
2279
2280
<para>
2281
In order to set up a DNSSEC secure zone, there are a series
2282
of steps which must be followed. <acronym>BIND</acronym>
2283
9 ships
2284
with several tools
2285
that are used in this process, which are explained in more detail
2286
below. In all cases, the <option>-h</option> option prints a
2287
full list of parameters. Note that the DNSSEC tools require the
2288
keyset files to be in the working directory or the
2289
directory specified by the <option>-d</option> option, and
2290
that the tools shipped with BIND 9.2.x and earlier are not compatible
2291
with the current ones.
2292
</para>
2293
2294
<para>
2295
There must also be communication with the administrators of
2296
the parent and/or child zone to transmit keys. A zone's security
2297
status must be indicated by the parent zone for a DNSSEC capable
2298
resolver to trust its data. This is done through the presence
2299
or absence of a <literal>DS</literal> record at the
2300
delegation
2301
point.
2302
</para>
2303
2304
<para>
2305
For other servers to trust data in this zone, they must
2306
either be statically configured with this zone's zone key or the
2307
zone key of another zone above this one in the DNS tree.
2308
</para>
2309
2310
<sect2>
2311
<title>Generating Keys</title>
2312
2313
<para>
2314
The <command>dnssec-keygen</command> program is used to
2315
generate keys.
2316
</para>
2317
2318
<para>
2319
A secure zone must contain one or more zone keys. The
2320
zone keys will sign all other records in the zone, as well as
2321
the zone keys of any secure delegated zones. Zone keys must
2322
have the same name as the zone, a name type of
2323
<command>ZONE</command>, and must be usable for
2324
authentication.
2325
It is recommended that zone keys use a cryptographic algorithm
2326
designated as "mandatory to implement" by the IETF; currently
2327
the only one is RSASHA1.
2328
</para>
2329
2330
<para>
2331
The following command will generate a 768-bit RSASHA1 key for
2332
the <filename>child.example</filename> zone:
2333
</para>
2334
2335
<para>
2336
<userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2337
</para>
2338
2339
<para>
2340
Two output files will be produced:
2341
<filename>Kchild.example.+005+12345.key</filename> and
2342
<filename>Kchild.example.+005+12345.private</filename>
2343
(where
2344
12345 is an example of a key tag). The key filenames contain
2345
the key name (<filename>child.example.</filename>),
2346
algorithm (3
2347
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2348
this case).
2349
The private key (in the <filename>.private</filename>
2350
file) is
2351
used to generate signatures, and the public key (in the
2352
<filename>.key</filename> file) is used for signature
2353
verification.
2354
</para>
2355
2356
<para>
2357
To generate another key with the same properties (but with
2358
a different key tag), repeat the above command.
2359
</para>
2360
2361
<para>
2362
The public keys should be inserted into the zone file by
2363
including the <filename>.key</filename> files using
2364
<command>$INCLUDE</command> statements.
2365
</para>
2366
2367
</sect2>
2368
<sect2>
2369
<title>Signing the Zone</title>
2370
2371
<para>
2372
The <command>dnssec-signzone</command> program is used
2373
to
2374
sign a zone.
2375
</para>
2376
2377
<para>
2378
Any <filename>keyset</filename> files corresponding
2379
to secure subzones should be present. The zone signer will
2380
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
2381
records for the zone, as well as <literal>DS</literal>
2382
for
2383
the child zones if <literal>'-d'</literal> is specified.
2384
If <literal>'-d'</literal> is not specified, then
2385
DS RRsets for
2386
the secure child zones need to be added manually.
2387
</para>
2388
2389
<para>
2390
The following command signs the zone, assuming it is in a
2391
file called <filename>zone.child.example</filename>. By
2392
default, all zone keys which have an available private key are
2393
used to generate signatures.
2394
</para>
2395
2396
<para>
2397
<userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2398
</para>
2399
2400
<para>
2401
One output file is produced:
2402
<filename>zone.child.example.signed</filename>. This
2403
file
2404
should be referenced by <filename>named.conf</filename>
2405
as the
2406
input file for the zone.
2407
</para>
2408
2409
<para><command>dnssec-signzone</command>
2410
will also produce a keyset and dsset files and optionally a
2411
dlvset file. These are used to provide the parent zone
2412
administrators with the <literal>DNSKEYs</literal> (or their
2413
corresponding <literal>DS</literal> records) that are the
2414
secure entry point to the zone.
2415
</para>
2416
2417
</sect2>
2418
2419
<sect2>
2420
<title>Configuring Servers</title>
2421
2422
<para>
2423
To enable <command>named</command> to respond appropriately
2424
to DNS requests from DNSSEC aware clients,
2425
<command>dnssec-enable</command> must be set to yes.
2426
</para>
2427
2428
<para>
2429
To enable <command>named</command> to validate answers from
2430
other servers both <command>dnssec-enable</command> and
2431
<command>dnssec-validation</command> must be set and some
2432
<command>trusted-keys</command> must be configured
2433
into <filename>named.conf</filename>.
2434
</para>
2435
2436
<para>
2437
<command>trusted-keys</command> are copies of DNSKEY RRs
2438
for zones that are used to form the first link in the
2439
cryptographic chain of trust. All keys listed in
2440
<command>trusted-keys</command> (and corresponding zones)
2441
are deemed to exist and only the listed keys will be used
2442
to validated the DNSKEY RRset that they are from.
2443
</para>
2444
2445
<para>
2446
<command>trusted-keys</command> are described in more detail
2447
later in this document.
2448
</para>
2449
2450
<para>
2451
Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2452
9 does not verify signatures on load, so zone keys for
2453
authoritative zones do not need to be specified in the
2454
configuration file.
2455
</para>
2456
2457
<para>
2458
After DNSSEC gets established, a typical DNSSEC configuration
2459
will look something like the following. It has a one or
2460
more public keys for the root. This allows answers from
2461
outside the organization to be validated. It will also
2462
have several keys for parts of the namespace the organization
2463
controls. These are here to ensure that named is immune
2464
to compromises in the DNSSEC components of the security
2465
of parent zones.
2466
</para>
2467
2468
<programlisting>
2469
trusted-keys {
2470
2471
/* Root Key */
2472
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2473
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2474
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2475
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2476
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2477
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2478
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2479
2480
/* Key for our organization's forward zone */
2481
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2482
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2483
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2484
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2485
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2486
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2487
SCThlHf3xiYleDbt/o1OTQ09A0=";
2488
2489
/* Key for our reverse zone. */
2490
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2491
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2492
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2493
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2494
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2495
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2496
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2497
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2498
};
2499
2500
options {
2501
...
2502
dnssec-enable yes;
2503
dnssec-validation yes;
2504
};
2505
</programlisting>
2506
2507
<note>
2508
None of the keys listed in this example are valid. In particular,
2509
the root key is not valid.
2510
</note>
2511
2512
</sect2>
2513
2514
</sect1>
2515
<sect1>
2516
<title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2517
2518
<para>
2519
<acronym>BIND</acronym> 9 fully supports all currently
2520
defined forms of IPv6
2521
name to address and address to name lookups. It will also use
2522
IPv6 addresses to make queries when running on an IPv6 capable
2523
system.
2524
</para>
2525
2526
<para>
2527
For forward lookups, <acronym>BIND</acronym> 9 supports
2528
only AAAA records. RFC 3363 deprecated the use of A6 records,
2529
and client-side support for A6 records was accordingly removed
2530
from <acronym>BIND</acronym> 9.
2531
However, authoritative <acronym>BIND</acronym> 9 name servers still
2532
load zone files containing A6 records correctly, answer queries
2533
for A6 records, and accept zone transfer for a zone containing A6
2534
records.
2535
</para>
2536
2537
<para>
2538
For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2539
the traditional "nibble" format used in the
2540
<emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2541
<emphasis>ip6.int</emphasis> domain.
2542
Older versions of <acronym>BIND</acronym> 9
2543
supported the "binary label" (also known as "bitstring") format,
2544
but support of binary labels has been completely removed per
2545
RFC 3363.
2546
Many applications in <acronym>BIND</acronym> 9 do not understand
2547
the binary label format at all any more, and will return an
2548
error if given.
2549
In particular, an authoritative <acronym>BIND</acronym> 9
2550
name server will not load a zone file containing binary labels.
2551
</para>
2552
2553
<para>
2554
For an overview of the format and structure of IPv6 addresses,
2555
see <xref linkend="ipv6addresses"/>.
2556
</para>
2557
2558
<sect2>
2559
<title>Address Lookups Using AAAA Records</title>
2560
2561
<para>
2562
The IPv6 AAAA record is a parallel to the IPv4 A record,
2563
and, unlike the deprecated A6 record, specifies the entire
2564
IPv6 address in a single record. For example,
2565
</para>
1631
2566
1632
2567
<programlisting>
1633
2568
$ORIGIN example.com.
1634
2569
host 3600 IN AAAA 2001:db8::1
1635
2570
</programlisting>
1636
2571
1637
<para>It is recommended that IPv4-in-IPv6 mapped addresses not
1638
be used. If a host has an IPv4 address, use an A record, not
1639
a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
1640
address.</para>
1641
</sect2>
1642
<sect2>
1643
<title>Address to Name Lookups Using Nibble Format</title>
2572
<para>
2573
Use of IPv4-in-IPv6 mapped addresses is not recommended.
2574
If a host has an IPv4 address, use an A record, not
2575
a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2576
the address.
2577
</para>
2578
</sect2>
2579
<sect2>
2580
<title>Address to Name Lookups Using Nibble Format</title>
1644
2581
1645
<para>When looking up an address in nibble format, the address
1646
components are simply reversed, just as in IPv4, and
1647
<literal>ip6.arpa.</literal> is appended to the resulting name.
1648
For example, the following would provide reverse name lookup for
1649
a host with address
1650
<literal>2001:db8::1</literal>.</para>
2582
<para>
2583
When looking up an address in nibble format, the address
2584
components are simply reversed, just as in IPv4, and
2585
<literal>ip6.arpa.</literal> is appended to the
2586
resulting name.
2587
For example, the following would provide reverse name lookup for
2588
a host with address
2589
<literal>2001:db8::1</literal>.
2590
</para>
1651
2591
1652
2592
<programlisting>
1653
2593
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1654
2594
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
1655
2595
</programlisting>
1656
</sect2>
1657
</sect1>
1658
</chapter>
1659
1660
<chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
1661
<sect1><title>The Lightweight Resolver Library</title>
1662
<para>Traditionally applications have been linked with a stub resolver
1663
library that sends recursive DNS queries to a local caching name
1664
server.</para>
1665
<para>IPv6 once introduced new complexity into the resolution process,
1666
such as following A6 chains and DNAME records, and simultaneous
1667
lookup of IPv4 and IPv6 addresses. Though most of the complexity was
1668
then removed, these are hard or impossible
1669
to implement in a traditional stub resolver.</para>
1670
<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
1671
using a combination of a lightweight resolver library and a resolver
1672
daemon process running on the local host. These communicate using
1673
a simple UDP-based protocol, the "lightweight resolver protocol"
1674
that is distinct from and simpler than the full DNS protocol.</para></sect1>
1675
<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
1676
1677
<para>To use the lightweight resolver interface, the system must
1678
run the resolver daemon <command>lwresd</command> or a local
1679
name server configured with a <command>lwres</command> statement.</para>
1680
1681
<para>By default, applications using the lightweight resolver library will make
1682
UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
1683
address can be overridden by <command>lwserver</command> lines in
1684
<filename>/etc/resolv.conf</filename>.</para>
1685
1686
<para>The daemon currently only looks in the DNS, but in the future
1687
it may use other sources such as <filename>/etc/hosts</filename>,
1688
NIS, etc.</para>
1689
1690
<para>The <command>lwresd</command> daemon is essentially a
1691
caching-only name server that responds to requests using the lightweight
1692
resolver protocol rather than the DNS protocol. Because it needs
1693
to run on each host, it is designed to require no or minimal configuration.
1694
Unless configured otherwise, it uses the name servers listed on
1695
<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
1696
as forwarders, but is also capable of doing the resolution autonomously if
1697
none are specified.</para>
1698
<para>The <command>lwresd</command> daemon may also be configured with a
1699
<filename>named.conf</filename> style configuration file, in
1700
<filename>/etc/lwresd.conf</filename> by default. A name server may also
1701
be configured to act as a lightweight resolver daemon using the
1702
<command>lwres</command> statement in <filename>named.conf</filename>.</para>
1703
1704
</sect1></chapter>
1705
1706
<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
1707
1708
<para><acronym>BIND</acronym> 9 configuration is broadly similar
1709
to <acronym>BIND</acronym> 8; however, there are a few new areas
1710
of configuration, such as views. <acronym>BIND</acronym>
1711
8 configuration files should work with few alterations in <acronym>BIND</acronym>
1712
9, although more complex configurations should be reviewed to check
1713
if they can be more efficiently implemented using the new features
1714
found in <acronym>BIND</acronym> 9.</para>
1715
1716
<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
1717
using the shell script
1718
<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
1719
<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
1720
<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
1721
file documentation:</para>
1722
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
1723
colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
1724
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
1725
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
1726
<tbody>
1727
<row rowsep = "0">
1728
<entry colname = "1"><para><varname>acl_name</varname></para></entry>
1729
<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
1730
defined by the <command>acl</command> statement.</para></entry>
1731
</row>
1732
<row rowsep = "0">
1733
<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
1734
<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>,
1735
<varname>ip_prefix</varname>, <varname>key_id</varname>,
1736
or <varname>acl_name</varname> elements, see
1737
<xref linkend="address_match_lists"/>.</para></entry>
1738
</row>
1739
<row rowsep = "0">
1740
<entry colname = "1"><para><varname>domain_name</varname></para></entry>
1741
<entry colname = "2"><para>A quoted string which will be used as
1742
a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
1743
</row>
1744
<row rowsep = "0">
1745
<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
1746
<entry colname = "2"><para>One to four integers valued 0 through
1747
255 separated by dots (`.'), such as <command>123</command>,
1748
<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
1749
</row>
1750
<row rowsep = "0">
1751
<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
1752
<entry colname = "2"><para>An IPv4 address with exactly four elements
1753
in <varname>dotted_decimal</varname> notation.</para></entry>
1754
</row>
1755
<row rowsep = "0">
1756
<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
1757
<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
1758
IPv6 scoped addresses that have ambiguity on their scope zones must be
1759
disambiguated by an appropriate zone ID with the percent character
1760
(`%') as delimiter.
1761
It is strongly recommended to use string zone names rather than
1762
numeric identifiers, in order to be robust against system
1763
configuration changes.
1764
However, since there is no standard mapping for such names and
1765
identifier values, currently only interface names as link identifiers
1766
are supported, assuming one-to-one mapping between interfaces and links.
1767
For example, a link-local address <command>fe80::1</command> on the
1768
link attached to the interface <command>ne0</command>
1769
can be specified as <command>fe80::1%ne0</command>.
1770
Note that on most systems link-local addresses always have the
1771
ambiguity, and need to be disambiguated.</para></entry>
1772
</row>
1773
<row rowsep = "0">
1774
<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
1775
<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
1776
</row>
1777
<row rowsep = "0">
1778
<entry colname = "1"><para><varname>ip_port</varname></para></entry>
1779
<entry colname = "2"><para>An IP port <varname>number</varname>.
1780
<varname>number</varname> is limited to 0 through 65535, with values
1781
below 1024 typically restricted to use by processes running as root.
1782
In some cases an asterisk (`*') character can be used as a placeholder to
1783
select a random high-numbered port.</para></entry>
1784
</row>
1785
<row rowsep = "0">
1786
<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
1787
<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
1788
followed by a slash (`/') and then the number of bits in the netmask.
1789
Trailing zeros in a <varname>ip_addr</varname> may omitted.
1790
For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
1791
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
1792
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
1793
</row>
1794
<row rowsep = "0">
1795
<entry colname = "1"><para><varname>key_id</varname></para></entry>
1796
<entry colname = "2"><para>A <varname>domain_name</varname> representing
1797
the name of a shared key, to be used for transaction security.</para></entry>
1798
</row>
1799
<row rowsep = "0">
1800
<entry colname = "1"><para><varname>key_list</varname></para></entry>
1801
<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
1802
separated by semicolons and ending with a semicolon.</para></entry>
1803
</row>
1804
<row rowsep = "0">
1805
<entry colname = "1"><para><varname>number</varname></para></entry>
1806
<entry colname = "2"><para>A non-negative 32 bit integer
1807
(i.e., a number between 0 and 4294967295, inclusive).
1808
Its acceptable value might further
1809
be limited by the context in which it is used.</para></entry>
1810
</row>
1811
<row rowsep = "0">
1812
<entry colname = "1"><para><varname>path_name</varname></para></entry>
1813
<entry colname = "2"><para>A quoted string which will be used as
1814
a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
1815
</row>
1816
<row rowsep = "0">
1817
<entry colname = "1"><para><varname>size_spec</varname></para></entry>
1818
<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
1819
or the word <userinput>default</userinput>.</para><para>
1820
An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
1821
use, or the maximum available amount. A <varname>default size_spec</varname> uses
1822
the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
1823
optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
1824
kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
1825
megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
1826
which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
1827
<para>The value must be representable as a 64-bit unsigned integer
1828
(0 to 18446744073709551615, inclusive).
1829
Using <varname>unlimited</varname> is the best way
1830
to safely set a really large number.</para></entry>
1831
</row>
1832
<row rowsep = "0">
1833
<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
1834
<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
1835
The words <userinput>true</userinput> and <userinput>false</userinput> are
1836
also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
1837
</row>
1838
<row rowsep = "0">
1839
<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
1840
<entry colname = "2"><para>One of <userinput>yes</userinput>,
1841
<userinput>no</userinput>, <userinput>notify</userinput>,
1842
<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
1843
<userinput>passive</userinput>.
1844
When used in a zone, <userinput>notify-passive</userinput>,
1845
<userinput>refresh</userinput>, and <userinput>passive</userinput>
1846
are restricted to slave and stub zones.</para></entry>
1847
</row>
1848
</tbody>
1849
</tgroup></informaltable>
1850
<sect2 id="address_match_lists"><title>Address Match Lists</title>
1851
<sect3><title>Syntax</title>
1852
<programlisting><varname>address_match_list</varname> = address_match_list_element ;
2596
2597
</sect2>
2598
</sect1>
2599
</chapter>
2600
2601
<chapter id="Bv9ARM.ch05">
2602
<title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2603
<sect1>
2604
<title>The Lightweight Resolver Library</title>
2605
<para>
2606
Traditionally applications have been linked with a stub resolver
2607
library that sends recursive DNS queries to a local caching name
2608
server.
2609
</para>
2610
<para>
2611
IPv6 once introduced new complexity into the resolution process,
2612
such as following A6 chains and DNAME records, and simultaneous
2613
lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2614
then removed, these are hard or impossible
2615
to implement in a traditional stub resolver.
2616
</para>
2617
<para>
2618
<acronym>BIND</acronym> 9 therefore can also provide resolution
2619
services to local clients
2620
using a combination of a lightweight resolver library and a resolver
2621
daemon process running on the local host. These communicate using
2622
a simple UDP-based protocol, the "lightweight resolver protocol"
2623
that is distinct from and simpler than the full DNS protocol.
2624
</para>
2625
</sect1>
2626
<sect1 id="lwresd">
2627
<title>Running a Resolver Daemon</title>
2628
2629
<para>
2630
To use the lightweight resolver interface, the system must
2631
run the resolver daemon <command>lwresd</command> or a
2632
local
2633
name server configured with a <command>lwres</command>
2634
statement.
2635
</para>
2636
2637
<para>
2638
By default, applications using the lightweight resolver library will
2639
make
2640
UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2641
The
2642
address can be overridden by <command>lwserver</command>
2643
lines in
2644
<filename>/etc/resolv.conf</filename>.
2645
</para>
2646
2647
<para>
2648
The daemon currently only looks in the DNS, but in the future
2649
it may use other sources such as <filename>/etc/hosts</filename>,
2650
NIS, etc.
2651
</para>
2652
2653
<para>
2654
The <command>lwresd</command> daemon is essentially a
2655
caching-only name server that responds to requests using the
2656
lightweight
2657
resolver protocol rather than the DNS protocol. Because it needs
2658
to run on each host, it is designed to require no or minimal
2659
configuration.
2660
Unless configured otherwise, it uses the name servers listed on
2661
<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2662
as forwarders, but is also capable of doing the resolution
2663
autonomously if
2664
none are specified.
2665
</para>
2666
<para>
2667
The <command>lwresd</command> daemon may also be
2668
configured with a
2669
<filename>named.conf</filename> style configuration file,
2670
in
2671
<filename>/etc/lwresd.conf</filename> by default. A name
2672
server may also
2673
be configured to act as a lightweight resolver daemon using the
2674
<command>lwres</command> statement in <filename>named.conf</filename>.
2675
</para>
2676
2677
</sect1>
2678
</chapter>
2679
2680
<chapter id="Bv9ARM.ch06">
2681
<title><acronym>BIND</acronym> 9 Configuration Reference</title>
2682
2683
<para>
2684
<acronym>BIND</acronym> 9 configuration is broadly similar
2685
to <acronym>BIND</acronym> 8; however, there are a few new
2686
areas
2687
of configuration, such as views. <acronym>BIND</acronym>
2688
8 configuration files should work with few alterations in <acronym>BIND</acronym>
2689
9, although more complex configurations should be reviewed to check
2690
if they can be more efficiently implemented using the new features
2691
found in <acronym>BIND</acronym> 9.
2692
</para>
2693
2694
<para>
2695
<acronym>BIND</acronym> 4 configuration files can be
2696
converted to the new format
2697
using the shell script
2698
<filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2699
</para>
2700
<sect1 id="configuration_file_elements">
2701
<title>Configuration File Elements</title>
2702
<para>
2703
Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2704
file documentation:
2705
</para>
2706
<informaltable colsep="0" rowsep="0">
2707
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2708
<colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2709
<colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2710
<tbody>
2711
<row rowsep="0">
2712
<entry colname="1">
2713
<para>
2714
<varname>acl_name</varname>
2715
</para>
2716
</entry>
2717
<entry colname="2">
2718
<para>
2719
The name of an <varname>address_match_list</varname> as
2720
defined by the <command>acl</command> statement.
2721
</para>
2722
</entry>
2723
</row>
2724
<row rowsep="0">
2725
<entry colname="1">
2726
<para>
2727
<varname>address_match_list</varname>
2728
</para>
2729
</entry>
2730
<entry colname="2">
2731
<para>
2732
A list of one or more
2733
<varname>ip_addr</varname>,
2734
<varname>ip_prefix</varname>, <varname>key_id</varname>,
2735
or <varname>acl_name</varname> elements, see
2736
<xref linkend="address_match_lists"/>.
2737
</para>
2738
</entry>
2739
</row>
2740
<row rowsep="0">
2741
<entry colname="1">
2742
<para>
2743
<varname>masters_list</varname>
2744
</para>
2745
</entry>
2746
<entry colname="2">
2747
<para>
2748
A named list of one or more <varname>ip_addr</varname>
2749
with optional <varname>key_id</varname> and/or
2750
<varname>ip_port</varname>.
2751
A <varname>masters_list</varname> may include other
2752
<varname>masters_lists</varname>.
2753
</para>
2754
</entry>
2755
</row>
2756
<row rowsep="0">
2757
<entry colname="1">
2758
<para>
2759
<varname>domain_name</varname>
2760
</para>
2761
</entry>
2762
<entry colname="2">
2763
<para>
2764
A quoted string which will be used as
2765
a DNS name, for example "<literal>my.test.domain</literal>".
2766
</para>
2767
</entry>
2768
</row>
2769
<row rowsep="0">
2770
<entry colname="1">
2771
<para>
2772
<varname>dotted_decimal</varname>
2773
</para>
2774
</entry>
2775
<entry colname="2">
2776
<para>
2777
One to four integers valued 0 through
2778
255 separated by dots (`.'), such as <command>123</command>,
2779
<command>45.67</command> or <command>89.123.45.67</command>.
2780
</para>
2781
</entry>
2782
</row>
2783
<row rowsep="0">
2784
<entry colname="1">
2785
<para>
2786
<varname>ip4_addr</varname>
2787
</para>
2788
</entry>
2789
<entry colname="2">
2790
<para>
2791
An IPv4 address with exactly four elements
2792
in <varname>dotted_decimal</varname> notation.
2793
</para>
2794
</entry>
2795
</row>
2796
<row rowsep="0">
2797
<entry colname="1">
2798
<para>
2799
<varname>ip6_addr</varname>
2800
</para>
2801
</entry>
2802
<entry colname="2">
2803
<para>
2804
An IPv6 address, such as <command>2001:db8::1234</command>.
2805
IPv6 scoped addresses that have ambiguity on their
2806
scope zones must be disambiguated by an appropriate
2807
zone ID with the percent character (`%') as
2808
delimiter. It is strongly recommended to use
2809
string zone names rather than numeric identifiers,
2810
in order to be robust against system configuration
2811
changes. However, since there is no standard
2812
mapping for such names and identifier values,
2813
currently only interface names as link identifiers
2814
are supported, assuming one-to-one mapping between
2815
interfaces and links. For example, a link-local
2816
address <command>fe80::1</command> on the link
2817
attached to the interface <command>ne0</command>
2818
can be specified as <command>fe80::1%ne0</command>.
2819
Note that on most systems link-local addresses
2820
always have the ambiguity, and need to be
2821
disambiguated.
2822
</para>
2823
</entry>
2824
</row>
2825
<row rowsep="0">
2826
<entry colname="1">
2827
<para>
2828
<varname>ip_addr</varname>
2829
</para>
2830
</entry>
2831
<entry colname="2">
2832
<para>
2833
An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2834
</para>
2835
</entry>
2836
</row>
2837
<row rowsep="0">
2838
<entry colname="1">
2839
<para>
2840
<varname>ip_port</varname>
2841
</para>
2842
</entry>
2843
<entry colname="2">
2844
<para>
2845
An IP port <varname>number</varname>.
2846
The <varname>number</varname> is limited to 0
2847
through 65535, with values
2848
below 1024 typically restricted to use by processes running
2849
as root.
2850
In some cases, an asterisk (`*') character can be used as a
2851
placeholder to
2852
select a random high-numbered port.
2853
</para>
2854
</entry>
2855
</row>
2856
<row rowsep="0">
2857
<entry colname="1">
2858
<para>
2859
<varname>ip_prefix</varname>
2860
</para>
2861
</entry>
2862
<entry colname="2">
2863
<para>
2864
An IP network specified as an <varname>ip_addr</varname>,
2865
followed by a slash (`/') and then the number of bits in the
2866
netmask.
2867
Trailing zeros in a <varname>ip_addr</varname>
2868
may omitted.
2869
For example, <command>127/8</command> is the
2870
network <command>127.0.0.0</command> with
2871
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2872
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2873
</para>
2874
<para>
2875
When specifying a prefix involving a IPv6 scoped address
2876
the scope may be omitted. In that case the prefix will
2877
match packets from any scope.
2878
</para>
2879
</entry>
2880
</row>
2881
<row rowsep="0">
2882
<entry colname="1">
2883
<para>
2884
<varname>key_id</varname>
2885
</para>
2886
</entry>
2887
<entry colname="2">
2888
<para>
2889
A <varname>domain_name</varname> representing
2890
the name of a shared key, to be used for transaction
2891
security.
2892
</para>
2893
</entry>
2894
</row>
2895
<row rowsep="0">
2896
<entry colname="1">
2897
<para>
2898
<varname>key_list</varname>
2899
</para>
2900
</entry>
2901
<entry colname="2">
2902
<para>
2903
A list of one or more
2904
<varname>key_id</varname>s,
2905
separated by semicolons and ending with a semicolon.
2906
</para>
2907
</entry>
2908
</row>
2909
<row rowsep="0">
2910
<entry colname="1">
2911
<para>
2912
<varname>number</varname>
2913
</para>
2914
</entry>
2915
<entry colname="2">
2916
<para>
2917
A non-negative 32-bit integer
2918
(i.e., a number between 0 and 4294967295, inclusive).
2919
Its acceptable value might further
2920
be limited by the context in which it is used.
2921
</para>
2922
</entry>
2923
</row>
2924
<row rowsep="0">
2925
<entry colname="1">
2926
<para>
2927
<varname>path_name</varname>
2928
</para>
2929
</entry>
2930
<entry colname="2">
2931
<para>
2932
A quoted string which will be used as
2933
a pathname, such as <filename>zones/master/my.test.domain</filename>.
2934
</para>
2935
</entry>
2936
</row>
2937
<row rowsep="0">
2938
<entry colname="1">
2939
<para>
2940
<varname>size_spec</varname>
2941
</para>
2942
</entry>
2943
<entry colname="2">
2944
<para>
2945
A number, the word <userinput>unlimited</userinput>,
2946
or the word <userinput>default</userinput>.
2947
</para>
2948
<para>
2949
An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2950
use, or the maximum available amount. A <varname>default size_spec</varname> uses
2951
the limit that was in force when the server was started.
2952
</para>
2953
<para>
2954
A <varname>number</varname> can optionally be
2955
followed by a scaling factor:
2956
<userinput>K</userinput> or <userinput>k</userinput>
2957
for kilobytes,
2958
<userinput>M</userinput> or <userinput>m</userinput>
2959
for megabytes, and
2960
<userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
2961
which scale by 1024, 1024*1024, and 1024*1024*1024
2962
respectively.
2963
</para>
2964
<para>
2965
The value must be representable as a 64-bit unsigned integer
2966
(0 to 18446744073709551615, inclusive).
2967
Using <varname>unlimited</varname> is the best
2968
way
2969
to safely set a really large number.
2970
</para>
2971
</entry>
2972
</row>
2973
<row rowsep="0">
2974
<entry colname="1">
2975
<para>
2976
<varname>yes_or_no</varname>
2977
</para>
2978
</entry>
2979
<entry colname="2">
2980
<para>
2981
Either <userinput>yes</userinput> or <userinput>no</userinput>.
2982
The words <userinput>true</userinput> and <userinput>false</userinput> are
2983
also accepted, as are the numbers <userinput>1</userinput>
2984
and <userinput>0</userinput>.
2985
</para>
2986
</entry>
2987
</row>
2988
<row rowsep="0">
2989
<entry colname="1">
2990
<para>
2991
<varname>dialup_option</varname>
2992
</para>
2993
</entry>
2994
<entry colname="2">
2995
<para>
2996
One of <userinput>yes</userinput>,
2997
<userinput>no</userinput>, <userinput>notify</userinput>,
2998
<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
2999
<userinput>passive</userinput>.
3000
When used in a zone, <userinput>notify-passive</userinput>,
3001
<userinput>refresh</userinput>, and <userinput>passive</userinput>
3002
are restricted to slave and stub zones.
3003
</para>
3004
</entry>
3005
</row>
3006
</tbody>
3007
</tgroup>
3008
</informaltable>
3009
<sect2 id="address_match_lists">
3010
<title>Address Match Lists</title>
3011
<sect3>
3012
<title>Syntax</title>
3013
3014
<programlisting><varname>address_match_list</varname> = address_match_list_element ;
1853
3015
<optional> address_match_list_element; ... </optional>
1854
3016
<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
1855
3017
key key_id | acl_name | { address_match_list } )
1856
3018
</programlisting>
1857
</sect3>
1858
<sect3><title>Definition and Usage</title>
1859
<para>Address match lists are primarily used to determine access
1860
control for various server operations. They are also used in
1861
the <command>listen-on</command> and <command>sortlist</command>
1862
statements. The elements
1863
which constitute an address match list can be any of the following:</para>
1864
<itemizedlist><listitem>
1865
<simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
1866
<listitem>
1867
<simpara>an IP prefix (in `/' notation)</simpara></listitem>
1868
<listitem>
1869
<simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
1870
<listitem>
1871
<simpara>the name of an address match list defined with
1872
the <command>acl</command> statement</simpara></listitem>
1873
<listitem>
1874
<simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
1875
1876
<para>Elements can be negated with a leading exclamation mark (`!'),
1877
and the match list names "any", "none", "localhost", and "localnets"
1878
are predefined. More information on those names can be found in
1879
the description of the acl statement.</para>
1880
1881
<para>The addition of the key clause made the name of this syntactic
1882
element something of a misnomer, since security keys can be used
1883
to validate access without regard to a host or network address. Nonetheless,
1884
the term "address match list" is still used throughout the documentation.</para>
1885
1886
<para>When a given IP address or prefix is compared to an address
1887
match list, the list is traversed in order until an element matches.
1888
The interpretation of a match depends on whether the list is being used
1889
for access control, defining listen-on ports, or in a sortlist,
1890
and whether the element was negated.</para>
1891
1892
<para>When used as an access control list, a non-negated match allows
1893
access and a negated match denies access. If there is no match,
1894
access is denied. The clauses <command>allow-notify</command>,
1895
<command>allow-query</command>, <command>allow-transfer</command>,
1896
<command>allow-update</command>, <command>allow-update-forwarding</command>,
1897
and <command>blackhole</command> all
1898
use address match lists this. Similarly, the listen-on option will cause
1899
the server to not accept queries on any of the machine's addresses
1900
which do not match the list.</para>
1901
1902
<para>Because of the first-match aspect of the algorithm, an element
1903
that defines a subset of another element in the list should come
1904
before the broader element, regardless of whether either is negated. For
1905
example, in
1906
<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
1907
completely useless because the algorithm will match any lookup for
1908
1.2.3.13 to the 1.2.3/24 element.
1909
Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
1910
that problem by having 1.2.3.13 blocked by the negation but all
1911
other 1.2.3.* hosts fall through.</para>
1912
</sect3>
1913
</sect2>
1914
1915
<sect2>
1916
<title>Comment Syntax</title>
1917
1918
<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
1919
anywhere that white space may appear in a <acronym>BIND</acronym> configuration
1920
file. To appeal to programmers of all kinds, they can be written
1921
in the C, C++, or shell/perl style.</para>
1922
1923
<sect3>
1924
<title>Syntax</title>
1925
1926
<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
1927
<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
1928
<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
1929
</para>
1930
</sect3>
1931
<sect3>
1932
<title>Definition and Usage</title>
1933
<para>Comments may appear anywhere that whitespace may appear in
1934
a <acronym>BIND</acronym> configuration file.</para>
1935
<para>C-style comments start with the two characters /* (slash,
1936
star) and end with */ (star, slash). Because they are completely
1937
delimited with these characters, they can be used to comment only
1938
a portion of a line or to span multiple lines.</para>
1939
<para>C-style comments cannot be nested. For example, the following
1940
is not valid because the entire comment ends with the first */:</para>
1941
<para><programlisting>/* This is the start of a comment.
3019
3020
</sect3>
3021
<sect3>
3022
<title>Definition and Usage</title>
3023
<para>
3024
Address match lists are primarily used to determine access
3025
control for various server operations. They are also used in
3026
the <command>listen-on</command> and <command>sortlist</command>
3027
statements. The elements which constitute an address match
3028
list can be any of the following:
3029
</para>
3030
<itemizedlist>
3031
<listitem>
3032
<simpara>an IP address (IPv4 or IPv6)</simpara>
3033
</listitem>
3034
<listitem>
3035
<simpara>an IP prefix (in `/' notation)</simpara>
3036
</listitem>
3037
<listitem>
3038
<simpara>
3039
a key ID, as defined by the <command>key</command>
3040
statement
3041
</simpara>
3042
</listitem>
3043
<listitem>
3044
<simpara>the name of an address match list defined with
3045
the <command>acl</command> statement
3046
</simpara>
3047
</listitem>
3048
<listitem>
3049
<simpara>a nested address match list enclosed in braces</simpara>
3050
</listitem>
3051
</itemizedlist>
3052
3053
<para>
3054
Elements can be negated with a leading exclamation mark (`!'),
3055
and the match list names "any", "none", "localhost", and
3056
"localnets" are predefined. More information on those names
3057
can be found in the description of the acl statement.
3058
</para>
3059
3060
<para>
3061
The addition of the key clause made the name of this syntactic
3062
element something of a misnomer, since security keys can be used
3063
to validate access without regard to a host or network address.
3064
Nonetheless, the term "address match list" is still used
3065
throughout the documentation.
3066
</para>
3067
3068
<para>
3069
When a given IP address or prefix is compared to an address
3070
match list, the comparison takes place in approximately O(1)
3071
time. However, key comparisons require that the list of keys
3072
be traversed until a matching key is found, and therefore may
3073
be somewhat slower.
3074
</para>
3075
3076
<para>
3077
The interpretation of a match depends on whether the list is being
3078
used for access control, defining listen-on ports, or in a
3079
sortlist, and whether the element was negated.
3080
</para>
3081
3082
<para>
3083
When used as an access control list, a non-negated match
3084
allows access and a negated match denies access. If
3085
there is no match, access is denied. The clauses
3086
<command>allow-notify</command>,
3087
<command>allow-recursion</command>,
3088
<command>allow-recursion-on</command>,
3089
<command>allow-query</command>,
3090
<command>allow-query-on</command>,
3091
<command>allow-query-cache</command>,
3092
<command>allow-query-cache-on</command>,
3093
<command>allow-transfer</command>,
3094
<command>allow-update</command>,
3095
<command>allow-update-forwarding</command>, and
3096
<command>blackhole</command> all use address match
3097
lists. Similarly, the listen-on option will cause the
3098
server to refuse queries on any of the machine's
3099
addresses which do not match the list.
3100
</para>
3101
3102
<para>
3103
Order of insertion is signficant. If more than one element
3104
in an ACL is found to match a given IP address or prefix,
3105
preference will be given to the one that came
3106
<emphasis>first</emphasis> in the ACL definition.
3107
Because of this first-match behavior, an element that
3108
defines a subset of another element in the list should
3109
come before the broader element, regardless of whether
3110
either is negated. For example, in
3111
<command>1.2.3/24; ! 1.2.3.13;</command>
3112
the 1.2.3.13 element is completely useless because the
3113
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
3114
element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3115
that problem by having 1.2.3.13 blocked by the negation, but
3116
all other 1.2.3.* hosts fall through.
3117
</para>
3118
</sect3>
3119
</sect2>
3120
3121
<sect2>
3122
<title>Comment Syntax</title>
3123
3124
<para>
3125
The <acronym>BIND</acronym> 9 comment syntax allows for
3126
comments to appear
3127
anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3128
file. To appeal to programmers of all kinds, they can be written
3129
in the C, C++, or shell/perl style.
3130
</para>
3131
3132
<sect3>
3133
<title>Syntax</title>
3134
3135
<para>
3136
<programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3137
<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3138
<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3139
</para>
3140
</sect3>
3141
<sect3>
3142
<title>Definition and Usage</title>
3143
<para>
3144
Comments may appear anywhere that whitespace may appear in
3145
a <acronym>BIND</acronym> configuration file.
3146
</para>
3147
<para>
3148
C-style comments start with the two characters /* (slash,
3149
star) and end with */ (star, slash). Because they are completely
3150
delimited with these characters, they can be used to comment only
3151
a portion of a line or to span multiple lines.
3152
</para>
3153
<para>
3154
C-style comments cannot be nested. For example, the following
3155
is not valid because the entire comment ends with the first */:
3156
</para>
3157
<para>
3158
3159
<programlisting>/* This is the start of a comment.
1942
3160
This is still part of the comment.
1943
3161
/* This is an incorrect attempt at nesting a comment. */
1944
3162
This is no longer in any comment. */
1945
</programlisting></para>
1946
1947
<para>C++-style comments start with the two characters // (slash,
1948
slash) and continue to the end of the physical line. They cannot
1949
be continued across multiple physical lines; to have one logical
1950
comment span multiple lines, each line must use the // pair.</para>
1951
<para>For example:</para>
1952
<para><programlisting>// This is the start of a comment. The next line
3163
</programlisting>
3164
3165
</para>
3166
3167
<para>
3168
C++-style comments start with the two characters // (slash,
3169
slash) and continue to the end of the physical line. They cannot
3170
be continued across multiple physical lines; to have one logical
3171
comment span multiple lines, each line must use the // pair.
3172
</para>
3173
<para>
3174
For example:
3175
</para>
3176
<para>
3177
3178
<programlisting>// This is the start of a comment. The next line
1953
3179
// is a new comment, even though it is logically
1954
3180
// part of the previous comment.
1955
</programlisting></para>
1956
<para>Shell-style (or perl-style, if you prefer) comments start
1957
with the character <literal>#</literal> (number sign) and continue to the end of the
1958
physical line, as in C++ comments.</para>
1959
<para>For example:</para>
1960
1961
<para><programlisting># This is the start of a comment. The next line
3181
</programlisting>
3182
3183
</para>
3184
<para>
3185
Shell-style (or perl-style, if you prefer) comments start
3186
with the character <literal>#</literal> (number sign)
3187
and continue to the end of the
3188
physical line, as in C++ comments.
3189
</para>
3190
<para>
3191
For example:
3192
</para>
3193
3194
<para>
3195
3196
<programlisting># This is the start of a comment. The next line
1962
3197
# is a new comment, even though it is logically
1963
3198
# part of the previous comment.
1964
3199
</programlisting>
1965
</para>
1966
1967
<warning>
1968
<para>You cannot use the semicolon (`;') character
1969
to start a comment such as you would in a zone file. The
1970
semicolon indicates the end of a configuration
1971
statement.</para>
1972
</warning>
1973
</sect3>
1974
</sect2>
1975
</sect1>
1976
1977
<sect1 id="Configuration_File_Grammar">
1978
<title>Configuration File Grammar</title>
1979
1980
<para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
1981
Statements end with a semicolon. Statements and comments are the
1982
only elements that can appear without enclosing braces. Many
1983
statements contain a block of sub-statements, which are also
1984
terminated with a semicolon.</para>
1985
1986
<para>The following statements are supported:</para>
1987
1988
<informaltable colsep = "0" rowsep = "0">
1989
<tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
1990
"2Level-table">
1991
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
1992
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
1993
<tbody>
1994
<row rowsep = "0">
1995
<entry colname = "1"><para><command>acl</command></para></entry>
1996
<entry colname = "2"><para>defines a named IP address
1997
matching list, for access control and other uses.</para></entry>
1998
</row>
1999
<row rowsep = "0">
2000
<entry colname = "1"><para><command>controls</command></para></entry>
2001
<entry colname = "2"><para>declares control channels to be used
2002
by the <command>rndc</command> utility.</para></entry>
2003
</row>
2004
<row rowsep = "0">
2005
<entry colname = "1"><para><command>include</command></para></entry>
2006
<entry colname = "2"><para>includes a file.</para></entry>
2007
</row>
2008
<row rowsep = "0">
2009
<entry colname = "1"><para><command>key</command></para></entry>
2010
<entry colname = "2"><para>specifies key information for use in
2011
authentication and authorization using TSIG.</para></entry>
2012
</row>
2013
<row rowsep = "0">
2014
<entry colname = "1"><para><command>logging</command></para></entry>
2015
<entry colname = "2"><para>specifies what the server logs, and where
2016
the log messages are sent.</para></entry>
2017
</row>
2018
<row rowsep = "0">
2019
<entry colname = "1"><para><command>lwres</command></para></entry>
2020
<entry colname = "2"><para>configures <command>named</command> to
2021
also act as a light weight resolver daemon (<command>lwresd</command>).</para></entry>
2022
</row>
2023
<row rowsep = "0">
2024
<entry colname = "1"><para><command>masters</command></para></entry>
2025
<entry colname = "2"><para>defines a named masters list for
2026
inclusion in stub and slave zone masters clauses.</para></entry>
2027
</row>
2028
<row rowsep = "0">
2029
<entry colname = "1"><para><command>options</command></para></entry>
2030
<entry colname = "2"><para>controls global server configuration
2031
options and sets defaults for other statements.</para></entry>
2032
</row>
2033
<row rowsep = "0">
2034
<entry colname = "1"><para><command>server</command></para></entry>
2035
<entry colname = "2"><para>sets certain configuration options on
2036
a per-server basis.</para></entry>
2037
</row>
2038
<row rowsep = "0">
2039
<entry colname = "1"><para><command>trusted-keys</command></para></entry>
2040
<entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
2041
</row>
2042
<row rowsep = "0">
2043
<entry colname = "1"><para><command>view</command></para></entry>
2044
<entry colname = "2"><para>defines a view.</para></entry>
2045
</row>
2046
<row rowsep = "0">
2047
<entry colname = "1"><para><command>zone</command></para></entry>
2048
<entry colname = "2"><para>defines a zone.</para></entry>
2049
</row>
2050
</tbody>
2051
</tgroup></informaltable>
2052
2053
<para>The <command>logging</command> and
2054
<command>options</command> statements may only occur once per
2055
configuration.</para>
2056
2057
<sect2>
2058
<title><command>acl</command> Statement Grammar</title>
2059
2060
<programlisting><command>acl</command> acl-name {
2061
address_match_list
3200
3201
</para>
3202
3203
<warning>
3204
<para>
3205
You cannot use the semicolon (`;') character
3206
to start a comment such as you would in a zone file. The
3207
semicolon indicates the end of a configuration
3208
statement.
3209
</para>
3210
</warning>
3211
</sect3>
3212
</sect2>
3213
</sect1>
3214
3215
<sect1 id="Configuration_File_Grammar">
3216
<title>Configuration File Grammar</title>
3217
3218
<para>
3219
A <acronym>BIND</acronym> 9 configuration consists of
3220
statements and comments.
3221
Statements end with a semicolon. Statements and comments are the
3222
only elements that can appear without enclosing braces. Many
3223
statements contain a block of sub-statements, which are also
3224
terminated with a semicolon.
3225
</para>
3226
3227
<para>
3228
The following statements are supported:
3229
</para>
3230
3231
<informaltable colsep="0" rowsep="0">
3232
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3233
<colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3234
<colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3235
<tbody>
3236
<row rowsep="0">
3237
<entry colname="1">
3238
<para><command>acl</command></para>
3239
</entry>
3240
<entry colname="2">
3241
<para>
3242
defines a named IP address
3243
matching list, for access control and other uses.
3244
</para>
3245
</entry>
3246
</row>
3247
<row rowsep="0">
3248
<entry colname="1">
3249
<para><command>controls</command></para>
3250
</entry>
3251
<entry colname="2">
3252
<para>
3253
declares control channels to be used
3254
by the <command>rndc</command> utility.
3255
</para>
3256
</entry>
3257
</row>
3258
<row rowsep="0">
3259
<entry colname="1">
3260
<para><command>include</command></para>
3261
</entry>
3262
<entry colname="2">
3263
<para>
3264
includes a file.
3265
</para>
3266
</entry>
3267
</row>
3268
<row rowsep="0">
3269
<entry colname="1">
3270
<para><command>key</command></para>
3271
</entry>
3272
<entry colname="2">
3273
<para>
3274
specifies key information for use in
3275
authentication and authorization using TSIG.
3276
</para>
3277
</entry>
3278
</row>
3279
<row rowsep="0">
3280
<entry colname="1">
3281
<para><command>logging</command></para>
3282
</entry>
3283
<entry colname="2">
3284
<para>
3285
specifies what the server logs, and where
3286
the log messages are sent.
3287
</para>
3288
</entry>
3289
</row>
3290
<row rowsep="0">
3291
<entry colname="1">
3292
<para><command>lwres</command></para>
3293
</entry>
3294
<entry colname="2">
3295
<para>
3296
configures <command>named</command> to
3297
also act as a light-weight resolver daemon (<command>lwresd</command>).
3298
</para>
3299
</entry>
3300
</row>
3301
<row rowsep="0">
3302
<entry colname="1">
3303
<para><command>masters</command></para>
3304
</entry>
3305
<entry colname="2">
3306
<para>
3307
defines a named masters list for
3308
inclusion in stub and slave zone masters clauses.
3309
</para>
3310
</entry>
3311
</row>
3312
<row rowsep="0">
3313
<entry colname="1">
3314
<para><command>options</command></para>
3315
</entry>
3316
<entry colname="2">
3317
<para>
3318
controls global server configuration
3319
options and sets defaults for other statements.
3320
</para>
3321
</entry>
3322
</row>
3323
<row rowsep="0">
3324
<entry colname="1">
3325
<para><command>statistics-channels</command></para>
3326
</entry>
3327
<entry colname="2">
3328
<para>
3329
declares communication channels to get access to
3330
<command>named</command> statistics.
3331
</para>
3332
</entry>
3333
</row>
3334
<row rowsep="0">
3335
<entry colname="1">
3336
<para><command>server</command></para>
3337
</entry>
3338
<entry colname="2">
3339
<para>
3340
sets certain configuration options on
3341
a per-server basis.
3342
</para>
3343
</entry>
3344
</row>
3345
<row rowsep="0">
3346
<entry colname="1">
3347
<para><command>trusted-keys</command></para>
3348
</entry>
3349
<entry colname="2">
3350
<para>
3351
defines trusted DNSSEC keys.
3352
</para>
3353
</entry>
3354
</row>
3355
<row rowsep="0">
3356
<entry colname="1">
3357
<para><command>view</command></para>
3358
</entry>
3359
<entry colname="2">
3360
<para>
3361
defines a view.
3362
</para>
3363
</entry>
3364
</row>
3365
<row rowsep="0">
3366
<entry colname="1">
3367
<para><command>zone</command></para>
3368
</entry>
3369
<entry colname="2">
3370
<para>
3371
defines a zone.
3372
</para>
3373
</entry>
3374
</row>
3375
</tbody>
3376
</tgroup>
3377
</informaltable>
3378
3379
<para>
3380
The <command>logging</command> and
3381
<command>options</command> statements may only occur once
3382
per
3383
configuration.
3384
</para>
3385
3386
<sect2>
3387
<title><command>acl</command> Statement Grammar</title>
3388
3389
<programlisting><command>acl</command> acl-name {
3390
address_match_list
2062
3391
};
2063
3392
</programlisting>
2064
</sect2>
2065
<sect2 id="acl">
2066
<title><command>acl</command> Statement Definition and
2067
Usage</title>
2068
2069
<para>The <command>acl</command> statement assigns a symbolic
2070
name to an address match list. It gets its name from a primary
2071
use of address match lists: Access Control Lists (ACLs).</para>
2072
2073
<para>Note that an address match list's name must be defined
2074
with <command>acl</command> before it can be used elsewhere; no
2075
forward references are allowed.</para>
2076
2077
<para>The following ACLs are built-in:</para>
2078
2079
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
2080
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
2081
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
2082
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
2083
<tbody>
2084
<row rowsep = "0">
2085
<entry colname = "1"><para><command>any</command></para></entry>
2086
<entry colname = "2"><para>Matches all hosts.</para></entry>
2087
</row>
2088
<row rowsep = "0">
2089
<entry colname = "1"><para><command>none</command></para></entry>
2090
<entry colname = "2"><para>Matches no hosts.</para></entry>
2091
</row>
2092
<row rowsep = "0">
2093
<entry colname = "1"><para><command>localhost</command></para></entry>
2094
<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
2095
interfaces on the system.</para></entry>
2096
</row>
2097
<row rowsep = "0">
2098
<entry colname = "1"><para><command>localnets</command></para></entry>
2099
<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
2100
for which the system has an interface.
2101
Some systems do not provide a way to determine the prefix lengths of
2102
local IPv6 addresses.
2103
In such a case, <command>localnets</command> only matches the local
2104
IPv6 addresses, just like <command>localhost</command>.
2105
</para></entry>
2106
</row>
2107
</tbody>
2108
</tgroup></informaltable>
2109
2110
</sect2>
2111
<sect2>
2112
<title><command>controls</command> Statement Grammar</title>
3393
3394
</sect2>
3395
<sect2 id="acl">
3396
<title><command>acl</command> Statement Definition and
3397
Usage</title>
3398
3399
<para>
3400
The <command>acl</command> statement assigns a symbolic
3401
name to an address match list. It gets its name from a primary
3402
use of address match lists: Access Control Lists (ACLs).
3403
</para>
3404
3405
<para>
3406
Note that an address match list's name must be defined
3407
with <command>acl</command> before it can be used
3408
elsewhere; no forward references are allowed.
3409
</para>
3410
3411
<para>
3412
The following ACLs are built-in:
3413
</para>
3414
3415
<informaltable colsep="0" rowsep="0">
3416
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3417
<colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3418
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3419
<tbody>
3420
<row rowsep="0">
3421
<entry colname="1">
3422
<para><command>any</command></para>
3423
</entry>
3424
<entry colname="2">
3425
<para>
3426
Matches all hosts.
3427
</para>
3428
</entry>
3429
</row>
3430
<row rowsep="0">
3431
<entry colname="1">
3432
<para><command>none</command></para>
3433
</entry>
3434
<entry colname="2">
3435
<para>
3436
Matches no hosts.
3437
</para>
3438
</entry>
3439
</row>
3440
<row rowsep="0">
3441
<entry colname="1">
3442
<para><command>localhost</command></para>
3443
</entry>
3444
<entry colname="2">
3445
<para>
3446
Matches the IPv4 and IPv6 addresses of all network
3447
interfaces on the system.
3448
</para>
3449
</entry>
3450
</row>
3451
<row rowsep="0">
3452
<entry colname="1">
3453
<para><command>localnets</command></para>
3454
</entry>
3455
<entry colname="2">
3456
<para>
3457
Matches any host on an IPv4 or IPv6 network
3458
for which the system has an interface.
3459
Some systems do not provide a way to determine the prefix
3460
lengths of
3461
local IPv6 addresses.
3462
In such a case, <command>localnets</command>
3463
only matches the local
3464
IPv6 addresses, just like <command>localhost</command>.
3465
</para>
3466
</entry>
3467
</row>
3468
</tbody>
3469
</tgroup>
3470
</informaltable>
3471
3472
</sect2>
3473
<sect2>
3474
<title><command>controls</command> Statement Grammar</title>
3475
2113
3476
<programlisting><command>controls</command> {
2114
inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
2115
keys { <replaceable> key_list </replaceable> };
2116
<optional> inet ...; </optional>
3477
[ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3478
keys { <replaceable>key_list</replaceable> }; ]
3479
[ inet ...; ]
3480
[ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3481
[ unix ...; ]
2117
3482
};
2118
3483
</programlisting>
2119
</sect2>
2120
2121
<sect2 id="controls_statement_definition_and_usage">
2122
<title><command>controls</command> Statement Definition and Usage</title>
2123
2124
<para>The <command>controls</command> statement declares control
2125
channels to be used by system administrators to control the
2126
operation of the name server. These control channels are
2127
used by the <command>rndc</command> utility to send commands to
2128
and retrieve non-DNS results from a name server.</para>
2129
2130
<para>An <command>inet</command> control channel is a TCP
2131
socket listening at the specified
2132
<command>ip_port</command> on the specified
2133
<command>ip_addr</command>, which can be an IPv4 or IPv6
2134
address. An <command>ip_addr</command>
2135
of <literal>*</literal> is interpreted as the IPv4 wildcard
2136
address; connections will be accepted on any of the system's
2137
IPv4 addresses. To listen on the IPv6 wildcard address,
2138
use an <command>ip_addr</command> of <literal>::</literal>.
2139
If you will only use <command>rndc</command> on the local host,
2140
using the loopback address (<literal>127.0.0.1</literal>
2141
or <literal>::1</literal>) is recommended for maximum
2142
security.
2143
</para>
2144
2145
<para>
2146
If no port is specified, port 953
2147
is used. "<literal>*</literal>" cannot be used for
2148
<command>ip_port</command>.</para>
2149
2150
<para>The ability to issue commands over the control channel is
2151
restricted by the <command>allow</command> and
2152
<command>keys</command> clauses. Connections to the control
2153
channel are permitted based on the
2154
<command>address_match_list</command>. This is for simple
2155
IP address based filtering only; any <command>key_id</command>
2156
elements of the <command>address_match_list</command> are
2157
ignored.
2158
</para>
2159
2160
<para>The primary authorization mechanism of the command
2161
channel is the <command>key_list</command>, which contains
2162
a list of <command>key_id</command>s.
2163
Each <command>key_id</command> in
2164
the <command>key_list</command> is authorized to execute
2165
commands over the control channel.
2166
See <xref linkend="rndc"/> in
2167
<xref linkend="admin_tools"/>) for information about
2168
configuring keys in <command>rndc</command>.</para>
2169
2170
<para>
2171
If no <command>controls</command> statement is present,
2172
<command>named</command> will set up a default
2173
control channel listening on the loopback address 127.0.0.1
2174
and its IPv6 counterpart ::1.
2175
In this case, and also when the <command>controls</command> statement
2176
is present but does not have a <command>keys</command> clause,
2177
<command>named</command> will attempt to load the command channel key
2178
from the file <filename>rndc.key</filename> in
2179
<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
2180
was specified as when <acronym>BIND</acronym> was built).
2181
To create a <filename>rndc.key</filename> file, run
2182
<userinput>rndc-confgen -a</userinput>.
2183
</para>
2184
2185
<para>The <filename>rndc.key</filename> feature was created to
2186
ease the transition of systems from <acronym>BIND</acronym> 8,
2187
which did not have digital signatures on its command channel messages
2188
and thus did not have a <command>keys</command> clause.
2189
2190
It makes it possible to use an existing <acronym>BIND</acronym> 8
2191
configuration file in <acronym>BIND</acronym> 9 unchanged,
2192
and still have <command>rndc</command> work the same way
2193
<command>ndc</command> worked in BIND 8, simply by executing the
2194
command <userinput>rndc-confgen -a</userinput> after BIND 9 is
2195
installed.
2196
</para>
2197
2198
<para>
2199
Since the <filename>rndc.key</filename> feature
2200
is only intended to allow the backward-compatible usage of
2201
<acronym>BIND</acronym> 8 configuration files, this feature does not
2202
have a high degree of configurability. You cannot easily change
2203
the key name or the size of the secret, so you should make a
2204
<filename>rndc.conf</filename> with your own key if you wish to change
2205
those things. The <filename>rndc.key</filename> file also has its
2206
permissions set such that only the owner of the file (the user that
2207
<command>named</command> is running as) can access it. If you
2208
desire greater flexibility in allowing other users to access
2209
<command>rndc</command> commands then you need to create an
2210
<filename>rndc.conf</filename> and make it group readable by a group
2211
that contains the users who should have access.</para>
2212
2213
<para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
2214
in <acronym>BIND</acronym> 9, and is not expected to be added in future
2215
releases. If it is present in the controls statement from a
2216
<acronym>BIND</acronym> 8 configuration file, it is ignored
2217
and a warning is logged.</para>
2218
2219
<para>
2220
To disable the command channel, use an empty <command>controls</command>
2221
statement: <command>controls { };</command>.
2222
</para>
2223
2224
</sect2>
2225
<sect2>
2226
<title><command>include</command> Statement Grammar</title>
2227
<programlisting>include <replaceable>filename</replaceable>;</programlisting>
2228
</sect2>
2229
<sect2>
2230
<title><command>include</command> Statement Definition and Usage</title>
2231
2232
<para>The <command>include</command> statement inserts the
2233
specified file at the point where the <command>include</command>
2234
statement is encountered. The <command>include</command>
2235
statement facilitates the administration of configuration files
2236
by permitting the reading or writing of some things but not
2237
others. For example, the statement could include private keys
2238
that are readable only by the name server.</para>
2239
2240
</sect2>
2241
<sect2>
2242
<title><command>key</command> Statement Grammar</title>
2243
<programlisting>key <replaceable>key_id</replaceable> {
3484
3485
</sect2>
3486
3487
<sect2 id="controls_statement_definition_and_usage">
3488
<title><command>controls</command> Statement Definition and
3489
Usage</title>
3490
3491
<para>
3492
The <command>controls</command> statement declares control
3493
channels to be used by system administrators to control the
3494
operation of the name server. These control channels are
3495
used by the <command>rndc</command> utility to send
3496
commands to and retrieve non-DNS results from a name server.
3497
</para>
3498
3499
<para>
3500
An <command>inet</command> control channel is a TCP socket
3501
listening at the specified <command>ip_port</command> on the
3502
specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3503
address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3504
interpreted as the IPv4 wildcard address; connections will be
3505
accepted on any of the system's IPv4 addresses.
3506
To listen on the IPv6 wildcard address,
3507
use an <command>ip_addr</command> of <literal>::</literal>.
3508
If you will only use <command>rndc</command> on the local host,
3509
using the loopback address (<literal>127.0.0.1</literal>
3510
or <literal>::1</literal>) is recommended for maximum security.
3511
</para>
3512
3513
<para>
3514
If no port is specified, port 953 is used. The asterisk
3515
"<literal>*</literal>" cannot be used for <command>ip_port</command>.
3516
</para>
3517
3518
<para>
3519
The ability to issue commands over the control channel is
3520
restricted by the <command>allow</command> and
3521
<command>keys</command> clauses.
3522
Connections to the control channel are permitted based on the
3523
<command>address_match_list</command>. This is for simple
3524
IP address based filtering only; any <command>key_id</command>
3525
elements of the <command>address_match_list</command>
3526
are ignored.
3527
</para>
3528
3529
<para>
3530
A <command>unix</command> control channel is a UNIX domain
3531
socket listening at the specified path in the file system.
3532
Access to the socket is specified by the <command>perm</command>,
3533
<command>owner</command> and <command>group</command> clauses.
3534
Note on some platforms (SunOS and Solaris) the permissions
3535
(<command>perm</command>) are applied to the parent directory
3536
as the permissions on the socket itself are ignored.
3537
</para>
3538
3539
<para>
3540
The primary authorization mechanism of the command
3541
channel is the <command>key_list</command>, which
3542
contains a list of <command>key_id</command>s.
3543
Each <command>key_id</command> in the <command>key_list</command>
3544
is authorized to execute commands over the control channel.
3545
See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3546
for information about configuring keys in <command>rndc</command>.
3547
</para>
3548
3549
<para>
3550
If no <command>controls</command> statement is present,
3551
<command>named</command> will set up a default
3552
control channel listening on the loopback address 127.0.0.1
3553
and its IPv6 counterpart ::1.
3554
In this case, and also when the <command>controls</command> statement
3555
is present but does not have a <command>keys</command> clause,
3556
<command>named</command> will attempt to load the command channel key
3557
from the file <filename>rndc.key</filename> in
3558
<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3559
was specified as when <acronym>BIND</acronym> was built).
3560
To create a <filename>rndc.key</filename> file, run
3561
<userinput>rndc-confgen -a</userinput>.
3562
</para>
3563
3564
<para>
3565
The <filename>rndc.key</filename> feature was created to
3566
ease the transition of systems from <acronym>BIND</acronym> 8,
3567
which did not have digital signatures on its command channel
3568
messages and thus did not have a <command>keys</command> clause.
3569
3570
It makes it possible to use an existing <acronym>BIND</acronym> 8
3571
configuration file in <acronym>BIND</acronym> 9 unchanged,
3572
and still have <command>rndc</command> work the same way
3573
<command>ndc</command> worked in BIND 8, simply by executing the
3574
command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3575
installed.
3576
</para>
3577
3578
<para>
3579
Since the <filename>rndc.key</filename> feature
3580
is only intended to allow the backward-compatible usage of
3581
<acronym>BIND</acronym> 8 configuration files, this
3582
feature does not
3583
have a high degree of configurability. You cannot easily change
3584
the key name or the size of the secret, so you should make a
3585
<filename>rndc.conf</filename> with your own key if you
3586
wish to change
3587
those things. The <filename>rndc.key</filename> file
3588
also has its
3589
permissions set such that only the owner of the file (the user that
3590
<command>named</command> is running as) can access it.
3591
If you
3592
desire greater flexibility in allowing other users to access
3593
<command>rndc</command> commands, then you need to create
3594
a
3595
<filename>rndc.conf</filename> file and make it group
3596
readable by a group
3597
that contains the users who should have access.
3598
</para>
3599
3600
<para>
3601
To disable the command channel, use an empty
3602
<command>controls</command> statement:
3603
<command>controls { };</command>.
3604
</para>
3605
3606
</sect2>
3607
<sect2>
3608
<title><command>include</command> Statement Grammar</title>
3609
<programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3610
</sect2>
3611
<sect2>
3612
<title><command>include</command> Statement Definition and
3613
Usage</title>
3614
3615
<para>
3616
The <command>include</command> statement inserts the
3617
specified file at the point where the <command>include</command>
3618
statement is encountered. The <command>include</command>
3619
statement facilitates the administration of configuration
3620
files
3621
by permitting the reading or writing of some things but not
3622
others. For example, the statement could include private keys
3623
that are readable only by the name server.
3624
</para>
3625
3626
</sect2>
3627
<sect2>
3628
<title><command>key</command> Statement Grammar</title>
3629
3630
<programlisting><command>key</command> <replaceable>key_id</replaceable> {
2244
3631
algorithm <replaceable>string</replaceable>;
2245
3632
secret <replaceable>string</replaceable>;
2246
3633
};
2247
3634
</programlisting>
2248
</sect2>
2249
2250
<sect2>
2251
<title><command>key</command> Statement Definition and Usage</title>
2252
2253
<para>The <command>key</command> statement defines a shared
2254
secret key for use with TSIG (see <xref linkend="tsig"/>)
2255
or the command channel
2256
(see <xref linkend="controls_statement_definition_and_usage"/>).
2257
</para>
2258
2259
<para>
2260
The <command>key</command> statement can occur at the top level
2261
of the configuration file or inside a <command>view</command>
2262
statement. Keys defined in top-level <command>key</command>
2263
statements can be used in all views. Keys intended for use in
2264
a <command>controls</command> statement
2265
(see <xref linkend="controls_statement_definition_and_usage"/>)
2266
must be defined at the top level.
2267
</para>
2268
2269
<para>The <replaceable>key_id</replaceable>, also known as the
2270
key name, is a domain name uniquely identifying the key. It can
2271
be used in a <command>server</command>
2272
statement to cause requests sent to that
2273
server to be signed with this key, or in address match lists to
2274
verify that incoming requests have been signed with a key
2275
matching this name, algorithm, and secret.</para>
2276
2277
<para>The <replaceable>algorithm_id</replaceable> is a string
2278
that specifies a security/authentication algorithm. The only
2279
algorithm currently supported with TSIG authentication is
2280
<literal>hmac-md5</literal>. The
2281
<replaceable>secret_string</replaceable> is the secret to be
2282
used by the algorithm, and is treated as a base-64 encoded
2283
string.</para>
2284
2285
</sect2>
2286
<sect2>
2287
<title><command>logging</command> Statement Grammar</title>
2288
<programlisting><command>logging</command> {
3635
3636
</sect2>
3637
3638
<sect2>
3639
<title><command>key</command> Statement Definition and Usage</title>
3640
3641
<para>
3642
The <command>key</command> statement defines a shared
3643
secret key for use with TSIG (see <xref linkend="tsig"/>)
3644
or the command channel
3645
(see <xref linkend="controls_statement_definition_and_usage"/>).
3646
</para>
3647
3648
<para>
3649
The <command>key</command> statement can occur at the
3650
top level
3651
of the configuration file or inside a <command>view</command>
3652
statement. Keys defined in top-level <command>key</command>
3653
statements can be used in all views. Keys intended for use in
3654
a <command>controls</command> statement
3655
(see <xref linkend="controls_statement_definition_and_usage"/>)
3656
must be defined at the top level.
3657
</para>
3658
3659
<para>
3660
The <replaceable>key_id</replaceable>, also known as the
3661
key name, is a domain name uniquely identifying the key. It can
3662
be used in a <command>server</command>
3663
statement to cause requests sent to that
3664
server to be signed with this key, or in address match lists to
3665
verify that incoming requests have been signed with a key
3666
matching this name, algorithm, and secret.
3667
</para>
3668
3669
<para>
3670
The <replaceable>algorithm_id</replaceable> is a string
3671
that specifies a security/authentication algorithm. Named
3672
supports <literal>hmac-md5</literal>,
3673
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3674
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3675
and <literal>hmac-sha512</literal> TSIG authentication.
3676
Truncated hashes are supported by appending the minimum
3677
number of required bits preceded by a dash, e.g.
3678
<literal>hmac-sha1-80</literal>. The
3679
<replaceable>secret_string</replaceable> is the secret
3680
to be used by the algorithm, and is treated as a base-64
3681
encoded string.
3682
</para>
3683
3684
</sect2>
3685
<sect2>
3686
<title><command>logging</command> Statement Grammar</title>
3687
3688
<programlisting><command>logging</command> {
2289
3689
[ <command>channel</command> <replaceable>channel_name</replaceable> {
2290
3690
( <command>file</command> <replaceable>path name</replaceable>
2291
[ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
3691
[ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
2292
3692
[ <command>size</command> <replaceable>size spec</replaceable> ]
2293
3693
| <command>syslog</command> <replaceable>syslog_facility</replaceable>
2294
3694
| <command>stderr</command>
2300
3700
[ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
2301
3701
}; ]
2302
3702
[ <command>category</command> <replaceable>category_name</replaceable> {
2303
<replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
3703
<replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
2304
3704
}; ]
2305
3705
...
2306
3706
};
2307
3707
</programlisting>
2308
</sect2>
2309
2310
<sect2>
2311
<title><command>logging</command> Statement Definition and Usage</title>
2312
2313
<para>The <command>logging</command> statement configures a wide
2314
variety of logging options for the name server. Its <command>channel</command> phrase
2315
associates output methods, format options and severity levels with
2316
a name that can then be used with the <command>category</command> phrase
2317
to select how various classes of messages are logged.</para>
2318
<para>Only one <command>logging</command> statement is used to define
2319
as many channels and categories as are wanted. If there is no <command>logging</command> statement,
2320
the logging configuration will be:</para>
3708
3709
</sect2>
3710
3711
<sect2>
3712
<title><command>logging</command> Statement Definition and
3713
Usage</title>
3714
3715
<para>
3716
The <command>logging</command> statement configures a
3717
wide
3718
variety of logging options for the name server. Its <command>channel</command> phrase
3719
associates output methods, format options and severity levels with
3720
a name that can then be used with the <command>category</command> phrase
3721
to select how various classes of messages are logged.
3722
</para>
3723
<para>
3724
Only one <command>logging</command> statement is used to
3725
define
3726
as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3727
the logging configuration will be:
3728
</para>
2321
3729
2322
3730
<programlisting>logging {
2323
3731
category default { default_syslog; default_debug; };
2325
3733
};
2326
3734
</programlisting>
2327
3735
2328
<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
2329
the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
2330
established as soon as the <command>logging</command> statement
2331
was parsed. When the server is starting up, all logging messages
2332
regarding syntax errors in the configuration file go to the default
2333
channels, or to standard error if the "<option>-g</option>" option
2334
was specified.</para>
2335
2336
<sect3>
2337
<title>The <command>channel</command> Phrase</title>
2338
2339
<para>All log output goes to one or more <emphasis>channels</emphasis>;
2340
you can make as many of them as you want.</para>
2341
2342
<para>Every channel definition must include a destination clause that
2343
says whether messages selected for the channel go to a file, to a
2344
particular syslog facility, to the standard error stream, or are
2345
discarded. It can optionally also limit the message severity level
2346
that will be accepted by the channel (the default is
2347
<command>info</command>), and whether to include a
2348
<command>named</command>-generated time stamp, the category name
2349
and/or severity level (the default is not to include any).</para>
2350
2351
<para>The <command>null</command> destination clause
2352
causes all messages sent to the channel to be discarded;
2353
in that case, other options for the channel are meaningless.</para>
2354
2355
<para>The <command>file</command> destination clause directs the channel
2356
to a disk file. It can include limitations
2357
both on how large the file is allowed to become, and how many versions
2358
of the file will be saved each time the file is opened.</para>
2359
2360
<para>If you use the <command>versions</command> log file option, then
2361
<command>named</command> will retain that many backup versions of the file by
2362
renaming them when opening. For example, if you choose to keep 3 old versions
2363
of the file <filename>lamers.log</filename> then just before it is opened
2364
<filename>lamers.log.1</filename> is renamed to
2365
<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
2366
to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
2367
renamed to <filename>lamers.log.0</filename>.
2368
You can say <command>versions unlimited</command> to not limit
2369
the number of versions.
2370
If a <command>size</command> option is associated with the log file,
2371
then renaming is only done when the file being opened exceeds the
2372
indicated size. No backup versions are kept by default; any existing
2373
log file is simply appended.</para>
2374
2375
<para>The <command>size</command> option for files is used to limit log
2376
growth. If the file ever exceeds the size, then <command>named</command> will
2377
stop writing to the file unless it has a <command>versions</command> option
2378
associated with it. If backup versions are kept, the files are rolled as
2379
described above and a new one begun. If there is no
2380
<command>versions</command> option, no more data will be written to the log
2381
until some out-of-band mechanism removes or truncates the log to less than the
2382
maximum size. The default behavior is not to limit the size of the
2383
file.</para>
2384
2385
<para>Example usage of the <command>size</command> and
2386
<command>versions</command> options:</para>
3736
<para>
3737
In <acronym>BIND</acronym> 9, the logging configuration
3738
is only established when
3739
the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3740
established as soon as the <command>logging</command>
3741
statement
3742
was parsed. When the server is starting up, all logging messages
3743
regarding syntax errors in the configuration file go to the default
3744
channels, or to standard error if the "<option>-g</option>" option
3745
was specified.
3746
</para>
3747
3748
<sect3>
3749
<title>The <command>channel</command> Phrase</title>
3750
3751
<para>
3752
All log output goes to one or more <emphasis>channels</emphasis>;
3753
you can make as many of them as you want.
3754
</para>
3755
3756
<para>
3757
Every channel definition must include a destination clause that
3758
says whether messages selected for the channel go to a file, to a
3759
particular syslog facility, to the standard error stream, or are
3760
discarded. It can optionally also limit the message severity level
3761
that will be accepted by the channel (the default is
3762
<command>info</command>), and whether to include a
3763
<command>named</command>-generated time stamp, the
3764
category name
3765
and/or severity level (the default is not to include any).
3766
</para>
3767
3768
<para>
3769
The <command>null</command> destination clause
3770
causes all messages sent to the channel to be discarded;
3771
in that case, other options for the channel are meaningless.
3772
</para>
3773
3774
<para>
3775
The <command>file</command> destination clause directs
3776
the channel
3777
to a disk file. It can include limitations
3778
both on how large the file is allowed to become, and how many
3779
versions
3780
of the file will be saved each time the file is opened.
3781
</para>
3782
3783
<para>
3784
If you use the <command>versions</command> log file
3785
option, then
3786
<command>named</command> will retain that many backup
3787
versions of the file by
3788
renaming them when opening. For example, if you choose to keep
3789
three old versions
3790
of the file <filename>lamers.log</filename>, then just
3791
before it is opened
3792
<filename>lamers.log.1</filename> is renamed to
3793
<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3794
to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3795
renamed to <filename>lamers.log.0</filename>.
3796
You can say <command>versions unlimited</command> to
3797
not limit
3798
the number of versions.
3799
If a <command>size</command> option is associated with
3800
the log file,
3801
then renaming is only done when the file being opened exceeds the
3802
indicated size. No backup versions are kept by default; any
3803
existing
3804
log file is simply appended.
3805
</para>
3806
3807
<para>
3808
The <command>size</command> option for files is used
3809
to limit log
3810
growth. If the file ever exceeds the size, then <command>named</command> will
3811
stop writing to the file unless it has a <command>versions</command> option
3812
associated with it. If backup versions are kept, the files are
3813
rolled as
3814
described above and a new one begun. If there is no
3815
<command>versions</command> option, no more data will
3816
be written to the log
3817
until some out-of-band mechanism removes or truncates the log to
3818
less than the
3819
maximum size. The default behavior is not to limit the size of
3820
the
3821
file.
3822
</para>
3823
3824
<para>
3825
Example usage of the <command>size</command> and
3826
<command>versions</command> options:
3827
</para>
2387
3828
2388
3829
<programlisting>channel an_example_channel {
2389
3830
file "example.log" versions 3 size 20m;
2392
3833
};
2393
3834
</programlisting>
2394
3835
2395
<para>The <command>syslog</command> destination clause directs the
2396
channel to the system log. Its argument is a
2397
syslog facility as described in the <command>syslog</command> man
2398
page. Known facilities are <command>kern</command>, <command>user</command>,
2399
<command>mail</command>, <command>daemon</command>, <command>auth</command>,
2400
<command>syslog</command>, <command>lpr</command>, <command>news</command>,
2401
<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
2402
<command>ftp</command>, <command>local0</command>, <command>local1</command>,
2403
<command>local2</command>, <command>local3</command>, <command>local4</command>,
2404
<command>local5</command>, <command>local6</command> and
2405
<command>local7</command>, however not all facilities are supported on
2406
all operating systems.
2407
How <command>syslog</command> will handle messages sent to
2408
this facility is described in the <command>syslog.conf</command> man
2409
page. If you have a system which uses a very old version of <command>syslog</command> that
2410
only uses two arguments to the <command>openlog()</command> function,
2411
then this clause is silently ignored.</para>
2412
<para>The <command>severity</command> clause works like <command>syslog</command>'s
2413
"priorities", except that they can also be used if you are writing
2414
straight to a file rather than using <command>syslog</command>.
2415
Messages which are not at least of the severity level given will
2416
not be selected for the channel; messages of higher severity levels
2417
will be accepted.</para>
2418
<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
2419
will also determine what eventually passes through. For example,
2420
defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
2421
only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
2422
cause messages of severity <command>info</command> and <command>notice</command> to
2423
be dropped. If the situation were reversed, with <command>named</command> writing
2424
messages of only <command>warning</command> or higher, then <command>syslogd</command> would
2425
print all messages it received from the channel.</para>
2426
2427
<para>The <command>stderr</command> destination clause directs the
2428
channel to the server's standard error stream. This is intended for
2429
use when the server is running as a foreground process, for example
2430
when debugging a configuration.</para>
2431
2432
<para>The server can supply extensive debugging information when
2433
it is in debugging mode. If the server's global debug level is greater
2434
than zero, then debugging mode will be active. The global debug
2435
level is set either by starting the <command>named</command> server
2436
with the <option>-d</option> flag followed by a positive integer,
2437
or by running <command>rndc trace</command>.
2438
The global debug level
2439
can be set to zero, and debugging mode turned off, by running <command>ndc
3836
<para>
3837
The <command>syslog</command> destination clause
3838
directs the
3839
channel to the system log. Its argument is a
3840
syslog facility as described in the <command>syslog</command> man
3841
page. Known facilities are <command>kern</command>, <command>user</command>,
3842
<command>mail</command>, <command>daemon</command>, <command>auth</command>,
3843
<command>syslog</command>, <command>lpr</command>, <command>news</command>,
3844
<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3845
<command>ftp</command>, <command>local0</command>, <command>local1</command>,
3846
<command>local2</command>, <command>local3</command>, <command>local4</command>,
3847
<command>local5</command>, <command>local6</command> and
3848
<command>local7</command>, however not all facilities
3849
are supported on
3850
all operating systems.
3851
How <command>syslog</command> will handle messages
3852
sent to
3853
this facility is described in the <command>syslog.conf</command> man
3854
page. If you have a system which uses a very old version of <command>syslog</command> that
3855
only uses two arguments to the <command>openlog()</command> function,
3856
then this clause is silently ignored.
3857
</para>
3858
<para>
3859
The <command>severity</command> clause works like <command>syslog</command>'s
3860
"priorities", except that they can also be used if you are writing
3861
straight to a file rather than using <command>syslog</command>.
3862
Messages which are not at least of the severity level given will
3863
not be selected for the channel; messages of higher severity
3864
levels
3865
will be accepted.
3866
</para>
3867
<para>
3868
If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3869
will also determine what eventually passes through. For example,
3870
defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3871
only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3872
cause messages of severity <command>info</command> and
3873
<command>notice</command> to
3874
be dropped. If the situation were reversed, with <command>named</command> writing
3875
messages of only <command>warning</command> or higher,
3876
then <command>syslogd</command> would
3877
print all messages it received from the channel.
3878
</para>
3879
3880
<para>
3881
The <command>stderr</command> destination clause
3882
directs the
3883
channel to the server's standard error stream. This is intended
3884
for
3885
use when the server is running as a foreground process, for
3886
example
3887
when debugging a configuration.
3888
</para>
3889
3890
<para>
3891
The server can supply extensive debugging information when
3892
it is in debugging mode. If the server's global debug level is
3893
greater
3894
than zero, then debugging mode will be active. The global debug
3895
level is set either by starting the <command>named</command> server
3896
with the <option>-d</option> flag followed by a positive integer,
3897
or by running <command>rndc trace</command>.
3898
The global debug level
3899
can be set to zero, and debugging mode turned off, by running <command>rndc
2440
3900
notrace</command>. All debugging messages in the server have a debug
2441
level, and higher debug levels give more detailed output. Channels
2442
that specify a specific debug severity, for example:</para>
3901
level, and higher debug levels give more detailed output. Channels
3902
that specify a specific debug severity, for example:
3903
</para>
3904
2443
3905
<programlisting>channel specific_debug_level {
2444
3906
file "foo";
2445
3907
severity debug 3;
2446
3908
};
2447
3909
</programlisting>
2448
<para>will get debugging output of level 3 or less any time the
2449
server is in debugging mode, regardless of the global debugging
2450
level. Channels with <command>dynamic</command> severity use the
2451
server's global debug level to determine what messages to print.</para>
2452
<para>If <command>print-time</command> has been turned on, then
2453
the date and time will be logged. <command>print-time</command> may
2454
be specified for a <command>syslog</command> channel, but is usually
2455
pointless since <command>syslog</command> also prints the date and
2456
time. If <command>print-category</command> is requested, then the
2457
category of the message will be logged as well. Finally, if <command>print-severity</command> is
2458
on, then the severity level of the message will be logged. The <command>print-</command> options may
2459
be used in any combination, and will always be printed in the following
2460
order: time, category, severity. Here is an example where all three <command>print-</command> options
2461
are on:</para>
2462
2463
<para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
2464
2465
<para>There are four predefined channels that are used for
2466
<command>named</command>'s default logging as follows. How they are
2467
used is described in <xref linkend="the_category_phrase"/>.
2468
</para>
3910
3911
<para>
3912
will get debugging output of level 3 or less any time the
3913
server is in debugging mode, regardless of the global debugging
3914
level. Channels with <command>dynamic</command>
3915
severity use the
3916
server's global debug level to determine what messages to print.
3917
</para>
3918
<para>
3919
If <command>print-time</command> has been turned on,
3920
then
3921
the date and time will be logged. <command>print-time</command> may
3922
be specified for a <command>syslog</command> channel,
3923
but is usually
3924
pointless since <command>syslog</command> also prints
3925
the date and
3926
time. If <command>print-category</command> is
3927
requested, then the
3928
category of the message will be logged as well. Finally, if <command>print-severity</command> is
3929
on, then the severity level of the message will be logged. The <command>print-</command> options may
3930
be used in any combination, and will always be printed in the
3931
following
3932
order: time, category, severity. Here is an example where all
3933
three <command>print-</command> options
3934
are on:
3935
</para>
3936
3937
<para>
3938
<computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3939
</para>
3940
3941
<para>
3942
There are four predefined channels that are used for
3943
<command>named</command>'s default logging as follows.
3944
How they are
3945
used is described in <xref linkend="the_category_phrase"/>.
3946
</para>
2469
3947
2470
3948
<programlisting>channel default_syslog {
2471
3949
syslog daemon; // send to syslog's daemon
2497
3975
};
2498
3976
</programlisting>
2499
3977
2500
<para>The <command>default_debug</command> channel has the special
2501
property that it only produces output when the server's debug level is
2502
nonzero. It normally writes to a file <filename>named.run</filename>
2503
in the server's working directory.</para>
2504
2505
<para>For security reasons, when the "<option>-u</option>"
2506
command line option is used, the <filename>named.run</filename> file
2507
is created only after <command>named</command> has changed to the
2508
new UID, and any debug output generated while <command>named</command> is
2509
starting up and still running as root is discarded. If you need
2510
to capture this output, you must run the server with the "<option>-g</option>"
2511
option and redirect standard error to a file.</para>
2512
2513
<para>Once a channel is defined, it cannot be redefined. Thus you
2514
cannot alter the built-in channels directly, but you can modify
2515
the default logging by pointing categories at channels you have defined.</para>
2516
</sect3>
2517
2518
<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
2519
2520
<para>There are many categories, so you can send the logs you want
2521
to see wherever you want, without seeing logs you don't want. If
2522
you don't specify a list of channels for a category, then log messages
2523
in that category will be sent to the <command>default</command> category
2524
instead. If you don't specify a default category, the following
2525
"default default" is used:</para>
3978
<para>
3979
The <command>default_debug</command> channel has the
3980
special
3981
property that it only produces output when the server's debug
3982
level is
3983
nonzero. It normally writes to a file called <filename>named.run</filename>
3984
in the server's working directory.
3985
</para>
3986
3987
<para>
3988
For security reasons, when the "<option>-u</option>"
3989
command line option is used, the <filename>named.run</filename> file
3990
is created only after <command>named</command> has
3991
changed to the
3992
new UID, and any debug output generated while <command>named</command> is
3993
starting up and still running as root is discarded. If you need
3994
to capture this output, you must run the server with the "<option>-g</option>"
3995
option and redirect standard error to a file.
3996
</para>
3997
3998
<para>
3999
Once a channel is defined, it cannot be redefined. Thus you
4000
cannot alter the built-in channels directly, but you can modify
4001
the default logging by pointing categories at channels you have
4002
defined.
4003
</para>
4004
</sect3>
4005
4006
<sect3 id="the_category_phrase">
4007
<title>The <command>category</command> Phrase</title>
4008
4009
<para>
4010
There are many categories, so you can send the logs you want
4011
to see wherever you want, without seeing logs you don't want. If
4012
you don't specify a list of channels for a category, then log
4013
messages
4014
in that category will be sent to the <command>default</command> category
4015
instead. If you don't specify a default category, the following
4016
"default default" is used:
4017
</para>
4018
2526
4019
<programlisting>category default { default_syslog; default_debug; };
2527
4020
</programlisting>
2528
<para>As an example, let's say you want to log security events to
2529
a file, but you also want keep the default logging behavior. You'd
2530
specify the following:</para>
4021
4022
<para>
4023
As an example, let's say you want to log security events to
4024
a file, but you also want keep the default logging behavior. You'd
4025
specify the following:
4026
</para>
4027
2531
4028
<programlisting>channel my_security_channel {
2532
4029
file "my_security_file";
2533
4030
severity info;
2537
4034
default_syslog;
2538
4035
default_debug;
2539
4036
};</programlisting>
2540
<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
4037
4038
<para>
4039
To discard all messages in a category, specify the <command>null</command> channel:
4040
</para>
4041
2541
4042
<programlisting>category xfer-out { null; };
2542
4043
category notify { null; };
2543
4044
</programlisting>
2544
<para>Following are the available categories and brief descriptions
2545
of the types of log information they contain. More
2546
categories may be added in future <acronym>BIND</acronym> releases.</para>
2547
<informaltable
2548
colsep = "0" rowsep = "0"><tgroup cols = "2"
2549
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
2550
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
2551
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
2552
<tbody>
2553
<row rowsep = "0">
2554
<entry colname = "1"><para><command>default</command></para></entry>
2555
<entry colname = "2"><para>The default category defines the logging
2556
options for those categories where no specific configuration has been
2557
defined.</para></entry>
2558
</row>
2559
<row rowsep = "0">
2560
<entry colname = "1"><para><command>general</command></para></entry>
2561
<entry colname = "2"><para>The catch-all. Many things still aren't
2562
classified into categories, and they all end up here.</para></entry>
2563
</row>
2564
<row rowsep = "0">
2565
<entry colname = "1"><para><command>database</command></para></entry>
2566
<entry colname = "2"><para>Messages relating to the databases used
2567
internally by the name server to store zone and cache data.</para></entry>
2568
</row>
2569
<row rowsep = "0">
2570
<entry colname = "1"><para><command>security</command></para></entry>
2571
<entry colname = "2"><para>Approval and denial of requests.</para></entry>
2572
</row>
2573
<row rowsep = "0">
2574
<entry colname = "1"><para><command>config</command></para></entry>
2575
<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
2576
</row>
2577
<row rowsep = "0">
2578
<entry colname = "1"><para><command>resolver</command></para></entry>
2579
<entry colname = "2"><para>DNS resolution, such as the recursive
2580
lookups performed on behalf of clients by a caching name server.</para></entry>
2581
</row>
2582
<row rowsep = "0">
2583
<entry colname = "1"><para><command>xfer-in</command></para></entry>
2584
<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
2585
</row>
2586
<row rowsep = "0">
2587
<entry colname = "1"><para><command>xfer-out</command></para></entry>
2588
<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
2589
</row>
2590
<row rowsep = "0">
2591
<entry colname = "1"><para><command>notify</command></para></entry>
2592
<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
2593
</row>
2594
<row rowsep = "0">
2595
<entry colname = "1"><para><command>client</command></para></entry>
2596
<entry colname = "2"><para>Processing of client requests.</para></entry>
2597
</row>
2598
<row rowsep = "0">
2599
<entry colname = "1"><para><command>unmatched</command></para></entry>
2600
<entry colname = "2"><para>Messages that named was unable to determine the
2601
class of or for which there was no matching <command>view</command>.
2602
A one line summary is also logged to the <command>client</command> category.
2603
This category is best sent to a file or stderr, by default it is sent to
2604
the <command>null</command> channel.</para></entry>
2605
</row>
2606
<row rowsep = "0">
2607
<entry colname = "1"><para><command>network</command></para></entry>
2608
<entry colname = "2"><para>Network operations.</para></entry>
2609
</row>
2610
<row rowsep = "0">
2611
<entry colname = "1"><para><command>update</command></para></entry>
2612
<entry colname = "2"><para>Dynamic updates.</para></entry>
2613
</row>
2614
<row rowsep = "0">
2615
<entry colname = "1"><para><command>update-security</command></para></entry>
2616
<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
2617
</row>
2618
<row rowsep = "0">
2619
<entry colname = "1"><para><command>queries</command></para></entry>
2620
<entry colname = "2"><para>Specify where queries should be logged to.</para>
2621
<para>
2622
At startup, specifing the category <command>queries</command> will also
2623
enable query logging unless <command>querylog</command> option has been
2624
specified.
2625
</para>
2626
<para>
2627
The query log entry reports the client's IP address and port number. The
2628
query name, class and type. It also reports whether the Recursion Desired
2629
flag was set (+ if set, - if not set), EDNS was in use (E) or if the
2630
query was signed (S).</para>
2631
<para><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
2632
</para>
2633
<para><computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
2634
</para>
2635
</entry>
2636
</row>
2637
<row rowsep = "0">
2638
<entry colname = "1"><para><command>dispatch</command></para></entry>
2639
<entry colname = "2"><para>Dispatching of incoming packets to the
2640
server modules where they are to be processed.
2641
</para></entry>
2642
</row>
2643
<row rowsep = "0">
2644
<entry colname = "1"><para><command>dnssec</command></para></entry>
2645
<entry colname = "2"><para>DNSSEC and TSIG protocol processing.
2646
</para></entry>
2647
</row>
2648
<row rowsep = "0">
2649
<entry colname = "1"><para><command>lame-servers</command></para></entry>
2650
<entry colname = "2"><para>Lame servers. These are misconfigurations
2651
in remote servers, discovered by BIND 9 when trying to query
2652
those servers during resolution.
2653
</para></entry>
2654
</row>
2655
<row rowsep = "0">
2656
<entry colname = "1"><para><command>delegation-only</command></para></entry>
2657
<entry colname = "2"><para>Delegation only. Logs queries that have have
2658
been forced to NXDOMAIN as the result of a delegation-only zone or
2659
a <command>delegation-only</command> in a hint or stub zone declaration.
2660
</para></entry>
2661
</row>
2662
</tbody>
2663
</tgroup></informaltable>
2664
</sect3>
2665
</sect2>
2666
2667
<sect2>
2668
<title><command>lwres</command> Statement Grammar</title>
2669
2670
<para> This is the grammar of the <command>lwres</command>
2671
statement in the <filename>named.conf</filename> file:</para>
4045
4046
<para>
4047
Following are the available categories and brief descriptions
4048
of the types of log information they contain. More
4049
categories may be added in future <acronym>BIND</acronym> releases.
4050
</para>
4051
<informaltable colsep="0" rowsep="0">
4052
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4053
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4054
<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4055
<tbody>
4056
<row rowsep="0">
4057
<entry colname="1">
4058
<para><command>default</command></para>
4059
</entry>
4060
<entry colname="2">
4061
<para>
4062
The default category defines the logging
4063
options for those categories where no specific
4064
configuration has been
4065
defined.
4066
</para>
4067
</entry>
4068
</row>
4069
<row rowsep="0">
4070
<entry colname="1">
4071
<para><command>general</command></para>
4072
</entry>
4073
<entry colname="2">
4074
<para>
4075
The catch-all. Many things still aren't
4076
classified into categories, and they all end up here.
4077
</para>
4078
</entry>
4079
</row>
4080
<row rowsep="0">
4081
<entry colname="1">
4082
<para><command>database</command></para>
4083
</entry>
4084
<entry colname="2">
4085
<para>
4086
Messages relating to the databases used
4087
internally by the name server to store zone and cache
4088
data.
4089
</para>
4090
</entry>
4091
</row>
4092
<row rowsep="0">
4093
<entry colname="1">
4094
<para><command>security</command></para>
4095
</entry>
4096
<entry colname="2">
4097
<para>
4098
Approval and denial of requests.
4099
</para>
4100
</entry>
4101
</row>
4102
<row rowsep="0">
4103
<entry colname="1">
4104
<para><command>config</command></para>
4105
</entry>
4106
<entry colname="2">
4107
<para>
4108
Configuration file parsing and processing.
4109
</para>
4110
</entry>
4111
</row>
4112
<row rowsep="0">
4113
<entry colname="1">
4114
<para><command>resolver</command></para>
4115
</entry>
4116
<entry colname="2">
4117
<para>
4118
DNS resolution, such as the recursive
4119
lookups performed on behalf of clients by a caching name
4120
server.
4121
</para>
4122
</entry>
4123
</row>
4124
<row rowsep="0">
4125
<entry colname="1">
4126
<para><command>xfer-in</command></para>
4127
</entry>
4128
<entry colname="2">
4129
<para>
4130
Zone transfers the server is receiving.
4131
</para>
4132
</entry>
4133
</row>
4134
<row rowsep="0">
4135
<entry colname="1">
4136
<para><command>xfer-out</command></para>
4137
</entry>
4138
<entry colname="2">
4139
<para>
4140
Zone transfers the server is sending.
4141
</para>
4142
</entry>
4143
</row>
4144
<row rowsep="0">
4145
<entry colname="1">
4146
<para><command>notify</command></para>
4147
</entry>
4148
<entry colname="2">
4149
<para>
4150
The NOTIFY protocol.
4151
</para>
4152
</entry>
4153
</row>
4154
<row rowsep="0">
4155
<entry colname="1">
4156
<para><command>client</command></para>
4157
</entry>
4158
<entry colname="2">
4159
<para>
4160
Processing of client requests.
4161
</para>
4162
</entry>
4163
</row>
4164
<row rowsep="0">
4165
<entry colname="1">
4166
<para><command>unmatched</command></para>
4167
</entry>
4168
<entry colname="2">
4169
<para>
4170
Messages that named was unable to determine the
4171
class of or for which there was no matching <command>view</command>.
4172
A one line summary is also logged to the <command>client</command> category.
4173
This category is best sent to a file or stderr, by
4174
default it is sent to
4175
the <command>null</command> channel.
4176
</para>
4177
</entry>
4178
</row>
4179
<row rowsep="0">
4180
<entry colname="1">
4181
<para><command>network</command></para>
4182
</entry>
4183
<entry colname="2">
4184
<para>
4185
Network operations.
4186
</para>
4187
</entry>
4188
</row>
4189
<row rowsep="0">
4190
<entry colname="1">
4191
<para><command>update</command></para>
4192
</entry>
4193
<entry colname="2">
4194
<para>
4195
Dynamic updates.
4196
</para>
4197
</entry>
4198
</row>
4199
<row rowsep="0">
4200
<entry colname="1">
4201
<para><command>update-security</command></para>
4202
</entry>
4203
<entry colname="2">
4204
<para>
4205
Approval and denial of update requests.
4206
</para>
4207
</entry>
4208
</row>
4209
<row rowsep="0">
4210
<entry colname="1">
4211
<para><command>queries</command></para>
4212
</entry>
4213
<entry colname="2">
4214
<para>
4215
Specify where queries should be logged to.
4216
</para>
4217
<para>
4218
At startup, specifying the category <command>queries</command> will also
4219
enable query logging unless <command>querylog</command> option has been
4220
specified.
4221
</para>
4222
4223
<para>
4224
The query log entry reports the client's IP
4225
address and port number, and the query name,
4226
class and type. It also reports whether the
4227
Recursion Desired flag was set (+ if set, -
4228
if not set), if the query was signed (S),
4229
EDNS was in use (E), if DO (DNSSEC Ok) was
4230
set (D), or if CD (Checking Disabled) was set
4231
(C).
4232
</para>
4233
4234
<para>
4235
<computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4236
</para>
4237
<para>
4238
<computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4239
</para>
4240
</entry>
4241
</row>
4242
<row rowsep="0">
4243
<entry colname="1">
4244
<para><command>dispatch</command></para>
4245
</entry>
4246
<entry colname="2">
4247
<para>
4248
Dispatching of incoming packets to the
4249
server modules where they are to be processed.
4250
</para>
4251
</entry>
4252
</row>
4253
<row rowsep="0">
4254
<entry colname="1">
4255
<para><command>dnssec</command></para>
4256
</entry>
4257
<entry colname="2">
4258
<para>
4259
DNSSEC and TSIG protocol processing.
4260
</para>
4261
</entry>
4262
</row>
4263
<row rowsep="0">
4264
<entry colname="1">
4265
<para><command>lame-servers</command></para>
4266
</entry>
4267
<entry colname="2">
4268
<para>
4269
Lame servers. These are misconfigurations
4270
in remote servers, discovered by BIND 9 when trying to
4271
query
4272
those servers during resolution.
4273
</para>
4274
</entry>
4275
</row>
4276
<row rowsep="0">
4277
<entry colname="1">
4278
<para><command>delegation-only</command></para>
4279
</entry>
4280
<entry colname="2">
4281
<para>
4282
Delegation only. Logs queries that have have
4283
been forced to NXDOMAIN as the result of a
4284
delegation-only zone or
4285
a <command>delegation-only</command> in a
4286
hint or stub zone declaration.
4287
</para>
4288
</entry>
4289
</row>
4290
<row rowsep="0">
4291
<entry colname="1">
4292
<para><command>edns-disabled</command></para>
4293
</entry>
4294
<entry colname="2">
4295
<para>
4296
Log queries that have been forced to use plain
4297
DNS due to timeouts. This is often due to
4298
the remote servers not being RFC 1034 compliant
4299
(not always returning FORMERR or similar to
4300
EDNS queries and other extensions to the DNS
4301
when they are not understood). In other words, this is
4302
targeted at servers that fail to respond to
4303
DNS queries that they don't understand.
4304
</para>
4305
<para>
4306
Note: the log message can also be due to
4307
packet loss. Before reporting servers for
4308
non-RFC 1034 compliance they should be re-tested
4309
to determine the nature of the non-compliance.
4310
This testing should prevent or reduce the
4311
number of false-positive reports.
4312
</para>
4313
<para>
4314
Note: eventually named will have to stop
4315
treating such timeouts as due to RFC 1034 non
4316
compliance and start treating it as plain
4317
packet loss. Falsely classifying packet
4318
loss as due to RFC 1034 non compliance impacts
4319
on DNSSEC validation which requires EDNS for
4320
the DNSSEC records to be returned.
4321
</para>
4322
</entry>
4323
</row>
4324
</tbody>
4325
</tgroup>
4326
</informaltable>
4327
</sect3>
4328
</sect2>
4329
4330
<sect2>
4331
<title><command>lwres</command> Statement Grammar</title>
4332
4333
<para>
4334
This is the grammar of the <command>lwres</command>
4335
statement in the <filename>named.conf</filename> file:
4336
</para>
2672
4337
2673
4338
<programlisting><command>lwres</command> {
2674
4339
<optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
2678
4343
};
2679
4344
</programlisting>
2680
4345
2681
</sect2>
2682
<sect2>
2683
<title><command>lwres</command> Statement Definition and Usage</title>
2684
2685
<para>The <command>lwres</command> statement configures the name
2686
server to also act as a lightweight resolver server, see
2687
<xref linkend="lwresd"/>. There may be be multiple
2688
<command>lwres</command> statements configuring
2689
lightweight resolver servers with different properties.</para>
2690
2691
<para>The <command>listen-on</command> statement specifies a list of
2692
addresses (and ports) that this instance of a lightweight resolver daemon
2693
should accept requests on. If no port is specified, port 921 is used.
2694
If this statement is omitted, requests will be accepted on 127.0.0.1,
2695
port 921.</para>
2696
2697
<para>The <command>view</command> statement binds this instance of a
2698
lightweight resolver daemon to a view in the DNS namespace, so that the
2699
response will be constructed in the same manner as a normal DNS query
2700
matching this view. If this statement is omitted, the default view is
2701
used, and if there is no default view, an error is triggered.</para>
2702
2703
<para>The <command>search</command> statement is equivalent to the
2704
<command>search</command> statement in
2705
<filename>/etc/resolv.conf</filename>. It provides a list of domains
2706
which are appended to relative names in queries.</para>
2707
2708
<para>The <command>ndots</command> statement is equivalent to the
2709
<command>ndots</command> statement in
2710
<filename>/etc/resolv.conf</filename>. It indicates the minimum
2711
number of dots in a relative domain name that should result in an
2712
exact match lookup before search path elements are appended.</para>
2713
</sect2>
2714
<sect2>
2715
<title><command>masters</command> Statement Grammar</title>
4346
</sect2>
4347
<sect2>
4348
<title><command>lwres</command> Statement Definition and Usage</title>
4349
4350
<para>
4351
The <command>lwres</command> statement configures the
4352
name
4353
server to also act as a lightweight resolver server. (See
4354
<xref linkend="lwresd"/>.) There may be multiple
4355
<command>lwres</command> statements configuring
4356
lightweight resolver servers with different properties.
4357
</para>
4358
4359
<para>
4360
The <command>listen-on</command> statement specifies a
4361
list of
4362
addresses (and ports) that this instance of a lightweight resolver
4363
daemon
4364
should accept requests on. If no port is specified, port 921 is
4365
used.
4366
If this statement is omitted, requests will be accepted on
4367
127.0.0.1,
4368
port 921.
4369
</para>
4370
4371
<para>
4372
The <command>view</command> statement binds this
4373
instance of a
4374
lightweight resolver daemon to a view in the DNS namespace, so that
4375
the
4376
response will be constructed in the same manner as a normal DNS
4377
query
4378
matching this view. If this statement is omitted, the default view
4379
is
4380
used, and if there is no default view, an error is triggered.
4381
</para>
4382
4383
<para>
4384
The <command>search</command> statement is equivalent to
4385
the
4386
<command>search</command> statement in
4387
<filename>/etc/resolv.conf</filename>. It provides a
4388
list of domains
4389
which are appended to relative names in queries.
4390
</para>
4391
4392
<para>
4393
The <command>ndots</command> statement is equivalent to
4394
the
4395
<command>ndots</command> statement in
4396
<filename>/etc/resolv.conf</filename>. It indicates the
4397
minimum
4398
number of dots in a relative domain name that should result in an
4399
exact match lookup before search path elements are appended.
4400
</para>
4401
</sect2>
4402
<sect2>
4403
<title><command>masters</command> Statement Grammar</title>
4404
2716
4405
<programlisting>
2717
<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ;
4406
<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
2718
4407
</programlisting>
2719
</sect2>
2720
<sect2>
2721
<title><command>masters</command> Statement Definition and Usage </title>
2722
<para><command>masters</command> lists allow for a common set of masters
2723
to be easily used by multiple stub and slave zones.</para>
2724
</sect2>
2725
<sect2>
2726
<title><command>options</command> Statement Grammar</title>
2727
2728
<para>This is the grammar of the <command>options</command>
2729
statement in the <filename>named.conf</filename> file:</para>
2730
2731
<programlisting>options {
4408
4409
</sect2>
4410
4411
<sect2>
4412
<title><command>masters</command> Statement Definition and
4413
Usage</title>
4414
<para><command>masters</command>
4415
lists allow for a common set of masters to be easily used by
4416
multiple stub and slave zones.
4417
</para>
4418
</sect2>
4419
4420
<sect2>
4421
<title><command>options</command> Statement Grammar</title>
4422
4423
<para>
4424
This is the grammar of the <command>options</command>
4425
statement in the <filename>named.conf</filename> file:
4426
</para>
4427
4428
<programlisting><command>options</command> {
2732
4429
<optional> version <replaceable>version_string</replaceable>; </optional>
2733
4430
<optional> hostname <replaceable>hostname_string</replaceable>; </optional>
2734
4431
<optional> server-id <replaceable>server_id_string</replaceable>; </optional>
2735
4432
<optional> directory <replaceable>path_name</replaceable>; </optional>
2736
4433
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
2737
4434
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4435
<optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
2738
4436
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
2739
4437
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4438
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
2740
4439
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
4440
<optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
2741
4441
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
2742
4442
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
4443
<optional> recursing-file <replaceable>path_name</replaceable>; </optional>
2743
4444
<optional> statistics-file <replaceable>path_name</replaceable>; </optional>
2744
4445
<optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
2745
4446
<optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
2753
4454
<optional> host-statistics-max <replaceable>number</replaceable>; </optional>
2754
4455
<optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
2755
4456
<optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
2756
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
4457
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
2757
4458
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
2758
4459
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
2759
4460
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
2760
4461
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
2761
4462
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4463
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
2762
4464
<optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
2763
4465
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4466
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
2764
4467
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
2765
4468
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
2766
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
2767
<optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4469
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4470
( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4471
<replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4472
... }; </optional>
4473
<optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4474
( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4475
<optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4476
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4477
<optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4478
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4479
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4480
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
2768
4481
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
2769
4482
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4483
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
4484
<optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4485
<optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
2770
4486
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
2771
4487
<optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4488
<optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
4489
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
2772
4490
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4491
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4492
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
2773
4493
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
2774
4494
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
2775
4495
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
2776
4496
<optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
2777
4497
<optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
2778
4498
<optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
2779
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
2780
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
4499
<optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4500
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4501
<optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4502
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4503
<optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4504
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4505
<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4506
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4507
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
4508
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
4509
<optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
2781
4510
<optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
2782
4511
<optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
2783
4512
<optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
2784
4513
<optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
2785
4514
<optional> tcp-clients <replaceable>number</replaceable>; </optional>
4515
<optional> reserved-sockets <replaceable>number</replaceable>; </optional>
2786
4516
<optional> recursive-clients <replaceable>number</replaceable>; </optional>
2787
4517
<optional> serial-query-rate <replaceable>number</replaceable>; </optional>
2788
4518
<optional> serial-queries <replaceable>number</replaceable>; </optional>
2796
4526
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
2797
4527
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
2798
4528
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4529
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
2799
4530
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
2800
4531
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4532
<optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
2801
4533
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
2802
4534
<optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
2803
4535
<optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
2833
4565
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
2834
4566
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
2835
4567
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4568
<optional> max-udp-size <replaceable>number</replaceable>; </optional>
2836
4569
<optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
2837
4570
<optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
2838
4571
<optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4572
<optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4573
<optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4574
<optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4575
<optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4576
<optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4577
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4578
<optional> empty-server <replaceable>name</replaceable> ; </optional>
4579
<optional> empty-contact <replaceable>name</replaceable> ; </optional>
4580
<optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4581
<optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4582
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4583
<optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
2839
4584
};
2840
4585
</programlisting>
2841
</sect2>
2842
2843
<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
2844
2845
<para>The <command>options</command> statement sets up global options
2846
to be used by <acronym>BIND</acronym>. This statement may appear only
2847
once in a configuration file. If there is no <command>options</command>
2848
statement, an options block with each option set to its default will
2849
be used.</para>
2850
2851
<variablelist>
2852
2853
<varlistentry><term><command>directory</command></term>
2854
<listitem><para>The working directory of the server.
2855
Any non-absolute pathnames in the configuration file will be taken
2856
as relative to this directory. The default location for most server
2857
output files (e.g. <filename>named.run</filename>) is this directory.
2858
If a directory is not specified, the working directory defaults
2859
to `<filename>.</filename>', the directory from which the server
2860
was started. The directory specified should be an absolute path.</para>
2861
</listitem></varlistentry>
2862
2863
<varlistentry><term><command>key-directory</command></term>
2864
<listitem><para>When performing dynamic update of secure zones, the
2865
directory where the public and private key files should be found,
2866
if different than the current working directory. The directory specified
2867
must be an absolute path.</para>
2868
</listitem></varlistentry>
2869
2870
<varlistentry><term><command>named-xfer</command></term>
2871
<listitem><para><emphasis>This option is obsolete.</emphasis>
2872
It was used in <acronym>BIND</acronym> 8 to
2873
specify the pathname to the <command>named-xfer</command> program.
2874
In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
2875
needed; its functionality is built into the name server.</para>
2876
2877
</listitem></varlistentry>
2878
2879
<varlistentry><term><command>tkey-domain</command></term>
2880
<listitem><para>The domain appended to the names of all
2881
shared keys generated with <command>TKEY</command>. When a client
2882
requests a <command>TKEY</command> exchange, it may or may not specify
2883
the desired name for the key. If present, the name of the shared
2884
key will be "<varname>client specified part</varname>" +
2885
"<varname>tkey-domain</varname>".
2886
Otherwise, the name of the shared key will be "<varname>random hex
2887
digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
2888
the <command>domainname</command> should be the server's domain
2889
name.</para>
2890
</listitem></varlistentry>
2891
2892
<varlistentry><term><command>tkey-dhkey</command></term>
2893
<listitem><para>The Diffie-Hellman key used by the server
2894
to generate shared keys with clients using the Diffie-Hellman mode
2895
of <command>TKEY</command>. The server must be able to load the
2896
public and private keys from files in the working directory. In
2897
most cases, the keyname should be the server's host name.</para>
2898
</listitem></varlistentry>
2899
2900
<varlistentry><term><command>dump-file</command></term>
2901
<listitem><para>The pathname of the file the server dumps
2902
the database to when instructed to do so with
2903
<command>rndc dumpdb</command>.
2904
If not specified, the default is <filename>named_dump.db</filename>.</para>
2905
</listitem></varlistentry>
2906
<varlistentry><term><command>memstatistics-file</command></term>
2907
<listitem><para>The pathname of the file the server writes memory
2908
usage statistics to on exit. If not specified,
2909
the default is <filename>named.memstats</filename>.</para>
2910
</listitem></varlistentry>
2911
2912
<varlistentry><term><command>pid-file</command></term>
2913
<listitem><para>The pathname of the file the server writes its process ID
2914
in. If not specified, the default is <filename>/var/run/named.pid</filename>.
2915
The pid-file is used by programs that want to send signals to the running
2916
name server. Specifying <command>pid-file none</command> disables the
2917
use of a PID file — no file will be written and any
2918
existing one will be removed. Note that <command>none</command>
2919
is a keyword, not a file name, and therefore is not enclosed in
2920
double quotes.</para>
2921
</listitem></varlistentry>
2922
2923
<varlistentry><term><command>statistics-file</command></term>
2924
<listitem><para>The pathname of the file the server appends statistics
2925
to when instructed to do so using <command>rndc stats</command>.
2926
If not specified, the default is <filename>named.stats</filename> in the
2927
server's current directory. The format of the file is described
2928
in <xref linkend="statsfile"/></para>
2929
</listitem></varlistentry>
2930
2931
<varlistentry><term><command>port</command></term>
2932
<listitem><para>
2933
The UDP/TCP port number the server uses for
2934
receiving and sending DNS protocol traffic.
2935
The default is 53. This option is mainly intended for server testing;
2936
a server using a port other than 53 will not be able to communicate with
2937
the global DNS.
2938
</para>
2939
</listitem></varlistentry>
2940
2941
<varlistentry><term><command>random-device</command></term>
2942
<listitem><para>
2943
The source of entropy to be used by the server. Entropy is primarily needed
2944
for DNSSEC operations, such as TKEY transactions and dynamic update of signed
2945
zones. This options specifies the device (or file) from which to read
2946
entropy. If this is a file, operations requiring entropy will fail when the
2947
file has been exhausted. If not specified, the default value is
2948
<filename>/dev/random</filename>
2949
(or equivalent) when present, and none otherwise. The
2950
<command>random-device</command> option takes effect during
2951
the initial configuration load at server startup time and
2952
is ignored on subsequent reloads.</para>
2953
</listitem></varlistentry>
2954
2955
<varlistentry><term><command>preferred-glue</command></term>
2956
<listitem><para>
2957
If specified the listed type (A or AAAA) will be emitted before other glue
2958
in the additional section of a query response.
2959
The default is not to preference any type (NONE).
2960
</para>
2961
</listitem></varlistentry>
2962
2963
<varlistentry><term><command>root-delegation-only</command></term>
2964
<listitem><para>
2965
Turn on enforcement of delegation-only in TLDs and root zones with an optional
2966
exclude list.
2967
</para>
2968
<para>
2969
Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
2970
</para>
4586
4587
</sect2>
4588
4589
<sect2 id="options">
4590
<title><command>options</command> Statement Definition and
4591
Usage</title>
4592
4593
<para>
4594
The <command>options</command> statement sets up global
4595
options
4596
to be used by <acronym>BIND</acronym>. This statement
4597
may appear only
4598
once in a configuration file. If there is no <command>options</command>
4599
statement, an options block with each option set to its default will
4600
be used.
4601
</para>
4602
4603
<variablelist>
4604
4605
<varlistentry>
4606
<term><command>directory</command></term>
4607
<listitem>
4608
<para>
4609
The working directory of the server.
4610
Any non-absolute pathnames in the configuration file will be
4611
taken
4612
as relative to this directory. The default location for most
4613
server
4614
output files (e.g. <filename>named.run</filename>)
4615
is this directory.
4616
If a directory is not specified, the working directory
4617
defaults to `<filename>.</filename>', the directory from
4618
which the server
4619
was started. The directory specified should be an absolute
4620
path.
4621
</para>
4622
</listitem>
4623
</varlistentry>
4624
4625
<varlistentry>
4626
<term><command>key-directory</command></term>
4627
<listitem>
4628
<para>
4629
When performing dynamic update of secure zones, the
4630
directory where the public and private key files should be
4631
found,
4632
if different than the current working directory. The
4633
directory specified
4634
must be an absolute path.
4635
</para>
4636
</listitem>
4637
</varlistentry>
4638
4639
<varlistentry>
4640
<term><command>named-xfer</command></term>
4641
<listitem>
4642
<para>
4643
<emphasis>This option is obsolete.</emphasis> It
4644
was used in <acronym>BIND</acronym> 8 to specify
4645
the pathname to the <command>named-xfer</command>
4646
program. In <acronym>BIND</acronym> 9, no separate
4647
<command>named-xfer</command> program is needed;
4648
its functionality is built into the name server.
4649
</para>
4650
</listitem>
4651
</varlistentry>
4652
4653
<varlistentry>
4654
<term><command>tkey-gssapi-credential</command></term>
4655
<listitem>
4656
<para>
4657
The security credential with which the server should
4658
authenticate keys requested by the GSS-TSIG protocol.
4659
Currently only Kerberos 5 authentication is available
4660
and the credential is a Kerberos principal which
4661
the server can acquire through the default system
4662
key file, normally <filename>/etc/krb5.keytab</filename>.
4663
Normally this principal is of the form
4664
"<userinput>dns/</userinput><varname>server.domain</varname>".
4665
To use GSS-TSIG, <command>tkey-domain</command>
4666
must also be set.
4667
</para>
4668
</listitem>
4669
</varlistentry>
4670
4671
<varlistentry>
4672
<term><command>tkey-domain</command></term>
4673
<listitem>
4674
<para>
4675
The domain appended to the names of all shared keys
4676
generated with <command>TKEY</command>. When a
4677
client requests a <command>TKEY</command> exchange,
4678
it may or may not specify the desired name for the
4679
key. If present, the name of the shared key will
4680
will be <varname>client specified part</varname> +
4681
<varname>tkey-domain</varname>. Otherwise, the
4682
name of the shared key will be <varname>random hex
4683
digits</varname> + <varname>tkey-domain</varname>.
4684
In most cases, the <command>domainname</command>
4685
should be the server's domain name, or an otherwise
4686
non-existent subdomain like
4687
"_tkey.<varname>domainname</varname>". If you are
4688
using GSS-TSIG, this variable must be defined.
4689
</para>
4690
</listitem>
4691
</varlistentry>
4692
4693
<varlistentry>
4694
<term><command>tkey-dhkey</command></term>
4695
<listitem>
4696
<para>
4697
The Diffie-Hellman key used by the server
4698
to generate shared keys with clients using the Diffie-Hellman
4699
mode
4700
of <command>TKEY</command>. The server must be
4701
able to load the
4702
public and private keys from files in the working directory.
4703
In
4704
most cases, the keyname should be the server's host name.
4705
</para>
4706
</listitem>
4707
</varlistentry>
4708
4709
<varlistentry>
4710
<term><command>cache-file</command></term>
4711
<listitem>
4712
<para>
4713
This is for testing only. Do not use.
4714
</para>
4715
</listitem>
4716
</varlistentry>
4717
4718
<varlistentry>
4719
<term><command>dump-file</command></term>
4720
<listitem>
4721
<para>
4722
The pathname of the file the server dumps
4723
the database to when instructed to do so with
4724
<command>rndc dumpdb</command>.
4725
If not specified, the default is <filename>named_dump.db</filename>.
4726
</para>
4727
</listitem>
4728
</varlistentry>
4729
4730
<varlistentry>
4731
<term><command>memstatistics-file</command></term>
4732
<listitem>
4733
<para>
4734
The pathname of the file the server writes memory
4735
usage statistics to on exit. If not specified,
4736
the default is <filename>named.memstats</filename>.
4737
</para>
4738
</listitem>
4739
</varlistentry>
4740
4741
<varlistentry>
4742
<term><command>pid-file</command></term>
4743
<listitem>
4744
<para>
4745
The pathname of the file the server writes its process ID
4746
in. If not specified, the default is <filename>/var/run/named.pid</filename>.
4747
The pid-file is used by programs that want to send signals to
4748
the running
4749
name server. Specifying <command>pid-file none</command> disables the
4750
use of a PID file — no file will be written and any
4751
existing one will be removed. Note that <command>none</command>
4752
is a keyword, not a filename, and therefore is not enclosed
4753
in
4754
double quotes.
4755
</para>
4756
</listitem>
4757
</varlistentry>
4758
4759
<varlistentry>
4760
<term><command>recursing-file</command></term>
4761
<listitem>
4762
<para>
4763
The pathname of the file the server dumps
4764
the queries that are currently recursing when instructed
4765
to do so with <command>rndc recursing</command>.
4766
If not specified, the default is <filename>named.recursing</filename>.
4767
</para>
4768
</listitem>
4769
</varlistentry>
4770
4771
<varlistentry>
4772
<term><command>statistics-file</command></term>
4773
<listitem>
4774
<para>
4775
The pathname of the file the server appends statistics
4776
to when instructed to do so using <command>rndc stats</command>.
4777
If not specified, the default is <filename>named.stats</filename> in the
4778
server's current directory. The format of the file is
4779
described
4780
in <xref linkend="statsfile"/>.
4781
</para>
4782
</listitem>
4783
</varlistentry>
4784
4785
<varlistentry>
4786
<term><command>port</command></term>
4787
<listitem>
4788
<para>
4789
The UDP/TCP port number the server uses for
4790
receiving and sending DNS protocol traffic.
4791
The default is 53. This option is mainly intended for server
4792
testing;
4793
a server using a port other than 53 will not be able to
4794
communicate with
4795
the global DNS.
4796
</para>
4797
</listitem>
4798
</varlistentry>
4799
4800
<varlistentry>
4801
<term><command>random-device</command></term>
4802
<listitem>
4803
<para>
4804
The source of entropy to be used by the server. Entropy is
4805
primarily needed
4806
for DNSSEC operations, such as TKEY transactions and dynamic
4807
update of signed
4808
zones. This options specifies the device (or file) from which
4809
to read
4810
entropy. If this is a file, operations requiring entropy will
4811
fail when the
4812
file has been exhausted. If not specified, the default value
4813
is
4814
<filename>/dev/random</filename>
4815
(or equivalent) when present, and none otherwise. The
4816
<command>random-device</command> option takes
4817
effect during
4818
the initial configuration load at server startup time and
4819
is ignored on subsequent reloads.
4820
</para>
4821
</listitem>
4822
</varlistentry>
4823
4824
<varlistentry>
4825
<term><command>preferred-glue</command></term>
4826
<listitem>
4827
<para>
4828
If specified, the listed type (A or AAAA) will be emitted
4829
before other glue
4830
in the additional section of a query response.
4831
The default is not to prefer any type (NONE).
4832
</para>
4833
</listitem>
4834
</varlistentry>
4835
4836
<varlistentry>
4837
<term><command>root-delegation-only</command></term>
4838
<listitem>
4839
<para>
4840
Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
4841
with an optional
4842
exclude list.
4843
</para>
4844
<para>
4845
Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
4846
and "MUSEUM").
4847
</para>
4848
2971
4849
<programlisting>
2972
4850
options {
2973
4851
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
2974
4852
};
2975
4853
</programlisting>
2976
</listitem></varlistentry>
2977
2978
<varlistentry><term><command>disable-algorithms</command></term>
2979
<listitem><para>
2980
Disable the specified DNSSEC algorithms at and below the specified name.
2981
Multiple <command>disable-algorithms</command> statements are allowed.
2982
Only the most specific will be applied.
2983
</para></listitem></varlistentry>
2984
2985
<varlistentry><term><command>dnssec-lookaside</command></term>
2986
<listitem><para>
2987
When set <command>dnssec-lookaside</command> provides the
2988
validator with an alternate method to validate DNSKEY records at the
2989
top of a zone. When a DNSKEY is at or below a domain specified by the
2990
deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
2991
has left the key untrusted, the trust-anchor will be append to the key
2992
name and a DLV record will be looked up to see if it can validate the
2993
key. If the DLV record validates a DNSKEY (similarly to the way a DS
2994
record does) the DNSKEY RRset is deemed to be trusted.
2995
</para></listitem></varlistentry>
2996
2997
<varlistentry><term><command>dnssec-must-be-secure</command></term>
2998
<listitem><para>
2999
Specify heirarchies which must / may not be secure (signed and validated).
3000
If <userinput>yes</userinput> then named will only accept answers if they
3001
are secure.
3002
If <userinput>no</userinput> then normal dnssec validation applies
3003
allowing for insecure answers to be accepted.
3004
The specified domain must be under a <command>trusted-key</command> or
3005
<command>dnssec-lookaside</command> must be active.
3006
</para></listitem></varlistentry>
3007
3008
</variablelist>
3009
3010
<sect3 id="boolean_options"><title>Boolean Options</title>
3011
3012
<variablelist>
3013
3014
<varlistentry><term><command>auth-nxdomain</command></term>
3015
<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
3016
is always set on NXDOMAIN responses, even if the server is not actually
3017
authoritative. The default is <userinput>no</userinput>; this is
3018
a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
3019
may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
3020
3021
<varlistentry><term><command>deallocate-on-exit</command></term>
3022
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
3023
for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
3024
the checks.</para></listitem></varlistentry>
3025
3026
<varlistentry><term><command>dialup</command></term>
3027
<listitem><para>If <userinput>yes</userinput>, then the
3028
server treats all zones as if they are doing zone transfers across
3029
a dial on demand dialup link, which can be brought up by traffic
3030
originating from this server. This has different effects according
3031
to zone type and concentrates the zone maintenance so that it all
3032
happens in a short interval, once every <command>heartbeat-interval</command> and
3033
hopefully during the one call. It also suppresses some of the normal
3034
zone maintenance traffic. The default is <userinput>no</userinput>.</para>
3035
<para>The <command>dialup</command> option
3036
may also be specified in the <command>view</command> and
3037
<command>zone</command> statements,
3038
in which case it overrides the global <command>dialup</command>
3039
option.</para>
3040
<para>If the zone is a master zone then the server will send out a NOTIFY
3041
request to all the slaves (default). This should trigger the zone serial
3042
number check in the slave (providing it supports NOTIFY) allowing the slave
3043
to verify the zone while the connection is active.
3044
The set of servers to which NOTIFY is sent can be controlled by
3045
<command>notify</command> and <command>also-notify</command>.</para>
3046
<para>If the
3047
zone is a slave or stub zone, then the server will suppress the regular
3048
"zone up to date" (refresh) queries and only perform them when the
3049
<command>heartbeat-interval</command> expires in addition to sending
3050
NOTIFY requests.</para><para>Finer control can be achieved by using
3051
<userinput>notify</userinput> which only sends NOTIFY messages,
3052
<userinput>notify-passive</userinput> which sends NOTIFY messages and
3053
suppresses the normal refresh queries, <userinput>refresh</userinput>
3054
which suppresses normal refresh processing and sends refresh queries
3055
when the <command>heartbeat-interval</command> expires, and
3056
<userinput>passive</userinput> which just disables normal refresh
3057
processing.</para>
3058
3059
<informaltable colsep = "0" rowsep = "0">
3060
<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
3061
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
3062
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
3063
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
3064
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
3065
<tbody>
3066
<row rowsep = "0">
3067
<entry colname = "1"><para>dialup mode</para></entry>
3068
<entry colname = "2"><para>normal refresh</para></entry>
3069
<entry colname = "3"><para>heart-beat refresh</para></entry>
3070
<entry colname = "4"><para>heart-beat notify</para></entry>
3071
</row>
3072
<row rowsep = "0">
3073
<entry colname = "1"><para><command>no</command> (default)</para></entry>
3074
<entry colname = "2"><para>yes</para></entry>
3075
<entry colname = "3"><para>no</para></entry>
3076
<entry colname = "4"><para>no</para></entry>
3077
</row>
3078
<row rowsep = "0">
3079
<entry colname = "1"><para><command>yes</command></para></entry>
3080
<entry colname = "2"><para>no</para></entry>
3081
<entry colname = "3"><para>yes</para></entry>
3082
<entry colname = "4"><para>yes</para></entry>
3083
</row>
3084
<row rowsep = "0">
3085
<entry colname = "1"><para><command>notify</command></para></entry>
3086
<entry colname = "2"><para>yes</para></entry>
3087
<entry colname = "3"><para>no</para></entry>
3088
<entry colname = "4"><para>yes</para></entry>
3089
</row>
3090
<row rowsep = "0">
3091
<entry colname = "1"><para><command>refresh</command></para></entry>
3092
<entry colname = "2"><para>no</para></entry>
3093
<entry colname = "3"><para>yes</para></entry>
3094
<entry colname = "4"><para>no</para></entry>
3095
</row>
3096
<row rowsep = "0">
3097
<entry colname = "1"><para><command>passive</command></para></entry>
3098
<entry colname = "2"><para>no</para></entry>
3099
<entry colname = "3"><para>no</para></entry>
3100
<entry colname = "4"><para>no</para></entry>
3101
</row>
3102
<row rowsep = "0">
3103
<entry colname = "1"><para><command>notify-passive</command></para></entry>
3104
<entry colname = "2"><para>no</para></entry>
3105
<entry colname = "3"><para>no</para></entry>
3106
<entry colname = "4"><para>yes</para></entry>
3107
</row>
3108
</tbody>
3109
</tgroup></informaltable>
3110
3111
<para>Note that normal NOTIFY processing is not affected by
3112
<command>dialup</command>.</para>
3113
3114
</listitem></varlistentry>
3115
3116
<varlistentry><term><command>fake-iquery</command></term>
3117
<listitem><para>In <acronym>BIND</acronym> 8, this option
3118
enabled simulating the obsolete DNS query type
3119
IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
3120
</para></listitem></varlistentry>
3121
3122
<varlistentry><term><command>fetch-glue</command></term>
3123
<listitem><para>This option is obsolete.
3124
In BIND 8, <userinput>fetch-glue yes</userinput>
3125
caused the server to attempt to fetch glue resource records it
3126
didn't have when constructing the additional
3127
data section of a response. This is now considered a bad idea
3128
and BIND 9 never does it.</para></listitem></varlistentry>
3129
3130
<varlistentry><term><command>flush-zones-on-shutdown</command></term>
3131
<listitem><para>When the nameserver exits due receiving SIGTERM,
3132
flush / do not flush any pending zone writes. The default is
3133
<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
3134
</para></listitem></varlistentry>
3135
3136
<varlistentry><term><command>has-old-clients</command></term>
3137
<listitem><para>This option was incorrectly implemented
3138
in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
3139
To achieve the intended effect
3140
of
3141
<command>has-old-clients</command> <userinput>yes</userinput>, specify
3142
the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
3143
and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
3144
</para></listitem></varlistentry>
3145
3146
<varlistentry><term><command>host-statistics</command></term>
3147
<listitem><para>In BIND 8, this enables keeping of
3148
statistics for every host that the name server interacts with.
3149
Not implemented in BIND 9.
3150
</para></listitem></varlistentry>
3151
3152
<varlistentry><term><command>maintain-ixfr-base</command></term>
3153
<listitem><para><emphasis>This option is obsolete</emphasis>.
3154
It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
3155
kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
3156
log whenever possible. If you need to disable outgoing incremental zone
3157
transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
3158
</para></listitem></varlistentry>
3159
3160
<varlistentry><term><command>minimal-responses</command></term>
3161
<listitem><para>If <userinput>yes</userinput>, then when generating
3162
responses the server will only add records to the authority and
3163
additional data sections when they are required (e.g. delegations,
3164
negative responses). This may improve the performance of the server.
3165
The default is <userinput>no</userinput>.
3166
</para></listitem></varlistentry>
3167
3168
<varlistentry><term><command>multiple-cnames</command></term>
3169
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
3170
a domain name to have multiple CNAME records in violation of the
3171
DNS standards. <acronym>BIND</acronym> 9.2 always strictly
3172
enforces the CNAME rules both in master files and dynamic updates.
3173
</para></listitem></varlistentry>
3174
3175
<varlistentry><term><command>notify</command></term>
3176
<listitem><para>If <userinput>yes</userinput> (the default),
3177
DNS NOTIFY messages are sent when a zone the server is authoritative for
3178
changes, see <xref linkend="notify"/>. The messages are sent to the
3179
servers listed in the zone's NS records (except the master server identified
3180
in the SOA MNAME field), and to any servers listed in the
3181
<command>also-notify</command> option.
3182
</para><para>
3183
If <userinput>explicit</userinput>, notifies are sent only to
3184
servers explicitly listed using <command>also-notify</command>.
3185
If <userinput>no</userinput>, no notifies are sent.
3186
</para><para>
3187
The <command>notify</command> option may also be
3188
specified in the <command>zone</command> statement,
3189
in which case it overrides the <command>options notify</command> statement.
3190
It would only be necessary to turn off this option if it caused slaves
3191
to crash.</para></listitem></varlistentry>
3192
3193
<varlistentry><term><command>recursion</command></term>
3194
<listitem><para>If <userinput>yes</userinput>, and a
3195
DNS query requests recursion, then the server will attempt to do
3196
all the work required to answer the query. If recursion is off
3197
and the server does not already know the answer, it will return a
3198
referral response. The default is <userinput>yes</userinput>.
3199
Note that setting <command>recursion no</command> does not prevent
3200
clients from getting data from the server's cache; it only
3201
prevents new data from being cached as an effect of client queries.
3202
Caching may still occur as an effect the server's internal
3203
operation, such as NOTIFY address lookups.
3204
See also <command>fetch-glue</command> above.
3205
</para></listitem></varlistentry>
3206
3207
<varlistentry><term><command>rfc2308-type1</command></term>
3208
<listitem><para>Setting this to <userinput>yes</userinput> will
3209
cause the server to send NS records along with the SOA record for negative
3210
answers. The default is <userinput>no</userinput>.</para>
3211
<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
3212
</listitem></varlistentry>
3213
3214
<varlistentry><term><command>use-id-pool</command></term>
3215
<listitem><para><emphasis>This option is obsolete</emphasis>.
3216
<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
3217
</para></listitem></varlistentry>
3218
3219
<varlistentry><term><command>zone-statistics</command></term>
3220
<listitem><para>If <userinput>yes</userinput>, the server will collect
3221
statistical data on all zones (unless specifically turned off
3222
on a per-zone basis by specifying <command>zone-statistics no</command>
3223
in the <command>zone</command> statement). These statistics may be accessed
3224
using <command>rndc stats</command>, which will dump them to the file listed
3225
in the <command>statistics-file</command>. See also <xref linkend="statsfile"/>.
3226
</para></listitem></varlistentry>
3227
3228
<varlistentry><term><command>use-ixfr</command></term>
3229
<listitem><para><emphasis>This option is obsolete</emphasis>.
3230
If you need to disable IXFR to a particular server or servers see
3231
the information on the <command>provide-ixfr</command> option
3232
in <xref linkend="server_statement_definition_and_usage"/>. See also
3233
<xref linkend="incremental_zone_transfers"/>.
3234
</para></listitem></varlistentry>
3235
3236
<varlistentry><term><command>provide-ixfr</command></term>
3237
<listitem>
3238
<para>
3239
See the description of
3240
<command>provide-ixfr</command> in
3241
<xref linkend="server_statement_definition_and_usage"/>
3242
</para></listitem></varlistentry>
3243
3244
<varlistentry><term><command>request-ixfr</command></term>
3245
<listitem>
3246
<para>
3247
See the description of
3248
<command>request-ixfr</command> in
3249
<xref linkend="server_statement_definition_and_usage"/>
3250
</para></listitem></varlistentry>
3251
3252
<varlistentry><term><command>treat-cr-as-space</command></term>
3253
<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
3254
the server treat carriage return ("<command>\r</command>") characters the same way
3255
as a space or tab character,
3256
to facilitate loading of zone files on a UNIX system that were generated
3257
on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
3258
and NT/DOS "<command>\r\n</command>" newlines are always accepted,
3259
and the option is ignored.</para></listitem></varlistentry>
3260
3261
<varlistentry>
3262
<term><command>additional-from-auth</command></term>
3263
<term><command>additional-from-cache</command></term>
3264
<listitem>
3265
3266
<para>
3267
These options control the behavior of an authoritative server when
3268
answering queries which have additional data, or when following CNAME
3269
and DNAME chains.
3270
</para>
3271
3272
<para>
3273
When both of these options are set to <userinput>yes</userinput>
3274
(the default) and a
3275
query is being answered from authoritative data (a zone
3276
configured into the server), the additional data section of the
3277
reply will be filled in using data from other authoritative zones
3278
and from the cache. In some situations this is undesirable, such
3279
as when there is concern over the correctness of the cache, or
3280
in servers where slave zones may be added and modified by
3281
untrusted third parties. Also, avoiding
3282
the search for this additional data will speed up server operations
3283
at the possible expense of additional queries to resolve what would
3284
otherwise be provided in the additional section.
3285
</para>
3286
3287
<para>
3288
For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
3289
and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
3290
records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
3291
if known, even though they are not in the example.com zone.
3292
Setting these options to <command>no</command> disables this behavior and makes
3293
the server only search for additional data in the zone it answers from.
3294
</para>
3295
3296
<para>
3297
These options are intended for use in authoritative-only
3298
servers, or in authoritative-only views. Attempts to set
3299
them to <command>no</command> without also specifying
3300
<command>recursion no</command> will cause the server to
3301
ignore the options and log a warning message.
3302
</para>
3303
3304
<para>
3305
Specifying <command>additional-from-cache no</command> actually
3306
disables the use of the cache not only for additional data lookups
3307
but also when looking up the answer. This is usually the desired
3308
behavior in an authoritative-only server where the correctness of
3309
the cached data is an issue.
3310
</para>
3311
3312
<para>
3313
When a name server is non-recursively queried for a name that is not
3314
below the apex of any served zone, it normally answers with an
3315
"upwards referral" to the root servers or the servers of some other
3316
known parent of the query name. Since the data in an upwards referral
3317
comes from the cache, the server will not be able to provide upwards
3318
referrals when <command>additional-from-cache no</command>
3319
has been specified. Instead, it will respond to such queries
3320
with REFUSED. This should not cause any problems since
3321
upwards referrals are not required for the resolution process.
3322
</para>
3323
3324
</listitem></varlistentry>
3325
3326
<varlistentry><term><command>match-mapped-addresses</command></term>
3327
<listitem><para>If <userinput>yes</userinput>, then an
3328
IPv4-mapped IPv6 address will match any address match
3329
list entries that match the corresponding IPv4 address.
3330
Enabling this option is sometimes useful on IPv6-enabled Linux
3331
systems, to work around a kernel quirk that causes IPv4
3332
TCP connections such as zone transfers to be accepted
3333
on an IPv6 socket using mapped addresses, causing
3334
address match lists designed for IPv4 to fail to match.
3335
The use of this option for any other purpose is discouraged.
3336
</para></listitem></varlistentry>
3337
3338
<varlistentry><term><command>ixfr-from-differences</command></term>
3339
<listitem>
3340
<para>
3341
When 'yes' and the server loads a new version of a master
3342
zone from its zone file or receives a new version of a slave
3343
file by a non-incremental zone transfer, it will compare
3344
the new version to the previous one and calculate a set
3345
of differences. The differences are then logged in the
3346
zone's journal file such that the changes can be transmitted
3347
to downstream slaves as an incremental zone transfer.
3348
</para><para>
3349
By allowing incremental zone transfers to be used for
3350
non-dynamic zones, this option saves bandwidth at the
3351
expense of increased CPU and memory consumption at the master.
3352
In particular, if the new version of a zone is completely
3353
different from the previous one, the set of differences
3354
will be of a size comparable to the combined size of the
3355
old and new zone version, and the server will need to
3356
temporarily allocate memory to hold this complete
3357
difference set.
3358
</para></listitem></varlistentry>
3359
3360
<varlistentry><term><command>multi-master</command></term>
3361
<listitem>
3362
<para>
3363
This should be set when you have multiple masters for a zone and the
3364
addresses refer to different machines. If 'yes' named will not log
3365
when the serial number on the master is less than what named currently
3366
has. The default is <userinput>no</userinput>.
3367
</para></listitem></varlistentry>
3368
3369
<varlistentry><term><command>dnssec-enable</command></term>
3370
<listitem>
3371
<para>
3372
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
3373
named behaves as if it does not support DNSSEC.
3374
The default is <userinput>no</userinput>.
3375
</para></listitem></varlistentry>
3376
3377
<varlistentry><term><command>querylog</command></term>
3378
<listitem>
3379
<para>
3380
Specify whether query logging should be started when named start.
3381
If <command>querylog</command> is not specified then the query logging
3382
is determined by the presence of the logging category <command>queries</command>.
3383
</para></listitem></varlistentry>
3384
3385
<varlistentry><term><command>check-names</command></term>
3386
<listitem>
3387
<para>
3388
This option is used to restrict the character set and syntax of
3389
certain domain names in master files and/or DNS responses received
3390
from the network. The default varies according to usage area. For
3391
<command>master</command> zones the default is <command>fail</command>.
3392
For <command>slave</command> zones the default is <command>warn</command>.
3393
For answer received from the network (<command>response</command>)
3394
the default is <command>ignore</command>.
3395
</para>
3396
<para>The rules for legal hostnames / mail domains are derived from RFC 952
3397
and RFC 821 as modified by RFC 1123.
3398
</para>
3399
<para><command>check-names</command> applies to the owner names of A, AAA and
3400
MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
3401
records. It also applies to the RDATA of PTR records where the owner name
3402
indicated that it is a reverse lookup of a hostname (the owner name ends in
3403
IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
3404
</para>
3405
</listitem></varlistentry>
3406
3407
</variablelist>
3408
3409
</sect3>
3410
3411
<sect3><title>Forwarding</title>
3412
<para>The forwarding facility can be used to create a large site-wide
3413
cache on a few servers, reducing traffic over links to external
3414
name servers. It can also be used to allow queries by servers that
3415
do not have direct access to the Internet, but wish to look up exterior
3416
names anyway. Forwarding occurs only on those queries for which
3417
the server is not authoritative and does not have the answer in
3418
its cache.</para>
3419
3420
<variablelist>
3421
<varlistentry><term><command>forward</command></term>
3422
<listitem><para>This option is only meaningful if the
3423
forwarders list is not empty. A value of <varname>first</varname>,
3424
the default, causes the server to query the forwarders first, and
3425
if that doesn't answer the question the server will then look for
3426
the answer itself. If <varname>only</varname> is specified, the
3427
server will only query the forwarders.
3428
</para></listitem></varlistentry>
3429
3430
<varlistentry><term><command>forwarders</command></term>
3431
<listitem><para>Specifies the IP addresses to be used
3432
for forwarding. The default is the empty list (no forwarding).
3433
</para></listitem></varlistentry>
3434
3435
</variablelist>
3436
3437
<para>Forwarding can also be configured on a per-domain basis, allowing
3438
for the global forwarding options to be overridden in a variety
3439
of ways. You can set particular domains to use different forwarders,
3440
or have a different <command>forward only/first</command> behavior,
3441
or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
3442
</sect3>
3443
3444
<sect3><title>Dual-stack Servers</title>
3445
<para>Dual-stack servers are used as servers of last resort to work around
3446
problems in reachability due the lack of support for either IPv4 or IPv6
3447
on the host machine.</para>
3448
3449
<variablelist>
3450
<varlistentry><term><command>dual-stack-servers</command></term>
3451
<listitem><para>Specifies host names / addresses of machines with access to
3452
both IPv4 and IPv6 transports. If a hostname is used the server must be able
3453
to resolve the name using only the transport it has. If the machine is dual
3454
stacked then the <command>dual-stack-servers</command> have no effect unless
3455
access to a transport has been disabled on the command line
3456
(e.g. <command>named -4</command>).</para></listitem>
3457
</varlistentry>
3458
</variablelist>
3459
</sect3>
3460
3461
<sect3 id="access_control"><title>Access Control</title>
3462
3463
<para>Access to the server can be restricted based on the IP address
3464
of the requesting system. See <xref linkend="address_match_lists"/> for
3465
details on how to specify IP address lists.</para>
3466
3467
<variablelist>
3468
3469
<varlistentry><term><command>allow-notify</command></term>
3470
<listitem><para>Specifies which hosts are allowed to
3471
notify this server, a slave, of zone changes in addition
3472
to the zone masters.
3473
<command>allow-notify</command> may also be specified in the
3474
<command>zone</command> statement, in which case it overrides the
3475
<command>options allow-notify</command> statement. It is only meaningful
3476
for a slave zone. If not specified, the default is to process notify messages
3477
only from a zone's master.</para>
3478
</listitem></varlistentry>
3479
3480
<varlistentry><term><command>allow-query</command></term>
3481
<listitem><para>Specifies which hosts are allowed to
3482
ask ordinary DNS questions. <command>allow-query</command> may also
3483
be specified in the <command>zone</command> statement, in which
3484
case it overrides the <command>options allow-query</command> statement. If
3485
not specified, the default is to allow queries from all hosts.</para>
3486
</listitem></varlistentry>
3487
3488
3489
<varlistentry><term><command>allow-recursion</command></term>
3490
<listitem><para>Specifies which hosts are allowed to
3491
make recursive queries through this server. If not specified, the
3492
default is to allow recursive queries from all hosts.
3493
Note that disallowing recursive queries for a host does not prevent the
3494
host from retrieving data that is already in the server's cache.
3495
</para>
3496
</listitem></varlistentry>
3497
3498
<varlistentry><term><command>allow-update-forwarding</command></term>
3499
<listitem><para>Specifies which hosts are allowed to
3500
submit Dynamic DNS updates to slave zones to be forwarded to the
3501
master. The default is <userinput>{ none; }</userinput>, which
3502
means that no update forwarding will be performed. To enable
3503
update forwarding, specify
3504
<userinput>allow-update-forwarding { any; };</userinput>.
3505
Specifying values other than <userinput>{ none; }</userinput> or
3506
<userinput>{ any; }</userinput> is usually counterproductive, since
3507
the responsibility for update access control should rest with the
3508
master server, not the slaves.</para>
3509
<para>Note that enabling the update forwarding feature on a slave server
3510
may expose master servers relying on insecure IP address based
3511
access control to attacks; see <xref linkend="dynamic_update_security"/>
3512
for more details.</para>
3513
</listitem></varlistentry>
3514
3515
<varlistentry><term><command>allow-v6-synthesis</command></term>
3516
<listitem><para>This option was introduced for the smooth transition from AAAA
3517
to A6 and from "nibble labels" to binary labels.
3518
However, since both A6 and binary labels were then deprecated,
3519
this option was also deprecated.
3520
It is now ignored with some warning messages.
3521
</para>
3522
</listitem></varlistentry>
3523
3524
<varlistentry><term><command>allow-transfer</command></term>
3525
<listitem><para>Specifies which hosts are allowed to
3526
receive zone transfers from the server. <command>allow-transfer</command> may
3527
also be specified in the <command>zone</command> statement, in which
3528
case it overrides the <command>options allow-transfer</command> statement.
3529
If not specified, the default is to allow transfers to all hosts.</para>
3530
</listitem></varlistentry>
3531
3532
<varlistentry><term><command>blackhole</command></term>
3533
<listitem><para>Specifies a list of addresses that the
3534
server will not accept queries from or use to resolve a query. Queries
3535
from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
3536
</listitem></varlistentry>
3537
3538
</variablelist>
3539
3540
</sect3>
3541
3542
<sect3><title>Interfaces</title>
3543
<para>The interfaces and ports that the server will answer queries
3544
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
3545
an optional port, and an <varname>address_match_list</varname>.
3546
The server will listen on all interfaces allowed by the address
3547
match list. If a port is not specified, port 53 will be used.</para>
3548
<para>Multiple <command>listen-on</command> statements are allowed.
3549
For example,</para>
4854
4855
</listitem>
4856
</varlistentry>
4857
4858
<varlistentry>
4859
<term><command>disable-algorithms</command></term>
4860
<listitem>
4861
<para>
4862
Disable the specified DNSSEC algorithms at and below the
4863
specified name.
4864
Multiple <command>disable-algorithms</command>
4865
statements are allowed.
4866
Only the most specific will be applied.
4867
</para>
4868
</listitem>
4869
</varlistentry>
4870
4871
<varlistentry>
4872
<term><command>dnssec-lookaside</command></term>
4873
<listitem>
4874
<para>
4875
When set, <command>dnssec-lookaside</command>
4876
provides the
4877
validator with an alternate method to validate DNSKEY records
4878
at the
4879
top of a zone. When a DNSKEY is at or below a domain
4880
specified by the
4881
deepest <command>dnssec-lookaside</command>, and
4882
the normal dnssec validation
4883
has left the key untrusted, the trust-anchor will be append to
4884
the key
4885
name and a DLV record will be looked up to see if it can
4886
validate the
4887
key. If the DLV record validates a DNSKEY (similarly to the
4888
way a DS
4889
record does) the DNSKEY RRset is deemed to be trusted.
4890
</para>
4891
</listitem>
4892
</varlistentry>
4893
4894
<varlistentry>
4895
<term><command>dnssec-must-be-secure</command></term>
4896
<listitem>
4897
<para>
4898
Specify hierarchies which must be or may not be secure (signed and
4899
validated).
4900
If <userinput>yes</userinput>, then named will only accept
4901
answers if they
4902
are secure.
4903
If <userinput>no</userinput>, then normal dnssec validation
4904
applies
4905
allowing for insecure answers to be accepted.
4906
The specified domain must be under a <command>trusted-key</command> or
4907
<command>dnssec-lookaside</command> must be
4908
active.
4909
</para>
4910
</listitem>
4911
</varlistentry>
4912
4913
</variablelist>
4914
4915
<sect3 id="boolean_options">
4916
<title>Boolean Options</title>
4917
4918
<variablelist>
4919
4920
<varlistentry>
4921
<term><command>auth-nxdomain</command></term>
4922
<listitem>
4923
<para>
4924
If <userinput>yes</userinput>, then the <command>AA</command> bit
4925
is always set on NXDOMAIN responses, even if the server is
4926
not actually
4927
authoritative. The default is <userinput>no</userinput>;
4928
this is
4929
a change from <acronym>BIND</acronym> 8. If you
4930
are using very old DNS software, you
4931
may need to set it to <userinput>yes</userinput>.
4932
</para>
4933
</listitem>
4934
</varlistentry>
4935
4936
<varlistentry>
4937
<term><command>deallocate-on-exit</command></term>
4938
<listitem>
4939
<para>
4940
This option was used in <acronym>BIND</acronym>
4941
8 to enable checking
4942
for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
4943
the checks.
4944
</para>
4945
</listitem>
4946
</varlistentry>
4947
4948
<varlistentry>
4949
<term><command>memstatistics</command></term>
4950
<listitem>
4951
<para>
4952
Write memory statistics to the file specfied by
4953
<command>memstatistics-file</command> at exit.
4954
The default is <userinput>no</userinput> unless
4955
'-m record' is specified on the command line in
4956
which case it is <userinput>yes</userinput>.
4957
</para>
4958
</listitem>
4959
</varlistentry>
4960
4961
<varlistentry>
4962
<term><command>dialup</command></term>
4963
<listitem>
4964
<para>
4965
If <userinput>yes</userinput>, then the
4966
server treats all zones as if they are doing zone transfers
4967
across
4968
a dial-on-demand dialup link, which can be brought up by
4969
traffic
4970
originating from this server. This has different effects
4971
according
4972
to zone type and concentrates the zone maintenance so that
4973
it all
4974
happens in a short interval, once every <command>heartbeat-interval</command> and
4975
hopefully during the one call. It also suppresses some of
4976
the normal
4977
zone maintenance traffic. The default is <userinput>no</userinput>.
4978
</para>
4979
<para>
4980
The <command>dialup</command> option
4981
may also be specified in the <command>view</command> and
4982
<command>zone</command> statements,
4983
in which case it overrides the global <command>dialup</command>
4984
option.
4985
</para>
4986
<para>
4987
If the zone is a master zone, then the server will send out a
4988
NOTIFY
4989
request to all the slaves (default). This should trigger the
4990
zone serial
4991
number check in the slave (providing it supports NOTIFY)
4992
allowing the slave
4993
to verify the zone while the connection is active.
4994
The set of servers to which NOTIFY is sent can be controlled
4995
by
4996
<command>notify</command> and <command>also-notify</command>.
4997
</para>
4998
<para>
4999
If the
5000
zone is a slave or stub zone, then the server will suppress
5001
the regular
5002
"zone up to date" (refresh) queries and only perform them
5003
when the
5004
<command>heartbeat-interval</command> expires in
5005
addition to sending
5006
NOTIFY requests.
5007
</para>
5008
<para>
5009
Finer control can be achieved by using
5010
<userinput>notify</userinput> which only sends NOTIFY
5011
messages,
5012
<userinput>notify-passive</userinput> which sends NOTIFY
5013
messages and
5014
suppresses the normal refresh queries, <userinput>refresh</userinput>
5015
which suppresses normal refresh processing and sends refresh
5016
queries
5017
when the <command>heartbeat-interval</command>
5018
expires, and
5019
<userinput>passive</userinput> which just disables normal
5020
refresh
5021
processing.
5022
</para>
5023
5024
<informaltable colsep="0" rowsep="0">
5025
<tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
5026
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
5027
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
5028
<colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
5029
<colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
5030
<tbody>
5031
<row rowsep="0">
5032
<entry colname="1">
5033
<para>
5034
dialup mode
5035
</para>
5036
</entry>
5037
<entry colname="2">
5038
<para>
5039
normal refresh
5040
</para>
5041
</entry>
5042
<entry colname="3">
5043
<para>
5044
heart-beat refresh
5045
</para>
5046
</entry>
5047
<entry colname="4">
5048
<para>
5049
heart-beat notify
5050
</para>
5051
</entry>
5052
</row>
5053
<row rowsep="0">
5054
<entry colname="1">
5055
<para><command>no</command> (default)</para>
5056
</entry>
5057
<entry colname="2">
5058
<para>
5059
yes
5060
</para>
5061
</entry>
5062
<entry colname="3">
5063
<para>
5064
no
5065
</para>
5066
</entry>
5067
<entry colname="4">
5068
<para>
5069
no
5070
</para>
5071
</entry>
5072
</row>
5073
<row rowsep="0">
5074
<entry colname="1">
5075
<para><command>yes</command></para>
5076
</entry>
5077
<entry colname="2">
5078
<para>
5079
no
5080
</para>
5081
</entry>
5082
<entry colname="3">
5083
<para>
5084
yes
5085
</para>
5086
</entry>
5087
<entry colname="4">
5088
<para>
5089
yes
5090
</para>
5091
</entry>
5092
</row>
5093
<row rowsep="0">
5094
<entry colname="1">
5095
<para><command>notify</command></para>
5096
</entry>
5097
<entry colname="2">
5098
<para>
5099
yes
5100
</para>
5101
</entry>
5102
<entry colname="3">
5103
<para>
5104
no
5105
</para>
5106
</entry>
5107
<entry colname="4">
5108
<para>
5109
yes
5110
</para>
5111
</entry>
5112
</row>
5113
<row rowsep="0">
5114
<entry colname="1">
5115
<para><command>refresh</command></para>
5116
</entry>
5117
<entry colname="2">
5118
<para>
5119
no
5120
</para>
5121
</entry>
5122
<entry colname="3">
5123
<para>
5124
yes
5125
</para>
5126
</entry>
5127
<entry colname="4">
5128
<para>
5129
no
5130
</para>
5131
</entry>
5132
</row>
5133
<row rowsep="0">
5134
<entry colname="1">
5135
<para><command>passive</command></para>
5136
</entry>
5137
<entry colname="2">
5138
<para>
5139
no
5140
</para>
5141
</entry>
5142
<entry colname="3">
5143
<para>
5144
no
5145
</para>
5146
</entry>
5147
<entry colname="4">
5148
<para>
5149
no
5150
</para>
5151
</entry>
5152
</row>
5153
<row rowsep="0">
5154
<entry colname="1">
5155
<para><command>notify-passive</command></para>
5156
</entry>
5157
<entry colname="2">
5158
<para>
5159
no
5160
</para>
5161
</entry>
5162
<entry colname="3">
5163
<para>
5164
no
5165
</para>
5166
</entry>
5167
<entry colname="4">
5168
<para>
5169
yes
5170
</para>
5171
</entry>
5172
</row>
5173
</tbody>
5174
</tgroup>
5175
</informaltable>
5176
5177
<para>
5178
Note that normal NOTIFY processing is not affected by
5179
<command>dialup</command>.
5180
</para>
5181
5182
</listitem>
5183
</varlistentry>
5184
5185
<varlistentry>
5186
<term><command>fake-iquery</command></term>
5187
<listitem>
5188
<para>
5189
In <acronym>BIND</acronym> 8, this option
5190
enabled simulating the obsolete DNS query type
5191
IQUERY. <acronym>BIND</acronym> 9 never does
5192
IQUERY simulation.
5193
</para>
5194
</listitem>
5195
</varlistentry>
5196
5197
<varlistentry>
5198
<term><command>fetch-glue</command></term>
5199
<listitem>
5200
<para>
5201
This option is obsolete.
5202
In BIND 8, <userinput>fetch-glue yes</userinput>
5203
caused the server to attempt to fetch glue resource records
5204
it
5205
didn't have when constructing the additional
5206
data section of a response. This is now considered a bad
5207
idea
5208
and BIND 9 never does it.
5209
</para>
5210
</listitem>
5211
</varlistentry>
5212
5213
<varlistentry>
5214
<term><command>flush-zones-on-shutdown</command></term>
5215
<listitem>
5216
<para>
5217
When the nameserver exits due receiving SIGTERM,
5218
flush or do not flush any pending zone writes. The default
5219
is
5220
<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5221
</para>
5222
</listitem>
5223
</varlistentry>
5224
5225
<varlistentry>
5226
<term><command>has-old-clients</command></term>
5227
<listitem>
5228
<para>
5229
This option was incorrectly implemented
5230
in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5231
To achieve the intended effect
5232
of
5233
<command>has-old-clients</command> <userinput>yes</userinput>, specify
5234
the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5235
and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5236
</para>
5237
</listitem>
5238
</varlistentry>
5239
5240
<varlistentry>
5241
<term><command>host-statistics</command></term>
5242
<listitem>
5243
<para>
5244
In BIND 8, this enables keeping of
5245
statistics for every host that the name server interacts
5246
with.
5247
Not implemented in BIND 9.
5248
</para>
5249
</listitem>
5250
</varlistentry>
5251
5252
<varlistentry>
5253
<term><command>maintain-ixfr-base</command></term>
5254
<listitem>
5255
<para>
5256
<emphasis>This option is obsolete</emphasis>.
5257
It was used in <acronym>BIND</acronym> 8 to
5258
determine whether a transaction log was
5259
kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5260
log whenever possible. If you need to disable outgoing
5261
incremental zone
5262
transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5263
</para>
5264
</listitem>
5265
</varlistentry>
5266
5267
<varlistentry>
5268
<term><command>minimal-responses</command></term>
5269
<listitem>
5270
<para>
5271
If <userinput>yes</userinput>, then when generating
5272
responses the server will only add records to the authority
5273
and additional data sections when they are required (e.g.
5274
delegations, negative responses). This may improve the
5275
performance of the server.
5276
The default is <userinput>no</userinput>.
5277
</para>
5278
</listitem>
5279
</varlistentry>
5280
5281
<varlistentry>
5282
<term><command>multiple-cnames</command></term>
5283
<listitem>
5284
<para>
5285
This option was used in <acronym>BIND</acronym> 8 to allow
5286
a domain name to have multiple CNAME records in violation of
5287
the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5288
always strictly enforces the CNAME rules both in master
5289
files and dynamic updates.
5290
</para>
5291
</listitem>
5292
</varlistentry>
5293
5294
<varlistentry>
5295
<term><command>notify</command></term>
5296
<listitem>
5297
<para>
5298
If <userinput>yes</userinput> (the default),
5299
DNS NOTIFY messages are sent when a zone the server is
5300
authoritative for
5301
changes, see <xref linkend="notify"/>. The messages are
5302
sent to the
5303
servers listed in the zone's NS records (except the master
5304
server identified
5305
in the SOA MNAME field), and to any servers listed in the
5306
<command>also-notify</command> option.
5307
</para>
5308
<para>
5309
If <userinput>master-only</userinput>, notifies are only
5310
sent
5311
for master zones.
5312
If <userinput>explicit</userinput>, notifies are sent only
5313
to
5314
servers explicitly listed using <command>also-notify</command>.
5315
If <userinput>no</userinput>, no notifies are sent.
5316
</para>
5317
<para>
5318
The <command>notify</command> option may also be
5319
specified in the <command>zone</command>
5320
statement,
5321
in which case it overrides the <command>options notify</command> statement.
5322
It would only be necessary to turn off this option if it
5323
caused slaves
5324
to crash.
5325
</para>
5326
</listitem>
5327
</varlistentry>
5328
5329
<varlistentry>
5330
<term><command>notify-to-soa</command></term>
5331
<listitem>
5332
<para>
5333
If <userinput>yes</userinput> do not check the nameservers
5334
in the NS RRset against the SOA MNAME. Normally a NOTIFY
5335
message is not sent to the SOA MNAME (SOA ORIGIN) as it is
5336
supposed to contain the name of the ultimate master.
5337
Sometimes, however, a slave is listed as the SOA MNAME in
5338
hidden master configurations and in that case you would
5339
want the ultimate master to still send NOTIFY messages to
5340
all the nameservers listed in the NS RRset.
5341
</para>
5342
</listitem>
5343
</varlistentry>
5344
5345
<varlistentry>
5346
<term><command>recursion</command></term>
5347
<listitem>
5348
<para>
5349
If <userinput>yes</userinput>, and a
5350
DNS query requests recursion, then the server will attempt
5351
to do
5352
all the work required to answer the query. If recursion is
5353
off
5354
and the server does not already know the answer, it will
5355
return a
5356
referral response. The default is
5357
<userinput>yes</userinput>.
5358
Note that setting <command>recursion no</command> does not prevent
5359
clients from getting data from the server's cache; it only
5360
prevents new data from being cached as an effect of client
5361
queries.
5362
Caching may still occur as an effect the server's internal
5363
operation, such as NOTIFY address lookups.
5364
See also <command>fetch-glue</command> above.
5365
</para>
5366
</listitem>
5367
</varlistentry>
5368
5369
<varlistentry>
5370
<term><command>rfc2308-type1</command></term>
5371
<listitem>
5372
<para>
5373
Setting this to <userinput>yes</userinput> will
5374
cause the server to send NS records along with the SOA
5375
record for negative
5376
answers. The default is <userinput>no</userinput>.
5377
</para>
5378
<note>
5379
<simpara>
5380
Not yet implemented in <acronym>BIND</acronym>
5381
9.
5382
</simpara>
5383
</note>
5384
</listitem>
5385
</varlistentry>
5386
5387
<varlistentry>
5388
<term><command>use-id-pool</command></term>
5389
<listitem>
5390
<para>
5391
<emphasis>This option is obsolete</emphasis>.
5392
<acronym>BIND</acronym> 9 always allocates query
5393
IDs from a pool.
5394
</para>
5395
</listitem>
5396
</varlistentry>
5397
5398
<varlistentry>
5399
<term><command>zone-statistics</command></term>
5400
<listitem>
5401
<para>
5402
If <userinput>yes</userinput>, the server will collect
5403
statistical data on all zones (unless specifically turned
5404
off
5405
on a per-zone basis by specifying <command>zone-statistics no</command>
5406
in the <command>zone</command> statement).
5407
These statistics may be accessed
5408
using <command>rndc stats</command>, which will
5409
dump them to the file listed
5410
in the <command>statistics-file</command>. See
5411
also <xref linkend="statsfile"/>.
5412
</para>
5413
</listitem>
5414
</varlistentry>
5415
5416
<varlistentry>
5417
<term><command>use-ixfr</command></term>
5418
<listitem>
5419
<para>
5420
<emphasis>This option is obsolete</emphasis>.
5421
If you need to disable IXFR to a particular server or
5422
servers, see
5423
the information on the <command>provide-ixfr</command> option
5424
in <xref linkend="server_statement_definition_and_usage"/>.
5425
See also
5426
<xref linkend="incremental_zone_transfers"/>.
5427
</para>
5428
</listitem>
5429
</varlistentry>
5430
5431
<varlistentry>
5432
<term><command>provide-ixfr</command></term>
5433
<listitem>
5434
<para>
5435
See the description of
5436
<command>provide-ixfr</command> in
5437
<xref linkend="server_statement_definition_and_usage"/>.
5438
</para>
5439
</listitem>
5440
</varlistentry>
5441
5442
<varlistentry>
5443
<term><command>request-ixfr</command></term>
5444
<listitem>
5445
<para>
5446
See the description of
5447
<command>request-ixfr</command> in
5448
<xref linkend="server_statement_definition_and_usage"/>.
5449
</para>
5450
</listitem>
5451
</varlistentry>
5452
5453
<varlistentry>
5454
<term><command>treat-cr-as-space</command></term>
5455
<listitem>
5456
<para>
5457
This option was used in <acronym>BIND</acronym>
5458
8 to make
5459
the server treat carriage return ("<command>\r</command>") characters the same way
5460
as a space or tab character,
5461
to facilitate loading of zone files on a UNIX system that
5462
were generated
5463
on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5464
and NT/DOS "<command>\r\n</command>" newlines
5465
are always accepted,
5466
and the option is ignored.
5467
</para>
5468
</listitem>
5469
</varlistentry>
5470
5471
<varlistentry>
5472
<term><command>additional-from-auth</command></term>
5473
<term><command>additional-from-cache</command></term>
5474
<listitem>
5475
5476
<para>
5477
These options control the behavior of an authoritative
5478
server when
5479
answering queries which have additional data, or when
5480
following CNAME
5481
and DNAME chains.
5482
</para>
5483
5484
<para>
5485
When both of these options are set to <userinput>yes</userinput>
5486
(the default) and a
5487
query is being answered from authoritative data (a zone
5488
configured into the server), the additional data section of
5489
the
5490
reply will be filled in using data from other authoritative
5491
zones
5492
and from the cache. In some situations this is undesirable,
5493
such
5494
as when there is concern over the correctness of the cache,
5495
or
5496
in servers where slave zones may be added and modified by
5497
untrusted third parties. Also, avoiding
5498
the search for this additional data will speed up server
5499
operations
5500
at the possible expense of additional queries to resolve
5501
what would
5502
otherwise be provided in the additional section.
5503
</para>
5504
5505
<para>
5506
For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5507
and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5508
records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5509
if known, even though they are not in the example.com zone.
5510
Setting these options to <command>no</command>
5511
disables this behavior and makes
5512
the server only search for additional data in the zone it
5513
answers from.
5514
</para>
5515
5516
<para>
5517
These options are intended for use in authoritative-only
5518
servers, or in authoritative-only views. Attempts to set
5519
them to <command>no</command> without also
5520
specifying
5521
<command>recursion no</command> will cause the
5522
server to
5523
ignore the options and log a warning message.
5524
</para>
5525
5526
<para>
5527
Specifying <command>additional-from-cache no</command> actually
5528
disables the use of the cache not only for additional data
5529
lookups
5530
but also when looking up the answer. This is usually the
5531
desired
5532
behavior in an authoritative-only server where the
5533
correctness of
5534
the cached data is an issue.
5535
</para>
5536
5537
<para>
5538
When a name server is non-recursively queried for a name
5539
that is not
5540
below the apex of any served zone, it normally answers with
5541
an
5542
"upwards referral" to the root servers or the servers of
5543
some other
5544
known parent of the query name. Since the data in an
5545
upwards referral
5546
comes from the cache, the server will not be able to provide
5547
upwards
5548
referrals when <command>additional-from-cache no</command>
5549
has been specified. Instead, it will respond to such
5550
queries
5551
with REFUSED. This should not cause any problems since
5552
upwards referrals are not required for the resolution
5553
process.
5554
</para>
5555
5556
</listitem>
5557
</varlistentry>
5558
5559
<varlistentry>
5560
<term><command>match-mapped-addresses</command></term>
5561
<listitem>
5562
<para>
5563
If <userinput>yes</userinput>, then an
5564
IPv4-mapped IPv6 address will match any address match
5565
list entries that match the corresponding IPv4 address.
5566
Enabling this option is sometimes useful on IPv6-enabled
5567
Linux
5568
systems, to work around a kernel quirk that causes IPv4
5569
TCP connections such as zone transfers to be accepted
5570
on an IPv6 socket using mapped addresses, causing
5571
address match lists designed for IPv4 to fail to match.
5572
The use of this option for any other purpose is discouraged.
5573
</para>
5574
</listitem>
5575
</varlistentry>
5576
5577
<varlistentry>
5578
<term><command>ixfr-from-differences</command></term>
5579
<listitem>
5580
<para>
5581
When <userinput>yes</userinput> and the server loads a new version of a master
5582
zone from its zone file or receives a new version of a slave
5583
file by a non-incremental zone transfer, it will compare
5584
the new version to the previous one and calculate a set
5585
of differences. The differences are then logged in the
5586
zone's journal file such that the changes can be transmitted
5587
to downstream slaves as an incremental zone transfer.
5588
</para>
5589
<para>
5590
By allowing incremental zone transfers to be used for
5591
non-dynamic zones, this option saves bandwidth at the
5592
expense of increased CPU and memory consumption at the
5593
master.
5594
In particular, if the new version of a zone is completely
5595
different from the previous one, the set of differences
5596
will be of a size comparable to the combined size of the
5597
old and new zone version, and the server will need to
5598
temporarily allocate memory to hold this complete
5599
difference set.
5600
</para>
5601
<para><command>ixfr-from-differences</command>
5602
also accepts <command>master</command> and
5603
<command>slave</command> at the view and options
5604
levels which causes
5605
<command>ixfr-from-differences</command> to apply to
5606
all <command>master</command> or
5607
<command>slave</command> zones respectively.
5608
</para>
5609
</listitem>
5610
</varlistentry>
5611
5612
<varlistentry>
5613
<term><command>multi-master</command></term>
5614
<listitem>
5615
<para>
5616
This should be set when you have multiple masters for a zone
5617
and the
5618
addresses refer to different machines. If <userinput>yes</userinput>, named will
5619
not log
5620
when the serial number on the master is less than what named
5621
currently
5622
has. The default is <userinput>no</userinput>.
5623
</para>
5624
</listitem>
5625
</varlistentry>
5626
5627
<varlistentry>
5628
<term><command>dnssec-enable</command></term>
5629
<listitem>
5630
<para>
5631
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
5632
named behaves as if it does not support DNSSEC.
5633
The default is <userinput>yes</userinput>.
5634
</para>
5635
</listitem>
5636
</varlistentry>
5637
5638
<varlistentry>
5639
<term><command>dnssec-validation</command></term>
5640
<listitem>
5641
<para>
5642
Enable DNSSEC validation in named.
5643
Note <command>dnssec-enable</command> also needs to be
5644
set to <userinput>yes</userinput> to be effective.
5645
The default is <userinput>yes</userinput>.
5646
</para>
5647
</listitem>
5648
</varlistentry>
5649
5650
<varlistentry>
5651
<term><command>dnssec-accept-expired</command></term>
5652
<listitem>
5653
<para>
5654
Accept expired signatures when verifying DNSSEC signatures.
5655
The default is <userinput>no</userinput>.
5656
Setting this option to "yes" leaves named vulnerable to replay attacks.
5657
</para>
5658
</listitem>
5659
</varlistentry>
5660
5661
<varlistentry>
5662
<term><command>querylog</command></term>
5663
<listitem>
5664
<para>
5665
Specify whether query logging should be started when named
5666
starts.
5667
If <command>querylog</command> is not specified,
5668
then the query logging
5669
is determined by the presence of the logging category <command>queries</command>.
5670
</para>
5671
</listitem>
5672
</varlistentry>
5673
5674
<varlistentry>
5675
<term><command>check-names</command></term>
5676
<listitem>
5677
<para>
5678
This option is used to restrict the character set and syntax
5679
of
5680
certain domain names in master files and/or DNS responses
5681
received
5682
from the network. The default varies according to usage
5683
area. For
5684
<command>master</command> zones the default is <command>fail</command>.
5685
For <command>slave</command> zones the default
5686
is <command>warn</command>.
5687
For answers received from the network (<command>response</command>)
5688
the default is <command>ignore</command>.
5689
</para>
5690
<para>
5691
The rules for legal hostnames and mail domains are derived
5692
from RFC 952 and RFC 821 as modified by RFC 1123.
5693
</para>
5694
<para><command>check-names</command>
5695
applies to the owner names of A, AAAA and MX records.
5696
It also applies to the domain names in the RDATA of NS, SOA
5697
and MX records.
5698
It also applies to the RDATA of PTR records where the owner
5699
name indicated that it is a reverse lookup of a hostname
5700
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
5701
</para>
5702
</listitem>
5703
</varlistentry>
5704
5705
<varlistentry>
5706
<term><command>check-mx</command></term>
5707
<listitem>
5708
<para>
5709
Check whether the MX record appears to refer to a IP address.
5710
The default is to <command>warn</command>. Other possible
5711
values are <command>fail</command> and
5712
<command>ignore</command>.
5713
</para>
5714
</listitem>
5715
</varlistentry>
5716
5717
<varlistentry>
5718
<term><command>check-wildcard</command></term>
5719
<listitem>
5720
<para>
5721
This option is used to check for non-terminal wildcards.
5722
The use of non-terminal wildcards is almost always as a
5723
result of a failure
5724
to understand the wildcard matching algorithm (RFC 1034).
5725
This option
5726
affects master zones. The default (<command>yes</command>) is to check
5727
for non-terminal wildcards and issue a warning.
5728
</para>
5729
</listitem>
5730
</varlistentry>
5731
5732
<varlistentry>
5733
<term><command>check-integrity</command></term>
5734
<listitem>
5735
<para>
5736
Perform post load zone integrity checks on master
5737
zones. This checks that MX and SRV records refer
5738
to address (A or AAAA) records and that glue
5739
address records exist for delegated zones. For
5740
MX and SRV records only in-zone hostnames are
5741
checked (for out-of-zone hostnames use named-checkzone).
5742
For NS records only names below top of zone are
5743
checked (for out-of-zone names and glue consistency
5744
checks use named-checkzone). The default is
5745
<command>yes</command>.
5746
</para>
5747
</listitem>
5748
</varlistentry>
5749
5750
<varlistentry>
5751
<term><command>check-mx-cname</command></term>
5752
<listitem>
5753
<para>
5754
If <command>check-integrity</command> is set then
5755
fail, warn or ignore MX records that refer
5756
to CNAMES. The default is to <command>warn</command>.
5757
</para>
5758
</listitem>
5759
</varlistentry>
5760
5761
<varlistentry>
5762
<term><command>check-srv-cname</command></term>
5763
<listitem>
5764
<para>
5765
If <command>check-integrity</command> is set then
5766
fail, warn or ignore SRV records that refer
5767
to CNAMES. The default is to <command>warn</command>.
5768
</para>
5769
</listitem>
5770
</varlistentry>
5771
5772
<varlistentry>
5773
<term><command>check-sibling</command></term>
5774
<listitem>
5775
<para>
5776
When performing integrity checks, also check that
5777
sibling glue exists. The default is <command>yes</command>.
5778
</para>
5779
</listitem>
5780
</varlistentry>
5781
5782
<varlistentry>
5783
<term><command>zero-no-soa-ttl</command></term>
5784
<listitem>
5785
<para>
5786
When returning authoritative negative responses to
5787
SOA queries set the TTL of the SOA recored returned in
5788
the authority section to zero.
5789
The default is <command>yes</command>.
5790
</para>
5791
</listitem>
5792
</varlistentry>
5793
5794
<varlistentry>
5795
<term><command>zero-no-soa-ttl-cache</command></term>
5796
<listitem>
5797
<para>
5798
When caching a negative response to a SOA query
5799
set the TTL to zero.
5800
The default is <command>no</command>.
5801
</para>
5802
</listitem>
5803
</varlistentry>
5804
5805
<varlistentry>
5806
<term><command>update-check-ksk</command></term>
5807
<listitem>
5808
<para>
5809
When regenerating the RRSIGs following a UPDATE
5810
request to a secure zone, check the KSK flag on
5811
the DNSKEY RR to determine if this key should be
5812
used to generate the RRSIG. This flag is ignored
5813
if there are not DNSKEY RRs both with and without
5814
a KSK.
5815
The default is <command>yes</command>.
5816
</para>
5817
</listitem>
5818
</varlistentry>
5819
5820
<varlistentry>
5821
<term><command>try-tcp-refresh</command></term>
5822
<listitem>
5823
<para>
5824
Try to refresh the zone using TCP if UDP queries fail.
5825
For BIND 8 compatibility, the default is
5826
<command>yes</command>.
5827
</para>
5828
</listitem>
5829
</varlistentry>
5830
5831
</variablelist>
5832
5833
</sect3>
5834
5835
<sect3>
5836
<title>Forwarding</title>
5837
<para>
5838
The forwarding facility can be used to create a large site-wide
5839
cache on a few servers, reducing traffic over links to external
5840
name servers. It can also be used to allow queries by servers that
5841
do not have direct access to the Internet, but wish to look up
5842
exterior
5843
names anyway. Forwarding occurs only on those queries for which
5844
the server is not authoritative and does not have the answer in
5845
its cache.
5846
</para>
5847
5848
<variablelist>
5849
<varlistentry>
5850
<term><command>forward</command></term>
5851
<listitem>
5852
<para>
5853
This option is only meaningful if the
5854
forwarders list is not empty. A value of <varname>first</varname>,
5855
the default, causes the server to query the forwarders
5856
first — and
5857
if that doesn't answer the question, the server will then
5858
look for
5859
the answer itself. If <varname>only</varname> is
5860
specified, the
5861
server will only query the forwarders.
5862
</para>
5863
</listitem>
5864
</varlistentry>
5865
5866
<varlistentry>
5867
<term><command>forwarders</command></term>
5868
<listitem>
5869
<para>
5870
Specifies the IP addresses to be used
5871
for forwarding. The default is the empty list (no
5872
forwarding).
5873
</para>
5874
</listitem>
5875
</varlistentry>
5876
5877
</variablelist>
5878
5879
<para>
5880
Forwarding can also be configured on a per-domain basis, allowing
5881
for the global forwarding options to be overridden in a variety
5882
of ways. You can set particular domains to use different
5883
forwarders,
5884
or have a different <command>forward only/first</command> behavior,
5885
or not forward at all, see <xref linkend="zone_statement_grammar"/>.
5886
</para>
5887
</sect3>
5888
5889
<sect3>
5890
<title>Dual-stack Servers</title>
5891
<para>
5892
Dual-stack servers are used as servers of last resort to work
5893
around
5894
problems in reachability due the lack of support for either IPv4
5895
or IPv6
5896
on the host machine.
5897
</para>
5898
5899
<variablelist>
5900
<varlistentry>
5901
<term><command>dual-stack-servers</command></term>
5902
<listitem>
5903
<para>
5904
Specifies host names or addresses of machines with access to
5905
both IPv4 and IPv6 transports. If a hostname is used, the
5906
server must be able
5907
to resolve the name using only the transport it has. If the
5908
machine is dual
5909
stacked, then the <command>dual-stack-servers</command> have no effect unless
5910
access to a transport has been disabled on the command line
5911
(e.g. <command>named -4</command>).
5912
</para>
5913
</listitem>
5914
</varlistentry>
5915
</variablelist>
5916
</sect3>
5917
5918
<sect3 id="access_control">
5919
<title>Access Control</title>
5920
5921
<para>
5922
Access to the server can be restricted based on the IP address
5923
of the requesting system. See <xref linkend="address_match_lists"/> for
5924
details on how to specify IP address lists.
5925
</para>
5926
5927
<variablelist>
5928
5929
<varlistentry>
5930
<term><command>allow-notify</command></term>
5931
<listitem>
5932
<para>
5933
Specifies which hosts are allowed to
5934
notify this server, a slave, of zone changes in addition
5935
to the zone masters.
5936
<command>allow-notify</command> may also be
5937
specified in the
5938
<command>zone</command> statement, in which case
5939
it overrides the
5940
<command>options allow-notify</command>
5941
statement. It is only meaningful
5942
for a slave zone. If not specified, the default is to
5943
process notify messages
5944
only from a zone's master.
5945
</para>
5946
</listitem>
5947
</varlistentry>
5948
5949
<varlistentry>
5950
<term><command>allow-query</command></term>
5951
<listitem>
5952
<para>
5953
Specifies which hosts are allowed to ask ordinary
5954
DNS questions. <command>allow-query</command> may
5955
also be specified in the <command>zone</command>
5956
statement, in which case it overrides the
5957
<command>options allow-query</command> statement.
5958
If not specified, the default is to allow queries
5959
from all hosts.
5960
</para>
5961
<note>
5962
<para>
5963
<command>allow-query-cache</command> is now
5964
used to specify access to the cache.
5965
</para>
5966
</note>
5967
</listitem>
5968
</varlistentry>
5969
5970
<varlistentry>
5971
<term><command>allow-query-on</command></term>
5972
<listitem>
5973
<para>
5974
Specifies which local addresses can accept ordinary
5975
DNS questions. This makes it possible, for instance,
5976
to allow queries on internal-facing interfaces but
5977
disallow them on external-facing ones, without
5978
necessarily knowing the internal network's addresses.
5979
</para>
5980
<para>
5981
<command>allow-query-on</command> may
5982
also be specified in the <command>zone</command>
5983
statement, in which case it overrides the
5984
<command>options allow-query-on</command> statement.
5985
</para>
5986
<para>
5987
If not specified, the default is to allow queries
5988
on all addresses.
5989
</para>
5990
<note>
5991
<para>
5992
<command>allow-query-cache</command> is
5993
used to specify access to the cache.
5994
</para>
5995
</note>
5996
</listitem>
5997
</varlistentry>
5998
5999
<varlistentry>
6000
<term><command>allow-query-cache</command></term>
6001
<listitem>
6002
<para>
6003
Specifies which hosts are allowed to get answers
6004
from the cache. If <command>allow-query-cache</command>
6005
is not set then <command>allow-recursion</command>
6006
is used if set, otherwise <command>allow-query</command>
6007
is used if set, otherwise the default
6008
(<command>localnets;</command>
6009
<command>localhost;</command>) is used.
6010
</para>
6011
</listitem>
6012
</varlistentry>
6013
6014
<varlistentry>
6015
<term><command>allow-query-cache-on</command></term>
6016
<listitem>
6017
<para>
6018
Specifies which local addresses can give answers
6019
from the cache. If not specified, the default is
6020
to allow cache queries on any address,
6021
<command>localnets</command> and
6022
<command>localhost</command>.
6023
</para>
6024
</listitem>
6025
</varlistentry>
6026
6027
<varlistentry>
6028
<term><command>allow-recursion</command></term>
6029
<listitem>
6030
<para>
6031
Specifies which hosts are allowed to make recursive
6032
queries through this server. If
6033
<command>allow-recursion</command> is not set
6034
then <command>allow-query-cache</command> is
6035
used if set, otherwise <command>allow-query</command>
6036
is used if set, otherwise the default
6037
(<command>localnets;</command>
6038
<command>localhost;</command>) is used.
6039
</para>
6040
</listitem>
6041
</varlistentry>
6042
6043
<varlistentry>
6044
<term><command>allow-recursion-on</command></term>
6045
<listitem>
6046
<para>
6047
Specifies which local addresses can accept recursive
6048
queries. If not specified, the default is to allow
6049
recursive queries on all addresses.
6050
</para>
6051
</listitem>
6052
</varlistentry>
6053
6054
<varlistentry>
6055
<term><command>allow-update</command></term>
6056
<listitem>
6057
<para>
6058
Specifies which hosts are allowed to
6059
submit Dynamic DNS updates for master zones. The default is
6060
to deny
6061
updates from all hosts. Note that allowing updates based
6062
on the requestor's IP address is insecure; see
6063
<xref linkend="dynamic_update_security"/> for details.
6064
</para>
6065
</listitem>
6066
</varlistentry>
6067
6068
<varlistentry>
6069
<term><command>allow-update-forwarding</command></term>
6070
<listitem>
6071
<para>
6072
Specifies which hosts are allowed to
6073
submit Dynamic DNS updates to slave zones to be forwarded to
6074
the
6075
master. The default is <userinput>{ none; }</userinput>,
6076
which
6077
means that no update forwarding will be performed. To
6078
enable
6079
update forwarding, specify
6080
<userinput>allow-update-forwarding { any; };</userinput>.
6081
Specifying values other than <userinput>{ none; }</userinput> or
6082
<userinput>{ any; }</userinput> is usually
6083
counterproductive, since
6084
the responsibility for update access control should rest
6085
with the
6086
master server, not the slaves.
6087
</para>
6088
<para>
6089
Note that enabling the update forwarding feature on a slave
6090
server
6091
may expose master servers relying on insecure IP address
6092
based
6093
access control to attacks; see <xref linkend="dynamic_update_security"/>
6094
for more details.
6095
</para>
6096
</listitem>
6097
</varlistentry>
6098
6099
<varlistentry>
6100
<term><command>allow-v6-synthesis</command></term>
6101
<listitem>
6102
<para>
6103
This option was introduced for the smooth transition from
6104
AAAA
6105
to A6 and from "nibble labels" to binary labels.
6106
However, since both A6 and binary labels were then
6107
deprecated,
6108
this option was also deprecated.
6109
It is now ignored with some warning messages.
6110
</para>
6111
</listitem>
6112
</varlistentry>
6113
6114
<varlistentry>
6115
<term><command>allow-transfer</command></term>
6116
<listitem>
6117
<para>
6118
Specifies which hosts are allowed to
6119
receive zone transfers from the server. <command>allow-transfer</command> may
6120
also be specified in the <command>zone</command>
6121
statement, in which
6122
case it overrides the <command>options allow-transfer</command> statement.
6123
If not specified, the default is to allow transfers to all
6124
hosts.
6125
</para>
6126
</listitem>
6127
</varlistentry>
6128
6129
<varlistentry>
6130
<term><command>blackhole</command></term>
6131
<listitem>
6132
<para>
6133
Specifies a list of addresses that the
6134
server will not accept queries from or use to resolve a
6135
query. Queries
6136
from these addresses will not be responded to. The default
6137
is <userinput>none</userinput>.
6138
</para>
6139
</listitem>
6140
</varlistentry>
6141
6142
</variablelist>
6143
6144
</sect3>
6145
6146
<sect3>
6147
<title>Interfaces</title>
6148
<para>
6149
The interfaces and ports that the server will answer queries
6150
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
6151
an optional port, and an <varname>address_match_list</varname>.
6152
The server will listen on all interfaces allowed by the address
6153
match list. If a port is not specified, port 53 will be used.
6154
</para>
6155
<para>
6156
Multiple <command>listen-on</command> statements are
6157
allowed.
6158
For example,
6159
</para>
3550
6160
3551
6161
<programlisting>listen-on { 5.6.7.8; };
3552
6162
listen-on port 1234 { !1.2.3.4; 1.2/16; };
3553
6163
</programlisting>
3554
6164
3555
<para>will enable the name server on port 53 for the IP address
3556
5.6.7.8, and on port 1234 of an address on the machine in net
3557
1.2 that is not 1.2.3.4.</para>
3558
3559
<para>If no <command>listen-on</command> is specified, the
3560
server will listen on port 53 on all interfaces.</para>
3561
3562
<para>The <command>listen-on-v6</command> option is used to
3563
specify the interfaces and the ports on which the server will listen
3564
for incoming queries sent using IPv6.</para>
3565
3566
<para>When <programlisting>{ any; }</programlisting> is specified
3567
as the <varname>address_match_list</varname> for the
3568
<command>listen-on-v6</command> option,
3569
the server does not bind a separate socket to each IPv6 interface
3570
address as it does for IPv4 if the operating system has enough API
3571
support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
3572
Instead, it listens on the IPv6 wildcard address.
3573
If the system only has incomplete API support for IPv6, however,
3574
the behavior is the same as that for IPv4.</para>
3575
3576
<para>A list of particular IPv6 addresses can also be specified, in which case
3577
the server listens on a separate socket for each specified address,
3578
regardless of whether the desired API is supported by the system.</para>
3579
3580
<para>Multiple <command>listen-on-v6</command> options can be used.
3581
For example,</para>
6165
<para>
6166
will enable the name server on port 53 for the IP address
6167
5.6.7.8, and on port 1234 of an address on the machine in net
6168
1.2 that is not 1.2.3.4.
6169
</para>
6170
6171
<para>
6172
If no <command>listen-on</command> is specified, the
6173
server will listen on port 53 on all interfaces.
6174
</para>
6175
6176
<para>
6177
The <command>listen-on-v6</command> option is used to
6178
specify the interfaces and the ports on which the server will
6179
listen
6180
for incoming queries sent using IPv6.
6181
</para>
6182
6183
<para>
6184
When <programlisting>{ any; }</programlisting> is
6185
specified
6186
as the <varname>address_match_list</varname> for the
6187
<command>listen-on-v6</command> option,
6188
the server does not bind a separate socket to each IPv6 interface
6189
address as it does for IPv4 if the operating system has enough API
6190
support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6191
3542).
6192
Instead, it listens on the IPv6 wildcard address.
6193
If the system only has incomplete API support for IPv6, however,
6194
the behavior is the same as that for IPv4.
6195
</para>
6196
6197
<para>
6198
A list of particular IPv6 addresses can also be specified, in
6199
which case
6200
the server listens on a separate socket for each specified
6201
address,
6202
regardless of whether the desired API is supported by the system.
6203
</para>
6204
6205
<para>
6206
Multiple <command>listen-on-v6</command> options can
6207
be used.
6208
For example,
6209
</para>
3582
6210
3583
6211
<programlisting>listen-on-v6 { any; };
3584
6212
listen-on-v6 port 1234 { !2001:db8::/32; any; };
3585
6213
</programlisting>
3586
6214
3587
<para>will enable the name server on port 53 for any IPv6 addresses
3588
(with a single wildcard socket),
3589
and on port 1234 of IPv6 addresses that is not in the prefix
3590
2001:db8::/32 (with separate sockets for each matched address.)</para>
3591
3592
<para>To make the server not listen on any IPv6 address, use</para>
6215
<para>
6216
will enable the name server on port 53 for any IPv6 addresses
6217
(with a single wildcard socket),
6218
and on port 1234 of IPv6 addresses that is not in the prefix
6219
2001:db8::/32 (with separate sockets for each matched address.)
6220
</para>
6221
6222
<para>
6223
To make the server not listen on any IPv6 address, use
6224
</para>
6225
3593
6226
<programlisting>listen-on-v6 { none; };
3594
6227
</programlisting>
3595
<para>If no <command>listen-on-v6</command> option is specified,
3596
the server will not listen on any IPv6 address.</para></sect3>
3597
3598
<sect3><title>Query Address</title>
3599
<para>If the server doesn't know the answer to a question, it will
3600
query other name servers. <command>query-source</command> specifies
3601
the address and port used for such queries. For queries sent over
3602
IPv6, there is a separate <command>query-source-v6</command> option.
3603
If <command>address</command> is <command>*</command> or is omitted,
3604
a wildcard IP address (<command>INADDR_ANY</command>) will be used.
3605
If <command>port</command> is <command>*</command> or is omitted,
3606
a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
3607
and <command>avoid-v6-udp-ports</command> can be used to prevent named
3608
from selecting certain ports. The defaults are</para>
6228
6229
<para>
6230
If no <command>listen-on-v6</command> option is
6231
specified,
6232
the server will not listen on any IPv6 address.
6233
</para>
6234
</sect3>
6235
6236
<sect3 id="query_address">
6237
<title>Query Address</title>
6238
<para>
6239
If the server doesn't know the answer to a question, it will
6240
query other name servers. <command>query-source</command> specifies
6241
the address and port used for such queries. For queries sent over
6242
IPv6, there is a separate <command>query-source-v6</command> option.
6243
If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6244
a wildcard IP address (<command>INADDR_ANY</command>)
6245
will be used.
6246
If <command>port</command> is <command>*</command> or is omitted,
6247
a random unprivileged port number is picked up and will be
6248
used for each query.
6249
Previously, the <command>use-queryport-pool</command> was provided
6250
to support a pool of such random ports, but this option is now
6251
obsolete because reusing the same ports in the pool is not
6252
sufficiently secure.
6253
For the same reason, it is generally strongly discouraged to
6254
specify a particular port for the
6255
<command>query-source</command> or
6256
<command>query-source-v6</command> options;
6257
it implicitly disables the use of randomized port numbers.
6258
The <command>avoid-v4-udp-ports</command>
6259
and <command>avoid-v6-udp-ports</command> options can be used
6260
to prevent named
6261
from selecting certain ports.
6262
The defaults are:
6263
</para>
6264
3609
6265
<programlisting>query-source address * port *;
3610
6266
query-source-v6 address * port *;
3611
6267
</programlisting>
3612
<note>
3613
<para>The address specified in the <command>query-source</command> option
3614
is used for both UDP and TCP queries, but the port applies only to
3615
UDP queries. TCP queries always use a random
3616
unprivileged port.</para></note>
3617
<note>
3618
<para>See also <command>transfer-source</command> and
3619
<command>notify-source</command>.</para></note>
3620
</sect3>
3621
3622
<sect3 id="zone_transfers"><title>Zone Transfers</title>
3623
<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
3624
and set limits on the amount of load that transfers place on the
3625
system. The following options apply to zone transfers.</para>
3626
3627
<variablelist>
3628
3629
<varlistentry><term><command>also-notify</command></term>
3630
<listitem><para>Defines a global list of IP addresses of name servers
3631
that are also sent NOTIFY messages whenever a fresh copy of the
3632
zone is loaded, in addition to the servers listed in the zone's NS records.
3633
This helps to ensure that copies of the zones will
3634
quickly converge on stealth servers. If an <command>also-notify</command> list
3635
is given in a <command>zone</command> statement, it will override
3636
the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
3637
is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
3638
not be sent NOTIFY messages for that zone. The default is the empty
3639
list (no global notification list).</para>
3640
</listitem></varlistentry>
3641
3642
<varlistentry><term><command>max-transfer-time-in</command></term>
3643
<listitem><para>Inbound zone transfers running longer than
3644
this many minutes will be terminated. The default is 120 minutes
3645
(2 hours). The maximum value is 28 days (40320 minutes).</para>
3646
</listitem></varlistentry>
3647
3648
<varlistentry><term><command>max-transfer-idle-in</command></term>
3649
<listitem><para>Inbound zone transfers making no progress
3650
in this many minutes will be terminated. The default is 60 minutes
3651
(1 hour). The maximum value is 28 days (40320 minutes).</para>
3652
</listitem></varlistentry>
3653
3654
<varlistentry><term><command>max-transfer-time-out</command></term>
3655
<listitem><para>Outbound zone transfers running longer than
3656
this many minutes will be terminated. The default is 120 minutes
3657
(2 hours). The maximum value is 28 days (40320 minutes).</para>
3658
</listitem></varlistentry>
3659
3660
<varlistentry><term><command>max-transfer-idle-out</command></term>
3661
<listitem><para>Outbound zone transfers making no progress
3662
in this many minutes will be terminated. The default is 60 minutes (1
3663
hour). The maximum value is 28 days (40320 minutes).</para>
3664
</listitem></varlistentry>
3665
3666
<varlistentry><term><command>serial-query-rate</command></term>
3667
<listitem><para>Slave servers will periodically query master servers
3668
to find out if zone serial numbers have changed. Each such query uses
3669
a minute amount of the slave server's network bandwidth. To limit the
3670
amount of bandwidth used, BIND 9 limits the rate at which queries are
3671
sent. The value of the <command>serial-query-rate</command> option,
3672
an integer, is the maximum number of queries sent per second.
3673
The default is 20.
3674
</para>
3675
</listitem></varlistentry>
3676
3677
<varlistentry><term><command>serial-queries</command></term>
3678
<listitem><para>In BIND 8, the <command>serial-queries</command> option
3679
set the maximum number of concurrent serial number queries
3680
allowed to be outstanding at any given time.
3681
BIND 9 does not limit the number of outstanding
3682
serial queries and ignores the <command>serial-queries</command> option.
3683
Instead, it limits the rate at which the queries are sent
3684
as defined using the <command>serial-query-rate</command> option.
3685
</para>
3686
</listitem></varlistentry>
3687
3688
<varlistentry><term><command>transfer-format</command></term>
3689
<listitem>
3690
3691
<para>
3692
Zone transfers can be sent using two different formats,
3693
<command>one-answer</command> and <command>many-answers</command>.
3694
The <command>transfer-format</command> option is used
3695
on the master server to determine which format it sends.
3696
<command>one-answer</command> uses one DNS message per
3697
resource record transferred.
3698
<command>many-answers</command> packs as many resource records as
3699
possible into a message. <command>many-answers</command> is more
3700
efficient, but is only supported by relatively new slave servers,
3701
such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
3702
versions of <acronym>BIND</acronym> 4.9.5. The default is
3703
<command>many-answers</command>. <command>transfer-format</command>
3704
may be overridden on a per-server basis by using the
3705
<command>server</command> statement.
3706
</para>
3707
3708
</listitem></varlistentry>
3709
3710
<varlistentry><term><command>transfers-in</command></term>
3711
<listitem><para>The maximum number of inbound zone transfers
3712
that can be running concurrently. The default value is <literal>10</literal>.
3713
Increasing <command>transfers-in</command> may speed up the convergence
3714
of slave zones, but it also may increase the load on the local system.</para>
3715
</listitem></varlistentry>
3716
3717
<varlistentry><term><command>transfers-out</command></term>
3718
<listitem><para>The maximum number of outbound zone transfers
3719
that can be running concurrently. Zone transfer requests in excess
3720
of the limit will be refused. The default value is <literal>10</literal>.</para>
3721
</listitem></varlistentry>
3722
3723
<varlistentry><term><command>transfers-per-ns</command></term>
3724
<listitem><para>The maximum number of inbound zone transfers
3725
that can be concurrently transferring from a given remote name server.
3726
The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
3727
speed up the convergence of slave zones, but it also may increase
3728
the load on the remote name server. <command>transfers-per-ns</command> may
3729
be overridden on a per-server basis by using the <command>transfers</command> phrase
3730
of the <command>server</command> statement.</para>
3731
</listitem></varlistentry>
3732
3733
<varlistentry><term><command>transfer-source</command></term>
3734
<listitem><para><command>transfer-source</command> determines
3735
which local address will be bound to IPv4 TCP connections used to
3736
fetch zones transferred inbound by the server. It also determines
3737
the source IPv4 address, and optionally the UDP port, used for the
3738
refresh queries and forwarded dynamic updates. If not set, it defaults
3739
to a system controlled value which will usually be the address of
3740
the interface "closest to" the remote end. This address must appear
3741
in the remote end's <command>allow-transfer</command> option for
3742
the zone being transferred, if one is specified. This statement
3743
sets the <command>transfer-source</command> for all zones, but can
3744
be overridden on a per-view or per-zone basis by including a
3745
<command>transfer-source</command> statement within the
3746
<command>view</command> or <command>zone</command> block
3747
in the configuration file.</para>
3748
</listitem></varlistentry>
3749
3750
<varlistentry><term><command>transfer-source-v6</command></term>
3751
<listitem><para>The same as <command>transfer-source</command>,
3752
except zone transfers are performed using IPv6.</para>
3753
</listitem></varlistentry>
3754
3755
<varlistentry>
3756
<term><command>alt-transfer-source</command></term>
3757
<listitem>
3758
<para>
3759
An alternate transfer source if the one listed in
3760
<command>transfer-source</command> fails and
3761
<command>use-alt-transfer-source</command> is
3762
set.
3763
</para>
6268
6269
<variablelist>
6270
<varlistentry>
6271
<term><command>use-queryport-pool</command></term>
6272
<listitem>
6273
<para>
6274
This option is obsolete.
6275
</para>
6276
</listitem>
6277
</varlistentry>
6278
6279
<varlistentry>
6280
<term><command>queryport-pool-ports</command></term>
6281
<listitem>
6282
<para>
6283
This option is obsolete.
6284
</para>
6285
</listitem>
6286
</varlistentry>
6287
6288
<varlistentry>
6289
<term><command>queryport-pool-updateinterval</command></term>
6290
<listitem>
6291
<para>
6292
This option is obsolete.
6293
</para>
6294
</listitem>
6295
</varlistentry>
6296
6297
</variablelist>
6298
<note>
6299
<para>
6300
The address specified in the <command>query-source</command> option
6301
is used for both UDP and TCP queries, but the port applies only
6302
to UDP queries. TCP queries always use a random
6303
unprivileged port.
6304
</para>
6305
</note>
6306
<note>
6307
<para>
6308
Solaris 2.5.1 and earlier does not support setting the source
6309
address for TCP sockets.
6310
</para>
6311
</note>
6312
<note>
6313
<para>
6314
See also <command>transfer-source</command> and
6315
<command>notify-source</command>.
6316
</para>
6317
</note>
6318
</sect3>
6319
6320
<sect3 id="zone_transfers">
6321
<title>Zone Transfers</title>
6322
<para>
6323
<acronym>BIND</acronym> has mechanisms in place to
6324
facilitate zone transfers
6325
and set limits on the amount of load that transfers place on the
6326
system. The following options apply to zone transfers.
6327
</para>
6328
6329
<variablelist>
6330
6331
<varlistentry>
6332
<term><command>also-notify</command></term>
6333
<listitem>
6334
<para>
6335
Defines a global list of IP addresses of name servers
6336
that are also sent NOTIFY messages whenever a fresh copy of
6337
the
6338
zone is loaded, in addition to the servers listed in the
6339
zone's NS records.
6340
This helps to ensure that copies of the zones will
6341
quickly converge on stealth servers. If an <command>also-notify</command> list
6342
is given in a <command>zone</command> statement,
6343
it will override
6344
the <command>options also-notify</command>
6345
statement. When a <command>zone notify</command>
6346
statement
6347
is set to <command>no</command>, the IP
6348
addresses in the global <command>also-notify</command> list will
6349
not be sent NOTIFY messages for that zone. The default is
6350
the empty
6351
list (no global notification list).
6352
</para>
6353
</listitem>
6354
</varlistentry>
6355
6356
<varlistentry>
6357
<term><command>max-transfer-time-in</command></term>
6358
<listitem>
6359
<para>
6360
Inbound zone transfers running longer than
6361
this many minutes will be terminated. The default is 120
6362
minutes
6363
(2 hours). The maximum value is 28 days (40320 minutes).
6364
</para>
6365
</listitem>
6366
</varlistentry>
6367
6368
<varlistentry>
6369
<term><command>max-transfer-idle-in</command></term>
6370
<listitem>
6371
<para>
6372
Inbound zone transfers making no progress
6373
in this many minutes will be terminated. The default is 60
6374
minutes
6375
(1 hour). The maximum value is 28 days (40320 minutes).
6376
</para>
6377
</listitem>
6378
</varlistentry>
6379
6380
<varlistentry>
6381
<term><command>max-transfer-time-out</command></term>
6382
<listitem>
6383
<para>
6384
Outbound zone transfers running longer than
6385
this many minutes will be terminated. The default is 120
6386
minutes
6387
(2 hours). The maximum value is 28 days (40320 minutes).
6388
</para>
6389
</listitem>
6390
</varlistentry>
6391
6392
<varlistentry>
6393
<term><command>max-transfer-idle-out</command></term>
6394
<listitem>
6395
<para>
6396
Outbound zone transfers making no progress
6397
in this many minutes will be terminated. The default is 60
6398
minutes (1
6399
hour). The maximum value is 28 days (40320 minutes).
6400
</para>
6401
</listitem>
6402
</varlistentry>
6403
6404
<varlistentry>
6405
<term><command>serial-query-rate</command></term>
6406
<listitem>
6407
<para>
6408
Slave servers will periodically query master servers
6409
to find out if zone serial numbers have changed. Each such
6410
query uses
6411
a minute amount of the slave server's network bandwidth. To
6412
limit the
6413
amount of bandwidth used, BIND 9 limits the rate at which
6414
queries are
6415
sent. The value of the <command>serial-query-rate</command> option,
6416
an integer, is the maximum number of queries sent per
6417
second.
6418
The default is 20.
6419
</para>
6420
</listitem>
6421
</varlistentry>
6422
6423
<varlistentry>
6424
<term><command>serial-queries</command></term>
6425
<listitem>
6426
<para>
6427
In BIND 8, the <command>serial-queries</command>
6428
option
6429
set the maximum number of concurrent serial number queries
6430
allowed to be outstanding at any given time.
6431
BIND 9 does not limit the number of outstanding
6432
serial queries and ignores the <command>serial-queries</command> option.
6433
Instead, it limits the rate at which the queries are sent
6434
as defined using the <command>serial-query-rate</command> option.
6435
</para>
6436
</listitem>
6437
</varlistentry>
6438
6439
<varlistentry>
6440
<term><command>transfer-format</command></term>
6441
<listitem>
6442
6443
<para>
6444
Zone transfers can be sent using two different formats,
6445
<command>one-answer</command> and
6446
<command>many-answers</command>.
6447
The <command>transfer-format</command> option is used
6448
on the master server to determine which format it sends.
6449
<command>one-answer</command> uses one DNS message per
6450
resource record transferred.
6451
<command>many-answers</command> packs as many resource
6452
records as possible into a message.
6453
<command>many-answers</command> is more efficient, but is
6454
only supported by relatively new slave servers,
6455
such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6456
8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6457
The <command>many-answers</command> format is also supported by
6458
recent Microsoft Windows nameservers.
6459
The default is <command>many-answers</command>.
6460
<command>transfer-format</command> may be overridden on a
6461
per-server basis by using the <command>server</command>
6462
statement.
6463
</para>
6464
6465
</listitem>
6466
</varlistentry>
6467
6468
<varlistentry>
6469
<term><command>transfers-in</command></term>
6470
<listitem>
6471
<para>
6472
The maximum number of inbound zone transfers
6473
that can be running concurrently. The default value is <literal>10</literal>.
6474
Increasing <command>transfers-in</command> may
6475
speed up the convergence
6476
of slave zones, but it also may increase the load on the
6477
local system.
6478
</para>
6479
</listitem>
6480
</varlistentry>
6481
6482
<varlistentry>
6483
<term><command>transfers-out</command></term>
6484
<listitem>
6485
<para>
6486
The maximum number of outbound zone transfers
6487
that can be running concurrently. Zone transfer requests in
6488
excess
6489
of the limit will be refused. The default value is <literal>10</literal>.
6490
</para>
6491
</listitem>
6492
</varlistentry>
6493
6494
<varlistentry>
6495
<term><command>transfers-per-ns</command></term>
6496
<listitem>
6497
<para>
6498
The maximum number of inbound zone transfers
6499
that can be concurrently transferring from a given remote
6500
name server.
6501
The default value is <literal>2</literal>.
6502
Increasing <command>transfers-per-ns</command>
6503
may
6504
speed up the convergence of slave zones, but it also may
6505
increase
6506
the load on the remote name server. <command>transfers-per-ns</command> may
6507
be overridden on a per-server basis by using the <command>transfers</command> phrase
6508
of the <command>server</command> statement.
6509
</para>
6510
</listitem>
6511
</varlistentry>
6512
6513
<varlistentry>
6514
<term><command>transfer-source</command></term>
6515
<listitem>
6516
<para><command>transfer-source</command>
6517
determines which local address will be bound to IPv4
6518
TCP connections used to fetch zones transferred
6519
inbound by the server. It also determines the
6520
source IPv4 address, and optionally the UDP port,
6521
used for the refresh queries and forwarded dynamic
6522
updates. If not set, it defaults to a system
6523
controlled value which will usually be the address
6524
of the interface "closest to" the remote end. This
6525
address must appear in the remote end's
6526
<command>allow-transfer</command> option for the
6527
zone being transferred, if one is specified. This
6528
statement sets the
6529
<command>transfer-source</command> for all zones,
6530
but can be overridden on a per-view or per-zone
6531
basis by including a
6532
<command>transfer-source</command> statement within
6533
the <command>view</command> or
6534
<command>zone</command> block in the configuration
6535
file.
6536
</para>
6537
<note>
6538
<para>
6539
Solaris 2.5.1 and earlier does not support setting the
6540
source address for TCP sockets.
6541
</para>
6542
</note>
6543
</listitem>
6544
</varlistentry>
6545
6546
<varlistentry>
6547
<term><command>transfer-source-v6</command></term>
6548
<listitem>
6549
<para>
6550
The same as <command>transfer-source</command>,
6551
except zone transfers are performed using IPv6.
6552
</para>
6553
</listitem>
6554
</varlistentry>
6555
6556
<varlistentry>
6557
<term><command>alt-transfer-source</command></term>
6558
<listitem>
6559
<para>
6560
An alternate transfer source if the one listed in
6561
<command>transfer-source</command> fails and
6562
<command>use-alt-transfer-source</command> is
6563
set.
6564
</para>
3764
6565
<note>
3765
6566
If you do not wish the alternate transfer source
3766
to be used you should set
6567
to be used, you should set
3767
6568
<command>use-alt-transfer-source</command>
3768
6569
appropriately and you should not depend upon
3769
6570
getting a answer back to the first refresh
3770
6571
query.
3771
6572
</note>
3772
6573
</listitem>
3773
</varlistentry>
3774
3775
<varlistentry><term><command>alt-transfer-source-v6</command></term>
3776
<listitem><para>An alternate transfer source if the one listed in
3777
<command>transfer-source-v6</command> fails and
3778
<command>use-alt-transfer-source</command> is set.</para>
3779
</listitem></varlistentry>
3780
3781
<varlistentry><term><command>use-alt-transfer-source</command></term>
3782
<listitem><para>Use the alternate transfer sources or not. If views are
3783
specified this defaults to <command>no</command> otherwise it defaults to
3784
<command>yes</command> (for BIND 8 compatibility).</para>
3785
</listitem></varlistentry>
3786
3787
<varlistentry><term><command>notify-source</command></term>
3788
<listitem><para><command>notify-source</command> determines
3789
which local source address, and optionally UDP port, will be used to
3790
send NOTIFY messages.
3791
This address must appear in the slave server's <command>masters</command>
3792
zone clause or in an <command>allow-notify</command> clause.
3793
This statement sets the <command>notify-source</command> for all zones,
3794
but can be overridden on a per-zone / per-view basis by including a
3795
<command>notify-source</command> statement within the <command>zone</command>
3796
or <command>view</command> block in the configuration file.</para>
3797
</listitem></varlistentry>
3798
3799
<varlistentry><term><command>notify-source-v6</command></term>
3800
<listitem><para>Like <command>notify-source</command>,
3801
but applies to notify messages sent to IPv6 addresses.</para>
3802
</listitem></varlistentry>
3803
3804
</variablelist>
3805
3806
</sect3>
3807
3808
<sect3>
3809
<title>Bad UDP Port Lists</title>
3810
<para>
3811
<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
3812
specify a list of IPv4 and IPv6 UDP ports that will not be used as system
3813
assigned source ports for UDP sockets. These lists prevent named
3814
from choosing as its random source port a port that is blocked by
3815
your firewall. If a query went out with such a source port, the
3816
answer would not get by the firewall and the name server would have
3817
to query again.
3818
</para>
3819
</sect3>
3820
3821
<sect3>
3822
<title>Operating System Resource Limits</title>
3823
3824
<para>The server's usage of many system resources can be limited.
3825
Scaled values are allowed when specifying resource limits. For
3826
example, <command>1G</command> can be used instead of
3827
<command>1073741824</command> to specify a limit of one
3828
gigabyte. <command>unlimited</command> requests unlimited use, or the
3829
maximum available amount. <command>default</command> uses the limit
3830
that was in force when the server was started. See the description of
3831
<command>size_spec</command> in <xref
3832
linkend="configuration_file_elements"/>.</para>
3833
3834
<para>The following options set operating system resource limits for
3835
the name server process. Some operating systems don't support some or
3836
any of the limits. On such systems, a warning will be issued if the
3837
unsupported limit is used.</para>
3838
3839
<variablelist>
3840
3841
<varlistentry><term><command>coresize</command></term>
3842
<listitem><para>The maximum size of a core dump. The default
3843
is <literal>default</literal>.</para>
3844
</listitem></varlistentry>
3845
3846
<varlistentry><term><command>datasize</command></term>
3847
<listitem><para>The maximum amount of data memory the server
3848
may use. The default is <literal>default</literal>.
3849
This is a hard limit on server memory usage.
3850
If the server attempts to allocate memory in excess of this
3851
limit, the allocation will fail, which may in turn leave
3852
the server unable to perform DNS service. Therefore,
3853
this option is rarely useful as a way of limiting the
3854
amount of memory used by the server, but it can be used
3855
to raise an operating system data size limit that is
3856
too small by default. If you wish to limit the amount
3857
of memory used by the server, use the
3858
<command>max-cache-size</command> and
3859
<command>recursive-clients</command>
3860
options instead.
3861
</para></listitem></varlistentry>
3862
3863
<varlistentry><term><command>files</command></term>
3864
<listitem><para>The maximum number of files the server
3865
may have open concurrently. The default is <literal>unlimited</literal>.
3866
</para>
3867
</listitem></varlistentry>
3868
3869
<varlistentry><term><command>stacksize</command></term>
3870
<listitem><para>The maximum amount of stack memory the server
3871
may use. The default is <literal>default</literal>.</para>
3872
</listitem></varlistentry>
3873
3874
</variablelist>
3875
3876
</sect3>
3877
3878
<sect3>
3879
<title>Server Resource Limits</title>
3880
3881
<para>The following options set limits on the server's
3882
resource consumption that are enforced internally by the
3883
server rather than the operating system.</para>
3884
3885
<variablelist>
3886
3887
<varlistentry><term><command>max-ixfr-log-size</command></term>
3888
<listitem><para>This option is obsolete; it is accepted
3889
and ignored for BIND 8 compatibility. The option
3890
<command>max-journal-size</command> performs a similar
3891
function in BIND 8.
3892
</para>
3893
</listitem></varlistentry>
3894
3895
<varlistentry><term><command>max-journal-size</command></term>
3896
<listitem><para>Sets a maximum size for each journal file
3897
(<xref linkend="journal"/>). When the journal file approaches
3898
the specified size, some of the oldest transactions in the journal
3899
will be automatically removed. The default is
3900
<literal>unlimited</literal>.</para>
3901
</listitem></varlistentry>
3902
3903
<varlistentry><term><command>host-statistics-max</command></term>
3904
<listitem><para>In BIND 8, specifies the maximum number of host statistic
3905
entries to be kept.
3906
Not implemented in BIND 9.
3907
</para></listitem></varlistentry>
3908
3909
<varlistentry><term><command>recursive-clients</command></term>
3910
<listitem><para>The maximum number of simultaneous recursive lookups
3911
the server will perform on behalf of clients. The default is
3912
<literal>1000</literal>. Because each recursing client uses a fair
3913
bit of memory, on the order of 20 kilobytes, the value of the
3914
<command>recursive-clients</command> option may have to be decreased
3915
on hosts with limited memory.
3916
</para>
3917
</listitem></varlistentry>
3918
3919
<varlistentry><term><command>tcp-clients</command></term>
3920
<listitem><para>The maximum number of simultaneous client TCP
3921
connections that the server will accept.
3922
The default is <literal>100</literal>.</para>
3923
</listitem></varlistentry>
3924
3925
<varlistentry><term><command>max-cache-size</command></term>
3926
<listitem><para>The maximum amount of memory to use for the
3927
server's cache, in bytes. When the amount of data in the cache
3928
reaches this limit, the server will cause records to expire
3929
prematurely so that the limit is not exceeded. In a server with
3930
multiple views, the limit applies separately to the cache of each
3931
view. The default is <literal>unlimited</literal>, meaning that
3932
records are purged from the cache only when their TTLs expire.
3933
</para>
3934
</listitem></varlistentry>
3935
3936
<varlistentry><term><command>tcp-listen-queue</command></term>
3937
<listitem><para>The listen queue depth. The default and minimum is 3.
3938
If the kernel supports the accept filter "dataready" this also controls how
3939
many TCP connections that will be queued in kernel space waiting for
3940
some data before being passed to accept. Values less than 3 will be
3941
silently raised.
3942
</para>
3943
</listitem></varlistentry>
3944
3945
</variablelist>
3946
3947
</sect3>
3948
3949
<sect3><title>Periodic Task Intervals</title>
3950
3951
<variablelist>
3952
3953
<varlistentry><term><command>cleaning-interval</command></term>
3954
<listitem><para>The server will remove expired resource records
3955
from the cache every <command>cleaning-interval</command> minutes.
3956
The default is 60 minutes. The maximum value is 28 days (40320 minutes).
3957
If set to 0, no periodic cleaning will occur.</para>
3958
</listitem></varlistentry>
3959
3960
<varlistentry><term><command>heartbeat-interval</command></term>
3961
<listitem><para>The server will perform zone maintenance tasks
3962
for all zones marked as <command>dialup</command> whenever this
3963
interval expires. The default is 60 minutes. Reasonable values are up
3964
to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
3965
If set to 0, no zone maintenance for these zones will occur.</para>
3966
</listitem></varlistentry>
3967
3968
<varlistentry><term><command>interface-interval</command></term>
3969
<listitem><para>The server will scan the network interface list
3970
every <command>interface-interval</command> minutes. The default
3971
is 60 minutes. The maximum value is 28 days (40320 minutes).
3972
If set to 0, interface scanning will only occur when
3973
the configuration file is loaded. After the scan, the server will
3974
begin listening for queries on any newly discovered
3975
interfaces (provided they are allowed by the
3976
<command>listen-on</command> configuration), and will
3977
stop listening on interfaces that have gone away.</para>
3978
</listitem></varlistentry>
3979
3980
<varlistentry><term><command>statistics-interval</command></term>
3981
<listitem><para>Name server statistics will be logged
3982
every <command>statistics-interval</command> minutes. The default is
3983
60. The maximum value is 28 days (40320 minutes).
3984
If set to 0, no statistics will be logged.</para><note>
3985
<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
3986
</listitem></varlistentry>
3987
3988
</variablelist>
3989
3990
</sect3>
3991
3992
<sect3 id="topology"><title>Topology</title>
3993
3994
<para>All other things being equal, when the server chooses a name server
3995
to query from a list of name servers, it prefers the one that is
3996
topologically closest to itself. The <command>topology</command> statement
3997
takes an <command>address_match_list</command> and interprets it
3998
in a special way. Each top-level list element is assigned a distance.
3999
Non-negated elements get a distance based on their position in the
4000
list, where the closer the match is to the start of the list, the
4001
shorter the distance is between it and the server. A negated match
4002
will be assigned the maximum distance from the server. If there
4003
is no match, the address will get a distance which is further than
4004
any non-negated list element, and closer than any negated element.
4005
For example,</para>
6574
</varlistentry>
6575
6576
<varlistentry>
6577
<term><command>alt-transfer-source-v6</command></term>
6578
<listitem>
6579
<para>
6580
An alternate transfer source if the one listed in
6581
<command>transfer-source-v6</command> fails and
6582
<command>use-alt-transfer-source</command> is
6583
set.
6584
</para>
6585
</listitem>
6586
</varlistentry>
6587
6588
<varlistentry>
6589
<term><command>use-alt-transfer-source</command></term>
6590
<listitem>
6591
<para>
6592
Use the alternate transfer sources or not. If views are
6593
specified this defaults to <command>no</command>
6594
otherwise it defaults to
6595
<command>yes</command> (for BIND 8
6596
compatibility).
6597
</para>
6598
</listitem>
6599
</varlistentry>
6600
6601
<varlistentry>
6602
<term><command>notify-source</command></term>
6603
<listitem>
6604
<para><command>notify-source</command>
6605
determines which local source address, and
6606
optionally UDP port, will be used to send NOTIFY
6607
messages. This address must appear in the slave
6608
server's <command>masters</command> zone clause or
6609
in an <command>allow-notify</command> clause. This
6610
statement sets the <command>notify-source</command>
6611
for all zones, but can be overridden on a per-zone or
6612
per-view basis by including a
6613
<command>notify-source</command> statement within
6614
the <command>zone</command> or
6615
<command>view</command> block in the configuration
6616
file.
6617
</para>
6618
<note>
6619
<para>
6620
Solaris 2.5.1 and earlier does not support setting the
6621
source address for TCP sockets.
6622
</para>
6623
</note>
6624
</listitem>
6625
</varlistentry>
6626
6627
<varlistentry>
6628
<term><command>notify-source-v6</command></term>
6629
<listitem>
6630
<para>
6631
Like <command>notify-source</command>,
6632
but applies to notify messages sent to IPv6 addresses.
6633
</para>
6634
</listitem>
6635
</varlistentry>
6636
6637
</variablelist>
6638
6639
</sect3>
6640
6641
<sect3>
6642
<title>Bad UDP Port Lists</title>
6643
<para><command>avoid-v4-udp-ports</command>
6644
and <command>avoid-v6-udp-ports</command> specify a list
6645
of IPv4 and IPv6 UDP ports that will not be used as system
6646
assigned source ports for UDP sockets. These lists
6647
prevent named from choosing as its random source port a
6648
port that is blocked by your firewall. If a query went
6649
out with such a source port, the answer would not get by
6650
the firewall and the name server would have to query
6651
again.
6652
</para>
6653
</sect3>
6654
6655
<sect3>
6656
<title>Operating System Resource Limits</title>
6657
6658
<para>
6659
The server's usage of many system resources can be limited.
6660
Scaled values are allowed when specifying resource limits. For
6661
example, <command>1G</command> can be used instead of
6662
<command>1073741824</command> to specify a limit of
6663
one
6664
gigabyte. <command>unlimited</command> requests
6665
unlimited use, or the
6666
maximum available amount. <command>default</command>
6667
uses the limit
6668
that was in force when the server was started. See the description
6669
of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
6670
</para>
6671
6672
<para>
6673
The following options set operating system resource limits for
6674
the name server process. Some operating systems don't support
6675
some or
6676
any of the limits. On such systems, a warning will be issued if
6677
the
6678
unsupported limit is used.
6679
</para>
6680
6681
<variablelist>
6682
6683
<varlistentry>
6684
<term><command>coresize</command></term>
6685
<listitem>
6686
<para>
6687
The maximum size of a core dump. The default
6688
is <literal>default</literal>.
6689
</para>
6690
</listitem>
6691
</varlistentry>
6692
6693
<varlistentry>
6694
<term><command>datasize</command></term>
6695
<listitem>
6696
<para>
6697
The maximum amount of data memory the server
6698
may use. The default is <literal>default</literal>.
6699
This is a hard limit on server memory usage.
6700
If the server attempts to allocate memory in excess of this
6701
limit, the allocation will fail, which may in turn leave
6702
the server unable to perform DNS service. Therefore,
6703
this option is rarely useful as a way of limiting the
6704
amount of memory used by the server, but it can be used
6705
to raise an operating system data size limit that is
6706
too small by default. If you wish to limit the amount
6707
of memory used by the server, use the
6708
<command>max-cache-size</command> and
6709
<command>recursive-clients</command>
6710
options instead.
6711
</para>
6712
</listitem>
6713
</varlistentry>
6714
6715
<varlistentry>
6716
<term><command>files</command></term>
6717
<listitem>
6718
<para>
6719
The maximum number of files the server
6720
may have open concurrently. The default is <literal>unlimited</literal>.
6721
</para>
6722
</listitem>
6723
</varlistentry>
6724
6725
<varlistentry>
6726
<term><command>stacksize</command></term>
6727
<listitem>
6728
<para>
6729
The maximum amount of stack memory the server
6730
may use. The default is <literal>default</literal>.
6731
</para>
6732
</listitem>
6733
</varlistentry>
6734
6735
</variablelist>
6736
6737
</sect3>
6738
6739
<sect3>
6740
<title>Server Resource Limits</title>
6741
6742
<para>
6743
The following options set limits on the server's
6744
resource consumption that are enforced internally by the
6745
server rather than the operating system.
6746
</para>
6747
6748
<variablelist>
6749
6750
<varlistentry>
6751
<term><command>max-ixfr-log-size</command></term>
6752
<listitem>
6753
<para>
6754
This option is obsolete; it is accepted
6755
and ignored for BIND 8 compatibility. The option
6756
<command>max-journal-size</command> performs a
6757
similar function in BIND 9.
6758
</para>
6759
</listitem>
6760
</varlistentry>
6761
6762
<varlistentry>
6763
<term><command>max-journal-size</command></term>
6764
<listitem>
6765
<para>
6766
Sets a maximum size for each journal file
6767
(see <xref linkend="journal"/>). When the journal file
6768
approaches
6769
the specified size, some of the oldest transactions in the
6770
journal
6771
will be automatically removed. The default is
6772
<literal>unlimited</literal>.
6773
</para>
6774
</listitem>
6775
</varlistentry>
6776
6777
<varlistentry>
6778
<term><command>host-statistics-max</command></term>
6779
<listitem>
6780
<para>
6781
In BIND 8, specifies the maximum number of host statistics
6782
entries to be kept.
6783
Not implemented in BIND 9.
6784
</para>
6785
</listitem>
6786
</varlistentry>
6787
6788
<varlistentry>
6789
<term><command>recursive-clients</command></term>
6790
<listitem>
6791
<para>
6792
The maximum number of simultaneous recursive lookups
6793
the server will perform on behalf of clients. The default
6794
is
6795
<literal>1000</literal>. Because each recursing
6796
client uses a fair
6797
bit of memory, on the order of 20 kilobytes, the value of
6798
the
6799
<command>recursive-clients</command> option may
6800
have to be decreased
6801
on hosts with limited memory.
6802
</para>
6803
</listitem>
6804
</varlistentry>
6805
6806
<varlistentry>
6807
<term><command>tcp-clients</command></term>
6808
<listitem>
6809
<para>
6810
The maximum number of simultaneous client TCP
6811
connections that the server will accept.
6812
The default is <literal>100</literal>.
6813
</para>
6814
</listitem>
6815
</varlistentry>
6816
6817
<varlistentry>
6818
<term><command>reserved-sockets</command></term>
6819
<listitem>
6820
<para>
6821
The number of file descriptors reserved for TCP, stdio,
6822
etc. This needs to be big enough to cover the number of
6823
interfaces named listens on, tcp-clients as well as
6824
to provide room for outgoing TCP queries and incoming zone
6825
transfers. The default is <literal>512</literal>.
6826
The minimum value is <literal>128</literal> and the
6827
maximum value is <literal>128</literal> less than
6828
'files' or FD_SETSIZE (whichever is smaller). This
6829
option may be removed in the future.
6830
</para>
6831
</listitem>
6832
</varlistentry>
6833
6834
<varlistentry>
6835
<term><command>max-cache-size</command></term>
6836
<listitem>
6837
<para>
6838
The maximum amount of memory to use for the
6839
server's cache, in bytes. When the amount of data in the
6840
cache
6841
reaches this limit, the server will cause records to expire
6842
prematurely so that the limit is not exceeded. In a server
6843
with
6844
multiple views, the limit applies separately to the cache of
6845
each
6846
view. The default is <literal>32M</literal>.
6847
</para>
6848
</listitem>
6849
</varlistentry>
6850
6851
<varlistentry>
6852
<term><command>tcp-listen-queue</command></term>
6853
<listitem>
6854
<para>
6855
The listen queue depth. The default and minimum is 3.
6856
If the kernel supports the accept filter "dataready" this
6857
also controls how
6858
many TCP connections that will be queued in kernel space
6859
waiting for
6860
some data before being passed to accept. Values less than 3
6861
will be
6862
silently raised.
6863
</para>
6864
</listitem>
6865
</varlistentry>
6866
6867
</variablelist>
6868
6869
</sect3>
6870
6871
<sect3>
6872
<title>Periodic Task Intervals</title>
6873
6874
<variablelist>
6875
6876
<varlistentry>
6877
<term><command>cleaning-interval</command></term>
6878
<listitem>
6879
<para>
6880
This interval is effectively obsolete. Previously,
6881
the server would remove expired resource records
6882
from the cache every <command>cleaning-interval</command> minutes.
6883
<acronym>BIND</acronym> 9 now manages cache
6884
memory in a more sophisticated manner and does not
6885
rely on the periodic cleaning any more.
6886
Specifying this option therefore has no effect on
6887
the server's behavior.
6888
</para>
6889
</listitem>
6890
</varlistentry>
6891
6892
<varlistentry>
6893
<term><command>heartbeat-interval</command></term>
6894
<listitem>
6895
<para>
6896
The server will perform zone maintenance tasks
6897
for all zones marked as <command>dialup</command> whenever this
6898
interval expires. The default is 60 minutes. Reasonable
6899
values are up
6900
to 1 day (1440 minutes). The maximum value is 28 days
6901
(40320 minutes).
6902
If set to 0, no zone maintenance for these zones will occur.
6903
</para>
6904
</listitem>
6905
</varlistentry>
6906
6907
<varlistentry>
6908
<term><command>interface-interval</command></term>
6909
<listitem>
6910
<para>
6911
The server will scan the network interface list
6912
every <command>interface-interval</command>
6913
minutes. The default
6914
is 60 minutes. The maximum value is 28 days (40320 minutes).
6915
If set to 0, interface scanning will only occur when
6916
the configuration file is loaded. After the scan, the
6917
server will
6918
begin listening for queries on any newly discovered
6919
interfaces (provided they are allowed by the
6920
<command>listen-on</command> configuration), and
6921
will
6922
stop listening on interfaces that have gone away.
6923
</para>
6924
</listitem>
6925
</varlistentry>
6926
6927
<varlistentry>
6928
<term><command>statistics-interval</command></term>
6929
<listitem>
6930
<para>
6931
Name server statistics will be logged
6932
every <command>statistics-interval</command>
6933
minutes. The default is
6934
60. The maximum value is 28 days (40320 minutes).
6935
If set to 0, no statistics will be logged.
6936
</para><note>
6937
<simpara>
6938
Not yet implemented in
6939
<acronym>BIND</acronym> 9.
6940
</simpara>
6941
</note>
6942
</listitem>
6943
</varlistentry>
6944
6945
</variablelist>
6946
6947
</sect3>
6948
6949
<sect3 id="topology">
6950
<title>Topology</title>
6951
6952
<para>
6953
All other things being equal, when the server chooses a name
6954
server
6955
to query from a list of name servers, it prefers the one that is
6956
topologically closest to itself. The <command>topology</command> statement
6957
takes an <command>address_match_list</command> and
6958
interprets it
6959
in a special way. Each top-level list element is assigned a
6960
distance.
6961
Non-negated elements get a distance based on their position in the
6962
list, where the closer the match is to the start of the list, the
6963
shorter the distance is between it and the server. A negated match
6964
will be assigned the maximum distance from the server. If there
6965
is no match, the address will get a distance which is further than
6966
any non-negated list element, and closer than any negated element.
6967
For example,
6968
</para>
6969
4006
6970
<programlisting>topology {
4007
6971
10/8;
4008
6972
!1.2.3/24;
4009
6973
{ 1.2/16; 3/8; };
4010
6974
};</programlisting>
4011
<para>will prefer servers on network 10 the most, followed by hosts
4012
on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
4013
exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
4014
is preferred least of all.</para>
4015
<para>The default topology is</para>
6975
6976
<para>
6977
will prefer servers on network 10 the most, followed by hosts
6978
on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
6979
exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
6980
is preferred least of all.
6981
</para>
6982
<para>
6983
The default topology is
6984
</para>
6985
4016
6986
<programlisting> topology { localhost; localnets; };
4017
6987
</programlisting>
4018
<note><simpara>The <command>topology</command> option
4019
is not implemented in <acronym>BIND</acronym> 9.
4020
</simpara></note>
4021
</sect3>
4022
4023
<sect3 id="the_sortlist_statement">
4024
4025
<title>The <command>sortlist</command> Statement</title>
4026
4027
<para>The response to a DNS query may consist of multiple resource
4028
records (RRs) forming a resource records set (RRset).
4029
The name server will normally return the
4030
RRs within the RRset in an indeterminate order
4031
(but see the <command>rrset-order</command>
4032
statement in <xref linkend="rrset_ordering"/>).
4033
The client resolver code should rearrange the RRs as appropriate,
4034
that is, using any addresses on the local net in preference to other addresses.
4035
However, not all resolvers can do this or are correctly configured.
4036
When a client is using a local server the sorting can be performed
4037
in the server, based on the client's address. This only requires
4038
configuring the name servers, not all the clients.</para>
4039
4040
<para>The <command>sortlist</command> statement (see below) takes
4041
an <command>address_match_list</command> and interprets it even
4042
more specifically than the <command>topology</command> statement
4043
does (<xref linkend="topology"/>).
4044
Each top level statement in the <command>sortlist</command> must
4045
itself be an explicit <command>address_match_list</command> with
4046
one or two elements. The first element (which may be an IP address,
4047
an IP prefix, an ACL name or a nested <command>address_match_list</command>)
4048
of each top level list is checked against the source address of
4049
the query until a match is found.</para>
4050
<para>Once the source address of the query has been matched, if
4051
the top level statement contains only one element, the actual primitive
4052
element that matched the source address is used to select the address
4053
in the response to move to the beginning of the response. If the
4054
statement is a list of two elements, then the second element is
4055
treated the same as the <command>address_match_list</command> in
4056
a <command>topology</command> statement. Each top level element
4057
is assigned a distance and the address in the response with the minimum
4058
distance is moved to the beginning of the response.</para>
4059
<para>In the following example, any queries received from any of
4060
the addresses of the host itself will get responses preferring addresses
4061
on any of the locally connected networks. Next most preferred are addresses
4062
on the 192.168.1/24 network, and after that either the 192.168.2/24
4063
or
4064
192.168.3/24 network with no preference shown between these two
4065
networks. Queries received from a host on the 192.168.1/24 network
4066
will prefer other addresses on that network to the 192.168.2/24
4067
and
4068
192.168.3/24 networks. Queries received from a host on the 192.168.4/24
4069
or the 192.168.5/24 network will only prefer other addresses on
4070
their directly connected networks.</para>
6988
6989
<note>
6990
<simpara>
6991
The <command>topology</command> option
6992
is not implemented in <acronym>BIND</acronym> 9.
6993
</simpara>
6994
</note>
6995
</sect3>
6996
6997
<sect3 id="the_sortlist_statement">
6998
6999
<title>The <command>sortlist</command> Statement</title>
7000
7001
<para>
7002
The response to a DNS query may consist of multiple resource
7003
records (RRs) forming a resource records set (RRset).
7004
The name server will normally return the
7005
RRs within the RRset in an indeterminate order
7006
(but see the <command>rrset-order</command>
7007
statement in <xref linkend="rrset_ordering"/>).
7008
The client resolver code should rearrange the RRs as appropriate,
7009
that is, using any addresses on the local net in preference to
7010
other addresses.
7011
However, not all resolvers can do this or are correctly
7012
configured.
7013
When a client is using a local server, the sorting can be performed
7014
in the server, based on the client's address. This only requires
7015
configuring the name servers, not all the clients.
7016
</para>
7017
7018
<para>
7019
The <command>sortlist</command> statement (see below)
7020
takes
7021
an <command>address_match_list</command> and
7022
interprets it even
7023
more specifically than the <command>topology</command>
7024
statement
7025
does (<xref linkend="topology"/>).
7026
Each top level statement in the <command>sortlist</command> must
7027
itself be an explicit <command>address_match_list</command> with
7028
one or two elements. The first element (which may be an IP
7029
address,
7030
an IP prefix, an ACL name or a nested <command>address_match_list</command>)
7031
of each top level list is checked against the source address of
7032
the query until a match is found.
7033
</para>
7034
<para>
7035
Once the source address of the query has been matched, if
7036
the top level statement contains only one element, the actual
7037
primitive
7038
element that matched the source address is used to select the
7039
address
7040
in the response to move to the beginning of the response. If the
7041
statement is a list of two elements, then the second element is
7042
treated the same as the <command>address_match_list</command> in
7043
a <command>topology</command> statement. Each top
7044
level element
7045
is assigned a distance and the address in the response with the
7046
minimum
7047
distance is moved to the beginning of the response.
7048
</para>
7049
<para>
7050
In the following example, any queries received from any of
7051
the addresses of the host itself will get responses preferring
7052
addresses
7053
on any of the locally connected networks. Next most preferred are
7054
addresses
7055
on the 192.168.1/24 network, and after that either the
7056
192.168.2/24
7057
or
7058
192.168.3/24 network with no preference shown between these two
7059
networks. Queries received from a host on the 192.168.1/24 network
7060
will prefer other addresses on that network to the 192.168.2/24
7061
and
7062
192.168.3/24 networks. Queries received from a host on the
7063
192.168.4/24
7064
or the 192.168.5/24 network will only prefer other addresses on
7065
their directly connected networks.
7066
</para>
7067
4071
7068
<programlisting>sortlist {
4072
7069
{ localhost; // IF the local host
4073
7070
{ localnets; // THEN first fit on the
4085
7082
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
4086
7083
};
4087
7084
};</programlisting>
4088
<para>The following example will give reasonable behavior for the
4089
local host and hosts on directly connected networks. It is similar
4090
to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
4091
to queries from the local host will favor any of the directly connected
4092
networks. Responses sent to queries from any other hosts on a directly
4093
connected network will prefer addresses on that same network. Responses
4094
to other queries will not be sorted.</para>
7085
7086
<para>
7087
The following example will give reasonable behavior for the
7088
local host and hosts on directly connected networks. It is similar
7089
to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
7090
to queries from the local host will favor any of the directly
7091
connected
7092
networks. Responses sent to queries from any other hosts on a
7093
directly
7094
connected network will prefer addresses on that same network.
7095
Responses
7096
to other queries will not be sorted.
7097
</para>
7098
4095
7099
<programlisting>sortlist {
4096
7100
{ localhost; localnets; };
4097
7101
{ localnets; };
4098
7102
};
4099
7103
</programlisting>
4100
</sect3>
4101
<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
4102
<para>When multiple records are returned in an answer it may be
4103
useful to configure the order of the records placed into the response.
4104
The <command>rrset-order</command> statement permits configuration
4105
of the ordering of the records in a multiple record response.
4106
See also the <command>sortlist</command> statement,
4107
<xref linkend="the_sortlist_statement"/>.
4108
</para>
4109
4110
<para>An <command>order_spec</command> is defined as follows:</para>
4111
<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
4112
order <replaceable>ordering</replaceable>
4113
</programlisting>
4114
<para>If no class is specified, the default is <command>ANY</command>.
4115
If no type is specified, the default is <command>ANY</command>.
4116
If no name is specified, the default is "<command>*</command>".</para>
4117
<para>The legal values for <command>ordering</command> are:</para>
4118
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
4119
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
4120
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
4121
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
4122
<tbody>
4123
<row rowsep = "0">
4124
<entry colname = "1"><para><command>fixed</command></para></entry>
4125
<entry colname = "2"><para>Records are returned in the order they
4126
are defined in the zone file.</para></entry>
4127
</row>
4128
<row rowsep = "0">
4129
<entry colname = "1"><para><command>random</command></para></entry>
4130
<entry colname = "2"><para>Records are returned in some random order.</para></entry>
4131
</row>
4132
<row rowsep = "0">
4133
<entry colname = "1"><para><command>cyclic</command></para></entry>
4134
<entry colname = "2"><para>Records are returned in a round-robin
4135
order.</para></entry>
4136
</row>
4137
</tbody>
4138
</tgroup></informaltable>
4139
<para>For example:</para>
7104
7105
</sect3>
7106
<sect3 id="rrset_ordering">
7107
<title id="rrset_ordering_title">RRset Ordering</title>
7108
<para>
7109
When multiple records are returned in an answer it may be
7110
useful to configure the order of the records placed into the
7111
response.
7112
The <command>rrset-order</command> statement permits
7113
configuration
7114
of the ordering of the records in a multiple record response.
7115
See also the <command>sortlist</command> statement,
7116
<xref linkend="the_sortlist_statement"/>.
7117
</para>
7118
7119
<para>
7120
An <command>order_spec</command> is defined as
7121
follows:
7122
</para>
7123
<para>
7124
<optional>class <replaceable>class_name</replaceable></optional>
7125
<optional>type <replaceable>type_name</replaceable></optional>
7126
<optional>name <replaceable>"domain_name"</replaceable></optional>
7127
order <replaceable>ordering</replaceable>
7128
</para>
7129
<para>
7130
If no class is specified, the default is <command>ANY</command>.
7131
If no type is specified, the default is <command>ANY</command>.
7132
If no name is specified, the default is "<command>*</command>" (asterisk).
7133
</para>
7134
<para>
7135
The legal values for <command>ordering</command> are:
7136
</para>
7137
<informaltable colsep="0" rowsep="0">
7138
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7139
<colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
7140
<colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
7141
<tbody>
7142
<row rowsep="0">
7143
<entry colname="1">
7144
<para><command>fixed</command></para>
7145
</entry>
7146
<entry colname="2">
7147
<para>
7148
Records are returned in the order they
7149
are defined in the zone file.
7150
</para>
7151
</entry>
7152
</row>
7153
<row rowsep="0">
7154
<entry colname="1">
7155
<para><command>random</command></para>
7156
</entry>
7157
<entry colname="2">
7158
<para>
7159
Records are returned in some random order.
7160
</para>
7161
</entry>
7162
</row>
7163
<row rowsep="0">
7164
<entry colname="1">
7165
<para><command>cyclic</command></para>
7166
</entry>
7167
<entry colname="2">
7168
<para>
7169
Records are returned in a cyclic round-robin order.
7170
</para>
7171
<para>
7172
If <acronym>BIND</acronym> is configured with the
7173
"--enable-fixed-rrset" option at compile time, then
7174
the initial ordering of the RRset will match the
7175
one specified in the zone file.
7176
</para>
7177
</entry>
7178
</row>
7179
</tbody>
7180
</tgroup>
7181
</informaltable>
7182
<para>
7183
For example:
7184
</para>
7185
4140
7186
<programlisting>rrset-order {
4141
7187
class IN type A name "host.example.com" order random;
4142
7188
order cyclic;
4143
7189
};
4144
7190
</programlisting>
4145
<para>will cause any responses for type A records in class IN that
4146
have "<literal>host.example.com</literal>" as a suffix, to always be returned
4147
in random order. All other records are returned in cyclic order.</para>
4148
<para>If multiple <command>rrset-order</command> statements appear,
4149
they are not combined — the last one applies.</para>
4150
4151
<note>
4152
<simpara>The <command>rrset-order</command> statement
4153
is not yet fully implemented in <acronym>BIND</acronym> 9.
4154
BIND 9 currently does not support "fixed" ordering.
4155
</simpara></note>
4156
</sect3>
4157
4158
<sect3 id="tuning"><title>Tuning</title>
4159
4160
<variablelist>
4161
4162
<varlistentry><term><command>lame-ttl</command></term>
4163
<listitem><para>Sets the number of seconds to cache a
4164
lame server indication. 0 disables caching. (This is
4165
<emphasis role="bold">NOT</emphasis> recommended.)
4166
Default is <literal>600</literal> (10 minutes). Maximum value is
4167
<literal>1800</literal> (30 minutes).</para>
4168
4169
</listitem></varlistentry>
4170
4171
<varlistentry><term><command>max-ncache-ttl</command></term>
4172
<listitem><para>To reduce network traffic and increase performance
4173
the server stores negative answers. <command>max-ncache-ttl</command> is
4174
used to set a maximum retention time for these answers in the server
4175
in seconds. The default
4176
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
4177
<command>max-ncache-ttl</command> cannot exceed 7 days and will
4178
be silently truncated to 7 days if set to a greater value.</para>
4179
</listitem></varlistentry>
4180
4181
<varlistentry><term><command>max-cache-ttl</command></term>
4182
<listitem><para><command>max-cache-ttl</command> sets
4183
the maximum time for which the server will cache ordinary (positive)
4184
answers. The default is one week (7 days).</para>
4185
</listitem></varlistentry>
4186
4187
<varlistentry><term><command>min-roots</command></term>
4188
<listitem><para>The minimum number of root servers that
4189
is required for a request for the root servers to be accepted. Default
4190
is <userinput>2</userinput>.</para>
4191
<note>
4192
<simpara>Not implemented in <acronym>BIND</acronym>9.</simpara></note>
4193
</listitem></varlistentry>
4194
4195
<varlistentry><term><command>sig-validity-interval</command></term>
4196
<listitem><para>Specifies the number of days into the
4197
future when DNSSEC signatures automatically generated as a result
4198
of dynamic updates (<xref linkend="dynamic_update"/>)
4199
will expire. The default is <literal>30</literal> days.
4200
The maximum value is 10 years (3660 days). The signature
4201
inception time is unconditionally set to one hour before the current time
4202
to allow for a limited amount of clock skew.</para>
4203
</listitem></varlistentry>
4204
4205
<varlistentry>
4206
<term><command>min-refresh-time</command></term>
4207
<term><command>max-refresh-time</command></term>
4208
<term><command>min-retry-time</command></term>
4209
<term><command>max-retry-time</command></term>
4210
<listitem><para>
4211
These options control the server's behavior on refreshing a zone
4212
(querying for SOA changes) or retrying failed transfers.
4213
Usually the SOA values for the zone are used, but these values
4214
are set by the master, giving slave server administrators little
4215
control over their contents.
4216
</para><para>
4217
These options allow the administrator to set a minimum and maximum
4218
refresh and retry time either per-zone, per-view, or globally.
4219
These options are valid for slave and stub zones,
4220
and clamp the SOA refresh and retry times to the specified values.
4221
</para></listitem></varlistentry>
4222
4223
<varlistentry>
4224
<term><command>edns-udp-size</command></term>
4225
<listitem><para>
4226
<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
4227
size. Valid values are 512 to 4096 (values outside this range will be
4228
silently adjusted). The default value is 4096. The usual reason for
4229
setting edns-udp-size to a non default value it to get UDP answers to
4230
pass through broken firewalls that block fragmented packets and/or
4231
block UDP packets that are greater than 512 bytes.
4232
</para></listitem></varlistentry>
4233
</variablelist>
4234
4235
</sect3>
4236
4237
<sect3 id="builtin">
4238
<title>Built-in server information zones</title>
4239
4240
<para>The server provides some helpful diagnostic information
4241
through a number of built-in zones under the
4242
pseudo-top-level-domain <literal>bind</literal> in the
4243
<command>CHAOS</command> class. These zones are part of a
4244
built-in view (see <xref linkend="view_statement_grammar"/>) of class
4245
<command>CHAOS</command> which is separate from the default view of
4246
class <command>IN</command>; therefore, any global server options
4247
such as <command>allow-query</command> do not apply the these zones.
4248
If you feel the need to disable these zones, use the options
4249
below, or hide the built-in <command>CHAOS</command> view by
4250
defining an explicit view of class <command>CHAOS</command>
4251
that matches all clients.</para>
4252
4253
<variablelist>
4254
4255
<varlistentry><term><command>version</command></term>
4256
<listitem><para>The version the server should report
4257
via a query of the name <literal>version.bind</literal>
4258
with type <command>TXT</command>, class <command>CHAOS</command>.
4259
The default is the real version number of this server.
4260
Specifying <command>version none</command>
4261
disables processing of the queries.</para>
4262
</listitem></varlistentry>
4263
4264
<varlistentry><term><command>hostname</command></term>
4265
<listitem><para>The hostname the server should report via a query of
4266
the name <filename>hostname.bind</filename>
4267
with type <command>TXT</command>, class <command>CHAOS</command>.
4268
This defaults to the hostname of the machine hosting the name server as
4269
found by gethostname(). The primary purpose of such queries is to
4270
identify which of a group of anycast servers is actually
4271
answering your queries. Specifying <command>hostname none;</command>
4272
disables processing of the queries.</para>
4273
</listitem></varlistentry>
4274
4275
<varlistentry><term><command>server-id</command></term>
4276
<listitem><para>The ID of the server should report via a query of
4277
the name <filename>ID.SERVER</filename>
4278
with type <command>TXT</command>, class <command>CHAOS</command>.
4279
The primary purpose of such queries is to
4280
identify which of a group of anycast servers is actually
4281
answering your queries. Specifying <command>server-id none;</command>
4282
disables processing of the queries.
4283
Specifying <command>server-id hostname;</command> will cause named to
4284
use the hostname as found by gethostname().
4285
The default <command>server-id</command> is <command>none</command>.
4286
</para>
4287
</listitem></varlistentry>
4288
4289
</variablelist>
4290
4291
</sect3>
4292
4293
<sect3 id="statsfile">
4294
<title>The Statistics File</title>
4295
4296
<para>The statistics file generated by <acronym>BIND</acronym> 9
4297
is similar, but not identical, to that
4298
generated by <acronym>BIND</acronym> 8.
4299
</para>
4300
<para>The statistics dump begins with the line <command>+++ Statistics Dump
4301
+++ (973798949)</command>, where the number in parentheses is a standard
4302
Unix-style timestamp, measured as seconds since January 1, 1970. Following
4303
that line are a series of lines containing a counter type, the value of the
4304
counter, optionally a zone name, and optionally a view name.
4305
The lines without view and zone listed are global statistics for the entire server.
4306
Lines with a zone and view name for the given view and zone (the view name is
4307
omitted for the default view). The statistics dump ends
4308
with the line <command>--- Statistics Dump --- (973798949)</command>, where the
4309
number is identical to the number in the beginning line.</para>
4310
<para>The following statistics counters are maintained:</para>
4311
<informaltable
4312
colsep = "0" rowsep = "0"><tgroup cols = "2"
4313
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
4314
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
4315
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
4316
<tbody>
4317
<row rowsep = "0">
4318
<entry colname = "1"><para><command>success</command></para></entry>
4319
<entry colname = "2"><para>The number of
4320
successful queries made to the server or zone. A successful query
4321
is defined as query which returns a NOERROR response with at least
4322
one answer RR.</para></entry>
4323
</row>
4324
<row rowsep = "0">
4325
<entry colname = "1"><para><command>referral</command></para></entry>
4326
<entry colname = "2"><para>The number of queries which resulted
4327
in referral responses.</para></entry>
4328
</row>
4329
<row rowsep = "0">
4330
<entry colname = "1"><para><command>nxrrset</command></para></entry>
4331
<entry colname = "2"><para>The number of queries which resulted in
4332
NOERROR responses with no data.</para></entry>
4333
</row>
4334
<row rowsep = "0">
4335
<entry colname = "1"><para><command>nxdomain</command></para></entry>
4336
<entry colname = "2"><para>The number
4337
of queries which resulted in NXDOMAIN responses.</para></entry>
4338
</row>
4339
<row rowsep = "0">
4340
<entry colname = "1"><para><command>failure</command></para></entry>
4341
<entry colname = "2"><para>The number of queries which resulted in a
4342
failure response other than those above.</para></entry>
4343
</row>
4344
<row rowsep = "0">
4345
<entry colname = "1"><para><command>recursion</command></para></entry>
4346
<entry colname = "2"><para>The number of queries which caused the server
4347
to perform recursion in order to find the final answer.</para></entry>
4348
</row>
4349
</tbody>
4350
</tgroup></informaltable>
4351
4352
<para>
4353
Each query received by the server will cause exactly one of
4354
<command>success</command>,
4355
<command>referral</command>,
4356
<command>nxrrset</command>,
4357
<command>nxdomain</command>, or
4358
<command>failure</command>
4359
to be incremented, and may additionally cause the
4360
<command>recursion</command> counter to be incremented.
4361
</para>
4362
4363
</sect3>
4364
4365
</sect2>
4366
4367
<sect2 id="server_statement_grammar">
4368
<title><command>server</command> Statement Grammar</title>
4369
4370
<programlisting>server <replaceable>ip_addr</replaceable> {
7191
7192
<para>
7193
will cause any responses for type A records in class IN that
7194
have "<literal>host.example.com</literal>" as a
7195
suffix, to always be returned
7196
in random order. All other records are returned in cyclic order.
7197
</para>
7198
<para>
7199
If multiple <command>rrset-order</command> statements
7200
appear,
7201
they are not combined — the last one applies.
7202
</para>
7203
7204
<note>
7205
<simpara>
7206
In this release of <acronym>BIND</acronym> 9, the
7207
<command>rrset-order</command> statement does not support
7208
"fixed" ordering by default. Fixed ordering can be enabled
7209
at compile time by specifying "--enable-fixed-rrset" on
7210
the "configure" command line.
7211
</simpara>
7212
</note>
7213
</sect3>
7214
7215
<sect3 id="tuning">
7216
<title>Tuning</title>
7217
7218
<variablelist>
7219
7220
<varlistentry>
7221
<term><command>lame-ttl</command></term>
7222
<listitem>
7223
<para>
7224
Sets the number of seconds to cache a
7225
lame server indication. 0 disables caching. (This is
7226
<emphasis role="bold">NOT</emphasis> recommended.)
7227
The default is <literal>600</literal> (10 minutes) and the
7228
maximum value is
7229
<literal>1800</literal> (30 minutes).
7230
</para>
7231
7232
</listitem>
7233
</varlistentry>
7234
7235
<varlistentry>
7236
<term><command>max-ncache-ttl</command></term>
7237
<listitem>
7238
<para>
7239
To reduce network traffic and increase performance,
7240
the server stores negative answers. <command>max-ncache-ttl</command> is
7241
used to set a maximum retention time for these answers in
7242
the server
7243
in seconds. The default
7244
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7245
<command>max-ncache-ttl</command> cannot exceed
7246
7 days and will
7247
be silently truncated to 7 days if set to a greater value.
7248
</para>
7249
</listitem>
7250
</varlistentry>
7251
7252
<varlistentry>
7253
<term><command>max-cache-ttl</command></term>
7254
<listitem>
7255
<para>
7256
Sets the maximum time for which the server will
7257
cache ordinary (positive) answers. The default is
7258
one week (7 days).
7259
</para>
7260
</listitem>
7261
</varlistentry>
7262
7263
<varlistentry>
7264
<term><command>min-roots</command></term>
7265
<listitem>
7266
<para>
7267
The minimum number of root servers that
7268
is required for a request for the root servers to be
7269
accepted. The default
7270
is <userinput>2</userinput>.
7271
</para>
7272
<note>
7273
<simpara>
7274
Not implemented in <acronym>BIND</acronym> 9.
7275
</simpara>
7276
</note>
7277
</listitem>
7278
</varlistentry>
7279
7280
<varlistentry>
7281
<term><command>sig-validity-interval</command></term>
7282
<listitem>
7283
<para>
7284
Specifies the number of days into the
7285
future when DNSSEC signatures automatically generated as a
7286
result
7287
of dynamic updates (<xref linkend="dynamic_update"/>)
7288
will expire. The default is <literal>30</literal> days.
7289
The maximum value is 10 years (3660 days). The signature
7290
inception time is unconditionally set to one hour before the
7291
current time
7292
to allow for a limited amount of clock skew.
7293
</para>
7294
</listitem>
7295
</varlistentry>
7296
7297
<varlistentry>
7298
<term><command>min-refresh-time</command></term>
7299
<term><command>max-refresh-time</command></term>
7300
<term><command>min-retry-time</command></term>
7301
<term><command>max-retry-time</command></term>
7302
<listitem>
7303
<para>
7304
These options control the server's behavior on refreshing a
7305
zone
7306
(querying for SOA changes) or retrying failed transfers.
7307
Usually the SOA values for the zone are used, but these
7308
values
7309
are set by the master, giving slave server administrators
7310
little
7311
control over their contents.
7312
</para>
7313
<para>
7314
These options allow the administrator to set a minimum and
7315
maximum
7316
refresh and retry time either per-zone, per-view, or
7317
globally.
7318
These options are valid for slave and stub zones,
7319
and clamp the SOA refresh and retry times to the specified
7320
values.
7321
</para>
7322
</listitem>
7323
</varlistentry>
7324
7325
<varlistentry>
7326
<term><command>edns-udp-size</command></term>
7327
<listitem>
7328
<para>
7329
Sets the advertised EDNS UDP buffer size in bytes. Valid
7330
values are 512 to 4096 (values outside this range
7331
will be silently adjusted). The default value is
7332
4096. The usual reason for setting edns-udp-size to
7333
a non-default value is to get UDP answers to pass
7334
through broken firewalls that block fragmented
7335
packets and/or block UDP packets that are greater
7336
than 512 bytes.
7337
</para>
7338
</listitem>
7339
</varlistentry>
7340
7341
<varlistentry>
7342
<term><command>max-udp-size</command></term>
7343
<listitem>
7344
<para>
7345
Sets the maximum EDNS UDP message size named will
7346
send in bytes. Valid values are 512 to 4096 (values outside
7347
this range will be silently adjusted). The default
7348
value is 4096. The usual reason for setting
7349
max-udp-size to a non-default value is to get UDP
7350
answers to pass through broken firewalls that
7351
block fragmented packets and/or block UDP packets
7352
that are greater than 512 bytes.
7353
This is independent of the advertised receive
7354
buffer (<command>edns-udp-size</command>).
7355
</para>
7356
</listitem>
7357
</varlistentry>
7358
7359
<varlistentry>
7360
<term><command>masterfile-format</command></term>
7361
<listitem>
7362
<para>Specifies
7363
the file format of zone files (see
7364
<xref linkend="zonefile_format"/>).
7365
The default value is <constant>text</constant>, which is the
7366
standard textual representation. Files in other formats
7367
than <constant>text</constant> are typically expected
7368
to be generated by the <command>named-compilezone</command> tool.
7369
Note that when a zone file in a different format than
7370
<constant>text</constant> is loaded, <command>named</command>
7371
may omit some of the checks which would be performed for a
7372
file in the <constant>text</constant> format. In particular,
7373
<command>check-names</command> checks do not apply
7374
for the <constant>raw</constant> format. This means
7375
a zone file in the <constant>raw</constant> format
7376
must be generated with the same check level as that
7377
specified in the <command>named</command> configuration
7378
file. This statement sets the
7379
<command>masterfile-format</command> for all zones,
7380
but can be overridden on a per-zone or per-view basis
7381
by including a <command>masterfile-format</command>
7382
statement within the <command>zone</command> or
7383
<command>view</command> block in the configuration
7384
file.
7385
</para>
7386
</listitem>
7387
</varlistentry>
7388
7389
<varlistentry>
7390
<term><command>clients-per-query</command></term>
7391
<term><command>max-clients-per-query</command></term>
7392
<listitem>
7393
<para>These set the
7394
initial value (minimum) and maximum number of recursive
7395
simultanious clients for any given query
7396
(<qname,qtype,qclass>) that the server will accept
7397
before dropping additional clients. named will attempt to
7398
self tune this value and changes will be logged. The
7399
default values are 10 and 100.
7400
</para>
7401
<para>
7402
This value should reflect how many queries come in for
7403
a given name in the time it takes to resolve that name.
7404
If the number of queries exceed this value, named will
7405
assume that it is dealing with a non-responsive zone
7406
and will drop additional queries. If it gets a response
7407
after dropping queries, it will raise the estimate. The
7408
estimate will then be lowered in 20 minutes if it has
7409
remained unchanged.
7410
</para>
7411
<para>
7412
If <command>clients-per-query</command> is set to zero,
7413
then there is no limit on the number of clients per query
7414
and no queries will be dropped.
7415
</para>
7416
<para>
7417
If <command>max-clients-per-query</command> is set to zero,
7418
then there is no upper bound other than imposed by
7419
<command>recursive-clients</command>.
7420
</para>
7421
</listitem>
7422
</varlistentry>
7423
7424
<varlistentry>
7425
<term><command>notify-delay</command></term>
7426
<listitem>
7427
<para>
7428
The delay, in seconds, between sending sets of notify
7429
messages for a zone. The default is zero.
7430
</para>
7431
</listitem>
7432
</varlistentry>
7433
</variablelist>
7434
7435
</sect3>
7436
7437
<sect3 id="builtin">
7438
<title>Built-in server information zones</title>
7439
7440
<para>
7441
The server provides some helpful diagnostic information
7442
through a number of built-in zones under the
7443
pseudo-top-level-domain <literal>bind</literal> in the
7444
<command>CHAOS</command> class. These zones are part
7445
of a
7446
built-in view (see <xref linkend="view_statement_grammar"/>) of
7447
class
7448
<command>CHAOS</command> which is separate from the
7449
default view of
7450
class <command>IN</command>; therefore, any global
7451
server options
7452
such as <command>allow-query</command> do not apply
7453
the these zones.
7454
If you feel the need to disable these zones, use the options
7455
below, or hide the built-in <command>CHAOS</command>
7456
view by
7457
defining an explicit view of class <command>CHAOS</command>
7458
that matches all clients.
7459
</para>
7460
7461
<variablelist>
7462
7463
<varlistentry>
7464
<term><command>version</command></term>
7465
<listitem>
7466
<para>
7467
The version the server should report
7468
via a query of the name <literal>version.bind</literal>
7469
with type <command>TXT</command>, class <command>CHAOS</command>.
7470
The default is the real version number of this server.
7471
Specifying <command>version none</command>
7472
disables processing of the queries.
7473
</para>
7474
</listitem>
7475
</varlistentry>
7476
7477
<varlistentry>
7478
<term><command>hostname</command></term>
7479
<listitem>
7480
<para>
7481
The hostname the server should report via a query of
7482
the name <filename>hostname.bind</filename>
7483
with type <command>TXT</command>, class <command>CHAOS</command>.
7484
This defaults to the hostname of the machine hosting the
7485
name server as
7486
found by the gethostname() function. The primary purpose of such queries
7487
is to
7488
identify which of a group of anycast servers is actually
7489
answering your queries. Specifying <command>hostname none;</command>
7490
disables processing of the queries.
7491
</para>
7492
</listitem>
7493
</varlistentry>
7494
7495
<varlistentry>
7496
<term><command>server-id</command></term>
7497
<listitem>
7498
<para>
7499
The ID the server should report when receiving a Name
7500
Server Identifier (NSID) query, or a query of the name
7501
<filename>ID.SERVER</filename> with type
7502
<command>TXT</command>, class <command>CHAOS</command>.
7503
The primary purpose of such queries is to
7504
identify which of a group of anycast servers is actually
7505
answering your queries. Specifying <command>server-id none;</command>
7506
disables processing of the queries.
7507
Specifying <command>server-id hostname;</command> will cause named to
7508
use the hostname as found by the gethostname() function.
7509
The default <command>server-id</command> is <command>none</command>.
7510
</para>
7511
</listitem>
7512
</varlistentry>
7513
7514
</variablelist>
7515
7516
</sect3>
7517
7518
<sect3 id="empty">
7519
<title>Built-in Empty Zones</title>
7520
<para>
7521
Named has some built-in empty zones (SOA and NS records only).
7522
These are for zones that should normally be answered locally
7523
and which queries should not be sent to the Internet's root
7524
servers. The official servers which cover these namespaces
7525
return NXDOMAIN responses to these queries. In particular,
7526
these cover the reverse namespace for addresses from RFC 1918 and
7527
RFC 3330. They also include the reverse namespace for IPv6 local
7528
address (locally assigned), IPv6 link local addresses, the IPv6
7529
loopback address and the IPv6 unknown addresss.
7530
</para>
7531
<para>
7532
Named will attempt to determine if a built in zone already exists
7533
or is active (covered by a forward-only forwarding declaration)
7534
and will not not create a empty zone in that case.
7535
</para>
7536
<para>
7537
The current list of empty zones is:
7538
<itemizedlist>
7539
<listitem>10.IN-ADDR.ARPA</listitem>
7540
<listitem>127.IN-ADDR.ARPA</listitem>
7541
<listitem>254.169.IN-ADDR.ARPA</listitem>
7542
<listitem>16.172.IN-ADDR.ARPA</listitem>
7543
<listitem>17.172.IN-ADDR.ARPA</listitem>
7544
<listitem>18.172.IN-ADDR.ARPA</listitem>
7545
<listitem>19.172.IN-ADDR.ARPA</listitem>
7546
<listitem>20.172.IN-ADDR.ARPA</listitem>
7547
<listitem>21.172.IN-ADDR.ARPA</listitem>
7548
<listitem>22.172.IN-ADDR.ARPA</listitem>
7549
<listitem>23.172.IN-ADDR.ARPA</listitem>
7550
<listitem>24.172.IN-ADDR.ARPA</listitem>
7551
<listitem>25.172.IN-ADDR.ARPA</listitem>
7552
<listitem>26.172.IN-ADDR.ARPA</listitem>
7553
<listitem>27.172.IN-ADDR.ARPA</listitem>
7554
<listitem>28.172.IN-ADDR.ARPA</listitem>
7555
<listitem>29.172.IN-ADDR.ARPA</listitem>
7556
<listitem>30.172.IN-ADDR.ARPA</listitem>
7557
<listitem>31.172.IN-ADDR.ARPA</listitem>
7558
<listitem>168.192.IN-ADDR.ARPA</listitem>
7559
<listitem>2.0.192.IN-ADDR.ARPA</listitem>
7560
<listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7561
<listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7562
<listitem>D.F.IP6.ARPA</listitem>
7563
<listitem>8.E.F.IP6.ARPA</listitem>
7564
<listitem>9.E.F.IP6.ARPA</listitem>
7565
<listitem>A.E.F.IP6.ARPA</listitem>
7566
<listitem>B.E.F.IP6.ARPA</listitem>
7567
</itemizedlist>
7568
</para>
7569
<para>
7570
Empty zones are settable at the view level and only apply to
7571
views of class IN. Disabled empty zones are only inherited
7572
from options if there are no disabled empty zones specified
7573
at the view level. To override the options list of disabled
7574
zones, you can disable the root zone at the view level, for example:
7575
<programlisting>
7576
disable-empty-zone ".";
7577
</programlisting>
7578
</para>
7579
<para>
7580
If you are using the address ranges covered here, you should
7581
already have reverse zones covering the addresses you use.
7582
In practice this appears to not be the case with many queries
7583
being made to the infrastructure servers for names in these
7584
spaces. So many in fact that sacrificial servers were needed
7585
to be deployed to channel the query load away from the
7586
infrastructure servers.
7587
</para>
7588
<note>
7589
The real parent servers for these zones should disable all
7590
empty zone under the parent zone they serve. For the real
7591
root servers, this is all built in empty zones. This will
7592
enable them to return referrals to deeper in the tree.
7593
</note>
7594
<variablelist>
7595
<varlistentry>
7596
<term><command>empty-server</command></term>
7597
<listitem>
7598
<para>
7599
Specify what server name will appear in the returned
7600
SOA record for empty zones. If none is specified, then
7601
the zone's name will be used.
7602
</para>
7603
</listitem>
7604
</varlistentry>
7605
7606
<varlistentry>
7607
<term><command>empty-contact</command></term>
7608
<listitem>
7609
<para>
7610
Specify what contact name will appear in the returned
7611
SOA record for empty zones. If none is specified, then
7612
"." will be used.
7613
</para>
7614
</listitem>
7615
</varlistentry>
7616
7617
<varlistentry>
7618
<term><command>empty-zones-enable</command></term>
7619
<listitem>
7620
<para>
7621
Enable or disable all empty zones. By default they
7622
are enabled.
7623
</para>
7624
</listitem>
7625
</varlistentry>
7626
7627
<varlistentry>
7628
<term><command>disable-empty-zone</command></term>
7629
<listitem>
7630
<para>
7631
Disable individual empty zones. By default none are
7632
disabled. This option can be specified multiple times.
7633
</para>
7634
</listitem>
7635
</varlistentry>
7636
</variablelist>
7637
</sect3>
7638
7639
<sect3 id="acache">
7640
<title>Additional Section Caching</title>
7641
7642
<para>
7643
The additional section cache, also called <command>acache</command>,
7644
is an internal cache to improve the response performance of BIND 9.
7645
When additional section caching is enabled, BIND 9 will
7646
cache an internal short-cut to the additional section content for
7647
each answer RR.
7648
Note that <command>acache</command> is an internal caching
7649
mechanism of BIND 9, and is not related to the DNS caching
7650
server function.
7651
</para>
7652
7653
<para>
7654
Additional section caching does not change the
7655
response content (except the RRsets ordering of the additional
7656
section, see below), but can improve the response performance
7657
significantly.
7658
It is particularly effective when BIND 9 acts as an authoritative
7659
server for a zone that has many delegations with many glue RRs.
7660
</para>
7661
7662
<para>
7663
In order to obtain the maximum performance improvement
7664
from additional section caching, setting
7665
<command>additional-from-cache</command>
7666
to <command>no</command> is recommended, since the current
7667
implementation of <command>acache</command>
7668
does not short-cut of additional section information from the
7669
DNS cache data.
7670
</para>
7671
7672
<para>
7673
One obvious disadvantage of <command>acache</command> is
7674
that it requires much more
7675
memory for the internal cached data.
7676
Thus, if the response performance does not matter and memory
7677
consumption is much more critical, the
7678
<command>acache</command> mechanism can be
7679
disabled by setting <command>acache-enable</command> to
7680
<command>no</command>.
7681
It is also possible to specify the upper limit of memory
7682
consumption
7683
for acache by using <command>max-acache-size</command>.
7684
</para>
7685
7686
<para>
7687
Additional section caching also has a minor effect on the
7688
RRset ordering in the additional section.
7689
Without <command>acache</command>,
7690
<command>cyclic</command> order is effective for the additional
7691
section as well as the answer and authority sections.
7692
However, additional section caching fixes the ordering when it
7693
first caches an RRset for the additional section, and the same
7694
ordering will be kept in succeeding responses, regardless of the
7695
setting of <command>rrset-order</command>.
7696
The effect of this should be minor, however, since an
7697
RRset in the additional section
7698
typically only contains a small number of RRs (and in many cases
7699
it only contains a single RR), in which case the
7700
ordering does not matter much.
7701
</para>
7702
7703
<para>
7704
The following is a summary of options related to
7705
<command>acache</command>.
7706
</para>
7707
7708
<variablelist>
7709
7710
<varlistentry>
7711
<term><command>acache-enable</command></term>
7712
<listitem>
7713
<para>
7714
If <command>yes</command>, additional section caching is
7715
enabled. The default value is <command>no</command>.
7716
</para>
7717
</listitem>
7718
</varlistentry>
7719
7720
<varlistentry>
7721
<term><command>acache-cleaning-interval</command></term>
7722
<listitem>
7723
<para>
7724
The server will remove stale cache entries, based on an LRU
7725
based
7726
algorithm, every <command>acache-cleaning-interval</command> minutes.
7727
The default is 60 minutes.
7728
If set to 0, no periodic cleaning will occur.
7729
</para>
7730
</listitem>
7731
</varlistentry>
7732
7733
<varlistentry>
7734
<term><command>max-acache-size</command></term>
7735
<listitem>
7736
<para>
7737
The maximum amount of memory in bytes to use for the server's acache.
7738
When the amount of data in the acache reaches this limit,
7739
the server
7740
will clean more aggressively so that the limit is not
7741
exceeded.
7742
In a server with multiple views, the limit applies
7743
separately to the
7744
acache of each view.
7745
The default is <literal>16M</literal>.
7746
</para>
7747
</listitem>
7748
</varlistentry>
7749
7750
</variablelist>
7751
7752
</sect3>
7753
7754
</sect2>
7755
7756
<sect2 id="statschannels">
7757
<title><command>statistics-channels</command> Statement Grammar</title>
7758
7759
<programlisting><command>statistics-channels</command> {
7760
[ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
7761
[ inet ...; ]
7762
};
7763
</programlisting>
7764
</sect2>
7765
7766
<sect2>
7767
<title><command>statistics-channels</command> Statement Definition and
7768
Usage</title>
7769
7770
<para>
7771
The <command>statistics-channels</command> statement
7772
declares communication channels to be used by system
7773
administrators to get access to statistics information of
7774
the name server.
7775
</para>
7776
7777
<para>
7778
This statement intends to be flexible to support multiple
7779
communication protocols in the future, but currently only
7780
HTTP access is supported.
7781
It requires that BIND 9 be compiled with libxml2;
7782
the <command>statistics-channels</command> statement is
7783
still accepted even if it is built without the library,
7784
but any HTTP access will fail with an error.
7785
</para>
7786
7787
<para>
7788
An <command>inet</command> control channel is a TCP socket
7789
listening at the specified <command>ip_port</command> on the
7790
specified <command>ip_addr</command>, which can be an IPv4 or IPv6
7791
address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
7792
interpreted as the IPv4 wildcard address; connections will be
7793
accepted on any of the system's IPv4 addresses.
7794
To listen on the IPv6 wildcard address,
7795
use an <command>ip_addr</command> of <literal>::</literal>.
7796
</para>
7797
7798
<para>
7799
If no port is specified, port 80 is used for HTTP channels.
7800
The asterisk "<literal>*</literal>" cannot be used for
7801
<command>ip_port</command>.
7802
</para>
7803
7804
<para>
7805
The attempt of opening a statistics channel is
7806
restricted by the optional <command>allow</command> clause.
7807
Connections to the statistics channel are permitted based on the
7808
<command>address_match_list</command>.
7809
If no <command>allow</command> clause is present,
7810
<command>named</command> accepts connection
7811
attempts from any address; since the statistics may
7812
contain sensitive internal information, it is highly
7813
recommended to restrict the source of connection requests
7814
appropriately.
7815
</para>
7816
7817
<para>
7818
If no <command>statistics-channels</command> statement is present,
7819
<command>named</command> will not open any communication channels.
7820
</para>
7821
7822
</sect2>
7823
7824
<sect2 id="server_statement_grammar">
7825
<title><command>server</command> Statement Grammar</title>
7826
7827
<programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
4371
7828
<optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
4372
7829
<optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4373
7830
<optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4374
7831
<optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
7832
<optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
7833
<optional> max-udp-size <replaceable>number</replaceable> ; </optional>
4375
7834
<optional> transfers <replaceable>number</replaceable> ; </optional>
4376
7835
<optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
4377
7836
<optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
4378
7837
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4379
7838
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7839
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7840
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7841
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7842
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7843
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
7844
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
7845
<optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
4380
7846
};
4381
7847
</programlisting>
4382
7848
4383
</sect2>
4384
4385
<sect2 id="server_statement_definition_and_usage">
4386
<title><command>server</command> Statement Definition and Usage</title>
4387
4388
<para>The <command>server</command> statement defines characteristics
4389
to be associated with a remote name server.</para>
4390
4391
<para>
4392
The <command>server</command> statement can occur at the top level of the
4393
configuration file or inside a <command>view</command> statement.
4394
If a <command>view</command> statement contains
4395
one or more <command>server</command> statements, only those
4396
apply to the view and any top-level ones are ignored.
4397
If a view contains no <command>server</command> statements,
4398
any top-level <command>server</command> statements are used as
4399
defaults.
4400
</para>
4401
4402
<para>If you discover that a remote server is giving out bad data,
4403
marking it as bogus will prevent further queries to it. The default
4404
value of <command>bogus</command> is <command>no</command>.</para>
4405
<para>The <command>provide-ixfr</command> clause determines whether
4406
the local server, acting as master, will respond with an incremental
4407
zone transfer when the given remote server, a slave, requests it.
4408
If set to <command>yes</command>, incremental transfer will be provided
4409
whenever possible. If set to <command>no</command>, all transfers
4410
to the remote server will be non-incremental. If not set, the value
4411
of the <command>provide-ixfr</command> option in the view or
4412
global options block is used as a default.</para>
4413
4414
<para>The <command>request-ixfr</command> clause determines whether
4415
the local server, acting as a slave, will request incremental zone
4416
transfers from the given remote server, a master. If not set, the
4417
value of the <command>request-ixfr</command> option in the view or
4418
global options block is used as a default.</para>
4419
4420
<para>IXFR requests to servers that do not support IXFR will automatically
4421
fall back to AXFR. Therefore, there is no need to manually list
4422
which servers support IXFR and which ones do not; the global default
4423
of <command>yes</command> should always work.
4424
The purpose of the <command>provide-ixfr</command> and
4425
<command>request-ixfr</command> clauses is
4426
to make it possible to disable the use of IXFR even when both master
4427
and slave claim to support it, for example if one of the servers
4428
is buggy and crashes or corrupts data when IXFR is used.</para>
4429
4430
<para>The <command>edns</command> clause determines whether the local server
4431
will attempt to use EDNS when communicating with the remote server. The
4432
default is <command>yes</command>.</para>
4433
4434
<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
4435
uses one DNS message per resource record transferred. <command>many-answers</command> packs
4436
as many resource records as possible into a message. <command>many-answers</command> is
4437
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
4438
8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
4439
to use for a server with the <command>transfer-format</command> option.
4440
If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
4441
by the <command>options</command> statement will be used.</para>
4442
4443
<para><command>transfers</command> is used to limit the number of
4444
concurrent inbound zone transfers from the specified server. If
4445
no <command>transfers</command> clause is specified, the limit is
4446
set according to the <command>transfers-per-ns</command> option.</para>
4447
4448
<para>The <command>keys</command> clause identifies a
4449
<command>key_id</command> defined by the <command>key</command> statement,
4450
to be used for transaction security (TSIG, <xref linkend="tsig"/>)
4451
when talking to the remote server.
4452
When a request is sent to the remote server, a request signature
4453
will be generated using the key specified here and appended to the
4454
message. A request originating from the remote server is not required
4455
to be signed by this key.</para>
4456
4457
<para>Although the grammar of the <command>keys</command> clause
4458
allows for multiple keys, only a single key per server is currently
4459
supported.</para>
4460
4461
<para>The <command>transfer-source</command> and
4462
<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
4463
address to be used for zone transfer with the remote server, respectively.
4464
For an IPv4 remote server, only <command>transfer-source</command> can
4465
be specified.
4466
Similarly, for an IPv6 remote server, only
4467
<command>transfer-source-v6</command> can be specified.
4468
Form more details, see the description of
4469
<command>transfer-source</command> and
4470
<command>transfer-source-v6</command> in
4471
<xref linkend="zone_transfers"/>.</para>
4472
4473
</sect2>
4474
4475
<sect2><title><command>trusted-keys</command> Statement Grammar</title>
4476
<programlisting>trusted-keys {
7849
</sect2>
7850
7851
<sect2 id="server_statement_definition_and_usage">
7852
<title><command>server</command> Statement Definition and
7853
Usage</title>
7854
7855
<para>
7856
The <command>server</command> statement defines
7857
characteristics
7858
to be associated with a remote name server. If a prefix length is
7859
specified, then a range of servers is covered. Only the most
7860
specific
7861
server clause applies regardless of the order in
7862
<filename>named.conf</filename>.
7863
</para>
7864
7865
<para>
7866
The <command>server</command> statement can occur at
7867
the top level of the
7868
configuration file or inside a <command>view</command>
7869
statement.
7870
If a <command>view</command> statement contains
7871
one or more <command>server</command> statements, only
7872
those
7873
apply to the view and any top-level ones are ignored.
7874
If a view contains no <command>server</command>
7875
statements,
7876
any top-level <command>server</command> statements are
7877
used as
7878
defaults.
7879
</para>
7880
7881
<para>
7882
If you discover that a remote server is giving out bad data,
7883
marking it as bogus will prevent further queries to it. The
7884
default
7885
value of <command>bogus</command> is <command>no</command>.
7886
</para>
7887
<para>
7888
The <command>provide-ixfr</command> clause determines
7889
whether
7890
the local server, acting as master, will respond with an
7891
incremental
7892
zone transfer when the given remote server, a slave, requests it.
7893
If set to <command>yes</command>, incremental transfer
7894
will be provided
7895
whenever possible. If set to <command>no</command>,
7896
all transfers
7897
to the remote server will be non-incremental. If not set, the
7898
value
7899
of the <command>provide-ixfr</command> option in the
7900
view or
7901
global options block is used as a default.
7902
</para>
7903
7904
<para>
7905
The <command>request-ixfr</command> clause determines
7906
whether
7907
the local server, acting as a slave, will request incremental zone
7908
transfers from the given remote server, a master. If not set, the
7909
value of the <command>request-ixfr</command> option in
7910
the view or
7911
global options block is used as a default.
7912
</para>
7913
7914
<para>
7915
IXFR requests to servers that do not support IXFR will
7916
automatically
7917
fall back to AXFR. Therefore, there is no need to manually list
7918
which servers support IXFR and which ones do not; the global
7919
default
7920
of <command>yes</command> should always work.
7921
The purpose of the <command>provide-ixfr</command> and
7922
<command>request-ixfr</command> clauses is
7923
to make it possible to disable the use of IXFR even when both
7924
master
7925
and slave claim to support it, for example if one of the servers
7926
is buggy and crashes or corrupts data when IXFR is used.
7927
</para>
7928
7929
<para>
7930
The <command>edns</command> clause determines whether
7931
the local server will attempt to use EDNS when communicating
7932
with the remote server. The default is <command>yes</command>.
7933
</para>
7934
7935
<para>
7936
The <command>edns-udp-size</command> option sets the EDNS UDP size
7937
that is advertised by named when querying the remote server.
7938
Valid values are 512 to 4096 bytes (values outside this range will be
7939
silently adjusted). This option is useful when you wish to
7940
advertises a different value to this server than the value you
7941
advertise globally, for example, when there is a firewall at the
7942
remote site that is blocking large replies.
7943
</para>
7944
7945
<para>
7946
The <command>max-udp-size</command> option sets the
7947
maximum EDNS UDP message size named will send. Valid
7948
values are 512 to 4096 bytes (values outside this range will
7949
be silently adjusted). This option is useful when you
7950
know that there is a firewall that is blocking large
7951
replies from named.
7952
</para>
7953
7954
<para>
7955
The server supports two zone transfer methods. The first, <command>one-answer</command>,
7956
uses one DNS message per resource record transferred. <command>many-answers</command> packs
7957
as many resource records as possible into a message. <command>many-answers</command> is
7958
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7959
8.x, and patched versions of <acronym>BIND</acronym>
7960
4.9.5. You can specify which method
7961
to use for a server with the <command>transfer-format</command> option.
7962
If <command>transfer-format</command> is not
7963
specified, the <command>transfer-format</command>
7964
specified
7965
by the <command>options</command> statement will be
7966
used.
7967
</para>
7968
7969
<para><command>transfers</command>
7970
is used to limit the number of concurrent inbound zone
7971
transfers from the specified server. If no
7972
<command>transfers</command> clause is specified, the
7973
limit is set according to the
7974
<command>transfers-per-ns</command> option.
7975
</para>
7976
7977
<para>
7978
The <command>keys</command> clause identifies a
7979
<command>key_id</command> defined by the <command>key</command> statement,
7980
to be used for transaction security (TSIG, <xref linkend="tsig"/>)
7981
when talking to the remote server.
7982
When a request is sent to the remote server, a request signature
7983
will be generated using the key specified here and appended to the
7984
message. A request originating from the remote server is not
7985
required
7986
to be signed by this key.
7987
</para>
7988
7989
<para>
7990
Although the grammar of the <command>keys</command>
7991
clause
7992
allows for multiple keys, only a single key per server is
7993
currently
7994
supported.
7995
</para>
7996
7997
<para>
7998
The <command>transfer-source</command> and
7999
<command>transfer-source-v6</command> clauses specify
8000
the IPv4 and IPv6 source
8001
address to be used for zone transfer with the remote server,
8002
respectively.
8003
For an IPv4 remote server, only <command>transfer-source</command> can
8004
be specified.
8005
Similarly, for an IPv6 remote server, only
8006
<command>transfer-source-v6</command> can be
8007
specified.
8008
For more details, see the description of
8009
<command>transfer-source</command> and
8010
<command>transfer-source-v6</command> in
8011
<xref linkend="zone_transfers"/>.
8012
</para>
8013
8014
<para>
8015
The <command>notify-source</command> and
8016
<command>notify-source-v6</command> clauses specify the
8017
IPv4 and IPv6 source address to be used for notify
8018
messages sent to remote servers, respectively. For an
8019
IPv4 remote server, only <command>notify-source</command>
8020
can be specified. Similarly, for an IPv6 remote server,
8021
only <command>notify-source-v6</command> can be specified.
8022
</para>
8023
8024
<para>
8025
The <command>query-source</command> and
8026
<command>query-source-v6</command> clauses specify the
8027
IPv4 and IPv6 source address to be used for queries
8028
sent to remote servers, respectively. For an IPv4
8029
remote server, only <command>query-source</command> can
8030
be specified. Similarly, for an IPv6 remote server,
8031
only <command>query-source-v6</command> can be specified.
8032
</para>
8033
8034
</sect2>
8035
8036
<sect2>
8037
<title><command>trusted-keys</command> Statement Grammar</title>
8038
8039
<programlisting><command>trusted-keys</command> {
4477
8040
<replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
4478
8041
<optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
4479
8042
};
4480
8043
</programlisting>
4481
</sect2>
4482
<sect2><title><command>trusted-keys</command> Statement Definition
4483
and Usage</title>
4484
<para>The <command>trusted-keys</command> statement defines DNSSEC
4485
security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
4486
zone is known, but cannot be securely obtained through DNS, either
4487
because it is the DNS root zone or because its parent zone is unsigned.
4488
Once a key has been configured as a trusted key, it is treated as
4489
if it had been validated and proven secure. The resolver attempts
4490
DNSSEC validation on all DNS data in subdomains of a security root.</para>
4491
<para>The <command>trusted-keys</command> statement can contain
4492
multiple key entries, each consisting of the key's domain name,
4493
flags, protocol, algorithm, and the base-64 representation of the
4494
key data.</para></sect2>
4495
4496
<sect2 id="view_statement_grammar">
4497
<title><command>view</command> Statement Grammar</title>
4498
<programlisting>view <replaceable>view_name</replaceable>
8044
8045
</sect2>
8046
<sect2>
8047
<title><command>trusted-keys</command> Statement Definition
8048
and Usage</title>
8049
<para>
8050
The <command>trusted-keys</command> statement defines
8051
DNSSEC security roots. DNSSEC is described in <xref
8052
linkend="DNSSEC"/>. A security root is defined when the
8053
public key for a non-authoritative zone is known, but
8054
cannot be securely obtained through DNS, either because
8055
it is the DNS root zone or because its parent zone is
8056
unsigned. Once a key has been configured as a trusted
8057
key, it is treated as if it had been validated and
8058
proven secure. The resolver attempts DNSSEC validation
8059
on all DNS data in subdomains of a security root.
8060
</para>
8061
<para>
8062
All keys (and corresponding zones) listed in
8063
<command>trusted-keys</command> are deemed to exist regardless
8064
of what parent zones say. Similarly for all keys listed in
8065
<command>trusted-keys</command> only those keys are
8066
used to validate the DNSKEY RRset. The parent's DS RRset
8067
will not be used.
8068
</para>
8069
<para>
8070
The <command>trusted-keys</command> statement can contain
8071
multiple key entries, each consisting of the key's
8072
domain name, flags, protocol, algorithm, and the Base-64
8073
representation of the key data.
8074
</para>
8075
</sect2>
8076
8077
<sect2 id="view_statement_grammar">
8078
<title><command>view</command> Statement Grammar</title>
8079
8080
<programlisting><command>view</command> <replaceable>view_name</replaceable>
4499
8081
<optional><replaceable>class</replaceable></optional> {
4500
match-clients { <replaceable>address_match_list</replaceable> } ;
4501
match-destinations { <replaceable>address_match_list</replaceable> } ;
8082
match-clients { <replaceable>address_match_list</replaceable> };
8083
match-destinations { <replaceable>address_match_list</replaceable> };
4502
8084
match-recursive-only <replaceable>yes_or_no</replaceable> ;
4503
8085
<optional> <replaceable>view_option</replaceable>; ...</optional>
4504
8086
<optional> <replaceable>zone_statement</replaceable>; ...</optional>
4505
8087
};
4506
</programlisting></sect2>
4507
<sect2><title><command>view</command> Statement Definition and Usage</title>
4508
4509
<para>The <command>view</command> statement is a powerful new feature
4510
of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
4511
depending on who is asking. It is particularly useful for implementing
4512
split DNS setups without having to run multiple servers.</para>
4513
4514
<para>Each <command>view</command> statement defines a view of the
4515
DNS namespace that will be seen by a subset of clients. A client matches
4516
a view if its source IP address matches the
4517
<varname>address_match_list</varname> of the view's
4518
<command>match-clients</command> clause and its destination IP address matches
4519
the <varname>address_match_list</varname> of the view's
4520
<command>match-destinations</command> clause. If not specified, both
4521
<command>match-clients</command> and <command>match-destinations</command>
4522
default to matching all addresses. In addition to checking IP addresses
4523
<command>match-clients</command> and <command>match-destinations</command>
4524
can also take <command>keys</command> which provide an mechanism for the
4525
client to select the view. A view can also be specified
4526
as <command>match-recursive-only</command>, which means that only recursive
4527
requests from matching clients will match that view.
4528
The order of the <command>view</command> statements is significant —
4529
a client request will be resolved in the context of the first
4530
<command>view</command> that it matches.</para>
4531
4532
<para>Zones defined within a <command>view</command> statement will
4533
be only be accessible to clients that match the <command>view</command>.
4534
By defining a zone of the same name in multiple views, different
4535
zone data can be given to different clients, for example, "internal"
4536
and "external" clients in a split DNS setup.</para>
4537
4538
<para>Many of the options given in the <command>options</command> statement
4539
can also be used within a <command>view</command> statement, and then
4540
apply only when resolving queries with that view. When no view-specific
4541
value is given, the value in the <command>options</command> statement
4542
is used as a default. Also, zone options can have default values specified
4543
in the <command>view</command> statement; these view-specific defaults
4544
take precedence over those in the <command>options</command> statement.</para>
4545
4546
<para>Views are class specific. If no class is given, class IN
4547
is assumed. Note that all non-IN views must contain a hint zone,
4548
since only the IN class has compiled-in default hints.</para>
4549
4550
<para>If there are no <command>view</command> statements in the config
4551
file, a default view that matches any client is automatically created
4552
in class IN. Any <command>zone</command> statements specified on
4553
the top level of the configuration file are considered to be part of
4554
this default view, and the <command>options</command> statement will
4555
apply to the default view. If any explicit <command>view</command>
4556
statements are present, all <command>zone</command> statements must
4557
occur inside <command>view</command> statements.</para>
4558
4559
<para>Here is an example of a typical split DNS setup implemented
4560
using <command>view</command> statements.</para>
8088
</programlisting>
8089
8090
</sect2>
8091
<sect2>
8092
<title><command>view</command> Statement Definition and Usage</title>
8093
8094
<para>
8095
The <command>view</command> statement is a powerful
8096
feature
8097
of <acronym>BIND</acronym> 9 that lets a name server
8098
answer a DNS query differently
8099
depending on who is asking. It is particularly useful for
8100
implementing
8101
split DNS setups without having to run multiple servers.
8102
</para>
8103
8104
<para>
8105
Each <command>view</command> statement defines a view
8106
of the
8107
DNS namespace that will be seen by a subset of clients. A client
8108
matches
8109
a view if its source IP address matches the
8110
<varname>address_match_list</varname> of the view's
8111
<command>match-clients</command> clause and its
8112
destination IP address matches
8113
the <varname>address_match_list</varname> of the
8114
view's
8115
<command>match-destinations</command> clause. If not
8116
specified, both
8117
<command>match-clients</command> and <command>match-destinations</command>
8118
default to matching all addresses. In addition to checking IP
8119
addresses
8120
<command>match-clients</command> and <command>match-destinations</command>
8121
can also take <command>keys</command> which provide an
8122
mechanism for the
8123
client to select the view. A view can also be specified
8124
as <command>match-recursive-only</command>, which
8125
means that only recursive
8126
requests from matching clients will match that view.
8127
The order of the <command>view</command> statements is
8128
significant —
8129
a client request will be resolved in the context of the first
8130
<command>view</command> that it matches.
8131
</para>
8132
8133
<para>
8134
Zones defined within a <command>view</command>
8135
statement will
8136
be only be accessible to clients that match the <command>view</command>.
8137
By defining a zone of the same name in multiple views, different
8138
zone data can be given to different clients, for example,
8139
"internal"
8140
and "external" clients in a split DNS setup.
8141
</para>
8142
8143
<para>
8144
Many of the options given in the <command>options</command> statement
8145
can also be used within a <command>view</command>
8146
statement, and then
8147
apply only when resolving queries with that view. When no
8148
view-specific
8149
value is given, the value in the <command>options</command> statement
8150
is used as a default. Also, zone options can have default values
8151
specified
8152
in the <command>view</command> statement; these
8153
view-specific defaults
8154
take precedence over those in the <command>options</command> statement.
8155
</para>
8156
8157
<para>
8158
Views are class specific. If no class is given, class IN
8159
is assumed. Note that all non-IN views must contain a hint zone,
8160
since only the IN class has compiled-in default hints.
8161
</para>
8162
8163
<para>
8164
If there are no <command>view</command> statements in
8165
the config
8166
file, a default view that matches any client is automatically
8167
created
8168
in class IN. Any <command>zone</command> statements
8169
specified on
8170
the top level of the configuration file are considered to be part
8171
of
8172
this default view, and the <command>options</command>
8173
statement will
8174
apply to the default view. If any explicit <command>view</command>
8175
statements are present, all <command>zone</command>
8176
statements must
8177
occur inside <command>view</command> statements.
8178
</para>
8179
8180
<para>
8181
Here is an example of a typical split DNS setup implemented
8182
using <command>view</command> statements:
8183
</para>
8184
4561
8185
<programlisting>view "internal" {
4562
8186
// This should match our internal networks.
4563
8187
match-clients { 10.0.0.0/8; };
4588
8212
};
4589
8213
};
4590
8214
</programlisting>
4591
</sect2>
4592
<sect2 id="zone_statement_grammar"><title><command>zone</command>
4593
Statement Grammar</title>
4594
<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
4595
type ( master | slave | hint | stub | forward | delegation-only ) ;
4596
<optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
4597
<optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
4598
<optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
4599
<optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
4600
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
4601
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
8215
8216
</sect2>
8217
<sect2 id="zone_statement_grammar">
8218
<title><command>zone</command>
8219
Statement Grammar</title>
8220
8221
<programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8222
type master;
8223
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8224
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8225
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8226
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
8227
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
4602
8228
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4603
8229
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8230
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8231
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
8232
<optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
4604
8233
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
4605
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
4606
8234
<optional> file <replaceable>string</replaceable> ; </optional>
8235
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8236
<optional> journal <replaceable>string</replaceable> ; </optional>
4607
8237
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
4608
8238
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4609
8239
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
4610
8240
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
4611
8241
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
4612
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
4613
8242
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
4614
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
4615
8243
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
4616
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
4617
8244
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
4618
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
8245
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8246
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8247
<optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
4619
8248
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
4620
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4621
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4622
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4623
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4624
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4625
8249
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4626
8250
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4627
8251
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
4631
8255
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4632
8256
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4633
8257
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4634
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
4635
8258
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
4636
4637
}</optional>;
8259
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8260
};
8261
8262
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8263
type slave;
8264
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8265
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8266
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8267
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8268
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8269
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8270
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
8271
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8272
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8273
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8274
<optional> file <replaceable>string</replaceable> ; </optional>
8275
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8276
<optional> journal <replaceable>string</replaceable> ; </optional>
8277
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8278
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8279
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8280
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8281
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8282
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8283
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8284
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8285
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8286
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8287
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8288
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8289
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8290
<optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
8291
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8292
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8293
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8294
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8295
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8296
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8297
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8298
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8299
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8300
<optional> database <replaceable>string</replaceable> ; </optional>
8301
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8302
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8303
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8304
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8305
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8306
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8307
};
8308
8309
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8310
type hint;
8311
file <replaceable>string</replaceable> ;
8312
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8313
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8314
};
8315
8316
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8317
type stub;
8318
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8319
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8320
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8321
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8322
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8323
<optional> file <replaceable>string</replaceable> ; </optional>
8324
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8325
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8326
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8327
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8328
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8329
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8330
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8331
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8332
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8333
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8334
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8335
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8336
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8337
<optional> database <replaceable>string</replaceable> ; </optional>
8338
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8339
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8340
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8341
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8342
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8343
};
8344
8345
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8346
type forward;
8347
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8348
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8349
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8350
};
8351
8352
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8353
type delegation-only;
8354
};
8355
4638
8356
</programlisting>
4639
</sect2>
4640
<sect2><title><command>zone</command> Statement Definition and Usage</title>
4641
<sect3><title>Zone Types</title>
4642
<informaltable colsep = "0" rowsep = "0">
4643
<tgroup cols = "2" colsep = "0" rowsep = "0"
4644
tgroupstyle = "3Level-table">
4645
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
4646
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
4647
<tbody>
4648
<row rowsep = "0">
4649
<entry colname = "1"><para><varname>master</varname></para></entry>
4650
<entry colname = "2"><para>The server has a master copy of the data
4651
for the zone and will be able to provide authoritative answers for
4652
it.</para></entry>
4653
</row>
4654
<row rowsep = "0">
4655
<entry colname = "1"><para><varname>slave</varname></para></entry>
4656
<entry colname = "2"><para>A slave zone is a replica of a master
4657
zone. The <command>masters</command> list specifies one or more IP addresses
4658
of master servers that the slave contacts to update its copy of the zone.
4659
Masters list elements can also be names of other masters lists.
4660
By default, transfers are made from port 53 on the servers; this can
4661
be changed for all servers by specifying a port number before the
4662
list of IP addresses, or on a per-server basis after the IP address.
4663
Authentication to the master can also be done with per-server TSIG keys.
4664
If a file is specified, then the
4665
replica will be written to this file whenever the zone is changed,
4666
and reloaded from this file on a server restart. Use of a file is
4667
recommended, since it often speeds server start-up and eliminates
4668
a needless waste of bandwidth. Note that for large numbers (in the
4669
tens or hundreds of thousands) of zones per server, it is best to
4670
use a two level naming scheme for zone file names. For example,
4671
a slave server for the zone <literal>example.com</literal> might place
4672
the zone contents into a file called
4673
<filename>ex/example.com</filename> where <filename>ex/</filename> is
4674
just the first two letters of the zone name. (Most operating systems
4675
behave very slowly if you put 100 000 files into
4676
a single directory.)</para></entry>
4677
</row>
4678
<row rowsep = "0">
4679
<entry colname = "1"><para><varname>stub</varname></para></entry>
4680
<entry colname = "2"><para>A stub zone is similar to a slave zone,
4681
except that it replicates only the NS records of a master zone instead
4682
of the entire zone. Stub zones are not a standard part of the DNS;
4683
they are a feature specific to the <acronym>BIND</acronym> implementation.
4684
</para>
4685
4686
<para>Stub zones can be used to eliminate the need for glue NS record
4687
in a parent zone at the expense of maintaining a stub zone entry and
4688
a set of name server addresses in <filename>named.conf</filename>.
4689
This usage is not recommended for new configurations, and BIND 9
4690
supports it only in a limited way.
4691
In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
4692
included the NS records from stub children of that zone. This meant
4693
that, in some cases, users could get away with configuring child stubs
4694
only in the master server for the parent zone. <acronym>BIND</acronym>
4695
9 never mixes together zone data from different zones in this
4696
way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
4697
zone has child stub zones configured, all the slave servers for the
4698
parent zone also need to have the same child stub zones
4699
configured.</para>
4700
4701
<para>Stub zones can also be used as a way of forcing the resolution
4702
of a given domain to use a particular set of authoritative servers.
4703
For example, the caching name servers on a private network using
4704
RFC1981 addressing may be configured with stub zones for
4705
<literal>10.in-addr.arpa</literal>
4706
to use a set of internal name servers as the authoritative
4707
servers for that domain.</para>
4708
</entry>
4709
</row>
4710
<row rowsep = "0">
4711
<entry colname = "1"><para><varname>forward</varname></para></entry>
4712
<entry colname = "2"><para>A "forward zone" is a way to configure
4713
forwarding on a per-domain basis. A <command>zone</command> statement
4714
of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
4715
which will apply to queries within the domain given by the zone
4716
name. If no <command>forwarders</command> statement is present or
4717
an empty list for <command>forwarders</command> is given, then no
4718
forwarding will be done for the domain, canceling the effects of
4719
any forwarders in the <command>options</command> statement. Thus
4720
if you want to use this type of zone to change the behavior of the
4721
global <command>forward</command> option (that is, "forward first
4722
to", then "forward only", or vice versa, but want to use the same
4723
servers as set globally) you need to re-specify the global forwarders.</para>
4724
</entry>
4725
</row>
4726
<row rowsep = "0">
4727
<entry colname = "1"><para><varname>hint</varname></para></entry>
4728
<entry colname = "2"><para>The initial set of root name servers is
4729
specified using a "hint zone". When the server starts up, it uses
4730
the root hints to find a root name server and get the most recent
4731
list of root name servers. If no hint zone is specified for class
4732
IN, the server uses a compiled-in default set of root servers hints.
4733
Classes other than IN have no built-in defaults hints.</para></entry>
4734
</row>
4735
<row rowsep = "0">
4736
<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
4737
<entry colname = "2"><para>This is used to enforce the delegation only
4738
status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
4739
is received without a explicit or implicit delegation in the authority
4740
section will be treated as NXDOMAIN. This does not apply to the zone
4741
apex. This SHOULD NOT be applied to leaf zones.</para>
4742
<para><varname>delegation-only</varname> has no effect on answers received
4743
from forwarders.</para></entry>
4744
</row>
4745
</tbody>
4746
</tgroup></informaltable></sect3>
4747
4748
<sect3><title>Class</title>
4749
<para>The zone's name may optionally be followed by a class. If
4750
a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
4751
is assumed. This is correct for the vast majority of cases.</para>
4752
<para>The <literal>hesiod</literal> class is
4753
named for an information service from MIT's Project Athena. It is
4754
used to share information about various systems databases, such
4755
as users, groups, printers and so on. The keyword
4756
<literal>HS</literal> is
4757
a synonym for hesiod.</para>
4758
<para>Another MIT development is CHAOSnet, a LAN protocol created
4759
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
4760
<sect3>
4761
4762
<title>Zone Options</title>
4763
4764
<variablelist>
4765
4766
<varlistentry><term><command>allow-notify</command></term>
4767
<listitem><para>See the description of
4768
<command>allow-notify</command> in <xref linkend="access_control"/></para>
4769
</listitem></varlistentry>
4770
4771
<varlistentry><term><command>allow-query</command></term>
4772
<listitem><para>See the description of
4773
<command>allow-query</command> in <xref linkend="access_control"/></para>
4774
</listitem></varlistentry>
4775
4776
<varlistentry><term><command>allow-transfer</command></term>
4777
<listitem><para>See the description of <command>allow-transfer</command>
4778
in <xref linkend="access_control"/>.</para>
4779
</listitem></varlistentry>
4780
4781
<varlistentry><term><command>allow-update</command></term>
4782
<listitem><para>Specifies which hosts are allowed to
4783
submit Dynamic DNS updates for master zones. The default is to deny
4784
updates from all hosts. Note that allowing updates based
4785
on the requestor's IP address is insecure; see
4786
<xref linkend="dynamic_update_security"/> for details.
4787
</para>
4788
</listitem></varlistentry>
4789
4790
<varlistentry><term><command>update-policy</command></term>
4791
<listitem><para>Specifies a "Simple Secure Update" policy. See
4792
<xref linkend="dynamic_update_policies"/>.</para>
4793
</listitem></varlistentry>
4794
4795
<varlistentry><term><command>allow-update-forwarding</command></term>
4796
<listitem><para>See the description of <command>allow-update-forwarding</command>
4797
in <xref linkend="access_control"/>.</para>
4798
</listitem></varlistentry>
4799
4800
<varlistentry><term><command>also-notify</command></term>
4801
<listitem><para>Only meaningful if <command>notify</command> is
4802
active for this zone. The set of machines that will receive a
4803
<literal>DNS NOTIFY</literal> message
4804
for this zone is made up of all the listed name servers (other than
4805
the primary master) for the zone plus any IP addresses specified
4806
with <command>also-notify</command>. A port may be specified
4807
with each <command>also-notify</command> address to send the notify
4808
messages to a port other than the default of 53.
4809
<command>also-notify</command> is not meaningful for stub zones.
4810
The default is the empty list.</para>
4811
</listitem></varlistentry>
4812
4813
<varlistentry><term><command>check-names</command></term>
4814
<listitem><para>
4815
This option is used to restrict the character set and syntax of
4816
certain domain names in master files and/or DNS responses received from the
4817
network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
4818
zones the default is <command>warn</command>.
4819
</para>
4820
</listitem></varlistentry>
4821
4822
<varlistentry><term><command>database</command></term>
4823
<listitem><para>Specify the type of database to be used for storing the
4824
zone data. The string following the <command>database</command> keyword
4825
is interpreted as a list of whitespace-delimited words. The first word
4826
identifies the database type, and any subsequent words are passed
4827
as arguments to the database to be interpreted in a way specific
4828
to the database type.</para>
4829
<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
4830
red-black-tree database. This database does not take arguments.</para>
4831
<para>Other values are possible if additional database drivers
4832
have been linked into the server. Some sample drivers are included
4833
with the distribution but none are linked in by default.</para>
4834
</listitem></varlistentry>
4835
4836
<varlistentry><term><command>dialup</command></term>
4837
<listitem><para>See the description of
4838
<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
4839
</listitem></varlistentry>
4840
4841
<varlistentry><term><command>delegation-only</command></term>
4842
<listitem><para>The flag only applies to hint and stub zones. If set
4843
to <userinput>yes</userinput> then the zone will also be treated as if it
4844
is also a delegation-only type zone.
4845
</para>
4846
</listitem></varlistentry>
4847
4848
<varlistentry><term><command>forward</command></term>
4849
<listitem><para>Only meaningful if the zone has a forwarders
4850
list. The <command>only</command> value causes the lookup to fail
4851
after trying the forwarders and getting no answer, while <command>first</command> would
4852
allow a normal lookup to be tried.</para>
4853
</listitem></varlistentry>
4854
4855
<varlistentry><term><command>forwarders</command></term>
4856
<listitem><para>Used to override the list of global forwarders.
4857
If it is not specified in a zone of type <command>forward</command>,
4858
no forwarding is done for the zone; the global options are not used.</para>
4859
</listitem></varlistentry>
4860
4861
<varlistentry><term><command>ixfr-base</command></term>
4862
<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
4863
of the transaction log (journal) file for dynamic update and IXFR.
4864
<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
4865
file by appending "<filename>.jnl</filename>" to the name of the
4866
zone file.</para>
4867
</listitem></varlistentry>
4868
4869
<varlistentry><term><command>ixfr-tmp-file</command></term>
4870
<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
4871
Ignored in <acronym>BIND</acronym> 9.</para>
4872
</listitem></varlistentry>
4873
4874
<varlistentry><term><command>max-transfer-time-in</command></term>
4875
<listitem><para>See the description of
4876
<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
4877
</listitem></varlistentry>
4878
4879
<varlistentry><term><command>max-transfer-idle-in</command></term>
4880
<listitem><para>See the description of
4881
<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
4882
</listitem></varlistentry>
4883
4884
<varlistentry><term><command>max-transfer-time-out</command></term>
4885
<listitem><para>See the description of
4886
<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
4887
</listitem></varlistentry>
4888
4889
<varlistentry><term><command>max-transfer-idle-out</command></term>
4890
<listitem><para>See the description of
4891
<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
4892
</listitem></varlistentry>
4893
4894
<varlistentry><term><command>notify</command></term>
4895
<listitem><para>See the description of
4896
<command>notify</command> in <xref linkend="boolean_options"/>.</para>
4897
</listitem></varlistentry>
4898
4899
<varlistentry><term><command>pubkey</command></term>
4900
<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
4901
a public zone key for verification of signatures in DNSSEC signed
4902
zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
4903
on load and ignores the option.</para>
4904
</listitem></varlistentry>
4905
4906
<varlistentry><term><command>zone-statistics</command></term>
4907
<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
4908
information for this zone, which can be dumped to the
4909
<command>statistics-file</command> defined in the server options.</para>
4910
</listitem></varlistentry>
4911
4912
<varlistentry><term><command>sig-validity-interval</command></term>
4913
<listitem><para>See the description of
4914
<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
4915
</listitem></varlistentry>
4916
4917
<varlistentry><term><command>transfer-source</command></term>
4918
<listitem><para>See the description of
4919
<command>transfer-source</command> in <xref linkend="zone_transfers"/>
4920
</para>
4921
</listitem></varlistentry>
4922
4923
<varlistentry><term><command>transfer-source-v6</command></term>
4924
<listitem><para>See the description of
4925
<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
4926
</para>
4927
</listitem></varlistentry>
4928
4929
<varlistentry><term><command>alt-transfer-source</command></term>
4930
<listitem><para>See the description of
4931
<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>
4932
</para>
4933
</listitem></varlistentry>
4934
4935
<varlistentry><term><command>alt-transfer-source-v6</command></term>
4936
<listitem><para>See the description of
4937
<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>
4938
</para>
4939
</listitem></varlistentry>
4940
4941
<varlistentry><term><command>use-alt-transfer-source</command></term>
4942
<listitem><para>See the description of
4943
<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>
4944
</para>
4945
</listitem></varlistentry>
4946
4947
4948
<varlistentry><term><command>notify-source</command></term>
4949
<listitem><para>See the description of
4950
<command>notify-source</command> in <xref linkend="zone_transfers"/>
4951
</para>
4952
</listitem></varlistentry>
4953
4954
<varlistentry><term><command>notify-source-v6</command></term>
4955
<listitem><para>See the description of
4956
<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
4957
</para>
4958
</listitem></varlistentry>
4959
4960
<varlistentry>
4961
<term><command>min-refresh-time</command></term>
4962
<term><command>max-refresh-time</command></term>
4963
<term><command>min-retry-time</command></term>
4964
<term><command>max-retry-time</command></term>
4965
<listitem><para>
4966
See the description in <xref linkend="tuning"/>.
4967
</para></listitem></varlistentry>
4968
4969
<varlistentry><term><command>ixfr-from-differences</command></term>
4970
<listitem><para>See the description of
4971
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
4972
</listitem></varlistentry>
4973
4974
<varlistentry><term><command>key-directory</command></term>
4975
<listitem><para>See the description of
4976
<command>key-directory</command> in <xref linkend="options"/></para>
4977
</listitem></varlistentry>
4978
4979
<varlistentry><term><command>multi-master</command></term>
4980
<listitem><para>See the description of
4981
<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
4982
</listitem></varlistentry>
4983
4984
</variablelist>
4985
4986
</sect3>
4987
<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
4988
<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
4989
the right to perform dynamic updates to a zone,
4990
configured by the <command>allow-update</command> and
4991
<command>update-policy</command> option, respectively.</para>
4992
<para>The <command>allow-update</command> clause works the same
4993
way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
4994
permission to update any record of any name in the zone.</para>
4995
<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
4996
9 and allows more fine-grained control over what updates are allowed.
4997
A set of rules is specified, where each rule either grants or denies
4998
permissions for one or more names to be updated by one or more identities.
4999
If the dynamic update request message is signed (that is, it includes
5000
either a TSIG or SIG(0) record), the identity of the signer can
5001
be determined.</para>
5002
<para>Rules are specified in the <command>update-policy</command> zone
5003
option, and are only meaningful for master zones. When the <command>update-policy</command> statement
5004
is present, it is a configuration error for the <command>allow-update</command> statement
5005
to be present. The <command>update-policy</command> statement only
5006
examines the signer of a message; the source address is not relevant.</para>
5007
<para>This is how a rule definition looks:</para>
8357
8358
</sect2>
8359
<sect2>
8360
<title><command>zone</command> Statement Definition and Usage</title>
8361
<sect3>
8362
<title>Zone Types</title>
8363
<informaltable colsep="0" rowsep="0">
8364
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8365
<!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8366
<!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8367
<colspec colname="1" colnum="1" colsep="0"/>
8368
<colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8369
<tbody>
8370
<row rowsep="0">
8371
<entry colname="1">
8372
<para>
8373
<varname>master</varname>
8374
</para>
8375
</entry>
8376
<entry colname="2">
8377
<para>
8378
The server has a master copy of the data
8379
for the zone and will be able to provide authoritative
8380
answers for
8381
it.
8382
</para>
8383
</entry>
8384
</row>
8385
<row rowsep="0">
8386
<entry colname="1">
8387
<para>
8388
<varname>slave</varname>
8389
</para>
8390
</entry>
8391
<entry colname="2">
8392
<para>
8393
A slave zone is a replica of a master
8394
zone. The <command>masters</command> list
8395
specifies one or more IP addresses
8396
of master servers that the slave contacts to update
8397
its copy of the zone.
8398
Masters list elements can also be names of other
8399
masters lists.
8400
By default, transfers are made from port 53 on the
8401
servers; this can
8402
be changed for all servers by specifying a port number
8403
before the
8404
list of IP addresses, or on a per-server basis after
8405
the IP address.
8406
Authentication to the master can also be done with
8407
per-server TSIG keys.
8408
If a file is specified, then the
8409
replica will be written to this file whenever the zone
8410
is changed,
8411
and reloaded from this file on a server restart. Use
8412
of a file is
8413
recommended, since it often speeds server startup and
8414
eliminates
8415
a needless waste of bandwidth. Note that for large
8416
numbers (in the
8417
tens or hundreds of thousands) of zones per server, it
8418
is best to
8419
use a two-level naming scheme for zone filenames. For
8420
example,
8421
a slave server for the zone <literal>example.com</literal> might place
8422
the zone contents into a file called
8423
<filename>ex/example.com</filename> where <filename>ex/</filename> is
8424
just the first two letters of the zone name. (Most
8425
operating systems
8426
behave very slowly if you put 100 000 files into
8427
a single directory.)
8428
</para>
8429
</entry>
8430
</row>
8431
<row rowsep="0">
8432
<entry colname="1">
8433
<para>
8434
<varname>stub</varname>
8435
</para>
8436
</entry>
8437
<entry colname="2">
8438
<para>
8439
A stub zone is similar to a slave zone,
8440
except that it replicates only the NS records of a
8441
master zone instead
8442
of the entire zone. Stub zones are not a standard part
8443
of the DNS;
8444
they are a feature specific to the <acronym>BIND</acronym> implementation.
8445
</para>
8446
8447
<para>
8448
Stub zones can be used to eliminate the need for glue
8449
NS record
8450
in a parent zone at the expense of maintaining a stub
8451
zone entry and
8452
a set of name server addresses in <filename>named.conf</filename>.
8453
This usage is not recommended for new configurations,
8454
and BIND 9
8455
supports it only in a limited way.
8456
In <acronym>BIND</acronym> 4/8, zone
8457
transfers of a parent zone
8458
included the NS records from stub children of that
8459
zone. This meant
8460
that, in some cases, users could get away with
8461
configuring child stubs
8462
only in the master server for the parent zone. <acronym>BIND</acronym>
8463
9 never mixes together zone data from different zones
8464
in this
8465
way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8466
zone has child stub zones configured, all the slave
8467
servers for the
8468
parent zone also need to have the same child stub
8469
zones
8470
configured.
8471
</para>
8472
8473
<para>
8474
Stub zones can also be used as a way of forcing the
8475
resolution
8476
of a given domain to use a particular set of
8477
authoritative servers.
8478
For example, the caching name servers on a private
8479
network using
8480
RFC1918 addressing may be configured with stub zones
8481
for
8482
<literal>10.in-addr.arpa</literal>
8483
to use a set of internal name servers as the
8484
authoritative
8485
servers for that domain.
8486
</para>
8487
</entry>
8488
</row>
8489
<row rowsep="0">
8490
<entry colname="1">
8491
<para>
8492
<varname>forward</varname>
8493
</para>
8494
</entry>
8495
<entry colname="2">
8496
<para>
8497
A "forward zone" is a way to configure
8498
forwarding on a per-domain basis. A <command>zone</command> statement
8499
of type <command>forward</command> can
8500
contain a <command>forward</command>
8501
and/or <command>forwarders</command>
8502
statement,
8503
which will apply to queries within the domain given by
8504
the zone
8505
name. If no <command>forwarders</command>
8506
statement is present or
8507
an empty list for <command>forwarders</command> is given, then no
8508
forwarding will be done for the domain, canceling the
8509
effects of
8510
any forwarders in the <command>options</command> statement. Thus
8511
if you want to use this type of zone to change the
8512
behavior of the
8513
global <command>forward</command> option
8514
(that is, "forward first"
8515
to, then "forward only", or vice versa, but want to
8516
use the same
8517
servers as set globally) you need to re-specify the
8518
global forwarders.
8519
</para>
8520
</entry>
8521
</row>
8522
<row rowsep="0">
8523
<entry colname="1">
8524
<para>
8525
<varname>hint</varname>
8526
</para>
8527
</entry>
8528
<entry colname="2">
8529
<para>
8530
The initial set of root name servers is
8531
specified using a "hint zone". When the server starts
8532
up, it uses
8533
the root hints to find a root name server and get the
8534
most recent
8535
list of root name servers. If no hint zone is
8536
specified for class
8537
IN, the server uses a compiled-in default set of root
8538
servers hints.
8539
Classes other than IN have no built-in defaults hints.
8540
</para>
8541
</entry>
8542
</row>
8543
<row rowsep="0">
8544
<entry colname="1">
8545
<para>
8546
<varname>delegation-only</varname>
8547
</para>
8548
</entry>
8549
<entry colname="2">
8550
<para>
8551
This is used to enforce the delegation-only
8552
status of infrastructure zones (e.g. COM, NET, ORG).
8553
Any answer that
8554
is received without an explicit or implicit delegation
8555
in the authority
8556
section will be treated as NXDOMAIN. This does not
8557
apply to the zone
8558
apex. This should not be applied to leaf zones.
8559
</para>
8560
<para>
8561
<varname>delegation-only</varname> has no
8562
effect on answers received
8563
from forwarders.
8564
</para>
8565
</entry>
8566
</row>
8567
</tbody>
8568
</tgroup>
8569
</informaltable>
8570
</sect3>
8571
8572
<sect3>
8573
<title>Class</title>
8574
<para>
8575
The zone's name may optionally be followed by a class. If
8576
a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
8577
is assumed. This is correct for the vast majority of cases.
8578
</para>
8579
<para>
8580
The <literal>hesiod</literal> class is
8581
named for an information service from MIT's Project Athena. It
8582
is
8583
used to share information about various systems databases, such
8584
as users, groups, printers and so on. The keyword
8585
<literal>HS</literal> is
8586
a synonym for hesiod.
8587
</para>
8588
<para>
8589
Another MIT development is Chaosnet, a LAN protocol created
8590
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
8591
</para>
8592
</sect3>
8593
<sect3>
8594
8595
<title>Zone Options</title>
8596
8597
<variablelist>
8598
8599
<varlistentry>
8600
<term><command>allow-notify</command></term>
8601
<listitem>
8602
<para>
8603
See the description of
8604
<command>allow-notify</command> in <xref linkend="access_control"/>.
8605
</para>
8606
</listitem>
8607
</varlistentry>
8608
8609
<varlistentry>
8610
<term><command>allow-query</command></term>
8611
<listitem>
8612
<para>
8613
See the description of
8614
<command>allow-query</command> in <xref linkend="access_control"/>.
8615
</para>
8616
</listitem>
8617
</varlistentry>
8618
8619
<varlistentry>
8620
<term><command>allow-query-on</command></term>
8621
<listitem>
8622
<para>
8623
See the description of
8624
<command>allow-query-on</command> in <xref linkend="access_control"/>.
8625
</para>
8626
</listitem>
8627
</varlistentry>
8628
8629
<varlistentry>
8630
<term><command>allow-transfer</command></term>
8631
<listitem>
8632
<para>
8633
See the description of <command>allow-transfer</command>
8634
in <xref linkend="access_control"/>.
8635
</para>
8636
</listitem>
8637
</varlistentry>
8638
8639
<varlistentry>
8640
<term><command>allow-update</command></term>
8641
<listitem>
8642
<para>
8643
See the description of <command>allow-update</command>
8644
in <xref linkend="access_control"/>.
8645
</para>
8646
</listitem>
8647
</varlistentry>
8648
8649
<varlistentry>
8650
<term><command>update-policy</command></term>
8651
<listitem>
8652
<para>
8653
Specifies a "Simple Secure Update" policy. See
8654
<xref linkend="dynamic_update_policies"/>.
8655
</para>
8656
</listitem>
8657
</varlistentry>
8658
8659
<varlistentry>
8660
<term><command>allow-update-forwarding</command></term>
8661
<listitem>
8662
<para>
8663
See the description of <command>allow-update-forwarding</command>
8664
in <xref linkend="access_control"/>.
8665
</para>
8666
</listitem>
8667
</varlistentry>
8668
8669
<varlistentry>
8670
<term><command>also-notify</command></term>
8671
<listitem>
8672
<para>
8673
Only meaningful if <command>notify</command>
8674
is
8675
active for this zone. The set of machines that will
8676
receive a
8677
<literal>DNS NOTIFY</literal> message
8678
for this zone is made up of all the listed name servers
8679
(other than
8680
the primary master) for the zone plus any IP addresses
8681
specified
8682
with <command>also-notify</command>. A port
8683
may be specified
8684
with each <command>also-notify</command>
8685
address to send the notify
8686
messages to a port other than the default of 53.
8687
<command>also-notify</command> is not
8688
meaningful for stub zones.
8689
The default is the empty list.
8690
</para>
8691
</listitem>
8692
</varlistentry>
8693
8694
<varlistentry>
8695
<term><command>check-names</command></term>
8696
<listitem>
8697
<para>
8698
This option is used to restrict the character set and
8699
syntax of
8700
certain domain names in master files and/or DNS responses
8701
received from the
8702
network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
8703
zones the default is <command>warn</command>.
8704
</para>
8705
</listitem>
8706
</varlistentry>
8707
8708
<varlistentry>
8709
<term><command>check-mx</command></term>
8710
<listitem>
8711
<para>
8712
See the description of
8713
<command>check-mx</command> in <xref linkend="boolean_options"/>.
8714
</para>
8715
</listitem>
8716
</varlistentry>
8717
8718
<varlistentry>
8719
<term><command>check-wildcard</command></term>
8720
<listitem>
8721
<para>
8722
See the description of
8723
<command>check-wildcard</command> in <xref linkend="boolean_options"/>.
8724
</para>
8725
</listitem>
8726
</varlistentry>
8727
8728
<varlistentry>
8729
<term><command>check-integrity</command></term>
8730
<listitem>
8731
<para>
8732
See the description of
8733
<command>check-integrity</command> in <xref linkend="boolean_options"/>.
8734
</para>
8735
</listitem>
8736
</varlistentry>
8737
8738
<varlistentry>
8739
<term><command>check-sibling</command></term>
8740
<listitem>
8741
<para>
8742
See the description of
8743
<command>check-sibling</command> in <xref linkend="boolean_options"/>.
8744
</para>
8745
</listitem>
8746
</varlistentry>
8747
8748
<varlistentry>
8749
<term><command>zero-no-soa-ttl</command></term>
8750
<listitem>
8751
<para>
8752
See the description of
8753
<command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
8754
</para>
8755
</listitem>
8756
</varlistentry>
8757
8758
<varlistentry>
8759
<term><command>update-check-ksk</command></term>
8760
<listitem>
8761
<para>
8762
See the description of
8763
<command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
8764
</para>
8765
</listitem>
8766
</varlistentry>
8767
8768
<varlistentry>
8769
<term><command>try-tcp-refresh</command></term>
8770
<listitem>
8771
<para>
8772
See the description of
8773
<command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
8774
</para>
8775
</listitem>
8776
</varlistentry>
8777
8778
<varlistentry>
8779
<term><command>database</command></term>
8780
<listitem>
8781
<para>
8782
Specify the type of database to be used for storing the
8783
zone data. The string following the <command>database</command> keyword
8784
is interpreted as a list of whitespace-delimited words.
8785
The first word
8786
identifies the database type, and any subsequent words are
8787
passed
8788
as arguments to the database to be interpreted in a way
8789
specific
8790
to the database type.
8791
</para>
8792
<para>
8793
The default is <userinput>"rbt"</userinput>, BIND 9's
8794
native in-memory
8795
red-black-tree database. This database does not take
8796
arguments.
8797
</para>
8798
<para>
8799
Other values are possible if additional database drivers
8800
have been linked into the server. Some sample drivers are
8801
included
8802
with the distribution but none are linked in by default.
8803
</para>
8804
</listitem>
8805
</varlistentry>
8806
8807
<varlistentry>
8808
<term><command>dialup</command></term>
8809
<listitem>
8810
<para>
8811
See the description of
8812
<command>dialup</command> in <xref linkend="boolean_options"/>.
8813
</para>
8814
</listitem>
8815
</varlistentry>
8816
8817
<varlistentry>
8818
<term><command>delegation-only</command></term>
8819
<listitem>
8820
<para>
8821
The flag only applies to hint and stub zones. If set
8822
to <userinput>yes</userinput>, then the zone will also be
8823
treated as if it
8824
is also a delegation-only type zone.
8825
</para>
8826
</listitem>
8827
</varlistentry>
8828
8829
<varlistentry>
8830
<term><command>forward</command></term>
8831
<listitem>
8832
<para>
8833
Only meaningful if the zone has a forwarders
8834
list. The <command>only</command> value causes
8835
the lookup to fail
8836
after trying the forwarders and getting no answer, while <command>first</command> would
8837
allow a normal lookup to be tried.
8838
</para>
8839
</listitem>
8840
</varlistentry>
8841
8842
<varlistentry>
8843
<term><command>forwarders</command></term>
8844
<listitem>
8845
<para>
8846
Used to override the list of global forwarders.
8847
If it is not specified in a zone of type <command>forward</command>,
8848
no forwarding is done for the zone and the global options are
8849
not used.
8850
</para>
8851
</listitem>
8852
</varlistentry>
8853
8854
<varlistentry>
8855
<term><command>ixfr-base</command></term>
8856
<listitem>
8857
<para>
8858
Was used in <acronym>BIND</acronym> 8 to
8859
specify the name
8860
of the transaction log (journal) file for dynamic update
8861
and IXFR.
8862
<acronym>BIND</acronym> 9 ignores the option
8863
and constructs the name of the journal
8864
file by appending "<filename>.jnl</filename>"
8865
to the name of the
8866
zone file.
8867
</para>
8868
</listitem>
8869
</varlistentry>
8870
8871
<varlistentry>
8872
<term><command>ixfr-tmp-file</command></term>
8873
<listitem>
8874
<para>
8875
Was an undocumented option in <acronym>BIND</acronym> 8.
8876
Ignored in <acronym>BIND</acronym> 9.
8877
</para>
8878
</listitem>
8879
</varlistentry>
8880
8881
<varlistentry>
8882
<term><command>journal</command></term>
8883
<listitem>
8884
<para>
8885
Allow the default journal's filename to be overridden.
8886
The default is the zone's filename with "<filename>.jnl</filename>" appended.
8887
This is applicable to <command>master</command> and <command>slave</command> zones.
8888
</para>
8889
</listitem>
8890
</varlistentry>
8891
8892
<varlistentry>
8893
<term><command>max-transfer-time-in</command></term>
8894
<listitem>
8895
<para>
8896
See the description of
8897
<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
8898
</para>
8899
</listitem>
8900
</varlistentry>
8901
8902
<varlistentry>
8903
<term><command>max-transfer-idle-in</command></term>
8904
<listitem>
8905
<para>
8906
See the description of
8907
<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
8908
</para>
8909
</listitem>
8910
</varlistentry>
8911
8912
<varlistentry>
8913
<term><command>max-transfer-time-out</command></term>
8914
<listitem>
8915
<para>
8916
See the description of
8917
<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
8918
</para>
8919
</listitem>
8920
</varlistentry>
8921
8922
<varlistentry>
8923
<term><command>max-transfer-idle-out</command></term>
8924
<listitem>
8925
<para>
8926
See the description of
8927
<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
8928
</para>
8929
</listitem>
8930
</varlistentry>
8931
8932
<varlistentry>
8933
<term><command>notify</command></term>
8934
<listitem>
8935
<para>
8936
See the description of
8937
<command>notify</command> in <xref linkend="boolean_options"/>.
8938
</para>
8939
</listitem>
8940
</varlistentry>
8941
8942
<varlistentry>
8943
<term><command>notify-delay</command></term>
8944
<listitem>
8945
<para>
8946
See the description of
8947
<command>notify-delay</command> in <xref linkend="tuning"/>.
8948
</para>
8949
</listitem>
8950
</varlistentry>
8951
8952
<varlistentry>
8953
<term><command>notify-to-soa</command></term>
8954
<listitem>
8955
<para>
8956
See the description of
8957
<command>notify-to-soa</command> in
8958
<xref linkend="boolean_options"/>.
8959
</para>
8960
</listitem>
8961
</varlistentry>
8962
8963
<varlistentry>
8964
<term><command>pubkey</command></term>
8965
<listitem>
8966
<para>
8967
In <acronym>BIND</acronym> 8, this option was
8968
intended for specifying
8969
a public zone key for verification of signatures in DNSSEC
8970
signed
8971
zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
8972
on load and ignores the option.
8973
</para>
8974
</listitem>
8975
</varlistentry>
8976
8977
<varlistentry>
8978
<term><command>zone-statistics</command></term>
8979
<listitem>
8980
<para>
8981
If <userinput>yes</userinput>, the server will keep
8982
statistical
8983
information for this zone, which can be dumped to the
8984
<command>statistics-file</command> defined in
8985
the server options.
8986
</para>
8987
</listitem>
8988
</varlistentry>
8989
8990
<varlistentry>
8991
<term><command>sig-validity-interval</command></term>
8992
<listitem>
8993
<para>
8994
See the description of
8995
<command>sig-validity-interval</command> in <xref linkend="tuning"/>.
8996
</para>
8997
</listitem>
8998
</varlistentry>
8999
9000
<varlistentry>
9001
<term><command>transfer-source</command></term>
9002
<listitem>
9003
<para>
9004
See the description of
9005
<command>transfer-source</command> in <xref linkend="zone_transfers"/>.
9006
</para>
9007
</listitem>
9008
</varlistentry>
9009
9010
<varlistentry>
9011
<term><command>transfer-source-v6</command></term>
9012
<listitem>
9013
<para>
9014
See the description of
9015
<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9016
</para>
9017
</listitem>
9018
</varlistentry>
9019
9020
<varlistentry>
9021
<term><command>alt-transfer-source</command></term>
9022
<listitem>
9023
<para>
9024
See the description of
9025
<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9026
</para>
9027
</listitem>
9028
</varlistentry>
9029
9030
<varlistentry>
9031
<term><command>alt-transfer-source-v6</command></term>
9032
<listitem>
9033
<para>
9034
See the description of
9035
<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9036
</para>
9037
</listitem>
9038
</varlistentry>
9039
9040
<varlistentry>
9041
<term><command>use-alt-transfer-source</command></term>
9042
<listitem>
9043
<para>
9044
See the description of
9045
<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9046
</para>
9047
</listitem>
9048
</varlistentry>
9049
9050
9051
<varlistentry>
9052
<term><command>notify-source</command></term>
9053
<listitem>
9054
<para>
9055
See the description of
9056
<command>notify-source</command> in <xref linkend="zone_transfers"/>.
9057
</para>
9058
</listitem>
9059
</varlistentry>
9060
9061
<varlistentry>
9062
<term><command>notify-source-v6</command></term>
9063
<listitem>
9064
<para>
9065
See the description of
9066
<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
9067
</para>
9068
</listitem>
9069
</varlistentry>
9070
9071
<varlistentry>
9072
<term><command>min-refresh-time</command></term>
9073
<term><command>max-refresh-time</command></term>
9074
<term><command>min-retry-time</command></term>
9075
<term><command>max-retry-time</command></term>
9076
<listitem>
9077
<para>
9078
See the description in <xref linkend="tuning"/>.
9079
</para>
9080
</listitem>
9081
</varlistentry>
9082
9083
<varlistentry>
9084
<term><command>ixfr-from-differences</command></term>
9085
<listitem>
9086
<para>
9087
See the description of
9088
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
9089
</para>
9090
</listitem>
9091
</varlistentry>
9092
9093
<varlistentry>
9094
<term><command>key-directory</command></term>
9095
<listitem>
9096
<para>
9097
See the description of
9098
<command>key-directory</command> in <xref linkend="options"/>.
9099
</para>
9100
</listitem>
9101
</varlistentry>
9102
9103
<varlistentry>
9104
<term><command>multi-master</command></term>
9105
<listitem>
9106
<para>
9107
See the description of <command>multi-master</command> in
9108
<xref linkend="boolean_options"/>.
9109
</para>
9110
</listitem>
9111
</varlistentry>
9112
9113
<varlistentry>
9114
<term><command>masterfile-format</command></term>
9115
<listitem>
9116
<para>
9117
See the description of <command>masterfile-format</command>
9118
in <xref linkend="tuning"/>.
9119
</para>
9120
</listitem>
9121
</varlistentry>
9122
9123
</variablelist>
9124
9125
</sect3>
9126
<sect3 id="dynamic_update_policies">
9127
<title>Dynamic Update Policies</title>
9128
<para><acronym>BIND</acronym> 9 supports two alternative
9129
methods of granting clients the right to perform
9130
dynamic updates to a zone, configured by the
9131
<command>allow-update</command> and
9132
<command>update-policy</command> option, respectively.
9133
</para>
9134
<para>
9135
The <command>allow-update</command> clause works the
9136
same way as in previous versions of <acronym>BIND</acronym>.
9137
It grants given clients the permission to update any
9138
record of any name in the zone.
9139
</para>
9140
<para>
9141
The <command>update-policy</command> clause is new
9142
in <acronym>BIND</acronym> 9 and allows more fine-grained
9143
control over what updates are allowed. A set of rules
9144
is specified, where each rule either grants or denies
9145
permissions for one or more names to be updated by
9146
one or more identities. If the dynamic update request
9147
message is signed (that is, it includes either a TSIG
9148
or SIG(0) record), the identity of the signer can be
9149
determined.
9150
</para>
9151
<para>
9152
Rules are specified in the <command>update-policy</command>
9153
zone option, and are only meaningful for master zones.
9154
When the <command>update-policy</command> statement
9155
is present, it is a configuration error for the
9156
<command>allow-update</command> statement to be
9157
present. The <command>update-policy</command> statement
9158
only examines the signer of a message; the source
9159
address is not relevant.
9160
</para>
9161
9162
<para>
9163
This is how a rule definition looks:
9164
</para>
9165
5008
9166
<programlisting>
5009
9167
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
5010
9168
</programlisting>
5011
<para>Each rule grants or denies privileges. Once a message has
5012
successfully matched a rule, the operation is immediately granted
5013
or denied and no further rules are examined. A rule is matched
5014
when the signer matches the identity field, the name matches the
5015
name field in accordance with the nametype field, and the type matches
5016
the types specified in the type field.</para>
5017
5018
<para>The identity field specifies a name or a wildcard name. Normally, this
5019
is the name of the TSIG or SIG(0) key used to sign the update request. When a
5020
TKEY exchange has been used to create a shared secret, the identity of the
5021
shared secret is the same as the identity of the key used to authenticate the
5022
TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
5023
wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
5024
to multiple identities. The <replaceable>identity</replaceable> field must
5025
contain a fully qualified domain name.</para>
5026
5027
<para>The <replaceable>nametype</replaceable> field has 4 values:
5028
<varname>name</varname>, <varname>subdomain</varname>,
5029
<varname>wildcard</varname>, and <varname>self</varname>.
5030
</para>
5031
<informaltable>
5032
<tgroup cols = "2" colsep = "0"
5033
rowsep = "0" tgroupstyle = "4Level-table">
5034
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
5035
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
5036
<tbody>
5037
<row rowsep = "0">
5038
<entry colname = "1"><para><varname>name</varname></para></entry>
5039
<entry colname = "2"><para>Exact-match semantics. This rule matches when the
5040
name being updated is identical to the contents of the
5041
<replaceable>name</replaceable> field.</para></entry>
5042
</row>
5043
<row rowsep = "0">
5044
<entry colname = "1"><para><varname>subdomain</varname></para></entry>
5045
<entry colname = "2"><para>This rule matches when the name being updated
5046
is a subdomain of, or identical to, the contents of the
5047
<replaceable>name</replaceable> field.</para></entry>
5048
</row>
5049
<row rowsep = "0">
5050
<entry colname = "1"><para><varname>wildcard</varname></para></entry>
5051
<entry colname = "2"><para>The <replaceable>name</replaceable> field is
5052
subject to DNS wildcard expansion, and this rule matches when the name
5053
being updated name is a valid expansion of the wildcard.</para></entry>
5054
</row>
5055
<row rowsep = "0">
5056
<entry colname = "1"><para><varname>self</varname></para></entry>
5057
<entry colname = "2"><para>This rule matches when the name being updated
5058
matches the contents of the <replaceable>identity</replaceable> field.
5059
The <replaceable>name</replaceable> field is ignored, but should be
5060
the same as the <replaceable>identity</replaceable> field. The
5061
<varname>self</varname> nametype is most useful when allowing using
5062
one key per name to update, where the key has the same name as the name
5063
to be updated. The <replaceable>identity</replaceable> would be
5064
specified as <constant>*</constant> in this case.</para></entry>
5065
</row>
5066
</tbody>
5067
</tgroup></informaltable>
5068
5069
<para>In all cases, the <replaceable>name</replaceable> field must
5070
specify a fully qualified domain name.</para>
5071
5072
<para>If no types are explicitly specified, this rule matches all types except
5073
SIG, NS, SOA, and NXT. Types may be specified by name, including
5074
"ANY" (ANY matches all types except NXT, which can never be updated).
5075
Note that when an attempt is made to delete all records associated with a
5076
name, the rules are checked for each existing record type.
5077
</para>
5078
</sect3>
5079
</sect2>
5080
</sect1>
5081
<sect1>
5082
<title>Zone File</title>
5083
<sect2 id="types_of_resource_records_and_when_to_use_them">
5084
<title>Types of Resource Records and When to Use Them</title>
5085
<para>This section, largely borrowed from RFC 1034, describes the
5086
concept of a Resource Record (RR) and explains when each is used.
5087
Since the publication of RFC 1034, several new RRs have been identified
5088
and implemented in the DNS. These are also included.</para>
5089
<sect3>
5090
<title>Resource Records</title>
5091
5092
<para>A domain name identifies a node. Each node has a set of
5093
resource information, which may be empty. The set of resource
5094
information associated with a particular name is composed of
5095
separate RRs. The order of RRs in a set is not significant and
5096
need not be preserved by name servers, resolvers, or other
5097
parts of the DNS. However, sorting of multiple RRs is
5098
permitted for optimization purposes, for example, to specify
5099
that a particular nearby server be tried first. See <xref
5100
linkend="the_sortlist_statement"/> and <xref
5101
linkend="rrset_ordering"/>.</para>
5102
5103
<para>The components of a Resource Record are:</para>
5104
<informaltable colsep = "0"
5105
rowsep = "0"><tgroup cols = "2" colsep = "0"
5106
rowsep = "0" tgroupstyle = "4Level-table">
5107
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
5108
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
5109
<tbody>
5110
<row rowsep = "0">
5111
<entry colname = "1"><para>owner name</para></entry>
5112
<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
5113
</row>
5114
<row rowsep = "0">
5115
<entry colname = "1"><para>type</para></entry>
5116
<entry colname = "2"><para>an encoded 16 bit value that specifies
5117
the type of the resource record.</para></entry>
5118
</row>
5119
<row rowsep = "0">
5120
<entry colname = "1"><para>TTL</para></entry>
5121
<entry colname = "2"><para>the time to live of the RR. This field
5122
is a 32 bit integer in units of seconds, and is primarily used by
5123
resolvers when they cache RRs. The TTL describes how long a RR can
5124
be cached before it should be discarded.</para></entry>
5125
</row>
5126
<row rowsep = "0">
5127
<entry colname = "1"><para>class</para></entry>
5128
<entry colname = "2"><para>an encoded 16 bit value that identifies
5129
a protocol family or instance of a protocol.</para></entry>
5130
</row>
5131
<row rowsep = "0">
5132
<entry colname = "1"><para>RDATA</para></entry>
5133
<entry colname = "2"><para>the resource data. The format of the
5134
data is type (and sometimes class) specific.</para></entry>
5135
</row>
5136
</tbody>
5137
</tgroup></informaltable>
5138
<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
5139
<informaltable colsep = "0"
5140
rowsep = "0"><tgroup cols = "2" colsep = "0"
5141
rowsep = "0" tgroupstyle = "4Level-table">
5142
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5143
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
5144
<tbody>
5145
<row rowsep = "0">
5146
<entry colname = "1"><para>A</para></entry>
5147
<entry colname = "2"><para>a host address. In the IN class, this is a
5148
32-bit IP address. Described in RFC 1035.</para></entry>
5149
</row>
5150
<row rowsep = "0">
5151
<entry colname = "1"><para>AAAA</para></entry>
5152
<entry colname = "2"><para>IPv6 address. Described in RFC 1886.</para></entry>
5153
</row>
5154
<row rowsep = "0">
5155
<entry colname = "1"><para>A6</para></entry>
5156
<entry colname = "2"><para>IPv6 address. This can be a partial
5157
address (a suffix) and an indirection to the name where the rest of the
5158
address (the prefix) can be found. Experimental. Described in RFC 2874.</para></entry>
5159
</row>
5160
<row rowsep = "0">
5161
<entry colname = "1"><para>AFSDB</para></entry>
5162
<entry colname = "2"><para>location of AFS database servers.
5163
Experimental. Described in RFC 1183.</para></entry>
5164
</row>
5165
<row rowsep = "0">
5166
<entry colname = "1"><para>APL</para></entry>
5167
<entry colname = "2"><para>address prefix list. Experimental.
5168
Described in RFC 3123.</para></entry>
5169
</row>
5170
<row rowsep = "0">
5171
<entry colname = "1"><para>CERT</para></entry>
5172
<entry colname = "2"><para>holds a digital certificate.
5173
Described in RFC 2538.</para></entry>
5174
</row>
5175
<row rowsep = "0">
5176
<entry colname = "1"><para>CNAME</para></entry>
5177
<entry colname = "2"><para>identifies the canonical name of an alias.
5178
Described in RFC 1035.</para></entry>
5179
</row>
5180
<row rowsep = "0">
5181
<entry colname = "1"><para>DNAME</para></entry>
5182
<entry colname = "2"><para>Replaces the domain name specified with
5183
another name to be looked up, effectively aliasing an entire
5184
subtree of the domain name space rather than a single record
5185
as in the case of the CNAME RR.
5186
Described in RFC 2672.</para></entry>
5187
</row>
5188
<row rowsep = "0">
5189
<entry colname = "1"><para>GPOS</para></entry>
5190
<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
5191
</row>
5192
<row rowsep = "0">
5193
<entry colname = "1"><para>HINFO</para></entry>
5194
<entry colname = "2"><para>identifies the CPU and OS used by a host.
5195
Described in RFC 1035.</para></entry>
5196
</row>
5197
<row rowsep = "0">
5198
<entry colname = "1"><para>ISDN</para></entry>
5199
<entry colname = "2"><para>representation of ISDN addresses.
5200
Experimental. Described in RFC 1183.</para></entry>
5201
</row>
5202
<row rowsep = "0">
5203
<entry colname = "1"><para>KEY</para></entry>
5204
<entry colname = "2"><para>stores a public key associated with a
5205
DNS name. Described in RFC 2535.</para></entry>
5206
</row>
5207
<row rowsep = "0">
5208
<entry colname = "1"><para>KX</para></entry>
5209
<entry colname = "2"><para>identifies a key exchanger for this
5210
DNS name. Described in RFC 2230.</para></entry>
5211
</row>
5212
<row rowsep = "0">
5213
<entry colname = "1"><para>LOC</para></entry>
5214
<entry colname = "2"><para>for storing GPS info. Described in RFC 1876.
5215
Experimental.</para></entry>
5216
</row>
5217
<row rowsep = "0">
5218
<entry colname = "1"><para>MX</para></entry>
5219
<entry colname = "2"><para>identifies a mail exchange for the domain.
5220
a 16 bit preference value (lower is better)
5221
followed by the host name of the mail exchange.
5222
Described in RFC 974, RFC 1035.</para></entry>
5223
</row>
5224
<row rowsep = "0">
5225
<entry colname = "1"><para>NAPTR</para></entry>
5226
<entry colname = "2"><para>name authority pointer. Described in RFC 2915.</para></entry>
5227
</row>
5228
<row rowsep = "0">
5229
<entry colname = "1"><para>NSAP</para></entry>
5230
<entry colname = "2"><para>a network service access point.
5231
Described in RFC 1706.</para></entry>
5232
</row>
5233
<row rowsep = "0">
5234
<entry colname = "1"><para>NS</para></entry>
5235
<entry colname = "2"><para>the authoritative name server for the
5236
domain. Described in RFC 1035.</para></entry>
5237
</row>
5238
<row rowsep = "0">
5239
<entry colname = "1"><para>NXT</para></entry>
5240
<entry colname = "2"><para>used in DNSSEC to securely indicate that
5241
RRs with an owner name in a certain name interval do not exist in
5242
a zone and indicate what RR types are present for an existing name.
5243
Described in RFC 2535.</para></entry>
5244
</row>
5245
<row rowsep = "0">
5246
<entry colname = "1"><para>PTR</para></entry>
5247
<entry colname = "2"><para>a pointer to another part of the domain
5248
name space. Described in RFC 1035.</para></entry>
5249
</row>
5250
<row rowsep = "0">
5251
<entry colname = "1"><para>PX</para></entry>
5252
<entry colname = "2"><para>provides mappings between RFC 822 and X.400
5253
addresses. Described in RFC 2163.</para></entry>
5254
</row>
5255
<row rowsep = "0">
5256
<entry colname = "1"><para>RP</para></entry>
5257
<entry colname = "2"><para>information on persons responsible
5258
for the domain. Experimental. Described in RFC 1183.</para></entry>
5259
</row>
5260
<row rowsep = "0">
5261
<entry colname = "1"><para>RT</para></entry>
5262
<entry colname = "2"><para>route-through binding for hosts that
5263
do not have their own direct wide area network addresses.
5264
Experimental. Described in RFC 1183.</para></entry>
5265
</row>
5266
<row rowsep = "0">
5267
<entry colname = "1"><para>SIG</para></entry>
5268
<entry colname = "2"><para>("signature") contains data authenticated
5269
in the secure DNS. Described in RFC 2535.</para></entry>
5270
</row>
5271
<row rowsep = "0">
5272
<entry colname = "1"><para>SOA</para></entry>
5273
<entry colname = "2"><para>identifies the start of a zone of authority.
5274
Described in RFC 1035.</para></entry>
5275
</row>
5276
<row rowsep = "0">
5277
<entry colname = "1"><para>SRV</para></entry>
5278
<entry colname = "2"><para>information about well known network
5279
services (replaces WKS). Described in RFC 2782.</para></entry>
5280
</row>
5281
<row rowsep = "0">
5282
<entry colname = "1"><para>TXT</para></entry>
5283
<entry colname = "2"><para>text records. Described in RFC 1035.</para></entry>
5284
</row>
5285
<row rowsep = "0">
5286
<entry colname = "1"><para>WKS</para></entry>
5287
<entry colname = "2"><para>information about which well known
5288
network services, such as SMTP, that a domain supports. Historical.
5289
</para></entry>
5290
</row>
5291
<row rowsep = "0">
5292
<entry colname = "1"><para>X25</para></entry>
5293
<entry colname = "2"><para>representation of X.25 network addresses.
5294
Experimental. Described in RFC 1183.</para></entry>
5295
</row>
5296
</tbody>
5297
</tgroup></informaltable>
5298
<para>The following <emphasis>classes</emphasis> of resource records
5299
are currently valid in the DNS:</para><informaltable colsep = "0"
5300
rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
5301
tgroupstyle = "4Level-table">
5302
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5303
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
5304
<tbody>
5305
5306
<row rowsep = "0">
5307
<entry colname = "1"><para>IN</para></entry>
5308
<entry colname = "2"><para>The Internet.</para></entry>
5309
</row>
5310
5311
<row rowsep = "0">
5312
<entry colname = "1"><para>CH</para></entry>
5313
<entry colname = "2"><para>
5314
CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
5315
Rarely used for its historical purpose, but reused for BIND's
5316
built-in server information zones, e.g.,
5317
<literal>version.bind</literal>.
5318
</para></entry>
5319
</row>
5320
5321
<row rowsep = "0">
5322
<entry colname = "1"><para>HS</para></entry>
5323
<entry colname = "2"><para>
5324
Hesiod, an information service
5325
developed by MIT's Project Athena. It is used to share information
5326
about various systems databases, such as users, groups, printers
5327
and so on.
5328
</para></entry>
5329
</row>
5330
5331
</tbody>
5332
</tgroup></informaltable>
5333
5334
<para>The owner name is often implicit, rather than forming an integral
5335
part of the RR. For example, many name servers internally form tree
5336
or hash structures for the name space, and chain RRs off nodes.
5337
The remaining RR parts are the fixed header (type, class, TTL)
5338
which is consistent for all RRs, and a variable part (RDATA) that
5339
fits the needs of the resource being described.</para>
5340
<para>The meaning of the TTL field is a time limit on how long an
5341
RR can be kept in a cache. This limit does not apply to authoritative
5342
data in zones; it is also timed out, but by the refreshing policies
5343
for the zone. The TTL is assigned by the administrator for the
5344
zone where the data originates. While short TTLs can be used to
5345
minimize caching, and a zero TTL prohibits caching, the realities
5346
of Internet performance suggest that these times should be on the
5347
order of days for the typical host. If a change can be anticipated,
5348
the TTL can be reduced prior to the change to minimize inconsistency
5349
during the change, and then increased back to its former value following
5350
the change.</para>
5351
<para>The data in the RDATA section of RRs is carried as a combination
5352
of binary strings and domain names. The domain names are frequently
5353
used as "pointers" to other data in the DNS.</para></sect3>
5354
<sect3><title>Textual expression of RRs</title>
5355
<para>RRs are represented in binary form in the packets of the DNS
5356
protocol, and are usually represented in highly encoded form when
5357
stored in a name server or resolver. In the examples provided in
5358
RFC 1034, a style similar to that used in master files was employed
5359
in order to show the contents of RRs. In this format, most RRs
5360
are shown on a single line, although continuation lines are possible
5361
using parentheses.</para>
5362
<para>The start of the line gives the owner of the RR. If a line
5363
begins with a blank, then the owner is assumed to be the same as
5364
that of the previous RR. Blank lines are often included for readability.</para>
5365
<para>Following the owner, we list the TTL, type, and class of the
5366
RR. Class and type use the mnemonics defined above, and TTL is
5367
an integer before the type field. In order to avoid ambiguity in
5368
parsing, type and class mnemonics are disjoint, TTLs are integers,
5369
and the type mnemonic is always last. The IN class and TTL values
5370
are often omitted from examples in the interests of clarity.</para>
5371
<para>The resource data or RDATA section of the RR are given using
5372
knowledge of the typical representation for the data.</para>
5373
<para>For example, we might show the RRs carried in a message as:</para> <informaltable
5374
colsep = "0" rowsep = "0"><tgroup cols = "3"
5375
colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
5376
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
5377
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
5378
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
5379
<tbody>
5380
<row rowsep = "0">
5381
<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
5382
<entry colname = "2"><para><literal>MX</literal></para></entry>
5383
<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
5384
</row>
5385
<row rowsep = "0">
5386
<entry colname = "1"><para></para></entry>
5387
<entry colname = "2"><para><literal>MX</literal></para></entry>
5388
<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
5389
</row>
5390
<row rowsep = "0">
5391
<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
5392
<entry colname = "2"><para><literal>A</literal></para></entry>
5393
<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
5394
</row>
5395
<row rowsep = "0">
5396
<entry colname = "1"><para></para></entry>
5397
<entry colname = "2"><para><literal>A</literal></para></entry>
5398
<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
5399
</row>
5400
<row rowsep = "0">
5401
<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
5402
<entry colname = "2"><para><literal>A</literal></para></entry>
5403
<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
5404
</row>
5405
<row rowsep = "0">
5406
<entry colname = "1"><para></para></entry>
5407
<entry colname = "2"><para><literal>A</literal></para></entry>
5408
<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
5409
</row>
5410
</tbody>
5411
</tgroup></informaltable>
5412
<para>The MX RRs have an RDATA section which consists of a 16 bit
5413
number followed by a domain name. The address RRs use a standard
5414
IP address format to contain a 32 bit internet address.</para>
5415
<para>This example shows six RRs, with two RRs at each of three
5416
domain names.</para>
5417
<para>Similarly we might see:</para><informaltable colsep = "0"
5418
rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
5419
tgroupstyle = "4Level-table">
5420
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
5421
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
5422
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
5423
<tbody>
5424
<row rowsep = "0">
5425
<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
5426
<entry colname = "2"><para><literal>A</literal></para></entry>
5427
<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
5428
</row>
5429
<row rowsep = "0">
5430
<entry colname = "1"><para><literal>CH</literal></para></entry>
5431
<entry colname = "2"><para><literal>A</literal></para></entry>
5432
<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
5433
</row>
5434
</tbody>
5435
</tgroup></informaltable>
5436
<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
5437
each of a different class.</para></sect3></sect2>
5438
5439
<sect2><title>Discussion of MX Records</title>
5440
5441
<para>As described above, domain servers store information as a
5442
series of resource records, each of which contains a particular
5443
piece of information about a given domain name (which is usually,
5444
but not always, a host). The simplest way to think of a RR is as
5445
a typed pair of data, a domain name matched with a relevant datum,
5446
and stored with some additional type information to help systems
5447
determine when the RR is relevant.</para>
5448
5449
<para>MX records are used to control delivery of email. The data
5450
specified in the record is a priority and a domain name. The priority
5451
controls the order in which email delivery is attempted, with the
5452
lowest number first. If two priorities are the same, a server is
5453
chosen randomly. If no servers at a given priority are responding,
5454
the mail transport agent will fall back to the next largest priority.
5455
Priority numbers do not have any absolute meaning — they are relevant
5456
only respective to other MX records for that domain name. The domain
5457
name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
5458
an associated A record — CNAME is not sufficient.</para>
5459
<para>For a given domain, if there is both a CNAME record and an
5460
MX record, the MX record is in error, and will be ignored. Instead,
5461
the mail will be delivered to the server specified in the MX record
5462
pointed to by the CNAME.</para>
5463
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
5464
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5465
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
5466
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
5467
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
5468
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
5469
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
5470
<tbody>
5471
<row rowsep = "0">
5472
<entry colname = "1"><para><literal>example.com.</literal></para></entry>
5473
<entry colname = "2"><para><literal>IN</literal></para></entry>
5474
<entry colname = "3"><para><literal>MX</literal></para></entry>
5475
<entry colname = "4"><para><literal>10</literal></para></entry>
5476
<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
5477
</row>
5478
<row rowsep = "0">
5479
<entry colname = "1"><para></para></entry>
5480
<entry colname = "2"><para><literal>IN</literal></para></entry>
5481
<entry colname = "3"><para><literal>MX</literal></para></entry>
5482
<entry colname = "4"><para><literal>10</literal></para></entry>
5483
<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
5484
</row>
5485
<row rowsep = "0">
5486
<entry colname = "1"><para></para></entry>
5487
<entry colname = "2"><para><literal>IN</literal></para></entry>
5488
<entry colname = "3"><para><literal>MX</literal></para></entry>
5489
<entry colname = "4"><para><literal>20</literal></para></entry>
5490
<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
5491
</row>
5492
<row rowsep = "0">
5493
<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
5494
<entry colname = "2"><para><literal>IN</literal></para></entry>
5495
<entry colname = "3"><para><literal>A</literal></para></entry>
5496
<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
5497
<entry colname = "5"><para></para></entry>
5498
</row>
5499
<row rowsep = "0">
5500
<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
5501
<entry colname = "2"><para><literal>IN</literal></para></entry>
5502
<entry colname = "3"><para><literal>A</literal></para></entry>
5503
<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
5504
<entry colname = "5"><para></para></entry>
5505
</row>
5506
</tbody>
5507
</tgroup></informaltable><para>For example:</para>
5508
<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
5509
<literal>mail2.example.com</literal> (in
5510
any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
5511
be attempted.</para></sect2>
5512
<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
5513
<para>The time to live of the RR field is a 32 bit integer represented
5514
in units of seconds, and is primarily used by resolvers when they
5515
cache RRs. The TTL describes how long a RR can be cached before it
5516
should be discarded. The following three types of TTL are currently
5517
used in a zone file.</para>
5518
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
5519
colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5520
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
5521
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
5522
<tbody>
5523
<row rowsep = "0">
5524
<entry colname = "1"><para>SOA</para></entry>
5525
<entry colname = "2"><para>The last field in the SOA is the negative
5526
caching TTL. This controls how long other servers will cache no-such-domain
5527
(NXDOMAIN) responses from you.</para><para>The maximum time for
5528
negative caching is 3 hours (3h).</para></entry>
5529
</row>
5530
<row rowsep = "0">
5531
<entry colname = "1"><para>$TTL</para></entry>
5532
<entry colname = "2"><para>The $TTL directive at the top of the
5533
zone file (before the SOA) gives a default TTL for every RR without
5534
a specific TTL set.</para></entry>
5535
</row>
5536
<row rowsep = "0">
5537
<entry colname = "1"><para>RR TTLs</para></entry>
5538
<entry colname = "2"><para>Each RR can have a TTL as the second
5539
field in the RR, which will control how long other servers can cache
5540
the it.</para></entry>
5541
</row>
5542
</tbody>
5543
</tgroup></informaltable>
5544
<para>All of these TTLs default to units of seconds, though units
5545
can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
5546
<sect2><title>Inverse Mapping in IPv4</title>
5547
<para>Reverse name resolution (that is, translation from IP address
5548
to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
5549
and PTR records. Entries in the in-addr.arpa domain are made in
5550
least-to-most significant order, read left to right. This is the
5551
opposite order to the way IP addresses are usually written. Thus,
5552
a machine with an IP address of 10.1.2.3 would have a corresponding
5553
in-addr.arpa name of
5554
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
5555
whose data field is the name of the machine or, optionally, multiple
5556
PTR records if the machine has more than one name. For example,
5557
in the <optional>example.com</optional> domain:</para>
5558
<informaltable colsep = "0" rowsep = "0">
5559
<tgroup cols = "2" colsep = "0" rowsep = "0"
5560
tgroupstyle = "3Level-table">
5561
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
5562
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
5563
<tbody>
5564
<row rowsep = "0">
5565
<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
5566
<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
5567
</row>
5568
<row rowsep = "0">
5569
<entry colname = "1"><para><literal>3</literal></para></entry>
5570
<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
5571
</row>
5572
</tbody>
5573
</tgroup></informaltable>
5574
<note>
5575
<para>The <command>$ORIGIN</command> lines in the examples
5576
are for providing context to the examples only-they do not necessarily
5577
appear in the actual usage. They are only used here to indicate
5578
that the example is relative to the listed origin.</para></note></sect2>
5579
<sect2><title>Other Zone File Directives</title>
5580
<para>The Master File Format was initially defined in RFC 1035 and
5581
has subsequently been extended. While the Master File Format itself
5582
is class independent all records in a Master File must be of the same
5583
class.</para>
5584
<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
5585
and <command>$TTL.</command></para>
5586
<sect3><title>The <command>$ORIGIN</command> Directive</title>
5587
<para>Syntax: <command>$ORIGIN
5588
</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
5589
<para><command>$ORIGIN</command> sets the domain name that will
5590
be appended to any unqualified records. When a zone is first read
5591
in there is an implicit <command>$ORIGIN</command> <<varname>zone-name</varname>><command>.</command> The
5592
current <command>$ORIGIN</command> is appended to the domain specified
5593
in the <command>$ORIGIN</command> argument if it is not absolute.</para>
5594
<programlisting>$ORIGIN example.com.
5595
WWW CNAME MAIN-SERVER</programlisting>
5596
<para>is equivalent to</para>
5597
<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
5598
<sect3><title>The <command>$INCLUDE</command> Directive</title>
5599
<para>Syntax: <command>$INCLUDE</command>
5600
<replaceable>filename</replaceable> <optional>
5601
<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
5602
<para>Read and process the file <filename>filename</filename> as
5603
if it were included into the file at this point. If <command>origin</command> is
5604
specified the file is processed with <command>$ORIGIN</command> set
5605
to that value, otherwise the current <command>$ORIGIN</command> is
5606
used.</para>
5607
<para>The origin and the current domain name
5608
revert to the values they had prior to the <command>$INCLUDE</command> once
5609
the file has been read.</para>
5610
<note><para>
5611
RFC 1035 specifies that the current origin should be restored after
5612
an <command>$INCLUDE</command>, but it is silent on whether the current
5613
domain name should also be restored. BIND 9 restores both of them.
5614
This could be construed as a deviation from RFC 1035, a feature, or both.
5615
</para></note>
5616
</sect3>
5617
<sect3><title>The <command>$TTL</command> Directive</title>
5618
<para>Syntax: <command>$TTL</command>
5619
<replaceable>default-ttl</replaceable> <optional>
5620
<replaceable>comment</replaceable> </optional></para>
5621
<para>Set the default Time To Live (TTL) for subsequent records
5622
with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
5623
<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
5624
<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
5625
<para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
5626
<para><command>$GENERATE</command> is used to create a series of
5627
resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
5628
be used to easily generate the sets of records required to support
5629
sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
5630
delegation.</para>
9169
9170
<para>
9171
Each rule grants or denies privileges. Once a message has
9172
successfully matched a rule, the operation is immediately
9173
granted
9174
or denied and no further rules are examined. A rule is matched
9175
when the signer matches the identity field, the name matches the
9176
name field in accordance with the nametype field, and the type
9177
matches
9178
the types specified in the type field.
9179
</para>
9180
<para>
9181
The identity field specifies a name or a wildcard
9182
name. Normally, this is the name of the TSIG or
9183
SIG(0) key used to sign the update request. When a
9184
TKEY exchange has been used to create a shared secret,
9185
the identity of the shared secret is the same as the
9186
identity of the key used to authenticate the TKEY
9187
exchange. TKEY is also the negotiation method used
9188
by GSS-TSIG, which establishes an identity that is
9189
the Kerberos principal of the client, such as
9190
<userinput>"user@host.domain"</userinput>. When the
9191
<replaceable>identity</replaceable> field specifies
9192
a wildcard name, it is subject to DNS wildcard
9193
expansion, so the rule will apply to multiple identities.
9194
The <replaceable>identity</replaceable> field must
9195
contain a fully-qualified domain name.
9196
</para>
9197
9198
<para>
9199
The <replaceable>nametype</replaceable> field has 6
9200
values:
9201
<varname>name</varname>, <varname>subdomain</varname>,
9202
<varname>wildcard</varname>, <varname>self</varname>,
9203
<varname>selfsub</varname>, and <varname>selfwild</varname>.
9204
</para>
9205
<informaltable>
9206
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9207
<colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9208
<colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9209
<tbody>
9210
<row rowsep="0">
9211
<entry colname="1">
9212
<para>
9213
<varname>name</varname>
9214
</para>
9215
</entry> <entry colname="2">
9216
<para>
9217
Exact-match semantics. This rule matches
9218
when the name being updated is identical
9219
to the contents of the
9220
<replaceable>name</replaceable> field.
9221
</para>
9222
</entry>
9223
</row>
9224
<row rowsep="0">
9225
<entry colname="1">
9226
<para>
9227
<varname>subdomain</varname>
9228
</para>
9229
</entry> <entry colname="2">
9230
<para>
9231
This rule matches when the name being updated
9232
is a subdomain of, or identical to, the
9233
contents of the <replaceable>name</replaceable>
9234
field.
9235
</para>
9236
</entry>
9237
</row>
9238
<row rowsep="0">
9239
<entry colname="1">
9240
<para>
9241
<varname>wildcard</varname>
9242
</para>
9243
</entry> <entry colname="2">
9244
<para>
9245
The <replaceable>name</replaceable> field
9246
is subject to DNS wildcard expansion, and
9247
this rule matches when the name being updated
9248
name is a valid expansion of the wildcard.
9249
</para>
9250
</entry>
9251
</row>
9252
<row rowsep="0">
9253
<entry colname="1">
9254
<para>
9255
<varname>self</varname>
9256
</para>
9257
</entry>
9258
<entry colname="2">
9259
<para>
9260
This rule matches when the name being updated
9261
matches the contents of the
9262
<replaceable>identity</replaceable> field.
9263
The <replaceable>name</replaceable> field
9264
is ignored, but should be the same as the
9265
<replaceable>identity</replaceable> field.
9266
The <varname>self</varname> nametype is
9267
most useful when allowing using one key per
9268
name to update, where the key has the same
9269
name as the name to be updated. The
9270
<replaceable>identity</replaceable> would
9271
be specified as <constant>*</constant> (an asterisk) in
9272
this case.
9273
</para>
9274
</entry>
9275
</row>
9276
<row rowsep="0">
9277
<entry colname="1">
9278
<para>
9279
<varname>selfsub</varname>
9280
</para>
9281
</entry> <entry colname="2">
9282
<para>
9283
This rule is similar to <varname>self</varname>
9284
except that subdomains of <varname>self</varname>
9285
can also be updated.
9286
</para>
9287
</entry>
9288
</row>
9289
<row rowsep="0">
9290
<entry colname="1">
9291
<para>
9292
<varname>selfwild</varname>
9293
</para>
9294
</entry> <entry colname="2">
9295
<para>
9296
This rule is similar to <varname>self</varname>
9297
except that only subdomains of
9298
<varname>self</varname> can be updated.
9299
</para>
9300
</entry>
9301
</row>
9302
</tbody>
9303
</tgroup>
9304
</informaltable>
9305
9306
<para>
9307
In all cases, the <replaceable>name</replaceable>
9308
field must
9309
specify a fully-qualified domain name.
9310
</para>
9311
9312
<para>
9313
If no types are explicitly specified, this rule matches all
9314
types except
9315
RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
9316
"ANY" (ANY matches all types except NSEC, which can never be
9317
updated).
9318
Note that when an attempt is made to delete all records
9319
associated with a
9320
name, the rules are checked for each existing record type.
9321
</para>
9322
</sect3>
9323
</sect2>
9324
</sect1>
9325
<sect1>
9326
<title>Zone File</title>
9327
<sect2 id="types_of_resource_records_and_when_to_use_them">
9328
<title>Types of Resource Records and When to Use Them</title>
9329
<para>
9330
This section, largely borrowed from RFC 1034, describes the
9331
concept of a Resource Record (RR) and explains when each is used.
9332
Since the publication of RFC 1034, several new RRs have been
9333
identified
9334
and implemented in the DNS. These are also included.
9335
</para>
9336
<sect3>
9337
<title>Resource Records</title>
9338
9339
<para>
9340
A domain name identifies a node. Each node has a set of
9341
resource information, which may be empty. The set of resource
9342
information associated with a particular name is composed of
9343
separate RRs. The order of RRs in a set is not significant and
9344
need not be preserved by name servers, resolvers, or other
9345
parts of the DNS. However, sorting of multiple RRs is
9346
permitted for optimization purposes, for example, to specify
9347
that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9348
</para>
9349
9350
<para>
9351
The components of a Resource Record are:
9352
</para>
9353
<informaltable colsep="0" rowsep="0">
9354
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9355
<colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9356
<colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9357
<tbody>
9358
<row rowsep="0">
9359
<entry colname="1">
9360
<para>
9361
owner name
9362
</para>
9363
</entry>
9364
<entry colname="2">
9365
<para>
9366
The domain name where the RR is found.
9367
</para>
9368
</entry>
9369
</row>
9370
<row rowsep="0">
9371
<entry colname="1">
9372
<para>
9373
type
9374
</para>
9375
</entry>
9376
<entry colname="2">
9377
<para>
9378
An encoded 16-bit value that specifies
9379
the type of the resource record.
9380
</para>
9381
</entry>
9382
</row>
9383
<row rowsep="0">
9384
<entry colname="1">
9385
<para>
9386
TTL
9387
</para>
9388
</entry>
9389
<entry colname="2">
9390
<para>
9391
The time-to-live of the RR. This field
9392
is a 32-bit integer in units of seconds, and is
9393
primarily used by
9394
resolvers when they cache RRs. The TTL describes how
9395
long a RR can
9396
be cached before it should be discarded.
9397
</para>
9398
</entry>
9399
</row>
9400
<row rowsep="0">
9401
<entry colname="1">
9402
<para>
9403
class
9404
</para>
9405
</entry>
9406
<entry colname="2">
9407
<para>
9408
An encoded 16-bit value that identifies
9409
a protocol family or instance of a protocol.
9410
</para>
9411
</entry>
9412
</row>
9413
<row rowsep="0">
9414
<entry colname="1">
9415
<para>
9416
RDATA
9417
</para>
9418
</entry>
9419
<entry colname="2">
9420
<para>
9421
The resource data. The format of the
9422
data is type (and sometimes class) specific.
9423
</para>
9424
</entry>
9425
</row>
9426
</tbody>
9427
</tgroup>
9428
</informaltable>
9429
<para>
9430
The following are <emphasis>types</emphasis> of valid RRs:
9431
</para>
9432
<informaltable colsep="0" rowsep="0">
9433
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9434
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9435
<colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9436
<tbody>
9437
<row rowsep="0">
9438
<entry colname="1">
9439
<para>
9440
A
9441
</para>
9442
</entry>
9443
<entry colname="2">
9444
<para>
9445
A host address. In the IN class, this is a
9446
32-bit IP address. Described in RFC 1035.
9447
</para>
9448
</entry>
9449
</row>
9450
<row rowsep="0">
9451
<entry colname="1">
9452
<para>
9453
AAAA
9454
</para>
9455
</entry>
9456
<entry colname="2">
9457
<para>
9458
IPv6 address. Described in RFC 1886.
9459
</para>
9460
</entry>
9461
</row>
9462
<row rowsep="0">
9463
<entry colname="1">
9464
<para>
9465
A6
9466
</para>
9467
</entry>
9468
<entry colname="2">
9469
<para>
9470
IPv6 address. This can be a partial
9471
address (a suffix) and an indirection to the name
9472
where the rest of the
9473
address (the prefix) can be found. Experimental.
9474
Described in RFC 2874.
9475
</para>
9476
</entry>
9477
</row>
9478
<row rowsep="0">
9479
<entry colname="1">
9480
<para>
9481
AFSDB
9482
</para>
9483
</entry>
9484
<entry colname="2">
9485
<para>
9486
Location of AFS database servers.
9487
Experimental. Described in RFC 1183.
9488
</para>
9489
</entry>
9490
</row>
9491
<row rowsep="0">
9492
<entry colname="1">
9493
<para>
9494
APL
9495
</para>
9496
</entry>
9497
<entry colname="2">
9498
<para>
9499
Address prefix list. Experimental.
9500
Described in RFC 3123.
9501
</para>
9502
</entry>
9503
</row>
9504
<row rowsep="0">
9505
<entry colname="1">
9506
<para>
9507
CERT
9508
</para>
9509
</entry>
9510
<entry colname="2">
9511
<para>
9512
Holds a digital certificate.
9513
Described in RFC 2538.
9514
</para>
9515
</entry>
9516
</row>
9517
<row rowsep="0">
9518
<entry colname="1">
9519
<para>
9520
CNAME
9521
</para>
9522
</entry>
9523
<entry colname="2">
9524
<para>
9525
Identifies the canonical name of an alias.
9526
Described in RFC 1035.
9527
</para>
9528
</entry>
9529
</row>
9530
<row rowsep="0">
9531
<entry colname="1">
9532
<para>
9533
DNAME
9534
</para>
9535
</entry>
9536
<entry colname="2">
9537
<para>
9538
Replaces the domain name specified with
9539
another name to be looked up, effectively aliasing an
9540
entire
9541
subtree of the domain name space rather than a single
9542
record
9543
as in the case of the CNAME RR.
9544
Described in RFC 2672.
9545
</para>
9546
</entry>
9547
</row>
9548
<row rowsep="0">
9549
<entry colname="1">
9550
<para>
9551
DNSKEY
9552
</para>
9553
</entry>
9554
<entry colname="2">
9555
<para>
9556
Stores a public key associated with a signed
9557
DNS zone. Described in RFC 4034.
9558
</para>
9559
</entry>
9560
</row>
9561
<row rowsep="0">
9562
<entry colname="1">
9563
<para>
9564
DS
9565
</para>
9566
</entry>
9567
<entry colname="2">
9568
<para>
9569
Stores the hash of a public key associated with a
9570
signed DNS zone. Described in RFC 4034.
9571
</para>
9572
</entry>
9573
</row>
9574
<row rowsep="0">
9575
<entry colname="1">
9576
<para>
9577
GPOS
9578
</para>
9579
</entry>
9580
<entry colname="2">
9581
<para>
9582
Specifies the global position. Superseded by LOC.
9583
</para>
9584
</entry>
9585
</row>
9586
<row rowsep="0">
9587
<entry colname="1">
9588
<para>
9589
HINFO
9590
</para>
9591
</entry>
9592
<entry colname="2">
9593
<para>
9594
Identifies the CPU and OS used by a host.
9595
Described in RFC 1035.
9596
</para>
9597
</entry>
9598
</row>
9599
<row rowsep="0">
9600
<entry colname="1">
9601
<para>
9602
ISDN
9603
</para>
9604
</entry>
9605
<entry colname="2">
9606
<para>
9607
Representation of ISDN addresses.
9608
Experimental. Described in RFC 1183.
9609
</para>
9610
</entry>
9611
</row>
9612
<row rowsep="0">
9613
<entry colname="1">
9614
<para>
9615
KEY
9616
</para>
9617
</entry>
9618
<entry colname="2">
9619
<para>
9620
Stores a public key associated with a
9621
DNS name. Used in original DNSSEC; replaced
9622
by DNSKEY in DNSSECbis, but still used with
9623
SIG(0). Described in RFCs 2535 and 2931.
9624
</para>
9625
</entry>
9626
</row>
9627
<row rowsep="0">
9628
<entry colname="1">
9629
<para>
9630
KX
9631
</para>
9632
</entry>
9633
<entry colname="2">
9634
<para>
9635
Identifies a key exchanger for this
9636
DNS name. Described in RFC 2230.
9637
</para>
9638
</entry>
9639
</row>
9640
<row rowsep="0">
9641
<entry colname="1">
9642
<para>
9643
LOC
9644
</para>
9645
</entry>
9646
<entry colname="2">
9647
<para>
9648
For storing GPS info. Described in RFC 1876.
9649
Experimental.
9650
</para>
9651
</entry>
9652
</row>
9653
<row rowsep="0">
9654
<entry colname="1">
9655
<para>
9656
MX
9657
</para>
9658
</entry>
9659
<entry colname="2">
9660
<para>
9661
Identifies a mail exchange for the domain with
9662
a 16-bit preference value (lower is better)
9663
followed by the host name of the mail exchange.
9664
Described in RFC 974, RFC 1035.
9665
</para>
9666
</entry>
9667
</row>
9668
<row rowsep="0">
9669
<entry colname="1">
9670
<para>
9671
NAPTR
9672
</para>
9673
</entry>
9674
<entry colname="2">
9675
<para>
9676
Name authority pointer. Described in RFC 2915.
9677
</para>
9678
</entry>
9679
</row>
9680
<row rowsep="0">
9681
<entry colname="1">
9682
<para>
9683
NSAP
9684
</para>
9685
</entry>
9686
<entry colname="2">
9687
<para>
9688
A network service access point.
9689
Described in RFC 1706.
9690
</para>
9691
</entry>
9692
</row>
9693
<row rowsep="0">
9694
<entry colname="1">
9695
<para>
9696
NS
9697
</para>
9698
</entry>
9699
<entry colname="2">
9700
<para>
9701
The authoritative name server for the
9702
domain. Described in RFC 1035.
9703
</para>
9704
</entry>
9705
</row>
9706
<row rowsep="0">
9707
<entry colname="1">
9708
<para>
9709
NSEC
9710
</para>
9711
</entry>
9712
<entry colname="2">
9713
<para>
9714
Used in DNSSECbis to securely indicate that
9715
RRs with an owner name in a certain name interval do
9716
not exist in
9717
a zone and indicate what RR types are present for an
9718
existing name.
9719
Described in RFC 4034.
9720
</para>
9721
</entry>
9722
</row>
9723
<row rowsep="0">
9724
<entry colname="1">
9725
<para>
9726
NXT
9727
</para>
9728
</entry>
9729
<entry colname="2">
9730
<para>
9731
Used in DNSSEC to securely indicate that
9732
RRs with an owner name in a certain name interval do
9733
not exist in
9734
a zone and indicate what RR types are present for an
9735
existing name.
9736
Used in original DNSSEC; replaced by NSEC in
9737
DNSSECbis.
9738
Described in RFC 2535.
9739
</para>
9740
</entry>
9741
</row>
9742
<row rowsep="0">
9743
<entry colname="1">
9744
<para>
9745
PTR
9746
</para>
9747
</entry>
9748
<entry colname="2">
9749
<para>
9750
A pointer to another part of the domain
9751
name space. Described in RFC 1035.
9752
</para>
9753
</entry>
9754
</row>
9755
<row rowsep="0">
9756
<entry colname="1">
9757
<para>
9758
PX
9759
</para>
9760
</entry>
9761
<entry colname="2">
9762
<para>
9763
Provides mappings between RFC 822 and X.400
9764
addresses. Described in RFC 2163.
9765
</para>
9766
</entry>
9767
</row>
9768
<row rowsep="0">
9769
<entry colname="1">
9770
<para>
9771
RP
9772
</para>
9773
</entry>
9774
<entry colname="2">
9775
<para>
9776
Information on persons responsible
9777
for the domain. Experimental. Described in RFC 1183.
9778
</para>
9779
</entry>
9780
</row>
9781
<row rowsep="0">
9782
<entry colname="1">
9783
<para>
9784
RRSIG
9785
</para>
9786
</entry>
9787
<entry colname="2">
9788
<para>
9789
Contains DNSSECbis signature data. Described
9790
in RFC 4034.
9791
</para>
9792
</entry>
9793
</row>
9794
<row rowsep="0">
9795
<entry colname="1">
9796
<para>
9797
RT
9798
</para>
9799
</entry>
9800
<entry colname="2">
9801
<para>
9802
Route-through binding for hosts that
9803
do not have their own direct wide area network
9804
addresses.
9805
Experimental. Described in RFC 1183.
9806
</para>
9807
</entry>
9808
</row>
9809
<row rowsep="0">
9810
<entry colname="1">
9811
<para>
9812
SIG
9813
</para>
9814
</entry>
9815
<entry colname="2">
9816
<para>
9817
Contains DNSSEC signature data. Used in
9818
original DNSSEC; replaced by RRSIG in
9819
DNSSECbis, but still used for SIG(0).
9820
Described in RFCs 2535 and 2931.
9821
</para>
9822
</entry>
9823
</row>
9824
<row rowsep="0">
9825
<entry colname="1">
9826
<para>
9827
SOA
9828
</para>
9829
</entry>
9830
<entry colname="2">
9831
<para>
9832
Identifies the start of a zone of authority.
9833
Described in RFC 1035.
9834
</para>
9835
</entry>
9836
</row>
9837
<row rowsep="0">
9838
<entry colname="1">
9839
<para>
9840
SRV
9841
</para>
9842
</entry>
9843
<entry colname="2">
9844
<para>
9845
Information about well known network
9846
services (replaces WKS). Described in RFC 2782.
9847
</para>
9848
</entry>
9849
</row>
9850
<row rowsep="0">
9851
<entry colname="1">
9852
<para>
9853
TXT
9854
</para>
9855
</entry>
9856
<entry colname="2">
9857
<para>
9858
Text records. Described in RFC 1035.
9859
</para>
9860
</entry>
9861
</row>
9862
<row rowsep="0">
9863
<entry colname="1">
9864
<para>
9865
WKS
9866
</para>
9867
</entry>
9868
<entry colname="2">
9869
<para>
9870
Information about which well known
9871
network services, such as SMTP, that a domain
9872
supports. Historical.
9873
</para>
9874
</entry>
9875
</row>
9876
<row rowsep="0">
9877
<entry colname="1">
9878
<para>
9879
X25
9880
</para>
9881
</entry>
9882
<entry colname="2">
9883
<para>
9884
Representation of X.25 network addresses.
9885
Experimental. Described in RFC 1183.
9886
</para>
9887
</entry>
9888
</row>
9889
</tbody>
9890
</tgroup>
9891
</informaltable>
9892
<para>
9893
The following <emphasis>classes</emphasis> of resource records
9894
are currently valid in the DNS:
9895
</para>
9896
<informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9897
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9898
<colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9899
<tbody>
9900
9901
<row rowsep="0">
9902
<entry colname="1">
9903
<para>
9904
IN
9905
</para>
9906
</entry>
9907
<entry colname="2">
9908
<para>
9909
The Internet.
9910
</para>
9911
</entry>
9912
</row>
9913
9914
<row rowsep="0">
9915
<entry colname="1">
9916
<para>
9917
CH
9918
</para>
9919
</entry>
9920
<entry colname="2">
9921
<para>
9922
Chaosnet, a LAN protocol created at MIT in the
9923
mid-1970s.
9924
Rarely used for its historical purpose, but reused for
9925
BIND's
9926
built-in server information zones, e.g.,
9927
<literal>version.bind</literal>.
9928
</para>
9929
</entry>
9930
</row>
9931
9932
<row rowsep="0">
9933
<entry colname="1">
9934
<para>
9935
HS
9936
</para>
9937
</entry>
9938
<entry colname="2">
9939
<para>
9940
Hesiod, an information service
9941
developed by MIT's Project Athena. It is used to share
9942
information
9943
about various systems databases, such as users,
9944
groups, printers
9945
and so on.
9946
</para>
9947
</entry>
9948
</row>
9949
9950
</tbody>
9951
</tgroup>
9952
</informaltable>
9953
9954
<para>
9955
The owner name is often implicit, rather than forming an
9956
integral
9957
part of the RR. For example, many name servers internally form
9958
tree
9959
or hash structures for the name space, and chain RRs off nodes.
9960
The remaining RR parts are the fixed header (type, class, TTL)
9961
which is consistent for all RRs, and a variable part (RDATA)
9962
that
9963
fits the needs of the resource being described.
9964
</para>
9965
<para>
9966
The meaning of the TTL field is a time limit on how long an
9967
RR can be kept in a cache. This limit does not apply to
9968
authoritative
9969
data in zones; it is also timed out, but by the refreshing
9970
policies
9971
for the zone. The TTL is assigned by the administrator for the
9972
zone where the data originates. While short TTLs can be used to
9973
minimize caching, and a zero TTL prohibits caching, the
9974
realities
9975
of Internet performance suggest that these times should be on
9976
the
9977
order of days for the typical host. If a change can be
9978
anticipated,
9979
the TTL can be reduced prior to the change to minimize
9980
inconsistency
9981
during the change, and then increased back to its former value
9982
following
9983
the change.
9984
</para>
9985
<para>
9986
The data in the RDATA section of RRs is carried as a combination
9987
of binary strings and domain names. The domain names are
9988
frequently
9989
used as "pointers" to other data in the DNS.
9990
</para>
9991
</sect3>
9992
<sect3>
9993
<title>Textual expression of RRs</title>
9994
<para>
9995
RRs are represented in binary form in the packets of the DNS
9996
protocol, and are usually represented in highly encoded form
9997
when
9998
stored in a name server or resolver. In the examples provided
9999
in
10000
RFC 1034, a style similar to that used in master files was
10001
employed
10002
in order to show the contents of RRs. In this format, most RRs
10003
are shown on a single line, although continuation lines are
10004
possible
10005
using parentheses.
10006
</para>
10007
<para>
10008
The start of the line gives the owner of the RR. If a line
10009
begins with a blank, then the owner is assumed to be the same as
10010
that of the previous RR. Blank lines are often included for
10011
readability.
10012
</para>
10013
<para>
10014
Following the owner, we list the TTL, type, and class of the
10015
RR. Class and type use the mnemonics defined above, and TTL is
10016
an integer before the type field. In order to avoid ambiguity
10017
in
10018
parsing, type and class mnemonics are disjoint, TTLs are
10019
integers,
10020
and the type mnemonic is always last. The IN class and TTL
10021
values
10022
are often omitted from examples in the interests of clarity.
10023
</para>
10024
<para>
10025
The resource data or RDATA section of the RR are given using
10026
knowledge of the typical representation for the data.
10027
</para>
10028
<para>
10029
For example, we might show the RRs carried in a message as:
10030
</para>
10031
<informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10032
<colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
10033
<colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
10034
<colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
10035
<tbody>
10036
<row rowsep="0">
10037
<entry colname="1">
10038
<para>
10039
<literal>ISI.EDU.</literal>
10040
</para>
10041
</entry>
10042
<entry colname="2">
10043
<para>
10044
<literal>MX</literal>
10045
</para>
10046
</entry>
10047
<entry colname="3">
10048
<para>
10049
<literal>10 VENERA.ISI.EDU.</literal>
10050
</para>
10051
</entry>
10052
</row>
10053
<row rowsep="0">
10054
<entry colname="1">
10055
<para/>
10056
</entry>
10057
<entry colname="2">
10058
<para>
10059
<literal>MX</literal>
10060
</para>
10061
</entry>
10062
<entry colname="3">
10063
<para>
10064
<literal>10 VAXA.ISI.EDU</literal>
10065
</para>
10066
</entry>
10067
</row>
10068
<row rowsep="0">
10069
<entry colname="1">
10070
<para>
10071
<literal>VENERA.ISI.EDU</literal>
10072
</para>
10073
</entry>
10074
<entry colname="2">
10075
<para>
10076
<literal>A</literal>
10077
</para>
10078
</entry>
10079
<entry colname="3">
10080
<para>
10081
<literal>128.9.0.32</literal>
10082
</para>
10083
</entry>
10084
</row>
10085
<row rowsep="0">
10086
<entry colname="1">
10087
<para/>
10088
</entry>
10089
<entry colname="2">
10090
<para>
10091
<literal>A</literal>
10092
</para>
10093
</entry>
10094
<entry colname="3">
10095
<para>
10096
<literal>10.1.0.52</literal>
10097
</para>
10098
</entry>
10099
</row>
10100
<row rowsep="0">
10101
<entry colname="1">
10102
<para>
10103
<literal>VAXA.ISI.EDU</literal>
10104
</para>
10105
</entry>
10106
<entry colname="2">
10107
<para>
10108
<literal>A</literal>
10109
</para>
10110
</entry>
10111
<entry colname="3">
10112
<para>
10113
<literal>10.2.0.27</literal>
10114
</para>
10115
</entry>
10116
</row>
10117
<row rowsep="0">
10118
<entry colname="1">
10119
<para/>
10120
</entry>
10121
<entry colname="2">
10122
<para>
10123
<literal>A</literal>
10124
</para>
10125
</entry>
10126
<entry colname="3">
10127
<para>
10128
<literal>128.9.0.33</literal>
10129
</para>
10130
</entry>
10131
</row>
10132
</tbody>
10133
</tgroup>
10134
</informaltable>
10135
<para>
10136
The MX RRs have an RDATA section which consists of a 16-bit
10137
number followed by a domain name. The address RRs use a
10138
standard
10139
IP address format to contain a 32-bit internet address.
10140
</para>
10141
<para>
10142
The above example shows six RRs, with two RRs at each of three
10143
domain names.
10144
</para>
10145
<para>
10146
Similarly we might see:
10147
</para>
10148
<informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10149
<colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
10150
<colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
10151
<colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
10152
<tbody>
10153
<row rowsep="0">
10154
<entry colname="1">
10155
<para>
10156
<literal>XX.LCS.MIT.EDU.</literal>
10157
</para>
10158
</entry>
10159
<entry colname="2">
10160
<para>
10161
<literal>IN A</literal>
10162
</para>
10163
</entry>
10164
<entry colname="3">
10165
<para>
10166
<literal>10.0.0.44</literal>
10167
</para>
10168
</entry>
10169
</row>
10170
<row rowsep="0">
10171
<entry colname="1"/>
10172
<entry colname="2">
10173
<para>
10174
<literal>CH A</literal>
10175
</para>
10176
</entry>
10177
<entry colname="3">
10178
<para>
10179
<literal>MIT.EDU. 2420</literal>
10180
</para>
10181
</entry>
10182
</row>
10183
</tbody>
10184
</tgroup>
10185
</informaltable>
10186
<para>
10187
This example shows two addresses for
10188
<literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10189
</para>
10190
</sect3>
10191
</sect2>
10192
10193
<sect2>
10194
<title>Discussion of MX Records</title>
10195
10196
<para>
10197
As described above, domain servers store information as a
10198
series of resource records, each of which contains a particular
10199
piece of information about a given domain name (which is usually,
10200
but not always, a host). The simplest way to think of a RR is as
10201
a typed pair of data, a domain name matched with a relevant datum,
10202
and stored with some additional type information to help systems
10203
determine when the RR is relevant.
10204
</para>
10205
10206
<para>
10207
MX records are used to control delivery of email. The data
10208
specified in the record is a priority and a domain name. The
10209
priority
10210
controls the order in which email delivery is attempted, with the
10211
lowest number first. If two priorities are the same, a server is
10212
chosen randomly. If no servers at a given priority are responding,
10213
the mail transport agent will fall back to the next largest
10214
priority.
10215
Priority numbers do not have any absolute meaning — they are
10216
relevant
10217
only respective to other MX records for that domain name. The
10218
domain
10219
name given is the machine to which the mail will be delivered.
10220
It <emphasis>must</emphasis> have an associated address record
10221
(A or AAAA) — CNAME is not sufficient.
10222
</para>
10223
<para>
10224
For a given domain, if there is both a CNAME record and an
10225
MX record, the MX record is in error, and will be ignored.
10226
Instead,
10227
the mail will be delivered to the server specified in the MX
10228
record
10229
pointed to by the CNAME.
10230
</para>
10231
<para>
10232
For example:
10233
</para>
10234
<informaltable colsep="0" rowsep="0">
10235
<tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10236
<colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10237
<colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10238
<colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10239
<colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10240
<colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10241
<tbody>
10242
<row rowsep="0">
10243
<entry colname="1">
10244
<para>
10245
<literal>example.com.</literal>
10246
</para>
10247
</entry>
10248
<entry colname="2">
10249
<para>
10250
<literal>IN</literal>
10251
</para>
10252
</entry>
10253
<entry colname="3">
10254
<para>
10255
<literal>MX</literal>
10256
</para>
10257
</entry>
10258
<entry colname="4">
10259
<para>
10260
<literal>10</literal>
10261
</para>
10262
</entry>
10263
<entry colname="5">
10264
<para>
10265
<literal>mail.example.com.</literal>
10266
</para>
10267
</entry>
10268
</row>
10269
<row rowsep="0">
10270
<entry colname="1">
10271
<para/>
10272
</entry>
10273
<entry colname="2">
10274
<para>
10275
<literal>IN</literal>
10276
</para>
10277
</entry>
10278
<entry colname="3">
10279
<para>
10280
<literal>MX</literal>
10281
</para>
10282
</entry>
10283
<entry colname="4">
10284
<para>
10285
<literal>10</literal>
10286
</para>
10287
</entry>
10288
<entry colname="5">
10289
<para>
10290
<literal>mail2.example.com.</literal>
10291
</para>
10292
</entry>
10293
</row>
10294
<row rowsep="0">
10295
<entry colname="1">
10296
<para/>
10297
</entry>
10298
<entry colname="2">
10299
<para>
10300
<literal>IN</literal>
10301
</para>
10302
</entry>
10303
<entry colname="3">
10304
<para>
10305
<literal>MX</literal>
10306
</para>
10307
</entry>
10308
<entry colname="4">
10309
<para>
10310
<literal>20</literal>
10311
</para>
10312
</entry>
10313
<entry colname="5">
10314
<para>
10315
<literal>mail.backup.org.</literal>
10316
</para>
10317
</entry>
10318
</row>
10319
<row rowsep="0">
10320
<entry colname="1">
10321
<para>
10322
<literal>mail.example.com.</literal>
10323
</para>
10324
</entry>
10325
<entry colname="2">
10326
<para>
10327
<literal>IN</literal>
10328
</para>
10329
</entry>
10330
<entry colname="3">
10331
<para>
10332
<literal>A</literal>
10333
</para>
10334
</entry>
10335
<entry colname="4">
10336
<para>
10337
<literal>10.0.0.1</literal>
10338
</para>
10339
</entry>
10340
<entry colname="5">
10341
<para/>
10342
</entry>
10343
</row>
10344
<row rowsep="0">
10345
<entry colname="1">
10346
<para>
10347
<literal>mail2.example.com.</literal>
10348
</para>
10349
</entry>
10350
<entry colname="2">
10351
<para>
10352
<literal>IN</literal>
10353
</para>
10354
</entry>
10355
<entry colname="3">
10356
<para>
10357
<literal>A</literal>
10358
</para>
10359
</entry>
10360
<entry colname="4">
10361
<para>
10362
<literal>10.0.0.2</literal>
10363
</para>
10364
</entry>
10365
<entry colname="5">
10366
<para/>
10367
</entry>
10368
</row>
10369
</tbody>
10370
</tgroup>
10371
</informaltable><para>
10372
Mail delivery will be attempted to <literal>mail.example.com</literal> and
10373
<literal>mail2.example.com</literal> (in
10374
any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
10375
be attempted.
10376
</para>
10377
</sect2>
10378
<sect2 id="Setting_TTLs">
10379
<title>Setting TTLs</title>
10380
<para>
10381
The time-to-live of the RR field is a 32-bit integer represented
10382
in units of seconds, and is primarily used by resolvers when they
10383
cache RRs. The TTL describes how long a RR can be cached before it
10384
should be discarded. The following three types of TTL are
10385
currently
10386
used in a zone file.
10387
</para>
10388
<informaltable colsep="0" rowsep="0">
10389
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10390
<colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
10391
<colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
10392
<tbody>
10393
<row rowsep="0">
10394
<entry colname="1">
10395
<para>
10396
SOA
10397
</para>
10398
</entry>
10399
<entry colname="2">
10400
<para>
10401
The last field in the SOA is the negative
10402
caching TTL. This controls how long other servers will
10403
cache no-such-domain
10404
(NXDOMAIN) responses from you.
10405
</para>
10406
<para>
10407
The maximum time for
10408
negative caching is 3 hours (3h).
10409
</para>
10410
</entry>
10411
</row>
10412
<row rowsep="0">
10413
<entry colname="1">
10414
<para>
10415
$TTL
10416
</para>
10417
</entry>
10418
<entry colname="2">
10419
<para>
10420
The $TTL directive at the top of the
10421
zone file (before the SOA) gives a default TTL for every
10422
RR without
10423
a specific TTL set.
10424
</para>
10425
</entry>
10426
</row>
10427
<row rowsep="0">
10428
<entry colname="1">
10429
<para>
10430
RR TTLs
10431
</para>
10432
</entry>
10433
<entry colname="2">
10434
<para>
10435
Each RR can have a TTL as the second
10436
field in the RR, which will control how long other
10437
servers can cache
10438
the it.
10439
</para>
10440
</entry>
10441
</row>
10442
</tbody>
10443
</tgroup>
10444
</informaltable>
10445
<para>
10446
All of these TTLs default to units of seconds, though units
10447
can be explicitly specified, for example, <literal>1h30m</literal>.
10448
</para>
10449
</sect2>
10450
<sect2>
10451
<title>Inverse Mapping in IPv4</title>
10452
<para>
10453
Reverse name resolution (that is, translation from IP address
10454
to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
10455
and PTR records. Entries in the in-addr.arpa domain are made in
10456
least-to-most significant order, read left to right. This is the
10457
opposite order to the way IP addresses are usually written. Thus,
10458
a machine with an IP address of 10.1.2.3 would have a
10459
corresponding
10460
in-addr.arpa name of
10461
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10462
whose data field is the name of the machine or, optionally,
10463
multiple
10464
PTR records if the machine has more than one name. For example,
10465
in the <optional>example.com</optional> domain:
10466
</para>
10467
<informaltable colsep="0" rowsep="0">
10468
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10469
<colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
10470
<colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
10471
<tbody>
10472
<row rowsep="0">
10473
<entry colname="1">
10474
<para>
10475
<literal>$ORIGIN</literal>
10476
</para>
10477
</entry>
10478
<entry colname="2">
10479
<para>
10480
<literal>2.1.10.in-addr.arpa</literal>
10481
</para>
10482
</entry>
10483
</row>
10484
<row rowsep="0">
10485
<entry colname="1">
10486
<para>
10487
<literal>3</literal>
10488
</para>
10489
</entry>
10490
<entry colname="2">
10491
<para>
10492
<literal>IN PTR foo.example.com.</literal>
10493
</para>
10494
</entry>
10495
</row>
10496
</tbody>
10497
</tgroup>
10498
</informaltable>
10499
<note>
10500
<para>
10501
The <command>$ORIGIN</command> lines in the examples
10502
are for providing context to the examples only — they do not
10503
necessarily
10504
appear in the actual usage. They are only used here to indicate
10505
that the example is relative to the listed origin.
10506
</para>
10507
</note>
10508
</sect2>
10509
<sect2>
10510
<title>Other Zone File Directives</title>
10511
<para>
10512
The Master File Format was initially defined in RFC 1035 and
10513
has subsequently been extended. While the Master File Format
10514
itself
10515
is class independent all records in a Master File must be of the
10516
same
10517
class.
10518
</para>
10519
<para>
10520
Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
10521
and <command>$TTL.</command>
10522
</para>
10523
<sect3>
10524
<title>The <command>$ORIGIN</command> Directive</title>
10525
<para>
10526
Syntax: <command>$ORIGIN</command>
10527
<replaceable>domain-name</replaceable>
10528
<optional><replaceable>comment</replaceable></optional>
10529
</para>
10530
<para><command>$ORIGIN</command>
10531
sets the domain name that will be appended to any
10532
unqualified records. When a zone is first read in there
10533
is an implicit <command>$ORIGIN</command>
10534
<<varname>zone-name</varname>><command>.</command>
10535
The current <command>$ORIGIN</command> is appended to
10536
the domain specified in the <command>$ORIGIN</command>
10537
argument if it is not absolute.
10538
</para>
10539
10540
<programlisting>
10541
$ORIGIN example.com.
10542
WWW CNAME MAIN-SERVER
10543
</programlisting>
10544
10545
<para>
10546
is equivalent to
10547
</para>
10548
10549
<programlisting>
10550
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10551
</programlisting>
10552
10553
</sect3>
10554
<sect3>
10555
<title>The <command>$INCLUDE</command> Directive</title>
10556
<para>
10557
Syntax: <command>$INCLUDE</command>
10558
<replaceable>filename</replaceable>
10559
<optional>
10560
<replaceable>origin</replaceable> </optional>
10561
<optional> <replaceable>comment</replaceable> </optional>
10562
</para>
10563
<para>
10564
Read and process the file <filename>filename</filename> as
10565
if it were included into the file at this point. If <command>origin</command> is
10566
specified the file is processed with <command>$ORIGIN</command> set
10567
to that value, otherwise the current <command>$ORIGIN</command> is
10568
used.
10569
</para>
10570
<para>
10571
The origin and the current domain name
10572
revert to the values they had prior to the <command>$INCLUDE</command> once
10573
the file has been read.
10574
</para>
10575
<note>
10576
<para>
10577
RFC 1035 specifies that the current origin should be restored
10578
after
10579
an <command>$INCLUDE</command>, but it is silent
10580
on whether the current
10581
domain name should also be restored. BIND 9 restores both of
10582
them.
10583
This could be construed as a deviation from RFC 1035, a
10584
feature, or both.
10585
</para>
10586
</note>
10587
</sect3>
10588
<sect3>
10589
<title>The <command>$TTL</command> Directive</title>
10590
<para>
10591
Syntax: <command>$TTL</command>
10592
<replaceable>default-ttl</replaceable>
10593
<optional>
10594
<replaceable>comment</replaceable> </optional>
10595
</para>
10596
<para>
10597
Set the default Time To Live (TTL) for subsequent records
10598
with undefined TTLs. Valid TTLs are of the range 0-2147483647
10599
seconds.
10600
</para>
10601
<para><command>$TTL</command>
10602
is defined in RFC 2308.
10603
</para>
10604
</sect3>
10605
</sect2>
10606
<sect2>
10607
<title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
10608
<para>
10609
Syntax: <command>$GENERATE</command>
10610
<replaceable>range</replaceable>
10611
<replaceable>lhs</replaceable>
10612
<optional><replaceable>ttl</replaceable></optional>
10613
<optional><replaceable>class</replaceable></optional>
10614
<replaceable>type</replaceable>
10615
<replaceable>rhs</replaceable>
10616
<optional><replaceable>comment</replaceable></optional>
10617
</para>
10618
<para><command>$GENERATE</command>
10619
is used to create a series of resource records that only
10620
differ from each other by an
10621
iterator. <command>$GENERATE</command> can be used to
10622
easily generate the sets of records required to support
10623
sub /24 reverse delegations described in RFC 2317:
10624
Classless IN-ADDR.ARPA delegation.
10625
</para>
10626
5631
10627
<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
5632
10628
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
5633
10629
$GENERATE 1-127 $ CNAME $.0</programlisting>
5634
<para>is equivalent to</para>
5635
<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
10630
10631
<para>
10632
is equivalent to
10633
</para>
10634
10635
<programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
5636
10636
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
5637
10637
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
5638
10638
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
5639
10639
...
5640
10640
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
5641
10641
</programlisting>
5642
<informaltable colsep = "0" rowsep = "0">
5643
<tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
5644
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
5645
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
5646
<tbody>
5647
<row rowsep = "0">
5648
<entry colname = "1"><para><command>range</command></para></entry>
5649
<entry colname = "2"><para>This can be one of two forms: start-stop
5650
or start-stop/step. If the first form is used then step is set to
5651
1. All of start, stop and step must be positive.</para></entry>
5652
</row>
5653
<row rowsep = "0">
5654
<entry colname = "1"><para><command>lhs</command></para></entry>
5655
<entry colname = "2"><para><command>lhs</command> describes the
5656
owner name of the resource records to be created. Any single <command>$</command> symbols
5657
within the <command>lhs</command> side are replaced by the iterator
5658
value.
5659
To get a $ in the output you need to escape the <command>$</command>
5660
using a backslash <command>\</command>,
5661
e.g. <command>\$</command>. The <command>$</command> may optionally be followed
5662
by modifiers which change the offset from the iterator, field width and base.
5663
Modifiers are introduced by a <command>{</command> immediately following the
5664
<command>$</command> as <command>${offset[,width[,base]]}</command>.
5665
e.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
5666
prints the result as a decimal in a zero padded field of with 3. Available
5667
output forms are decimal (<command>d</command>), octal (<command>o</command>)
5668
and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
5669
The default modifier is <command>${0,0,d}</command>.
5670
If the <command>lhs</command> is not
5671
absolute, the current <command>$ORIGIN</command> is appended to
5672
the name.</para>
5673
<para>For compatibility with earlier versions <command>$$</command> is still
5674
recognized a indicating a literal $ in the output.</para></entry>
5675
</row>
5676
<row rowsep = "0">
5677
<entry colname = "1"><para><command>ttl</command></para></entry>
5678
<entry colname = "2"><para><command>ttl</command> specifies the
5679
ttl of the generated records. If not specified this will be
5680
inherited using the normal ttl inheritance rules.</para>
5681
<para><command>class</command> and <command>ttl</command> can be
5682
entered in either order.</para></entry>
5683
</row>
5684
<row rowsep = "0">
5685
<entry colname = "1"><para><command>class</command></para></entry>
5686
<entry colname = "2"><para><command>class</command> specifies the
5687
class of the generated records. This must match the zone class if
5688
it is specified.</para>
5689
<para><command>class</command> and <command>ttl</command> can be
5690
entered in either order.</para></entry>
5691
</row>
5692
<row rowsep = "0">
5693
<entry colname = "1"><para><command>type</command></para></entry>
5694
<entry colname = "2"><para>At present the only supported types are
5695
PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
5696
</row>
5697
<row rowsep = "0">
5698
<entry colname = "1"><para><command>rhs</command></para></entry>
5699
<entry colname = "2"><para>rhs is a domain name. It is processed
5700
similarly to lhs.</para></entry>
5701
</row>
5702
</tbody>
5703
</tgroup></informaltable>
5704
<para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
5705
and not part of the standard zone file format.</para>
5706
<para>BIND 8 does not support the optional TTL and CLASS fields.</para>
5707
</sect2>
5708
</sect1>
5709
</chapter>
5710
<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
5711
<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
5712
<para>Access Control Lists (ACLs), are address match lists that
5713
you can set up and nickname for future use in <command>allow-notify</command>,
5714
<command>allow-query</command>, <command>allow-recursion</command>,
5715
<command>blackhole</command>, <command>allow-transfer</command>,
5716
etc.</para>
5717
<para>Using ACLs allows you to have finer control over who can access
5718
your name server, without cluttering up your config files with huge
5719
lists of IP addresses.</para>
5720
<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
5721
control access to your server. Limiting access to your server by
5722
outside parties can help prevent spoofing and DoS attacks against
5723
your server.</para>
5724
<para>Here is an example of how to properly apply ACLs:</para>
10642
10643
<informaltable colsep="0" rowsep="0">
10644
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10645
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10646
<colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
10647
<tbody>
10648
<row rowsep="0">
10649
<entry colname="1">
10650
<para><command>range</command></para>
10651
</entry>
10652
<entry colname="2">
10653
<para>
10654
This can be one of two forms: start-stop
10655
or start-stop/step. If the first form is used, then step
10656
is set to
10657
1. All of start, stop and step must be positive.
10658
</para>
10659
</entry>
10660
</row>
10661
<row rowsep="0">
10662
<entry colname="1">
10663
<para><command>lhs</command></para>
10664
</entry>
10665
<entry colname="2">
10666
<para>This
10667
describes the owner name of the resource records
10668
to be created. Any single <command>$</command>
10669
(dollar sign)
10670
symbols within the <command>lhs</command> side
10671
are replaced by the iterator value.
10672
10673
To get a $ in the output, you need to escape the
10674
<command>$</command> using a backslash
10675
<command>\</command>,
10676
e.g. <command>\$</command>. The
10677
<command>$</command> may optionally be followed
10678
by modifiers which change the offset from the
10679
iterator, field width and base.
10680
10681
Modifiers are introduced by a
10682
<command>{</command> (left brace) immediately following the
10683
<command>$</command> as
10684
<command>${offset[,width[,base]]}</command>.
10685
For example, <command>${-20,3,d}</command>
10686
subtracts 20 from the current value, prints the
10687
result as a decimal in a zero-padded field of
10688
width 3.
10689
10690
Available output forms are decimal
10691
(<command>d</command>), octal
10692
(<command>o</command>) and hexadecimal
10693
(<command>x</command> or <command>X</command>
10694
for uppercase). The default modifier is
10695
<command>${0,0,d}</command>. If the
10696
<command>lhs</command> is not absolute, the
10697
current <command>$ORIGIN</command> is appended
10698
to the name.
10699
</para>
10700
<para>
10701
For compatibility with earlier versions, <command>$$</command> is still
10702
recognized as indicating a literal $ in the output.
10703
</para>
10704
</entry>
10705
</row>
10706
<row rowsep="0">
10707
<entry colname="1">
10708
<para><command>ttl</command></para>
10709
</entry>
10710
<entry colname="2">
10711
<para>
10712
Specifies the time-to-live of the generated records. If
10713
not specified this will be inherited using the
10714
normal ttl inheritance rules.
10715
</para>
10716
<para><command>class</command>
10717
and <command>ttl</command> can be
10718
entered in either order.
10719
</para>
10720
</entry>
10721
</row>
10722
<row rowsep="0">
10723
<entry colname="1">
10724
<para><command>class</command></para>
10725
</entry>
10726
<entry colname="2">
10727
<para>
10728
Specifies the class of the generated records.
10729
This must match the zone class if it is
10730
specified.
10731
</para>
10732
<para><command>class</command>
10733
and <command>ttl</command> can be
10734
entered in either order.
10735
</para>
10736
</entry>
10737
</row>
10738
<row rowsep="0">
10739
<entry colname="1">
10740
<para><command>type</command></para>
10741
</entry>
10742
<entry colname="2">
10743
<para>
10744
At present the only supported types are
10745
PTR, CNAME, DNAME, A, AAAA and NS.
10746
</para>
10747
</entry>
10748
</row>
10749
<row rowsep="0">
10750
<entry colname="1">
10751
<para><command>rhs</command></para>
10752
</entry>
10753
<entry colname="2">
10754
<para>
10755
<command>rhs</command> is a domain name. It is processed
10756
similarly to lhs.
10757
</para>
10758
</entry>
10759
</row>
10760
</tbody>
10761
</tgroup>
10762
</informaltable>
10763
<para>
10764
The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
10765
and not part of the standard zone file format.
10766
</para>
10767
<para>
10768
BIND 8 does not support the optional TTL and CLASS fields.
10769
</para>
10770
</sect2>
10771
10772
<sect2 id="zonefile_format">
10773
<title>Additional File Formats</title>
10774
<para>
10775
In addition to the standard textual format, BIND 9
10776
supports the ability to read or dump to zone files in
10777
other formats. The <constant>raw</constant> format is
10778
currently available as an additional format. It is a
10779
binary format representing BIND 9's internal data
10780
structure directly, thereby remarkably improving the
10781
loading time.
10782
</para>
10783
<para>
10784
For a primary server, a zone file in the
10785
<constant>raw</constant> format is expected to be
10786
generated from a textual zone file by the
10787
<command>named-compilezone</command> command. For a
10788
secondary server or for a dynamic zone, it is automatically
10789
generated (if this format is specified by the
10790
<command>masterfile-format</command> option) when
10791
<command>named</command> dumps the zone contents after
10792
zone transfer or when applying prior updates.
10793
</para>
10794
<para>
10795
If a zone file in a binary format needs manual modification,
10796
it first must be converted to a textual form by the
10797
<command>named-compilezone</command> command. All
10798
necessary modification should go to the text file, which
10799
should then be converted to the binary form by the
10800
<command>named-compilezone</command> command again.
10801
</para>
10802
<para>
10803
Although the <constant>raw</constant> format uses the
10804
network byte order and avoids architecture-dependent
10805
data alignment so that it is as much portable as
10806
possible, it is primarily expected to be used inside
10807
the same single system. In order to export a zone
10808
file in the <constant>raw</constant> format or make a
10809
portable backup of the file, it is recommended to
10810
convert the file to the standard textual representation.
10811
</para>
10812
</sect2>
10813
</sect1>
10814
10815
<sect1>
10816
<title>BIND9 Statistics</title>
10817
<para>
10818
<acronym>BIND</acronym> 9 maintains lots of statistics
10819
information and provides several interfaces for users to
10820
get access to the statistics.
10821
The available statistics include all statistics counters
10822
that were available in <acronym>BIND</acronym> 8 and
10823
are meaningful in <acronym>BIND</acronym> 9,
10824
and other information that is considered useful.
10825
</para>
10826
10827
<para>
10828
The statistics information is categorized into the following
10829
sections.
10830
</para>
10831
10832
<informaltable frame="all">
10833
<tgroup cols="2">
10834
<colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
10835
<colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
10836
<tbody>
10837
10838
<row rowsep="0">
10839
<entry colname="1">
10840
<para>Incoming Requests</para>
10841
</entry>
10842
<entry colname="2">
10843
<para>
10844
The number of incoming DNS requests for each OPCODE.
10845
</para>
10846
</entry>
10847
</row>
10848
10849
<row rowsep="0">
10850
<entry colname="1">
10851
<para>Incoming Queries</para>
10852
</entry>
10853
<entry colname="2">
10854
<para>
10855
The number of incoming queries for each RR type.
10856
</para>
10857
</entry>
10858
</row>
10859
10860
<row rowsep="0">
10861
<entry colname="1">
10862
<para>Outgoing Queries</para>
10863
</entry>
10864
<entry colname="2">
10865
<para>
10866
The number of outgoing queries for each RR
10867
type sent from the internal resolver.
10868
Maintained per view.
10869
</para>
10870
</entry>
10871
</row>
10872
10873
<row rowsep="0">
10874
<entry colname="1">
10875
<para>Name Server Statistics</para>
10876
</entry>
10877
<entry colname="2">
10878
<para>
10879
Statistics counters about incoming request processing.
10880
</para>
10881
</entry>
10882
</row>
10883
10884
<row rowsep="0">
10885
<entry colname="1">
10886
<para>Zone Maintenance Statistics</para>
10887
</entry>
10888
<entry colname="2">
10889
<para>
10890
Statistics counters regarding zone maintenance
10891
operations such as zone transfers.
10892
</para>
10893
</entry>
10894
</row>
10895
10896
<row rowsep="0">
10897
<entry colname="1">
10898
<para>Resolver Statistics</para>
10899
</entry>
10900
<entry colname="2">
10901
<para>
10902
Statistics counters about name resolution
10903
performed in the internal resolver.
10904
Maintained per view.
10905
</para>
10906
</entry>
10907
</row>
10908
10909
<row rowsep="0">
10910
<entry colname="1">
10911
<para>Cache DB RRsets</para>
10912
</entry>
10913
<entry colname="2">
10914
<para>
10915
The number of RRsets per RR type (positive
10916
or negative) and nonexistent names stored in the
10917
cache database.
10918
Maintained per view.
10919
</para>
10920
</entry>
10921
</row>
10922
10923
</tbody>
10924
</tgroup>
10925
</informaltable>
10926
10927
<para>
10928
A subset of Name Server Statistics is collected and shown
10929
per zone for which the server has the authority when
10930
<command>zone-statistics</command> is set to
10931
<userinput>yes</userinput>.
10932
These statistics counters are shown with their zone and view
10933
names.
10934
In some cases the view names are omitted for the default view.
10935
</para>
10936
10937
<para>
10938
There are currently two user interfaces to get access to the
10939
statistics.
10940
One is in the plain text format dumped to the file specified
10941
by the <command>statistics-file</command> configuration option.
10942
The other is remotely accessible via a statistics channel
10943
when the <command>statistics-channels</command> statement
10944
is specified in the configuration file
10945
(see <xref linkend="statschannels"/>.)
10946
</para>
10947
10948
<sect3 id="statsfile">
10949
<title>The Statistics File</title>
10950
<para>
10951
The text format statistics dump begins with a line, like:
10952
</para>
10953
<para>
10954
<command>+++ Statistics Dump +++ (973798949)</command>
10955
</para>
10956
<para>
10957
The number in parentheses is a standard
10958
Unix-style timestamp, measured as seconds since January 1, 1970.
10959
10960
Following
10961
that line is a set of statistics information, which is categorized
10962
as described above.
10963
Each section begins with a line, like:
10964
</para>
10965
10966
<para>
10967
<command>++ Name Server Statistics ++</command>
10968
</para>
10969
10970
<para>
10971
Each section consists of lines, each containing the statistics
10972
counter value followed by its textual description.
10973
See below for available counters.
10974
For brevity, counters that have a value of 0 are not shown
10975
in the statistics file.
10976
</para>
10977
10978
<para>
10979
The statistics dump ends with the line where the
10980
number is identical to the number in the beginning line; for example:
10981
</para>
10982
<para>
10983
<command>--- Statistics Dump --- (973798949)</command>
10984
</para>
10985
</sect3>
10986
10987
<sect2>
10988
<title>Statistics Counters</title>
10989
<para>
10990
The following tables summarize statistics counters that
10991
<acronym>BIND</acronym> 9 provides.
10992
For each row of the tables, the leftmost column is the
10993
abbreviated symbol name of that counter.
10994
These symbols are shown in the statistics information
10995
accessed via an HTTP statistics channel.
10996
The rightmost column gives the description of the counter,
10997
which is also shown in the statistics file
10998
(but, in this document, possibly with slight modification
10999
for better readability).
11000
Additional notes may also be provided in this column.
11001
When a middle column exists between these two columns,
11002
it gives the corresponding counter name of the
11003
<acronym>BIND</acronym> 8 statistics, if applicable.
11004
</para>
11005
11006
<sect3>
11007
<title>Name Server Statistics Counters</title>
11008
11009
<informaltable colsep="0" rowsep="0">
11010
<tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11011
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11012
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11013
<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11014
<tbody>
11015
<row>
11016
<entry colname="1">
11017
<para>
11018
<emphasis>Symbol</emphasis>
11019
</para>
11020
</entry>
11021
<entry colname="2">
11022
<para>
11023
<emphasis>BIND8 Symbol</emphasis>
11024
</para>
11025
</entry>
11026
<entry colname="3">
11027
<para>
11028
<emphasis>Description</emphasis>
11029
</para>
11030
</entry>
11031
</row>
11032
11033
<row rowsep="0">
11034
<entry colname="1">
11035
<para><command>Requestv4</command></para>
11036
</entry>
11037
<entry colname="2">
11038
<para><command>RQ</command></para>
11039
</entry>
11040
<entry colname="3">
11041
<para>
11042
IPv4 requests received.
11043
Note: this also counts non query requests.
11044
</para>
11045
</entry>
11046
</row>
11047
<row rowsep="0">
11048
<entry colname="1">
11049
<para><command>Requestv6</command></para>
11050
</entry>
11051
<entry colname="2">
11052
<para><command>RQ</command></para>
11053
</entry>
11054
<entry colname="3">
11055
<para>
11056
IPv6 requests received.
11057
Note: this also counts non query requests.
11058
</para>
11059
</entry>
11060
</row>
11061
<row rowsep="0">
11062
<entry colname="1">
11063
<para><command>ReqEdns0</command></para>
11064
</entry>
11065
<entry colname="2">
11066
<para><command></command></para>
11067
</entry>
11068
<entry colname="3">
11069
<para>
11070
Requests with EDNS(0) received.
11071
</para>
11072
</entry>
11073
</row>
11074
<row rowsep="0">
11075
<entry colname="1">
11076
<para><command>ReqBadEDNSVer</command></para>
11077
</entry>
11078
<entry colname="2">
11079
<para><command></command></para>
11080
</entry>
11081
<entry colname="3">
11082
<para>
11083
Requests with unsupported EDNS version received.
11084
</para>
11085
</entry>
11086
</row>
11087
<row rowsep="0">
11088
<entry colname="1">
11089
<para><command>ReqTSIG</command></para>
11090
</entry>
11091
<entry colname="2">
11092
<para><command></command></para>
11093
</entry>
11094
<entry colname="3">
11095
<para>
11096
Requests with TSIG received.
11097
</para>
11098
</entry>
11099
</row>
11100
<row rowsep="0">
11101
<entry colname="1">
11102
<para><command>ReqSIG0</command></para>
11103
</entry>
11104
<entry colname="2">
11105
<para><command></command></para>
11106
</entry>
11107
<entry colname="3">
11108
<para>
11109
Requests with SIG(0) received.
11110
</para>
11111
</entry>
11112
</row>
11113
<row rowsep="0">
11114
<entry colname="1">
11115
<para><command>ReqBadSIG</command></para>
11116
</entry>
11117
<entry colname="2">
11118
<para><command></command></para>
11119
</entry>
11120
<entry colname="3">
11121
<para>
11122
Requests with invalid (TSIG or SIG(0)) signature.
11123
</para>
11124
</entry>
11125
</row>
11126
<row rowsep="0">
11127
<entry colname="1">
11128
<para><command>ReqTCP</command></para>
11129
</entry>
11130
<entry colname="2">
11131
<para><command>RTCP</command></para>
11132
</entry>
11133
<entry colname="3">
11134
<para>
11135
TCP requests received.
11136
</para>
11137
</entry>
11138
</row>
11139
<row rowsep="0">
11140
<entry colname="1">
11141
<para><command>AuthQryRej</command></para>
11142
</entry>
11143
<entry colname="2">
11144
<para><command>RUQ</command></para>
11145
</entry>
11146
<entry colname="3">
11147
<para>
11148
Authoritative (non recursive) queries rejected.
11149
</para>
11150
</entry>
11151
</row>
11152
<row rowsep="0">
11153
<entry colname="1">
11154
<para><command>RecQryRej</command></para>
11155
</entry>
11156
<entry colname="2">
11157
<para><command>RURQ</command></para>
11158
</entry>
11159
<entry colname="3">
11160
<para>
11161
Recursive queries rejected.
11162
</para>
11163
</entry>
11164
</row>
11165
<row rowsep="0">
11166
<entry colname="1">
11167
<para><command>XfrRej</command></para>
11168
</entry>
11169
<entry colname="2">
11170
<para><command>RUXFR</command></para>
11171
</entry>
11172
<entry colname="3">
11173
<para>
11174
Zone transfer requests rejected.
11175
</para>
11176
</entry>
11177
</row>
11178
<row rowsep="0">
11179
<entry colname="1">
11180
<para><command>UpdateRej</command></para>
11181
</entry>
11182
<entry colname="2">
11183
<para><command>RUUpd</command></para>
11184
</entry>
11185
<entry colname="3">
11186
<para>
11187
Dynamic update requests rejected.
11188
</para>
11189
</entry>
11190
</row>
11191
<row rowsep="0">
11192
<entry colname="1">
11193
<para><command>Response</command></para>
11194
</entry>
11195
<entry colname="2">
11196
<para><command>SAns</command></para>
11197
</entry>
11198
<entry colname="3">
11199
<para>
11200
Responses sent.
11201
</para>
11202
</entry>
11203
</row>
11204
<row rowsep="0">
11205
<entry colname="1">
11206
<para><command>RespTruncated</command></para>
11207
</entry>
11208
<entry colname="2">
11209
<para><command></command></para>
11210
</entry>
11211
<entry colname="3">
11212
<para>
11213
Truncated responses sent.
11214
</para>
11215
</entry>
11216
</row>
11217
<row rowsep="0">
11218
<entry colname="1">
11219
<para><command>RespEDNS0</command></para>
11220
</entry>
11221
<entry colname="2">
11222
<para><command></command></para>
11223
</entry>
11224
<entry colname="3">
11225
<para>
11226
Responses with EDNS(0) sent.
11227
</para>
11228
</entry>
11229
</row>
11230
<row rowsep="0">
11231
<entry colname="1">
11232
<para><command>RespTSIG</command></para>
11233
</entry>
11234
<entry colname="2">
11235
<para><command></command></para>
11236
</entry>
11237
<entry colname="3">
11238
<para>
11239
Responses with TSIG sent.
11240
</para>
11241
</entry>
11242
</row>
11243
<row rowsep="0">
11244
<entry colname="1">
11245
<para><command>RespSIG0</command></para>
11246
</entry>
11247
<entry colname="2">
11248
<para><command></command></para>
11249
</entry>
11250
<entry colname="3">
11251
<para>
11252
Responses with SIG(0) sent.
11253
</para>
11254
</entry>
11255
</row>
11256
<row rowsep="0">
11257
<entry colname="1">
11258
<para><command>QrySuccess</command></para>
11259
</entry>
11260
<entry colname="2">
11261
<para><command></command></para>
11262
</entry>
11263
<entry colname="3">
11264
<para>
11265
Queries resulted in a successful answer.
11266
This means the query which returns a NOERROR response
11267
with at least one answer RR.
11268
This corresponds to the
11269
<command>success</command> counter
11270
of previous versions of
11271
<acronym>BIND</acronym> 9.
11272
</para>
11273
</entry>
11274
</row>
11275
<row rowsep="0">
11276
<entry colname="1">
11277
<para><command>QryAuthAns</command></para>
11278
</entry>
11279
<entry colname="2">
11280
<para><command></command></para>
11281
</entry>
11282
<entry colname="3">
11283
<para>
11284
Queries resulted in authoritative answer.
11285
</para>
11286
</entry>
11287
</row>
11288
<row rowsep="0">
11289
<entry colname="1">
11290
<para><command>QryNoauthAns</command></para>
11291
</entry>
11292
<entry colname="2">
11293
<para><command>SNaAns</command></para>
11294
</entry>
11295
<entry colname="3">
11296
<para>
11297
Queries resulted in non authoritative answer.
11298
</para>
11299
</entry>
11300
</row>
11301
<row rowsep="0">
11302
<entry colname="1">
11303
<para><command>QryReferral</command></para>
11304
</entry>
11305
<entry colname="2">
11306
<para><command></command></para>
11307
</entry>
11308
<entry colname="3">
11309
<para>
11310
Queries resulted in referral answer.
11311
This corresponds to the
11312
<command>referral</command> counter
11313
of previous versions of
11314
<acronym>BIND</acronym> 9.
11315
</para>
11316
</entry>
11317
</row>
11318
<row rowsep="0">
11319
<entry colname="1">
11320
<para><command>QryNxrrset</command></para>
11321
</entry>
11322
<entry colname="2">
11323
<para><command></command></para>
11324
</entry>
11325
<entry colname="3">
11326
<para>
11327
Queries resulted in NOERROR responses with no data.
11328
This corresponds to the
11329
<command>nxrrset</command> counter
11330
of previous versions of
11331
<acronym>BIND</acronym> 9.
11332
</para>
11333
</entry>
11334
</row>
11335
<row rowsep="0">
11336
<entry colname="1">
11337
<para><command>QrySERVFAIL</command></para>
11338
</entry>
11339
<entry colname="2">
11340
<para><command>SFail</command></para>
11341
</entry>
11342
<entry colname="3">
11343
<para>
11344
Queries resulted in SERVFAIL.
11345
</para>
11346
</entry>
11347
</row>
11348
<row rowsep="0">
11349
<entry colname="1">
11350
<para><command>QryFORMERR</command></para>
11351
</entry>
11352
<entry colname="2">
11353
<para><command>SFErr</command></para>
11354
</entry>
11355
<entry colname="3">
11356
<para>
11357
Queries resulted in FORMERR.
11358
</para>
11359
</entry>
11360
</row>
11361
<row rowsep="0">
11362
<entry colname="1">
11363
<para><command>QryNXDOMAIN</command></para>
11364
</entry>
11365
<entry colname="2">
11366
<para><command>SNXD</command></para>
11367
</entry>
11368
<entry colname="3">
11369
<para>
11370
Queries resulted in NXDOMAIN.
11371
This corresponds to the
11372
<command>nxdomain</command> counter
11373
of previous versions of
11374
<acronym>BIND</acronym> 9.
11375
</para>
11376
</entry>
11377
</row>
11378
<row rowsep="0">
11379
<entry colname="1">
11380
<para><command>QryRecursion</command></para>
11381
</entry>
11382
<entry colname="2">
11383
<para><command>RFwdQ</command></para>
11384
</entry>
11385
<entry colname="3">
11386
<para>
11387
Queries which caused the server
11388
to perform recursion in order to find the final answer.
11389
This corresponds to the
11390
<command>recursion</command> counter
11391
of previous versions of
11392
<acronym>BIND</acronym> 9.
11393
</para>
11394
</entry>
11395
</row>
11396
<row rowsep="0">
11397
<entry colname="1">
11398
<para><command>QryDuplicate</command></para>
11399
</entry>
11400
<entry colname="2">
11401
<para><command>RDupQ</command></para>
11402
</entry>
11403
<entry colname="3">
11404
<para>
11405
Queries which the server attempted to
11406
recurse but discovered an existing query with the same
11407
IP address, port, query ID, name, type and class
11408
already being processed.
11409
This corresponds to the
11410
<command>duplicate</command> counter
11411
of previous versions of
11412
<acronym>BIND</acronym> 9.
11413
</para>
11414
</entry>
11415
</row>
11416
<row rowsep="0">
11417
<entry colname="1">
11418
<para><command>QryDropped</command></para>
11419
</entry>
11420
<entry colname="2">
11421
<para><command></command></para>
11422
</entry>
11423
<entry colname="3">
11424
<para>
11425
Queries for which the server
11426
discovered an excessive number of existing
11427
recursive queries for the same name, type and
11428
class and were subsequently dropped.
11429
This corresponds to the
11430
<command>dropped</command> counter
11431
of previous versions of
11432
<acronym>BIND</acronym> 9.
11433
</para>
11434
</entry>
11435
</row>
11436
<row rowsep="0">
11437
<entry colname="1">
11438
<para><command>QryFailure</command></para>
11439
</entry>
11440
<entry colname="2">
11441
<para><command></command></para>
11442
</entry>
11443
<entry colname="3">
11444
<para>
11445
Other query failures.
11446
This corresponds to the
11447
<command>failure</command> counter
11448
of previous versions of
11449
<acronym>BIND</acronym> 9.
11450
</para>
11451
</entry>
11452
</row>
11453
<row rowsep="0">
11454
<entry colname="1">
11455
<para><command>XfrReqDone</command></para>
11456
</entry>
11457
<entry colname="2">
11458
<para><command></command></para>
11459
</entry>
11460
<entry colname="3">
11461
<para>
11462
Requested zone transfers completed.
11463
</para>
11464
</entry>
11465
</row>
11466
<row rowsep="0">
11467
<entry colname="1">
11468
<para><command>UpdateReqFwd</command></para>
11469
</entry>
11470
<entry colname="2">
11471
<para><command></command></para>
11472
</entry>
11473
<entry colname="3">
11474
<para>
11475
Update requests forwarded.
11476
</para>
11477
</entry>
11478
</row>
11479
<row rowsep="0">
11480
<entry colname="1">
11481
<para><command>UpdateRespFwd</command></para>
11482
</entry>
11483
<entry colname="2">
11484
<para><command></command></para>
11485
</entry>
11486
<entry colname="3">
11487
<para>
11488
Update responses forwarded.
11489
</para>
11490
</entry>
11491
</row>
11492
<row rowsep="0">
11493
<entry colname="1">
11494
<para><command>UpdateFwdFail</command></para>
11495
</entry>
11496
<entry colname="2">
11497
<para><command></command></para>
11498
</entry>
11499
<entry colname="3">
11500
<para>
11501
Dynamic update forward failed.
11502
</para>
11503
</entry>
11504
</row>
11505
<row rowsep="0">
11506
<entry colname="1">
11507
<para><command>UpdateDone</command></para>
11508
</entry>
11509
<entry colname="2">
11510
<para><command></command></para>
11511
</entry>
11512
<entry colname="3">
11513
<para>
11514
Dynamic updates completed.
11515
</para>
11516
</entry>
11517
</row>
11518
<row rowsep="0">
11519
<entry colname="1">
11520
<para><command>UpdateFail</command></para>
11521
</entry>
11522
<entry colname="2">
11523
<para><command></command></para>
11524
</entry>
11525
<entry colname="3">
11526
<para>
11527
Dynamic updates failed.
11528
</para>
11529
</entry>
11530
</row>
11531
<row rowsep="0">
11532
<entry colname="1">
11533
<para><command>UpdateBadPrereq</command></para>
11534
</entry>
11535
<entry colname="2">
11536
<para><command></command></para>
11537
</entry>
11538
<entry colname="3">
11539
<para>
11540
Dynamic updates rejected due to prerequisite failure.
11541
</para>
11542
</entry>
11543
</row>
11544
</tbody>
11545
</tgroup>
11546
</informaltable>
11547
</sect3>
11548
11549
<sect3>
11550
<title>Zone Maintenance Statistics Counters</title>
11551
11552
<informaltable colsep="0" rowsep="0">
11553
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11554
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11555
<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
11556
<tbody>
11557
<row>
11558
<entry colname="1">
11559
<para>
11560
<emphasis>Symbol</emphasis>
11561
</para>
11562
</entry>
11563
<entry colname="2">
11564
<para>
11565
<emphasis>Description</emphasis>
11566
</para>
11567
</entry>
11568
</row>
11569
11570
<row rowsep="0">
11571
<entry colname="1">
11572
<para><command>NotifyOutv4</command></para>
11573
</entry>
11574
<entry colname="2">
11575
<para>
11576
IPv4 notifies sent.
11577
</para>
11578
</entry>
11579
</row>
11580
<row rowsep="0">
11581
<entry colname="1">
11582
<para><command>NotifyOutv6</command></para>
11583
</entry>
11584
<entry colname="2">
11585
<para>
11586
IPv6 notifies sent.
11587
</para>
11588
</entry>
11589
</row>
11590
<row rowsep="0">
11591
<entry colname="1">
11592
<para><command>NotifyInv4</command></para>
11593
</entry>
11594
<entry colname="2">
11595
<para>
11596
IPv4 notifies received.
11597
</para>
11598
</entry>
11599
</row>
11600
<row rowsep="0">
11601
<entry colname="1">
11602
<para><command>NotifyInv6</command></para>
11603
</entry>
11604
<entry colname="2">
11605
<para>
11606
IPv6 notifies received.
11607
</para>
11608
</entry>
11609
</row>
11610
<row rowsep="0">
11611
<entry colname="1">
11612
<para><command>NotifyRej</command></para>
11613
</entry>
11614
<entry colname="2">
11615
<para>
11616
Incoming notifies rejected.
11617
</para>
11618
</entry>
11619
</row>
11620
<row rowsep="0">
11621
<entry colname="1">
11622
<para><command>SOAOutv4</command></para>
11623
</entry>
11624
<entry colname="2">
11625
<para>
11626
IPv4 SOA queries sent.
11627
</para>
11628
</entry>
11629
</row>
11630
<row rowsep="0">
11631
<entry colname="1">
11632
<para><command>SOAOutv6</command></para>
11633
</entry>
11634
<entry colname="2">
11635
<para>
11636
IPv6 SOA queries sent.
11637
</para>
11638
</entry>
11639
</row>
11640
<row rowsep="0">
11641
<entry colname="1">
11642
<para><command>AXFRReqv4</command></para>
11643
</entry>
11644
<entry colname="2">
11645
<para>
11646
IPv4 AXFR requested.
11647
</para>
11648
</entry>
11649
</row>
11650
<row rowsep="0">
11651
<entry colname="1">
11652
<para><command>AXFRReqv6</command></para>
11653
</entry>
11654
<entry colname="2">
11655
<para>
11656
IPv6 AXFR requested.
11657
</para>
11658
</entry>
11659
</row>
11660
<row rowsep="0">
11661
<entry colname="1">
11662
<para><command>IXFRReqv4</command></para>
11663
</entry>
11664
<entry colname="2">
11665
<para>
11666
IPv4 IXFR requested.
11667
</para>
11668
</entry>
11669
</row>
11670
<row rowsep="0">
11671
<entry colname="1">
11672
<para><command>IXFRReqv6</command></para>
11673
</entry>
11674
<entry colname="2">
11675
<para>
11676
IPv6 IXFR requested.
11677
</para>
11678
</entry>
11679
</row>
11680
<row rowsep="0">
11681
<entry colname="1">
11682
<para><command>XfrSuccess</command></para>
11683
</entry>
11684
<entry colname="2">
11685
<para>
11686
Zone transfer requests succeeded.
11687
</para>
11688
</entry>
11689
</row>
11690
<row rowsep="0">
11691
<entry colname="1">
11692
<para><command>XfrFail</command></para>
11693
</entry>
11694
<entry colname="2">
11695
<para>
11696
Zone transfer requests failed.
11697
</para>
11698
</entry>
11699
</row>
11700
</tbody>
11701
</tgroup>
11702
</informaltable>
11703
</sect3>
11704
11705
<sect3>
11706
<title>Resolver Statistics Counters</title>
11707
11708
<informaltable colsep="0" rowsep="0">
11709
<tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11710
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11711
<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11712
<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11713
<tbody>
11714
<row>
11715
<entry colname="1">
11716
<para>
11717
<emphasis>Symbol</emphasis>
11718
</para>
11719
</entry>
11720
<entry colname="2">
11721
<para>
11722
<emphasis>BIND8 Symbol</emphasis>
11723
</para>
11724
</entry>
11725
<entry colname="3">
11726
<para>
11727
<emphasis>Description</emphasis>
11728
</para>
11729
</entry>
11730
</row>
11731
11732
11733
<row rowsep="0">
11734
<entry colname="1">
11735
<para><command>Queryv4</command></para>
11736
</entry>
11737
<entry colname="2">
11738
<para><command>SFwdQ</command></para>
11739
</entry>
11740
<entry colname="3">
11741
<para>
11742
IPv4 queries sent.
11743
</para>
11744
</entry>
11745
</row>
11746
<row rowsep="0">
11747
<entry colname="1">
11748
<para><command>Queryv6</command></para>
11749
</entry>
11750
<entry colname="2">
11751
<para><command>SFwdQ</command></para>
11752
</entry>
11753
<entry colname="3">
11754
<para>
11755
IPv6 queries sent.
11756
</para>
11757
</entry>
11758
</row>
11759
<row rowsep="0">
11760
<entry colname="1">
11761
<para><command>Responsev4</command></para>
11762
</entry>
11763
<entry colname="2">
11764
<para><command>RR</command></para>
11765
</entry>
11766
<entry colname="3">
11767
<para>
11768
IPv4 responses received.
11769
</para>
11770
</entry>
11771
</row>
11772
<row rowsep="0">
11773
<entry colname="1">
11774
<para><command>Responsev6</command></para>
11775
</entry>
11776
<entry colname="2">
11777
<para><command>RR</command></para>
11778
</entry>
11779
<entry colname="3">
11780
<para>
11781
IPv6 responses received.
11782
</para>
11783
</entry>
11784
</row>
11785
<row rowsep="0">
11786
<entry colname="1">
11787
<para><command>NXDOMAIN</command></para>
11788
</entry>
11789
<entry colname="2">
11790
<para><command>RNXD</command></para>
11791
</entry>
11792
<entry colname="3">
11793
<para>
11794
NXDOMAIN received.
11795
</para>
11796
</entry>
11797
</row>
11798
<row rowsep="0">
11799
<entry colname="1">
11800
<para><command>SERVFAIL</command></para>
11801
</entry>
11802
<entry colname="2">
11803
<para><command>RFail</command></para>
11804
</entry>
11805
<entry colname="3">
11806
<para>
11807
SERVFAIL received.
11808
</para>
11809
</entry>
11810
</row>
11811
<row rowsep="0">
11812
<entry colname="1">
11813
<para><command>FORMERR</command></para>
11814
</entry>
11815
<entry colname="2">
11816
<para><command>RFErr</command></para>
11817
</entry>
11818
<entry colname="3">
11819
<para>
11820
FORMERR received.
11821
</para>
11822
</entry>
11823
</row>
11824
<row rowsep="0">
11825
<entry colname="1">
11826
<para><command>OtherError</command></para>
11827
</entry>
11828
<entry colname="2">
11829
<para><command>RErr</command></para>
11830
</entry>
11831
<entry colname="3">
11832
<para>
11833
Other errors received.
11834
</para>
11835
</entry>
11836
</row>
11837
<row rowsep="0">
11838
<entry colname="1">
11839
<para><command>EDNS0Fail</command></para>
11840
</entry>
11841
<entry colname="2">
11842
<para><command></command></para>
11843
</entry>
11844
<entry colname="3">
11845
<para>
11846
EDNS(0) query failures.
11847
</para>
11848
</entry>
11849
</row>
11850
<row rowsep="0">
11851
<entry colname="1">
11852
<para><command>Mismatch</command></para>
11853
</entry>
11854
<entry colname="2">
11855
<para><command>RDupR</command></para>
11856
</entry>
11857
<entry colname="3">
11858
<para>
11859
Mismatch responses received.
11860
When shown via an HTTP statistics channel,
11861
this counter is shown in the
11862
Name Server Statistics section for brevity.
11863
</para>
11864
</entry>
11865
</row>
11866
<row rowsep="0">
11867
<entry colname="1">
11868
<para><command>Truncated</command></para>
11869
</entry>
11870
<entry colname="2">
11871
<para><command></command></para>
11872
</entry>
11873
<entry colname="3">
11874
<para>
11875
Truncated responses received.
11876
</para>
11877
</entry>
11878
</row>
11879
<row rowsep="0">
11880
<entry colname="1">
11881
<para><command>Lame</command></para>
11882
</entry>
11883
<entry colname="2">
11884
<para><command>RLame</command></para>
11885
</entry>
11886
<entry colname="3">
11887
<para>
11888
Lame delegations received.
11889
</para>
11890
</entry>
11891
</row>
11892
<row rowsep="0">
11893
<entry colname="1">
11894
<para><command>Retry</command></para>
11895
</entry>
11896
<entry colname="2">
11897
<para><command>SDupQ</command></para>
11898
</entry>
11899
<entry colname="3">
11900
<para>
11901
Query retries performed.
11902
</para>
11903
</entry>
11904
</row>
11905
<row rowsep="0">
11906
<entry colname="1">
11907
<para><command>GlueFetchv4</command></para>
11908
</entry>
11909
<entry colname="2">
11910
<para><command>SSysQ</command></para>
11911
</entry>
11912
<entry colname="3">
11913
<para>
11914
IPv4 NS address fetches invoked.
11915
</para>
11916
</entry>
11917
</row>
11918
<row rowsep="0">
11919
<entry colname="1">
11920
<para><command>GlueFetchv6</command></para>
11921
</entry>
11922
<entry colname="2">
11923
<para><command>SSysQ</command></para>
11924
</entry>
11925
<entry colname="3">
11926
<para>
11927
IPv6 NS address fetches invoked.
11928
</para>
11929
</entry>
11930
</row>
11931
<row rowsep="0">
11932
<entry colname="1">
11933
<para><command>GlueFetchv4Fail</command></para>
11934
</entry>
11935
<entry colname="2">
11936
<para><command></command></para>
11937
</entry>
11938
<entry colname="3">
11939
<para>
11940
IPv4 NS address fetch failed.
11941
</para>
11942
</entry>
11943
</row>
11944
<row rowsep="0">
11945
<entry colname="1">
11946
<para><command>GlueFetchv6Fail</command></para>
11947
</entry>
11948
<entry colname="2">
11949
<para><command></command></para>
11950
</entry>
11951
<entry colname="3">
11952
<para>
11953
IPv6 NS address fetch failed.
11954
</para>
11955
</entry>
11956
</row>
11957
<row rowsep="0">
11958
<entry colname="1">
11959
<para><command>ValAttempt</command></para>
11960
</entry>
11961
<entry colname="2">
11962
<para><command></command></para>
11963
</entry>
11964
<entry colname="3">
11965
<para>
11966
DNSSEC validation attempted.
11967
</para>
11968
</entry>
11969
</row>
11970
<row rowsep="0">
11971
<entry colname="1">
11972
<para><command>ValOk</command></para>
11973
</entry>
11974
<entry colname="2">
11975
<para><command></command></para>
11976
</entry>
11977
<entry colname="3">
11978
<para>
11979
DNSSEC validation succeeded.
11980
</para>
11981
</entry>
11982
</row>
11983
<row rowsep="0">
11984
<entry colname="1">
11985
<para><command>ValNegOk</command></para>
11986
</entry>
11987
<entry colname="2">
11988
<para><command></command></para>
11989
</entry>
11990
<entry colname="3">
11991
<para>
11992
DNSSEC validation on negative information succeeded.
11993
</para>
11994
</entry>
11995
</row>
11996
<row rowsep="0">
11997
<entry colname="1">
11998
<para><command>ValFail</command></para>
11999
</entry>
12000
<entry colname="2">
12001
<para><command></command></para>
12002
</entry>
12003
<entry colname="3">
12004
<para>
12005
DNSSEC validation failed.
12006
</para>
12007
</entry>
12008
</row>
12009
12010
</tbody>
12011
</tgroup>
12012
</informaltable>
12013
12014
</sect3>
12015
12016
<sect3>
12017
<title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
12018
<para>
12019
Most statistics counters that were available
12020
in <command>BIND</command> 8 are also supported in
12021
<command>BIND</command> 9 as shown in the above tables.
12022
Here are notes about other counters that do not appear
12023
in these tables.
12024
</para>
12025
12026
<variablelist>
12027
<varlistentry>
12028
<term><command>RFwdR,SFwdR</command></term>
12029
<listitem>
12030
<para>
12031
These counters are not supported
12032
because <command>BIND</command> 9 does not adopt
12033
the notion of <emphasis>forwarding</emphasis>
12034
as <command>BIND</command> 8 did.
12035
</para>
12036
</listitem>
12037
</varlistentry>
12038
12039
<varlistentry>
12040
<term><command>RAXFR</command></term>
12041
<listitem>
12042
<para>
12043
This counter is accessible in the Incoming Queries section.
12044
</para>
12045
</listitem>
12046
</varlistentry>
12047
12048
<varlistentry>
12049
<term><command>RIQ</command></term>
12050
<listitem>
12051
<para>
12052
This counter is accessible in the Incoming Requests section.
12053
</para>
12054
</listitem>
12055
</varlistentry>
12056
12057
<varlistentry>
12058
<term><command>ROpts</command></term>
12059
<listitem>
12060
<para>
12061
This counter is not supported
12062
because <command>BIND</command> 9 does not care
12063
about IP options in the first place.
12064
</para>
12065
</listitem>
12066
</varlistentry>
12067
12068
<varlistentry>
12069
<term><command>SErr</command></term>
12070
<listitem>
12071
<para>
12072
This counter could be implemented, but is not yet
12073
supported.
12074
</para>
12075
</listitem>
12076
</varlistentry>
12077
12078
</variablelist>
12079
</sect3>
12080
</sect2>
12081
</sect1>
12082
12083
</chapter>
12084
<chapter id="Bv9ARM.ch07">
12085
<title><acronym>BIND</acronym> 9 Security Considerations</title>
12086
<sect1 id="Access_Control_Lists">
12087
<title>Access Control Lists</title>
12088
<para>
12089
Access Control Lists (ACLs), are address match lists that
12090
you can set up and nickname for future use in <command>allow-notify</command>,
12091
<command>allow-query</command>, <command>allow-query-on</command>,
12092
<command>allow-recursion</command>, <command>allow-recursion-on</command>,
12093
<command>blackhole</command>, <command>allow-transfer</command>,
12094
etc.
12095
</para>
12096
<para>
12097
Using ACLs allows you to have finer control over who can access
12098
your name server, without cluttering up your config files with huge
12099
lists of IP addresses.
12100
</para>
12101
<para>
12102
It is a <emphasis>good idea</emphasis> to use ACLs, and to
12103
control access to your server. Limiting access to your server by
12104
outside parties can help prevent spoofing and denial of service (DoS) attacks against
12105
your server.
12106
</para>
12107
<para>
12108
Here is an example of how to properly apply ACLs:
12109
</para>
12110
5725
12111
<programlisting>
5726
// Set up an ACL named "bogusnets" that will block RFC1918 space,
5727
// which is commonly used in spoofing attacks.
5728
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
12112
// Set up an ACL named "bogusnets" that will block RFC1918 space
12113
// and some reserved space, which is commonly used in spoofing attacks.
12114
acl bogusnets {
12115
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
12116
10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
12117
};
12118
5729
12119
// Set up an ACL called our-nets. Replace this with the real IP numbers.
5730
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
12120
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
5731
12121
options {
5732
12122
...
5733
12123
...
5737
12127
blackhole { bogusnets; };
5738
12128
...
5739
12129
};
12130
5740
12131
zone "example.com" {
5741
12132
type master;
5742
12133
file "m/example.com";
5743
12134
allow-query { any; };
5744
12135
};
5745
12136
</programlisting>
5746
<para>This allows recursive queries of the server from the outside
5747
unless recursion has been previously disabled.</para>
5748
<para>For more information on how to use ACLs to protect your server,
5749
see the <emphasis>AUSCERT</emphasis> advisory at
5750
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
5751
<sect1><title><command>chroot</command> and <command>setuid</command> (for
5752
UNIX servers)</title>
5753
<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
5754
(<command>chroot()</command>) by specifying the "<option>-t</option>"
5755
option. This can help improve system security by placing <acronym>BIND</acronym> in
5756
a "sandbox", which will limit the damage done if a server is compromised.</para>
5757
<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
5758
ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
5759
We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
5760
<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
5761
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
5762
user 202:</para>
5763
<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
5764
5765
<sect2><title>The <command>chroot</command> Environment</title>
5766
5767
<para>In order for a <command>chroot()</command> environment to
5768
work properly in a particular directory
5769
(for example, <filename>/var/named</filename>),
5770
you will need to set up an environment that includes everything
5771
<acronym>BIND</acronym> needs to run.
5772
From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
5773
the root of the filesystem. You will need to adjust the values of options like
5774
like <command>directory</command> and <command>pid-file</command> to account
5775
for this.
5776
</para>
5777
<para>
5778
Unlike with earlier versions of BIND, you will typically
5779
<emphasis>not</emphasis> need to compile <command>named</command>
5780
statically nor install shared libraries under the new root.
5781
However, depending on your operating system, you may need
5782
to set up things like
5783
<filename>/dev/zero</filename>,
5784
<filename>/dev/random</filename>,
5785
<filename>/dev/log</filename>, and/or
5786
<filename>/etc/localtime</filename>.
5787
</para>
5788
</sect2>
5789
5790
<sect2><title>Using the <command>setuid</command> Function</title>
5791
5792
<para>Prior to running the <command>named</command> daemon, use
5793
the <command>touch</command> utility (to change file access and
5794
modification times) or the <command>chown</command> utility (to
5795
set the user id and/or group id) on files
5796
to which you want <acronym>BIND</acronym>
5797
to write. Note that if the <command>named</command> daemon is running as an
5798
unprivileged user, it will not be able to bind to new restricted ports if the
5799
server is reloaded.</para>
5800
</sect2>
5801
</sect1>
5802
5803
<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
5804
5805
<para>Access to the dynamic
5806
update facility should be strictly limited. In earlier versions of
5807
<acronym>BIND</acronym> the only way to do this was based on the IP
5808
address of the host requesting the update, by listing an IP address or
5809
network prefix in the <command>allow-update</command> zone option.
5810
This method is insecure since the source address of the update UDP packet
5811
is easily forged. Also note that if the IP addresses allowed by the
5812
<command>allow-update</command> option include the address of a slave
5813
server which performs forwarding of dynamic updates, the master can be
5814
trivially attacked by sending the update to the slave, which will
5815
forward it to the master with its own source IP address causing the
5816
master to approve it without question.</para>
5817
5818
<para>For these reasons, we strongly recommend that updates be
5819
cryptographically authenticated by means of transaction signatures
5820
(TSIG). That is, the <command>allow-update</command> option should
5821
list only TSIG key names, not IP addresses or network
5822
prefixes. Alternatively, the new <command>update-policy</command>
5823
option can be used.</para>
5824
5825
<para>Some sites choose to keep all dynamically updated DNS data
5826
in a subdomain and delegate that subdomain to a separate zone. This
5827
way, the top-level zone containing critical data such as the IP addresses
5828
of public web and mail servers need not allow dynamic update at
5829
all.</para>
5830
5831
</sect1></chapter>
5832
5833
<chapter id="Bv9ARM.ch08">
5834
<title>Troubleshooting</title>
5835
<sect1>
5836
<title>Common Problems</title>
5837
<sect2>
5838
<title>It's not working; how can I figure out what's wrong?</title>
5839
5840
<para>The best solution to solving installation and
5841
configuration issues is to take preventative measures by setting
5842
up logging files beforehand. The log files provide a
5843
source of hints and information that can be used to figure out
5844
what went wrong and how to fix the problem.</para>
5845
5846
</sect2>
5847
</sect1>
5848
<sect1>
5849
<title>Incrementing and Changing the Serial Number</title>
5850
5851
<para>Zone serial numbers are just numbers-they aren't date
5852
related. A lot of people set them to a number that represents a
5853
date, usually of the form YYYYMMDDRR. A number of people have been
5854
testing these numbers for Y2K compliance and have set the number
5855
to the year 2000 to see if it will work. They then try to restore
5856
the old serial number. This will cause problems because serial
5857
numbers are used to indicate that a zone has been updated. If the
5858
serial number on the slave server is lower than the serial number
5859
on the master, the slave server will attempt to update its copy of
5860
the zone.</para>
5861
5862
<para>Setting the serial number to a lower number on the master
5863
server than the slave server means that the slave will not perform
5864
updates to its copy of the zone.</para>
5865
5866
<para>The solution to this is to add 2147483647 (2^31-1) to the
5867
number, reload the zone and make sure all slaves have updated to
5868
the new zone serial number, then reset the number to what you want
5869
it to be, and reload the zone again.</para>
5870
5871
</sect1>
5872
<sect1>
5873
<title>Where Can I Get Help?</title>
5874
5875
<para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
5876
of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
5877
levels of premium support are available and each level includes
5878
support for all <acronym>ISC</acronym> programs, significant discounts on products
5879
and training, and a recognized priority on bug fixes and
5880
non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
5881
support agreement package which includes services ranging from bug
5882
fix announcements to remote support. It also includes training in
5883
<acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
5884
5885
<para>To discuss arrangements for support, contact
5886
<ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
5887
<acronym>ISC</acronym> web page at <ulink
5888
url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
5889
to read more.</para>
5890
</sect1>
5891
</chapter>
5892
<appendix id="Bv9ARM.ch09">
5893
<title>Appendices</title>
5894
<sect1>
5895
<title>Acknowledgments</title>
5896
<sect2>
5897
<title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
5898
5899
<para>Although the "official" beginning of the Domain Name
5900
System occurred in 1984 with the publication of RFC 920, the
5901
core of the new system was described in 1983 in RFCs 882 and
5902
883. From 1984 to 1987, the ARPAnet (the precursor to today's
5903
Internet) became a testbed of experimentation for developing the
5904
new naming/addressing scheme in an rapidly expanding,
5905
operational network environment. New RFCs were written and
5906
published in 1987 that modified the original documents to
5907
incorporate improvements based on the working model. RFC 1034,
5908
"Domain Names-Concepts and Facilities", and RFC 1035, "Domain
5909
Names-Implementation and Specification" were published and
5910
became the standards upon which all <acronym>DNS</acronym> implementations are
5911
built.
5912
</para>
5913
5914
<para>The first working domain name server, called "Jeeves", was
5915
written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
5916
machines located at the University of Southern California's Information
5917
Sciences Institute (USC-ISI) and SRI International's Network Information
5918
Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
5919
Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
5920
graduate students at the University of California at Berkeley under
5921
a grant from the US Defense Advanced Research Projects Administration
5922
(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
5923
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
5924
Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
5925
project team. After that, additional work on the software package
5926
was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
5927
employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
5928
to 1987. Many other people also contributed to <acronym>BIND</acronym> development
5929
during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
5930
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
5931
handled by Mike Karels and O. Kure.</para>
5932
<para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
5933
Corporation (now Compaq Computer Corporation). Paul Vixie, then
5934
a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
5935
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
5936
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
5937
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
5938
Wolfhugel, and others.</para>
5939
<para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
5940
Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
5941
<para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
5942
by the Internet Software Consortium with support being provided
5943
by ISC's sponsors. As co-architects/programmers, Bob Halley and
5944
Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
5945
8 in May 1997.</para>
5946
<para><acronym>BIND</acronym> development work is made possible today by the sponsorship
5947
of several corporations, and by the tireless work efforts of numerous
5948
individuals.</para>
5949
</sect2>
5950
</sect1>
5951
<sect1 id="historical_dns_information">
5952
5953
<title>General <acronym>DNS</acronym> Reference Information</title>
5954
<sect2 id="ipv6addresses">
5955
<title>IPv6 addresses (AAAA)</title>
5956
<para>IPv6 addresses are 128-bit identifiers for interfaces and
5957
sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
5958
scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
5959
an identifier for a single interface; <emphasis>Anycast</emphasis>,
5960
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
5961
an identifier for a set of interfaces. Here we describe the global
5962
Unicast address scheme. For more information, see RFC 2374.</para>
5963
<para>The aggregatable global Unicast address format is as follows:</para>
5964
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
5965
colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
5966
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
5967
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
5968
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
5969
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
5970
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
5971
<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
5972
<tbody>
5973
<row rowsep = "0">
5974
<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
5975
<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
5976
<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
5977
<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
5978
<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
5979
<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
5980
</row>
5981
<row rowsep = "0">
5982
<entry colname = "1" colsep = "1"><para>FP</para></entry>
5983
<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
5984
<entry colname = "3" colsep = "1"><para>RES</para></entry>
5985
<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
5986
<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
5987
<entry colname = "6"><para>Interface ID</para></entry>
5988
</row>
5989
<row rowsep = "0">
5990
<entry nameend = "4" namest = "1"><para><------ Public Topology
5991
------></para></entry>
5992
<entry colname = "5"><para></para></entry>
5993
<entry colname = "6"><para></para></entry>
5994
</row>
5995
<row rowsep = "0">
5996
<entry colname = "1"><para></para></entry>
5997
<entry colname = "2"><para></para></entry>
5998
<entry colname = "3"><para></para></entry>
5999
<entry colname = "4"><para></para></entry>
6000
<entry colname = "5"><para><-Site Topology-></para></entry>
6001
<entry colname = "6"><para></para></entry>
6002
</row>
6003
<row rowsep = "0">
6004
<entry colname = "1"><para></para></entry>
6005
<entry colname = "2"><para></para></entry>
6006
<entry colname = "3"><para></para></entry>
6007
<entry colname = "4"><para></para></entry>
6008
<entry colname = "5"><para></para></entry>
6009
<entry colname = "6"><para><------ Interface Identifier ------></para></entry>
6010
</row>
6011
</tbody>
6012
</tgroup></informaltable>
6013
<para>Where
6014
<informaltable colsep = "0" rowsep = "0"><tgroup
6015
cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
6016
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
6017
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
6018
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
6019
<tbody>
6020
<row rowsep = "0">
6021
<entry colname = "1"><para>FP</para></entry>
6022
<entry colname = "2"><para>=</para></entry>
6023
<entry colname = "3"><para>Format Prefix (001)</para></entry>
6024
</row>
6025
<row rowsep = "0">
6026
<entry colname = "1"><para>TLA ID</para></entry>
6027
<entry colname = "2"><para>=</para></entry>
6028
<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
6029
</row>
6030
<row rowsep = "0">
6031
<entry colname = "1"><para>RES</para></entry>
6032
<entry colname = "2"><para>=</para></entry>
6033
<entry colname = "3"><para>Reserved for future use</para></entry>
6034
</row>
6035
<row rowsep = "0">
6036
<entry colname = "1"><para>NLA ID</para></entry>
6037
<entry colname = "2"><para>=</para></entry>
6038
<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
6039
</row>
6040
<row rowsep = "0">
6041
<entry colname = "1"><para>SLA ID</para></entry>
6042
<entry colname = "2"><para>=</para></entry>
6043
<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
6044
</row>
6045
<row rowsep = "0">
6046
<entry colname = "1"><para>INTERFACE ID</para></entry>
6047
<entry colname = "2"><para>=</para></entry>
6048
<entry colname = "3"><para>Interface Identifier</para></entry>
6049
</row>
6050
</tbody>
6051
</tgroup></informaltable></para>
6052
<para>The <emphasis>Public Topology</emphasis> is provided by the
6053
upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
6054
of the address range. The <emphasis>Site Topology</emphasis> is
6055
where you can subnet this space, much the same as subnetting an
6056
IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
6057
the address of an individual interface on a given network. (With
6058
IPv6, addresses belong to interfaces rather than machines.)</para>
6059
<para>The subnetting capability of IPv6 is much more flexible than
6060
that of IPv4: subnetting can now be carried out on bit boundaries,
6061
in much the same way as Classless InterDomain Routing (CIDR).</para>
6062
<para>The Interface Identifier must be unique on that network. On
6063
ethernet networks, one way to ensure this is to set the address
6064
to the first three bytes of the hardware address, "FFFE", then the
6065
last three bytes of the hardware address. The lowest significant
6066
bit of the first byte should then be complemented. Addresses are
6067
written as 32-bit blocks separated with a colon, and leading zeros
6068
of a block may be omitted, for example:</para>
6069
<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
6070
<para>IPv6 address specifications are likely to contain long strings
6071
of zeros, so the architects have included a shorthand for specifying
6072
them. The double colon (`::') indicates the longest possible string
6073
of zeros that can fit, and can be used only once in an address.</para>
6074
</sect2>
6075
</sect1>
6076
<sect1 id="bibliography">
6077
<title>Bibliography (and Suggested Reading)</title>
6078
<sect2 id="rfcs">
6079
<title>Request for Comments (RFCs)</title>
6080
<para>Specification documents for the Internet protocol suite, including
6081
the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
6082
series of technical notes. The standards themselves are defined
6083
by the Internet Engineering Task Force (IETF) and the Internet Engineering
6084
Steering Group (IESG). RFCs can be obtained online via FTP at
6085
<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
6086
the number of the RFC). RFCs are also available via the Web at
6087
<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
6088
</para>
6089
<bibliography>
6090
<bibliodiv>
6091
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
6092
<title>Standards</title>
6093
<biblioentry>
6094
<abbrev>RFC974</abbrev>
6095
<author>
6096
<surname>Partridge</surname>
6097
<firstname>C.</firstname>
6098
</author>
6099
<title>Mail Routing and the Domain System</title>
6100
<pubdate>January 1986</pubdate>
6101
</biblioentry>
6102
<biblioentry>
6103
<abbrev>RFC1034</abbrev>
6104
<author>
6105
<surname>Mockapetris</surname>
6106
<firstname>P.V.</firstname>
6107
</author>
6108
<title>Domain Names — Concepts and Facilities</title>
6109
<pubdate>November 1987</pubdate>
6110
</biblioentry>
6111
<biblioentry>
6112
<abbrev>RFC1035</abbrev>
6113
<author>
6114
<surname>Mockapetris</surname>
6115
<firstname>P. V.</firstname>
6116
</author> <title>Domain Names — Implementation and
6117
Specification</title>
6118
<pubdate>November 1987</pubdate>
6119
</biblioentry>
6120
</bibliodiv>
6121
<bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
6122
6123
<title>Proposed Standards</title>
6124
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
6125
<biblioentry>
6126
<abbrev>RFC2181</abbrev>
6127
<author>
6128
<surname>Elz</surname>
6129
<firstname>R., R. Bush</firstname>
6130
</author>
6131
<title>Clarifications to the <acronym>DNS</acronym> Specification</title>
6132
<pubdate>July 1997</pubdate>
6133
</biblioentry>
6134
<biblioentry>
6135
<abbrev>RFC2308</abbrev>
6136
<author>
6137
<surname>Andrews</surname>
6138
<firstname>M.</firstname>
6139
</author>
6140
<title>Negative Caching of <acronym>DNS</acronym> Queries</title>
6141
<pubdate>March 1998</pubdate>
6142
</biblioentry>
6143
<biblioentry>
6144
<abbrev>RFC1995</abbrev>
6145
<author>
6146
<surname>Ohta</surname>
6147
<firstname>M.</firstname>
6148
</author>
6149
<title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
6150
<pubdate>August 1996</pubdate>
6151
</biblioentry>
6152
<biblioentry>
6153
<abbrev>RFC1996</abbrev>
6154
<author>
6155
<surname>Vixie</surname>
6156
<firstname>P.</firstname>
6157
</author>
6158
<title>A Mechanism for Prompt Notification of Zone Changes</title>
6159
<pubdate>August 1996</pubdate>
6160
</biblioentry>
6161
<biblioentry>
6162
<abbrev>RFC2136</abbrev>
6163
<authorgroup>
6164
<author>
6165
<surname>Vixie</surname>
6166
<firstname>P.</firstname>
6167
</author>
6168
<author>
6169
<firstname>S.</firstname>
6170
<surname>Thomson</surname>
6171
</author>
6172
<author>
6173
<firstname>Y.</firstname>
6174
<surname>Rekhter</surname>
6175
</author>
6176
<author>
6177
<firstname>J.</firstname>
6178
<surname>Bound</surname>
6179
</author>
6180
</authorgroup>
6181
<title>Dynamic Updates in the Domain Name System</title>
6182
<pubdate>April 1997</pubdate>
6183
</biblioentry>
6184
<biblioentry>
6185
<abbrev>RFC2845</abbrev>
6186
<authorgroup>
6187
<author>
6188
<surname>Vixie</surname>
6189
<firstname>P.</firstname>
6190
</author>
6191
<author>
6192
<firstname>O.</firstname>
6193
<surname>Gudmundsson</surname>
6194
</author>
6195
<author>
6196
<firstname>D.</firstname>
6197
<surname>Eastlake</surname>
6198
<lineage>3rd</lineage></author>
6199
<author>
6200
<firstname>B.</firstname>
6201
<surname>Wellington</surname>
6202
</author></authorgroup>
6203
<title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
6204
<pubdate>May 2000</pubdate>
6205
</biblioentry>
6206
</bibliodiv>
6207
<bibliodiv>
6208
<title>Proposed Standards Still Under Development</title>
6209
<note>
6210
<para><emphasis>Note:</emphasis> the following list of
6211
RFCs are undergoing major revision by the IETF.</para>
6212
</note>
6213
<biblioentry>
6214
<abbrev>RFC1886</abbrev>
6215
<authorgroup>
6216
<author>
6217
<surname>Thomson</surname>
6218
<firstname>S.</firstname>
6219
</author>
6220
<author>
6221
<firstname>C.</firstname>
6222
<surname>Huitema</surname>
6223
</author>
6224
</authorgroup>
6225
<title><acronym>DNS</acronym> Extensions to support IP version 6</title>
6226
<pubdate>December 1995</pubdate>
6227
</biblioentry>
6228
<biblioentry>
6229
<abbrev>RFC2065</abbrev>
6230
<authorgroup>
6231
<author>
6232
<surname>Eastlake</surname>
6233
<lineage>3rd</lineage>
6234
<firstname>D.</firstname>
6235
</author>
6236
<author>
6237
<firstname>C.</firstname>
6238
<surname>Kaufman</surname>
6239
</author>
6240
</authorgroup>
6241
<title>Domain Name System Security Extensions</title>
6242
<pubdate>January 1997</pubdate>
6243
</biblioentry>
6244
<biblioentry>
6245
<abbrev>RFC2137</abbrev>
6246
<author>
6247
<surname>Eastlake</surname>
6248
<lineage>3rd</lineage>
6249
<firstname>D.</firstname>
6250
</author>
6251
<title>Secure Domain Name System Dynamic Update</title>
6252
<pubdate>April 1997</pubdate>
6253
</biblioentry>
6254
</bibliodiv>
6255
<bibliodiv>
6256
<title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
6257
<biblioentry>
6258
<abbrev>RFC1535</abbrev>
6259
<author>
6260
<surname>Gavron</surname>
6261
<firstname>E.</firstname>
6262
</author>
6263
<title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
6264
<pubdate>October 1993</pubdate>
6265
</biblioentry>
6266
<biblioentry>
6267
<abbrev>RFC1536</abbrev>
6268
<authorgroup>
6269
<author>
6270
<surname>Kumar</surname>
6271
<firstname>A.</firstname>
6272
</author>
6273
<author>
6274
<firstname>J.</firstname>
6275
<surname>Postel</surname>
6276
</author>
6277
<author>
6278
<firstname>C.</firstname>
6279
<surname>Neuman</surname></author>
6280
<author>
6281
<firstname>P.</firstname>
6282
<surname>Danzig</surname>
6283
</author>
6284
<author>
6285
<firstname>S.</firstname>
6286
<surname>Miller</surname>
6287
</author>
6288
</authorgroup>
6289
<title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
6290
<pubdate>October 1993</pubdate>
6291
</biblioentry>
6292
<biblioentry>
6293
<abbrev>RFC1982</abbrev>
6294
<authorgroup>
6295
<author>
6296
<surname>Elz</surname>
6297
<firstname>R.</firstname>
6298
</author>
6299
<author>
6300
<firstname>R.</firstname>
6301
<surname>Bush</surname>
6302
</author>
6303
</authorgroup>
6304
<title>Serial Number Arithmetic</title>
6305
<pubdate>August 1996</pubdate>
6306
</biblioentry>
6307
</bibliodiv>
6308
<bibliodiv>
6309
<title>Resource Record Types</title>
6310
<biblioentry>
6311
<abbrev>RFC1183</abbrev>
6312
<authorgroup>
6313
<author>
6314
<surname>Everhart</surname>
6315
<firstname>C.F.</firstname>
6316
</author>
6317
<author>
6318
<firstname>L. A.</firstname>
6319
<surname>Mamakos</surname>
6320
</author>
6321
<author>
6322
<firstname>R.</firstname>
6323
<surname>Ullmann</surname>
6324
</author>
6325
<author>
6326
<firstname>P.</firstname>
6327
<surname>Mockapetris</surname>
6328
</author>
6329
</authorgroup>
6330
<title>New <acronym>DNS</acronym> RR Definitions</title>
6331
<pubdate>October 1990</pubdate>
6332
</biblioentry>
6333
<biblioentry>
6334
<abbrev>RFC1706</abbrev>
6335
<authorgroup>
6336
<author>
6337
<surname>Manning</surname>
6338
<firstname>B.</firstname>
6339
</author>
6340
<author>
6341
<firstname>R.</firstname>
6342
<surname>Colella</surname>
6343
</author>
6344
</authorgroup>
6345
<title><acronym>DNS</acronym> NSAP Resource Records</title>
6346
<pubdate>October 1994</pubdate>
6347
</biblioentry>
6348
<biblioentry>
6349
<abbrev>RFC2168</abbrev>
6350
<authorgroup>
6351
<author>
6352
<surname>Daniel</surname>
6353
<firstname>R.</firstname>
6354
</author>
6355
<author>
6356
<firstname>M.</firstname>
6357
<surname>Mealling</surname>
6358
</author>
6359
</authorgroup>
6360
<title>Resolution of Uniform Resource Identifiers using
6361
the Domain Name System</title>
6362
<pubdate>June 1997</pubdate>
6363
</biblioentry>
6364
<biblioentry>
6365
<abbrev>RFC1876</abbrev>
6366
<authorgroup>
6367
<author>
6368
<surname>Davis</surname>
6369
<firstname>C.</firstname>
6370
</author>
6371
<author>
6372
<firstname>P.</firstname>
6373
<surname>Vixie</surname>
6374
</author>
6375
<author>
6376
<firstname>T.</firstname>
6377
<firstname>Goodwin</firstname>
6378
</author>
6379
<author>
6380
<firstname>I.</firstname>
6381
<surname>Dickinson</surname>
6382
</author>
6383
</authorgroup>
6384
<title>A Means for Expressing Location Information in the Domain
6385
Name System</title>
6386
<pubdate>January 1996</pubdate>
6387
</biblioentry>
6388
<biblioentry>
6389
<abbrev>RFC2052</abbrev>
6390
<authorgroup>
6391
<author>
6392
<surname>Gulbrandsen</surname>
6393
<firstname>A.</firstname>
6394
</author>
6395
<author>
6396
<firstname>P.</firstname>
6397
<surname>Vixie</surname>
6398
</author>
6399
</authorgroup>
6400
<title>A <acronym>DNS</acronym> RR for Specifying the Location of
6401
Services.</title>
6402
<pubdate>October 1996</pubdate>
6403
</biblioentry>
6404
<biblioentry>
6405
<abbrev>RFC2163</abbrev>
6406
<author>
6407
<surname>Allocchio</surname>
6408
<firstname>A.</firstname>
6409
</author>
6410
<title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
6411
Conformant Global Address Mapping</title>
6412
<pubdate>January 1998</pubdate>
6413
</biblioentry>
6414
<biblioentry>
6415
<abbrev>RFC2230</abbrev>
6416
<author>
6417
<surname>Atkinson</surname>
6418
<firstname>R.</firstname>
6419
</author>
6420
<title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
6421
<pubdate>October 1997</pubdate>
6422
</biblioentry>
6423
</bibliodiv>
6424
<bibliodiv>
6425
<title><acronym>DNS</acronym> and the Internet</title>
6426
<biblioentry>
6427
<abbrev>RFC1101</abbrev>
6428
<author>
6429
<surname>Mockapetris</surname>
6430
<firstname>P. V.</firstname>
6431
</author>
6432
<title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
6433
<pubdate>April 1989</pubdate>
6434
</biblioentry>
6435
<biblioentry>
6436
<abbrev>RFC1123</abbrev>
6437
<author>
6438
<surname>Braden</surname>
6439
<surname>R.</surname>
6440
</author>
6441
<title>Requirements for Internet Hosts - Application and Support</title>
6442
<pubdate>October 1989</pubdate>
6443
</biblioentry>
6444
<biblioentry>
6445
<abbrev>RFC1591</abbrev>
6446
<author>
6447
<surname>Postel</surname>
6448
<firstname>J.</firstname></author>
6449
<title>Domain Name System Structure and Delegation</title>
6450
<pubdate>March 1994</pubdate></biblioentry>
6451
<biblioentry>
6452
<abbrev>RFC2317</abbrev>
6453
<authorgroup>
6454
<author>
6455
<surname>Eidnes</surname>
6456
<firstname>H.</firstname>
6457
</author>
6458
<author>
6459
<firstname>G.</firstname>
6460
<surname>de Groot</surname>
6461
</author>
6462
<author>
6463
<firstname>P.</firstname>
6464
<surname>Vixie</surname>
6465
</author>
6466
</authorgroup>
6467
<title>Classless IN-ADDR.ARPA Delegation</title>
6468
<pubdate>March 1998</pubdate>
6469
</biblioentry>
6470
</bibliodiv>
6471
<bibliodiv>
6472
<title><acronym>DNS</acronym> Operations</title>
6473
<biblioentry>
6474
<abbrev>RFC1537</abbrev>
6475
<author>
6476
<surname>Beertema</surname>
6477
<firstname>P.</firstname>
6478
</author>
6479
<title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
6480
<pubdate>October 1993</pubdate>
6481
</biblioentry>
6482
<biblioentry>
6483
<abbrev>RFC1912</abbrev>
6484
<author>
6485
<surname>Barr</surname>
6486
<firstname>D.</firstname>
6487
</author>
6488
<title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
6489
<pubdate>February 1996</pubdate>
6490
</biblioentry>
6491
<biblioentry>
6492
<abbrev>RFC2010</abbrev>
6493
<authorgroup>
6494
<author>
6495
<surname>Manning</surname>
6496
<firstname>B.</firstname>
6497
</author>
6498
<author>
6499
<firstname>P.</firstname>
6500
<surname>Vixie</surname>
6501
</author>
6502
</authorgroup>
6503
<title>Operational Criteria for Root Name Servers.</title>
6504
<pubdate>October 1996</pubdate>
6505
</biblioentry>
6506
<biblioentry>
6507
<abbrev>RFC2219</abbrev>
6508
<authorgroup>
6509
<author>
6510
<surname>Hamilton</surname>
6511
<firstname>M.</firstname>
6512
</author>
6513
<author>
6514
<firstname>R.</firstname>
6515
<surname>Wright</surname>
6516
</author>
6517
</authorgroup>
6518
<title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
6519
<pubdate>October 1997</pubdate>
6520
</biblioentry>
6521
</bibliodiv>
6522
<bibliodiv>
6523
<title>Other <acronym>DNS</acronym>-related RFCs</title>
6524
<note>
6525
<para>Note: the following list of RFCs, although
6526
<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
6527
</note>
6528
<biblioentry>
6529
<abbrev>RFC1464</abbrev>
6530
<author>
6531
<surname>Rosenbaum</surname>
6532
<firstname>R.</firstname>
6533
</author>
6534
<title>Using the Domain Name System To Store Arbitrary String Attributes</title>
6535
<pubdate>May 1993</pubdate>
6536
</biblioentry>
6537
<biblioentry>
6538
<abbrev>RFC1713</abbrev>
6539
<author>
6540
<surname>Romao</surname>
6541
<firstname>A.</firstname>
6542
</author>
6543
<title>Tools for <acronym>DNS</acronym> Debugging</title>
6544
<pubdate>November 1994</pubdate></biblioentry>
6545
<biblioentry>
6546
<abbrev>RFC1794</abbrev>
6547
<author>
6548
<surname>Brisco</surname>
6549
<firstname>T.</firstname>
6550
</author>
6551
<title><acronym>DNS</acronym> Support for Load Balancing</title>
6552
<pubdate>April 1995</pubdate>
6553
</biblioentry>
6554
<biblioentry>
6555
<abbrev>RFC2240</abbrev>
6556
<author>
6557
<surname>Vaughan</surname>
6558
<firstname>O.</firstname></author>
6559
<title>A Legal Basis for Domain Name Allocation</title>
6560
<pubdate>November 1997</pubdate>
6561
</biblioentry>
6562
<biblioentry>
6563
<abbrev>RFC2345</abbrev>
6564
<authorgroup>
6565
<author>
6566
<surname>Klensin</surname>
6567
<firstname>J.</firstname>
6568
</author>
6569
<author>
6570
<firstname>T.</firstname>
6571
<surname>Wolf</surname>
6572
</author>
6573
<author>
6574
<firstname>G.</firstname>
6575
<surname>Oglesby</surname>
6576
</author>
6577
</authorgroup>
6578
<title>Domain Names and Company Name Retrieval</title>
6579
<pubdate>May 1998</pubdate>
6580
</biblioentry>
6581
<biblioentry>
6582
<abbrev>RFC2352</abbrev>
6583
<author>
6584
<surname>Vaughan</surname>
6585
<firstname>O.</firstname>
6586
</author>
6587
<title>A Convention For Using Legal Names as Domain Names</title>
6588
<pubdate>May 1998</pubdate>
6589
</biblioentry>
6590
</bibliodiv>
6591
<bibliodiv>
6592
<title>Obsolete and Unimplemented Experimental RRs</title>
6593
<biblioentry>
6594
<abbrev>RFC1712</abbrev>
6595
<authorgroup>
6596
<author>
6597
<surname>Farrell</surname>
6598
<firstname>C.</firstname>
6599
</author>
6600
<author>
6601
<firstname>M.</firstname>
6602
<surname>Schulze</surname>
6603
</author>
6604
<author>
6605
<firstname>S.</firstname>
6606
<surname>Pleitner</surname>
6607
</author>
6608
<author>
6609
<firstname>D.</firstname>
6610
<surname>Baldoni</surname>
6611
</author>
6612
</authorgroup>
6613
<title><acronym>DNS</acronym> Encoding of Geographical
6614
Location</title>
6615
<pubdate>November 1994</pubdate>
6616
</biblioentry>
6617
</bibliodiv>
6618
</bibliography>
6619
</sect2>
6620
<sect2 id="internet_drafts">
6621
<title>Internet Drafts</title>
6622
<para>Internet Drafts (IDs) are rough-draft working documents of
6623
the Internet Engineering Task Force. They are, in essence, RFCs
6624
in the preliminary stages of development. Implementors are cautioned not
6625
to regard IDs as archival, and they should not be quoted or cited
6626
in any formal documents unless accompanied by the disclaimer that
6627
they are "works in progress." IDs have a lifespan of six months
6628
after which they are deleted unless updated by their authors.
6629
</para>
6630
</sect2>
6631
<sect2>
6632
<title>Other Documents About <acronym>BIND</acronym></title>
6633
<para></para>
6634
<bibliography>
6635
<biblioentry>
6636
<authorgroup>
6637
<author>
6638
<surname>Albitz</surname>
6639
<firstname>Paul</firstname>
6640
</author>
6641
<author>
6642
<firstname>Cricket</firstname>
6643
<surname>Liu</surname>
6644
</author>
6645
</authorgroup>
6646
<title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
6647
<copyright>
6648
<year>1998</year>
6649
<holder>Sebastopol, CA: O'Reilly and Associates</holder>
6650
</copyright>
6651
</biblioentry>
6652
</bibliography>
6653
</sect2>
6654
</sect1>
6655
6656
</appendix>
6657
6658
</book>
12137
12138
<para>
12139
This allows recursive queries of the server from the outside
12140
unless recursion has been previously disabled.
12141
</para>
12142
<para>
12143
For more information on how to use ACLs to protect your server,
12144
see the <emphasis>AUSCERT</emphasis> advisory at:
12145
</para>
12146
<para>
12147
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
12148
>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
12149
</para>
12150
</sect1>
12151
<sect1>
12152
<title><command>Chroot</command> and <command>Setuid</command></title>
12153
<para>
12154
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
12155
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
12156
option. This can help improve system security by placing <acronym>BIND</acronym> in
12157
a "sandbox", which will limit the damage done if a server is
12158
compromised.
12159
</para>
12160
<para>
12161
Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
12162
ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
12163
We suggest running as an unprivileged user when using the <command>chroot</command> feature.
12164
</para>
12165
<para>
12166
Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
12167
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
12168
user 202:
12169
</para>
12170
<para>
12171
<userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
12172
</para>
12173
12174
<sect2>
12175
<title>The <command>chroot</command> Environment</title>
12176
12177
<para>
12178
In order for a <command>chroot</command> environment
12179
to
12180
work properly in a particular directory
12181
(for example, <filename>/var/named</filename>),
12182
you will need to set up an environment that includes everything
12183
<acronym>BIND</acronym> needs to run.
12184
From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
12185
the root of the filesystem. You will need to adjust the values of
12186
options like
12187
like <command>directory</command> and <command>pid-file</command> to account
12188
for this.
12189
</para>
12190
<para>
12191
Unlike with earlier versions of BIND, you typically will
12192
<emphasis>not</emphasis> need to compile <command>named</command>
12193
statically nor install shared libraries under the new root.
12194
However, depending on your operating system, you may need
12195
to set up things like
12196
<filename>/dev/zero</filename>,
12197
<filename>/dev/random</filename>,
12198
<filename>/dev/log</filename>, and
12199
<filename>/etc/localtime</filename>.
12200
</para>
12201
</sect2>
12202
12203
<sect2>
12204
<title>Using the <command>setuid</command> Function</title>
12205
12206
<para>
12207
Prior to running the <command>named</command> daemon,
12208
use
12209
the <command>touch</command> utility (to change file
12210
access and
12211
modification times) or the <command>chown</command>
12212
utility (to
12213
set the user id and/or group id) on files
12214
to which you want <acronym>BIND</acronym>
12215
to write.
12216
</para>
12217
<note>
12218
Note that if the <command>named</command> daemon is running as an
12219
unprivileged user, it will not be able to bind to new restricted
12220
ports if the server is reloaded.
12221
</note>
12222
</sect2>
12223
</sect1>
12224
12225
<sect1 id="dynamic_update_security">
12226
<title>Dynamic Update Security</title>
12227
12228
<para>
12229
Access to the dynamic
12230
update facility should be strictly limited. In earlier versions of
12231
<acronym>BIND</acronym>, the only way to do this was
12232
based on the IP
12233
address of the host requesting the update, by listing an IP address
12234
or
12235
network prefix in the <command>allow-update</command>
12236
zone option.
12237
This method is insecure since the source address of the update UDP
12238
packet
12239
is easily forged. Also note that if the IP addresses allowed by the
12240
<command>allow-update</command> option include the
12241
address of a slave
12242
server which performs forwarding of dynamic updates, the master can
12243
be
12244
trivially attacked by sending the update to the slave, which will
12245
forward it to the master with its own source IP address causing the
12246
master to approve it without question.
12247
</para>
12248
12249
<para>
12250
For these reasons, we strongly recommend that updates be
12251
cryptographically authenticated by means of transaction signatures
12252
(TSIG). That is, the <command>allow-update</command>
12253
option should
12254
list only TSIG key names, not IP addresses or network
12255
prefixes. Alternatively, the new <command>update-policy</command>
12256
option can be used.
12257
</para>
12258
12259
<para>
12260
Some sites choose to keep all dynamically-updated DNS data
12261
in a subdomain and delegate that subdomain to a separate zone. This
12262
way, the top-level zone containing critical data such as the IP
12263
addresses
12264
of public web and mail servers need not allow dynamic update at
12265
all.
12266
</para>
12267
12268
</sect1>
12269
</chapter>
12270
12271
<chapter id="Bv9ARM.ch08">
12272
<title>Troubleshooting</title>
12273
<sect1>
12274
<title>Common Problems</title>
12275
<sect2>
12276
<title>It's not working; how can I figure out what's wrong?</title>
12277
12278
<para>
12279
The best solution to solving installation and
12280
configuration issues is to take preventative measures by setting
12281
up logging files beforehand. The log files provide a
12282
source of hints and information that can be used to figure out
12283
what went wrong and how to fix the problem.
12284
</para>
12285
12286
</sect2>
12287
</sect1>
12288
<sect1>
12289
<title>Incrementing and Changing the Serial Number</title>
12290
12291
<para>
12292
Zone serial numbers are just numbers — they aren't
12293
date related. A lot of people set them to a number that
12294
represents a date, usually of the form YYYYMMDDRR.
12295
Occasionally they will make a mistake and set them to a
12296
"date in the future" then try to correct them by setting
12297
them to the "current date". This causes problems because
12298
serial numbers are used to indicate that a zone has been
12299
updated. If the serial number on the slave server is
12300
lower than the serial number on the master, the slave
12301
server will attempt to update its copy of the zone.
12302
</para>
12303
12304
<para>
12305
Setting the serial number to a lower number on the master
12306
server than the slave server means that the slave will not perform
12307
updates to its copy of the zone.
12308
</para>
12309
12310
<para>
12311
The solution to this is to add 2147483647 (2^31-1) to the
12312
number, reload the zone and make sure all slaves have updated to
12313
the new zone serial number, then reset the number to what you want
12314
it to be, and reload the zone again.
12315
</para>
12316
12317
</sect1>
12318
<sect1>
12319
<title>Where Can I Get Help?</title>
12320
12321
<para>
12322
The Internet Systems Consortium
12323
(<acronym>ISC</acronym>) offers a wide range
12324
of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
12325
levels of premium support are available and each level includes
12326
support for all <acronym>ISC</acronym> programs,
12327
significant discounts on products
12328
and training, and a recognized priority on bug fixes and
12329
non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
12330
support agreement package which includes services ranging from bug
12331
fix announcements to remote support. It also includes training in
12332
<acronym>BIND</acronym> and <acronym>DHCP</acronym>.
12333
</para>
12334
12335
<para>
12336
To discuss arrangements for support, contact
12337
<ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
12338
<acronym>ISC</acronym> web page at
12339
<ulink url="http://www.isc.org/services/support/"
12340
>http://www.isc.org/services/support/</ulink>
12341
to read more.
12342
</para>
12343
</sect1>
12344
</chapter>
12345
<appendix id="Bv9ARM.ch09">
12346
<title>Appendices</title>
12347
<sect1>
12348
<title>Acknowledgments</title>
12349
<sect2 id="historical_dns_information">
12350
<title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
12351
12352
<para>
12353
Although the "official" beginning of the Domain Name
12354
System occurred in 1984 with the publication of RFC 920, the
12355
core of the new system was described in 1983 in RFCs 882 and
12356
883. From 1984 to 1987, the ARPAnet (the precursor to today's
12357
Internet) became a testbed of experimentation for developing the
12358
new naming/addressing scheme in a rapidly expanding,
12359
operational network environment. New RFCs were written and
12360
published in 1987 that modified the original documents to
12361
incorporate improvements based on the working model. RFC 1034,
12362
"Domain Names-Concepts and Facilities", and RFC 1035, "Domain
12363
Names-Implementation and Specification" were published and
12364
became the standards upon which all <acronym>DNS</acronym> implementations are
12365
built.
12366
</para>
12367
12368
<para>
12369
The first working domain name server, called "Jeeves", was
12370
written in 1983-84 by Paul Mockapetris for operation on DEC
12371
Tops-20
12372
machines located at the University of Southern California's
12373
Information
12374
Sciences Institute (USC-ISI) and SRI International's Network
12375
Information
12376
Center (SRI-NIC). A <acronym>DNS</acronym> server for
12377
Unix machines, the Berkeley Internet
12378
Name Domain (<acronym>BIND</acronym>) package, was
12379
written soon after by a group of
12380
graduate students at the University of California at Berkeley
12381
under
12382
a grant from the US Defense Advanced Research Projects
12383
Administration
12384
(DARPA).
12385
</para>
12386
<para>
12387
Versions of <acronym>BIND</acronym> through
12388
4.8.3 were maintained by the Computer
12389
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
12390
Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
12391
project team. After that, additional work on the software package
12392
was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
12393
Corporation
12394
employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
12395
to 1987. Many other people also contributed to <acronym>BIND</acronym> development
12396
during that time: Doug Kingston, Craig Partridge, Smoot
12397
Carl-Mitchell,
12398
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
12399
handled by Mike Karels and Øivind Kure.
12400
</para>
12401
<para>
12402
<acronym>BIND</acronym> versions 4.9 and 4.9.1 were
12403
released by Digital Equipment
12404
Corporation (now Compaq Computer Corporation). Paul Vixie, then
12405
a DEC employee, became <acronym>BIND</acronym>'s
12406
primary caretaker. He was assisted
12407
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
12408
Beecher, Andrew
12409
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
12410
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
12411
Wolfhugel, and others.
12412
</para>
12413
<para>
12414
In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
12415
Vixie Enterprises. Paul
12416
Vixie became <acronym>BIND</acronym>'s principal
12417
architect/programmer.
12418
</para>
12419
<para>
12420
<acronym>BIND</acronym> versions from 4.9.3 onward
12421
have been developed and maintained
12422
by the Internet Systems Consortium and its predecessor,
12423
the Internet Software Consortium, with support being provided
12424
by ISC's sponsors.
12425
</para>
12426
<para>
12427
As co-architects/programmers, Bob Halley and
12428
Paul Vixie released the first production-ready version of
12429
<acronym>BIND</acronym> version 8 in May 1997.
12430
</para>
12431
<para>
12432
BIND version 9 was released in September 2000 and is a
12433
major rewrite of nearly all aspects of the underlying
12434
BIND architecture.
12435
</para>
12436
<para>
12437
BIND version 4 is officially deprecated and BIND version
12438
8 development is considered maintenance-only in favor
12439
of BIND version 9. No additional development is done
12440
on BIND version 4 or BIND version 8 other than for
12441
security-related patches.
12442
</para>
12443
<para>
12444
<acronym>BIND</acronym> development work is made
12445
possible today by the sponsorship
12446
of several corporations, and by the tireless work efforts of
12447
numerous individuals.
12448
</para>
12449
</sect2>
12450
</sect1>
12451
<sect1>
12452
<title>General <acronym>DNS</acronym> Reference Information</title>
12453
<sect2 id="ipv6addresses">
12454
<title>IPv6 addresses (AAAA)</title>
12455
<para>
12456
IPv6 addresses are 128-bit identifiers for interfaces and
12457
sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
12458
scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
12459
an identifier for a single interface;
12460
<emphasis>Anycast</emphasis>,
12461
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
12462
an identifier for a set of interfaces. Here we describe the global
12463
Unicast address scheme. For more information, see RFC 3587,
12464
"Global Unicast Address Format."
12465
</para>
12466
<para>
12467
IPv6 unicast addresses consist of a
12468
<emphasis>global routing prefix</emphasis>, a
12469
<emphasis>subnet identifier</emphasis>, and an
12470
<emphasis>interface identifier</emphasis>.
12471
</para>
12472
<para>
12473
The global routing prefix is provided by the
12474
upstream provider or ISP, and (roughly) corresponds to the
12475
IPv4 <emphasis>network</emphasis> section
12476
of the address range.
12477
12478
The subnet identifier is for local subnetting, much the
12479
same as subnetting an
12480
IPv4 /16 network into /24 subnets.
12481
12482
The interface identifier is the address of an individual
12483
interface on a given network; in IPv6, addresses belong to
12484
interfaces rather than to machines.
12485
</para>
12486
<para>
12487
The subnetting capability of IPv6 is much more flexible than
12488
that of IPv4: subnetting can be carried out on bit boundaries,
12489
in much the same way as Classless InterDomain Routing
12490
(CIDR), and the DNS PTR representation ("nibble" format)
12491
makes setting up reverse zones easier.
12492
</para>
12493
<para>
12494
The Interface Identifier must be unique on the local link,
12495
and is usually generated automatically by the IPv6
12496
implementation, although it is usually possible to
12497
override the default setting if necessary. A typical IPv6
12498
address might look like:
12499
<command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
12500
</para>
12501
<para>
12502
IPv6 address specifications often contain long strings
12503
of zeros, so the architects have included a shorthand for
12504
specifying
12505
them. The double colon (`::') indicates the longest possible
12506
string
12507
of zeros that can fit, and can be used only once in an address.
12508
</para>
12509
</sect2>
12510
</sect1>
12511
<sect1 id="bibliography">
12512
<title>Bibliography (and Suggested Reading)</title>
12513
<sect2 id="rfcs">
12514
<title>Request for Comments (RFCs)</title>
12515
<para>
12516
Specification documents for the Internet protocol suite, including
12517
the <acronym>DNS</acronym>, are published as part of
12518
the Request for Comments (RFCs)
12519
series of technical notes. The standards themselves are defined
12520
by the Internet Engineering Task Force (IETF) and the Internet
12521
Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
12522
</para>
12523
<para>
12524
<ulink url="ftp://www.isi.edu/in-notes/">
12525
ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
12526
</ulink>
12527
</para>
12528
<para>
12529
(where <replaceable>xxxx</replaceable> is
12530
the number of the RFC). RFCs are also available via the Web at:
12531
</para>
12532
<para>
12533
<ulink url="http://www.ietf.org/rfc/"
12534
>http://www.ietf.org/rfc/</ulink>.
12535
</para>
12536
<bibliography>
12537
<bibliodiv>
12538
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
12539
<title>Standards</title>
12540
<biblioentry>
12541
<abbrev>RFC974</abbrev>
12542
<author>
12543
<surname>Partridge</surname>
12544
<firstname>C.</firstname>
12545
</author>
12546
<title>Mail Routing and the Domain System</title>
12547
<pubdate>January 1986</pubdate>
12548
</biblioentry>
12549
<biblioentry>
12550
<abbrev>RFC1034</abbrev>
12551
<author>
12552
<surname>Mockapetris</surname>
12553
<firstname>P.V.</firstname>
12554
</author>
12555
<title>Domain Names — Concepts and Facilities</title>
12556
<pubdate>November 1987</pubdate>
12557
</biblioentry>
12558
<biblioentry>
12559
<abbrev>RFC1035</abbrev>
12560
<author>
12561
<surname>Mockapetris</surname>
12562
<firstname>P. V.</firstname>
12563
</author> <title>Domain Names — Implementation and
12564
Specification</title>
12565
<pubdate>November 1987</pubdate>
12566
</biblioentry>
12567
</bibliodiv>
12568
<bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
12569
12570
<title>Proposed Standards</title>
12571
<!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
12572
<biblioentry>
12573
<abbrev>RFC2181</abbrev>
12574
<author>
12575
<surname>Elz</surname>
12576
<firstname>R., R. Bush</firstname>
12577
</author>
12578
<title>Clarifications to the <acronym>DNS</acronym>
12579
Specification</title>
12580
<pubdate>July 1997</pubdate>
12581
</biblioentry>
12582
<biblioentry>
12583
<abbrev>RFC2308</abbrev>
12584
<author>
12585
<surname>Andrews</surname>
12586
<firstname>M.</firstname>
12587
</author>
12588
<title>Negative Caching of <acronym>DNS</acronym>
12589
Queries</title>
12590
<pubdate>March 1998</pubdate>
12591
</biblioentry>
12592
<biblioentry>
12593
<abbrev>RFC1995</abbrev>
12594
<author>
12595
<surname>Ohta</surname>
12596
<firstname>M.</firstname>
12597
</author>
12598
<title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
12599
<pubdate>August 1996</pubdate>
12600
</biblioentry>
12601
<biblioentry>
12602
<abbrev>RFC1996</abbrev>
12603
<author>
12604
<surname>Vixie</surname>
12605
<firstname>P.</firstname>
12606
</author>
12607
<title>A Mechanism for Prompt Notification of Zone Changes</title>
12608
<pubdate>August 1996</pubdate>
12609
</biblioentry>
12610
<biblioentry>
12611
<abbrev>RFC2136</abbrev>
12612
<authorgroup>
12613
<author>
12614
<surname>Vixie</surname>
12615
<firstname>P.</firstname>
12616
</author>
12617
<author>
12618
<firstname>S.</firstname>
12619
<surname>Thomson</surname>
12620
</author>
12621
<author>
12622
<firstname>Y.</firstname>
12623
<surname>Rekhter</surname>
12624
</author>
12625
<author>
12626
<firstname>J.</firstname>
12627
<surname>Bound</surname>
12628
</author>
12629
</authorgroup>
12630
<title>Dynamic Updates in the Domain Name System</title>
12631
<pubdate>April 1997</pubdate>
12632
</biblioentry>
12633
<biblioentry>
12634
<abbrev>RFC2671</abbrev>
12635
<authorgroup>
12636
<author>
12637
<firstname>P.</firstname>
12638
<surname>Vixie</surname>
12639
</author>
12640
</authorgroup>
12641
<title>Extension Mechanisms for DNS (EDNS0)</title>
12642
<pubdate>August 1997</pubdate>
12643
</biblioentry>
12644
<biblioentry>
12645
<abbrev>RFC2672</abbrev>
12646
<authorgroup>
12647
<author>
12648
<firstname>M.</firstname>
12649
<surname>Crawford</surname>
12650
</author>
12651
</authorgroup>
12652
<title>Non-Terminal DNS Name Redirection</title>
12653
<pubdate>August 1999</pubdate>
12654
</biblioentry>
12655
<biblioentry>
12656
<abbrev>RFC2845</abbrev>
12657
<authorgroup>
12658
<author>
12659
<surname>Vixie</surname>
12660
<firstname>P.</firstname>
12661
</author>
12662
<author>
12663
<firstname>O.</firstname>
12664
<surname>Gudmundsson</surname>
12665
</author>
12666
<author>
12667
<firstname>D.</firstname>
12668
<surname>Eastlake</surname>
12669
<lineage>3rd</lineage>
12670
</author>
12671
<author>
12672
<firstname>B.</firstname>
12673
<surname>Wellington</surname>
12674
</author>
12675
</authorgroup>
12676
<title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
12677
<pubdate>May 2000</pubdate>
12678
</biblioentry>
12679
<biblioentry>
12680
<abbrev>RFC2930</abbrev>
12681
<authorgroup>
12682
<author>
12683
<firstname>D.</firstname>
12684
<surname>Eastlake</surname>
12685
<lineage>3rd</lineage>
12686
</author>
12687
</authorgroup>
12688
<title>Secret Key Establishment for DNS (TKEY RR)</title>
12689
<pubdate>September 2000</pubdate>
12690
</biblioentry>
12691
<biblioentry>
12692
<abbrev>RFC2931</abbrev>
12693
<authorgroup>
12694
<author>
12695
<firstname>D.</firstname>
12696
<surname>Eastlake</surname>
12697
<lineage>3rd</lineage>
12698
</author>
12699
</authorgroup>
12700
<title>DNS Request and Transaction Signatures (SIG(0)s)</title>
12701
<pubdate>September 2000</pubdate>
12702
</biblioentry>
12703
<biblioentry>
12704
<abbrev>RFC3007</abbrev>
12705
<authorgroup>
12706
<author>
12707
<firstname>B.</firstname>
12708
<surname>Wellington</surname>
12709
</author>
12710
</authorgroup>
12711
<title>Secure Domain Name System (DNS) Dynamic Update</title>
12712
<pubdate>November 2000</pubdate>
12713
</biblioentry>
12714
<biblioentry>
12715
<abbrev>RFC3645</abbrev>
12716
<authorgroup>
12717
<author>
12718
<firstname>S.</firstname>
12719
<surname>Kwan</surname>
12720
</author>
12721
<author>
12722
<firstname>P.</firstname>
12723
<surname>Garg</surname>
12724
</author>
12725
<author>
12726
<firstname>J.</firstname>
12727
<surname>Gilroy</surname>
12728
</author>
12729
<author>
12730
<firstname>L.</firstname>
12731
<surname>Esibov</surname>
12732
</author>
12733
<author>
12734
<firstname>J.</firstname>
12735
<surname>Westhead</surname>
12736
</author>
12737
<author>
12738
<firstname>R.</firstname>
12739
<surname>Hall</surname>
12740
</author>
12741
</authorgroup>
12742
<title>Generic Security Service Algorithm for Secret
12743
Key Transaction Authentication for DNS
12744
(GSS-TSIG)</title>
12745
<pubdate>October 2003</pubdate>
12746
</biblioentry>
12747
</bibliodiv>
12748
<bibliodiv>
12749
<title><acronym>DNS</acronym> Security Proposed Standards</title>
12750
<biblioentry>
12751
<abbrev>RFC3225</abbrev>
12752
<authorgroup>
12753
<author>
12754
<firstname>D.</firstname>
12755
<surname>Conrad</surname>
12756
</author>
12757
</authorgroup>
12758
<title>Indicating Resolver Support of DNSSEC</title>
12759
<pubdate>December 2001</pubdate>
12760
</biblioentry>
12761
<biblioentry>
12762
<abbrev>RFC3833</abbrev>
12763
<authorgroup>
12764
<author>
12765
<firstname>D.</firstname>
12766
<surname>Atkins</surname>
12767
</author>
12768
<author>
12769
<firstname>R.</firstname>
12770
<surname>Austein</surname>
12771
</author>
12772
</authorgroup>
12773
<title>Threat Analysis of the Domain Name System (DNS)</title>
12774
<pubdate>August 2004</pubdate>
12775
</biblioentry>
12776
<biblioentry>
12777
<abbrev>RFC4033</abbrev>
12778
<authorgroup>
12779
<author>
12780
<firstname>R.</firstname>
12781
<surname>Arends</surname>
12782
</author>
12783
<author>
12784
<firstname>R.</firstname>
12785
<surname>Austein</surname>
12786
</author>
12787
<author>
12788
<firstname>M.</firstname>
12789
<surname>Larson</surname>
12790
</author>
12791
<author>
12792
<firstname>D.</firstname>
12793
<surname>Massey</surname>
12794
</author>
12795
<author>
12796
<firstname>S.</firstname>
12797
<surname>Rose</surname>
12798
</author>
12799
</authorgroup>
12800
<title>DNS Security Introduction and Requirements</title>
12801
<pubdate>March 2005</pubdate>
12802
</biblioentry>
12803
<biblioentry>
12804
<abbrev>RFC4044</abbrev>
12805
<authorgroup>
12806
<author>
12807
<firstname>R.</firstname>
12808
<surname>Arends</surname>
12809
</author>
12810
<author>
12811
<firstname>R.</firstname>
12812
<surname>Austein</surname>
12813
</author>
12814
<author>
12815
<firstname>M.</firstname>
12816
<surname>Larson</surname>
12817
</author>
12818
<author>
12819
<firstname>D.</firstname>
12820
<surname>Massey</surname>
12821
</author>
12822
<author>
12823
<firstname>S.</firstname>
12824
<surname>Rose</surname>
12825
</author>
12826
</authorgroup>
12827
<title>Resource Records for the DNS Security Extensions</title>
12828
<pubdate>March 2005</pubdate>
12829
</biblioentry>
12830
<biblioentry>
12831
<abbrev>RFC4035</abbrev>
12832
<authorgroup>
12833
<author>
12834
<firstname>R.</firstname>
12835
<surname>Arends</surname>
12836
</author>
12837
<author>
12838
<firstname>R.</firstname>
12839
<surname>Austein</surname>
12840
</author>
12841
<author>
12842
<firstname>M.</firstname>
12843
<surname>Larson</surname>
12844
</author>
12845
<author>
12846
<firstname>D.</firstname>
12847
<surname>Massey</surname>
12848
</author>
12849
<author>
12850
<firstname>S.</firstname>
12851
<surname>Rose</surname>
12852
</author>
12853
</authorgroup>
12854
<title>Protocol Modifications for the DNS
12855
Security Extensions</title>
12856
<pubdate>March 2005</pubdate>
12857
</biblioentry>
12858
</bibliodiv>
12859
<bibliodiv>
12860
<title>Other Important RFCs About <acronym>DNS</acronym>
12861
Implementation</title>
12862
<biblioentry>
12863
<abbrev>RFC1535</abbrev>
12864
<author>
12865
<surname>Gavron</surname>
12866
<firstname>E.</firstname>
12867
</author>
12868
<title>A Security Problem and Proposed Correction With Widely
12869
Deployed <acronym>DNS</acronym> Software.</title>
12870
<pubdate>October 1993</pubdate>
12871
</biblioentry>
12872
<biblioentry>
12873
<abbrev>RFC1536</abbrev>
12874
<authorgroup>
12875
<author>
12876
<surname>Kumar</surname>
12877
<firstname>A.</firstname>
12878
</author>
12879
<author>
12880
<firstname>J.</firstname>
12881
<surname>Postel</surname>
12882
</author>
12883
<author>
12884
<firstname>C.</firstname>
12885
<surname>Neuman</surname>
12886
</author>
12887
<author>
12888
<firstname>P.</firstname>
12889
<surname>Danzig</surname>
12890
</author>
12891
<author>
12892
<firstname>S.</firstname>
12893
<surname>Miller</surname>
12894
</author>
12895
</authorgroup>
12896
<title>Common <acronym>DNS</acronym> Implementation
12897
Errors and Suggested Fixes</title>
12898
<pubdate>October 1993</pubdate>
12899
</biblioentry>
12900
<biblioentry>
12901
<abbrev>RFC1982</abbrev>
12902
<authorgroup>
12903
<author>
12904
<surname>Elz</surname>
12905
<firstname>R.</firstname>
12906
</author>
12907
<author>
12908
<firstname>R.</firstname>
12909
<surname>Bush</surname>
12910
</author>
12911
</authorgroup>
12912
<title>Serial Number Arithmetic</title>
12913
<pubdate>August 1996</pubdate>
12914
</biblioentry>
12915
<biblioentry>
12916
<abbrev>RFC4074</abbrev>
12917
<authorgroup>
12918
<author>
12919
<surname>Morishita</surname>
12920
<firstname>Y.</firstname>
12921
</author>
12922
<author>
12923
<firstname>T.</firstname>
12924
<surname>Jinmei</surname>
12925
</author>
12926
</authorgroup>
12927
<title>Common Misbehaviour Against <acronym>DNS</acronym>
12928
Queries for IPv6 Addresses</title>
12929
<pubdate>May 2005</pubdate>
12930
</biblioentry>
12931
</bibliodiv>
12932
<bibliodiv>
12933
<title>Resource Record Types</title>
12934
<biblioentry>
12935
<abbrev>RFC1183</abbrev>
12936
<authorgroup>
12937
<author>
12938
<surname>Everhart</surname>
12939
<firstname>C.F.</firstname>
12940
</author>
12941
<author>
12942
<firstname>L. A.</firstname>
12943
<surname>Mamakos</surname>
12944
</author>
12945
<author>
12946
<firstname>R.</firstname>
12947
<surname>Ullmann</surname>
12948
</author>
12949
<author>
12950
<firstname>P.</firstname>
12951
<surname>Mockapetris</surname>
12952
</author>
12953
</authorgroup>
12954
<title>New <acronym>DNS</acronym> RR Definitions</title>
12955
<pubdate>October 1990</pubdate>
12956
</biblioentry>
12957
<biblioentry>
12958
<abbrev>RFC1706</abbrev>
12959
<authorgroup>
12960
<author>
12961
<surname>Manning</surname>
12962
<firstname>B.</firstname>
12963
</author>
12964
<author>
12965
<firstname>R.</firstname>
12966
<surname>Colella</surname>
12967
</author>
12968
</authorgroup>
12969
<title><acronym>DNS</acronym> NSAP Resource Records</title>
12970
<pubdate>October 1994</pubdate>
12971
</biblioentry>
12972
<biblioentry>
12973
<abbrev>RFC2168</abbrev>
12974
<authorgroup>
12975
<author>
12976
<surname>Daniel</surname>
12977
<firstname>R.</firstname>
12978
</author>
12979
<author>
12980
<firstname>M.</firstname>
12981
<surname>Mealling</surname>
12982
</author>
12983
</authorgroup>
12984
<title>Resolution of Uniform Resource Identifiers using
12985
the Domain Name System</title>
12986
<pubdate>June 1997</pubdate>
12987
</biblioentry>
12988
<biblioentry>
12989
<abbrev>RFC1876</abbrev>
12990
<authorgroup>
12991
<author>
12992
<surname>Davis</surname>
12993
<firstname>C.</firstname>
12994
</author>
12995
<author>
12996
<firstname>P.</firstname>
12997
<surname>Vixie</surname>
12998
</author>
12999
<author>
13000
<firstname>T.</firstname>
13001
<firstname>Goodwin</firstname>
13002
</author>
13003
<author>
13004
<firstname>I.</firstname>
13005
<surname>Dickinson</surname>
13006
</author>
13007
</authorgroup>
13008
<title>A Means for Expressing Location Information in the
13009
Domain
13010
Name System</title>
13011
<pubdate>January 1996</pubdate>
13012
</biblioentry>
13013
<biblioentry>
13014
<abbrev>RFC2052</abbrev>
13015
<authorgroup>
13016
<author>
13017
<surname>Gulbrandsen</surname>
13018
<firstname>A.</firstname>
13019
</author>
13020
<author>
13021
<firstname>P.</firstname>
13022
<surname>Vixie</surname>
13023
</author>
13024
</authorgroup>
13025
<title>A <acronym>DNS</acronym> RR for Specifying the
13026
Location of
13027
Services.</title>
13028
<pubdate>October 1996</pubdate>
13029
</biblioentry>
13030
<biblioentry>
13031
<abbrev>RFC2163</abbrev>
13032
<author>
13033
<surname>Allocchio</surname>
13034
<firstname>A.</firstname>
13035
</author>
13036
<title>Using the Internet <acronym>DNS</acronym> to
13037
Distribute MIXER
13038
Conformant Global Address Mapping</title>
13039
<pubdate>January 1998</pubdate>
13040
</biblioentry>
13041
<biblioentry>
13042
<abbrev>RFC2230</abbrev>
13043
<author>
13044
<surname>Atkinson</surname>
13045
<firstname>R.</firstname>
13046
</author>
13047
<title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
13048
<pubdate>October 1997</pubdate>
13049
</biblioentry>
13050
<biblioentry>
13051
<abbrev>RFC2536</abbrev>
13052
<author>
13053
<surname>Eastlake</surname>
13054
<firstname>D.</firstname>
13055
<lineage>3rd</lineage>
13056
</author>
13057
<title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
13058
<pubdate>March 1999</pubdate>
13059
</biblioentry>
13060
<biblioentry>
13061
<abbrev>RFC2537</abbrev>
13062
<author>
13063
<surname>Eastlake</surname>
13064
<firstname>D.</firstname>
13065
<lineage>3rd</lineage>
13066
</author>
13067
<title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
13068
<pubdate>March 1999</pubdate>
13069
</biblioentry>
13070
<biblioentry>
13071
<abbrev>RFC2538</abbrev>
13072
<authorgroup>
13073
<author>
13074
<surname>Eastlake</surname>
13075
<firstname>D.</firstname>
13076
<lineage>3rd</lineage>
13077
</author>
13078
<author>
13079
<surname>Gudmundsson</surname>
13080
<firstname>O.</firstname>
13081
</author>
13082
</authorgroup>
13083
<title>Storing Certificates in the Domain Name System (DNS)</title>
13084
<pubdate>March 1999</pubdate>
13085
</biblioentry>
13086
<biblioentry>
13087
<abbrev>RFC2539</abbrev>
13088
<authorgroup>
13089
<author>
13090
<surname>Eastlake</surname>
13091
<firstname>D.</firstname>
13092
<lineage>3rd</lineage>
13093
</author>
13094
</authorgroup>
13095
<title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
13096
<pubdate>March 1999</pubdate>
13097
</biblioentry>
13098
<biblioentry>
13099
<abbrev>RFC2540</abbrev>
13100
<authorgroup>
13101
<author>
13102
<surname>Eastlake</surname>
13103
<firstname>D.</firstname>
13104
<lineage>3rd</lineage>
13105
</author>
13106
</authorgroup>
13107
<title>Detached Domain Name System (DNS) Information</title>
13108
<pubdate>March 1999</pubdate>
13109
</biblioentry>
13110
<biblioentry>
13111
<abbrev>RFC2782</abbrev>
13112
<author>
13113
<surname>Gulbrandsen</surname>
13114
<firstname>A.</firstname>
13115
</author>
13116
<author>
13117
<surname>Vixie</surname>
13118
<firstname>P.</firstname>
13119
</author>
13120
<author>
13121
<surname>Esibov</surname>
13122
<firstname>L.</firstname>
13123
</author>
13124
<title>A DNS RR for specifying the location of services (DNS SRV)</title>
13125
<pubdate>February 2000</pubdate>
13126
</biblioentry>
13127
<biblioentry>
13128
<abbrev>RFC2915</abbrev>
13129
<author>
13130
<surname>Mealling</surname>
13131
<firstname>M.</firstname>
13132
</author>
13133
<author>
13134
<surname>Daniel</surname>
13135
<firstname>R.</firstname>
13136
</author>
13137
<title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
13138
<pubdate>September 2000</pubdate>
13139
</biblioentry>
13140
<biblioentry>
13141
<abbrev>RFC3110</abbrev>
13142
<author>
13143
<surname>Eastlake</surname>
13144
<firstname>D.</firstname>
13145
<lineage>3rd</lineage>
13146
</author>
13147
<title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
13148
<pubdate>May 2001</pubdate>
13149
</biblioentry>
13150
<biblioentry>
13151
<abbrev>RFC3123</abbrev>
13152
<author>
13153
<surname>Koch</surname>
13154
<firstname>P.</firstname>
13155
</author>
13156
<title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
13157
<pubdate>June 2001</pubdate>
13158
</biblioentry>
13159
<biblioentry>
13160
<abbrev>RFC3596</abbrev>
13161
<authorgroup>
13162
<author>
13163
<surname>Thomson</surname>
13164
<firstname>S.</firstname>
13165
</author>
13166
<author>
13167
<firstname>C.</firstname>
13168
<surname>Huitema</surname>
13169
</author>
13170
<author>
13171
<firstname>V.</firstname>
13172
<surname>Ksinant</surname>
13173
</author>
13174
<author>
13175
<firstname>M.</firstname>
13176
<surname>Souissi</surname>
13177
</author>
13178
</authorgroup>
13179
<title><acronym>DNS</acronym> Extensions to support IP
13180
version 6</title>
13181
<pubdate>October 2003</pubdate>
13182
</biblioentry>
13183
<biblioentry>
13184
<abbrev>RFC3597</abbrev>
13185
<author>
13186
<surname>Gustafsson</surname>
13187
<firstname>A.</firstname>
13188
</author>
13189
<title>Handling of Unknown DNS Resource Record (RR) Types</title>
13190
<pubdate>September 2003</pubdate>
13191
</biblioentry>
13192
</bibliodiv>
13193
<bibliodiv>
13194
<title><acronym>DNS</acronym> and the Internet</title>
13195
<biblioentry>
13196
<abbrev>RFC1101</abbrev>
13197
<author>
13198
<surname>Mockapetris</surname>
13199
<firstname>P. V.</firstname>
13200
</author>
13201
<title><acronym>DNS</acronym> Encoding of Network Names
13202
and Other Types</title>
13203
<pubdate>April 1989</pubdate>
13204
</biblioentry>
13205
<biblioentry>
13206
<abbrev>RFC1123</abbrev>
13207
<author>
13208
<surname>Braden</surname>
13209
<surname>R.</surname>
13210
</author>
13211
<title>Requirements for Internet Hosts - Application and
13212
Support</title>
13213
<pubdate>October 1989</pubdate>
13214
</biblioentry>
13215
<biblioentry>
13216
<abbrev>RFC1591</abbrev>
13217
<author>
13218
<surname>Postel</surname>
13219
<firstname>J.</firstname>
13220
</author>
13221
<title>Domain Name System Structure and Delegation</title>
13222
<pubdate>March 1994</pubdate>
13223
</biblioentry>
13224
<biblioentry>
13225
<abbrev>RFC2317</abbrev>
13226
<authorgroup>
13227
<author>
13228
<surname>Eidnes</surname>
13229
<firstname>H.</firstname>
13230
</author>
13231
<author>
13232
<firstname>G.</firstname>
13233
<surname>de Groot</surname>
13234
</author>
13235
<author>
13236
<firstname>P.</firstname>
13237
<surname>Vixie</surname>
13238
</author>
13239
</authorgroup>
13240
<title>Classless IN-ADDR.ARPA Delegation</title>
13241
<pubdate>March 1998</pubdate>
13242
</biblioentry>
13243
<biblioentry>
13244
<abbrev>RFC2826</abbrev>
13245
<authorgroup>
13246
<author>
13247
<surname>Internet Architecture Board</surname>
13248
</author>
13249
</authorgroup>
13250
<title>IAB Technical Comment on the Unique DNS Root</title>
13251
<pubdate>May 2000</pubdate>
13252
</biblioentry>
13253
<biblioentry>
13254
<abbrev>RFC2929</abbrev>
13255
<authorgroup>
13256
<author>
13257
<surname>Eastlake</surname>
13258
<firstname>D.</firstname>
13259
<lineage>3rd</lineage>
13260
</author>
13261
<author>
13262
<surname>Brunner-Williams</surname>
13263
<firstname>E.</firstname>
13264
</author>
13265
<author>
13266
<surname>Manning</surname>
13267
<firstname>B.</firstname>
13268
</author>
13269
</authorgroup>
13270
<title>Domain Name System (DNS) IANA Considerations</title>
13271
<pubdate>September 2000</pubdate>
13272
</biblioentry>
13273
</bibliodiv>
13274
<bibliodiv>
13275
<title><acronym>DNS</acronym> Operations</title>
13276
<biblioentry>
13277
<abbrev>RFC1033</abbrev>
13278
<author>
13279
<surname>Lottor</surname>
13280
<firstname>M.</firstname>
13281
</author>
13282
<title>Domain administrators operations guide.</title>
13283
<pubdate>November 1987</pubdate>
13284
</biblioentry>
13285
<biblioentry>
13286
<abbrev>RFC1537</abbrev>
13287
<author>
13288
<surname>Beertema</surname>
13289
<firstname>P.</firstname>
13290
</author>
13291
<title>Common <acronym>DNS</acronym> Data File
13292
Configuration Errors</title>
13293
<pubdate>October 1993</pubdate>
13294
</biblioentry>
13295
<biblioentry>
13296
<abbrev>RFC1912</abbrev>
13297
<author>
13298
<surname>Barr</surname>
13299
<firstname>D.</firstname>
13300
</author>
13301
<title>Common <acronym>DNS</acronym> Operational and
13302
Configuration Errors</title>
13303
<pubdate>February 1996</pubdate>
13304
</biblioentry>
13305
<biblioentry>
13306
<abbrev>RFC2010</abbrev>
13307
<authorgroup>
13308
<author>
13309
<surname>Manning</surname>
13310
<firstname>B.</firstname>
13311
</author>
13312
<author>
13313
<firstname>P.</firstname>
13314
<surname>Vixie</surname>
13315
</author>
13316
</authorgroup>
13317
<title>Operational Criteria for Root Name Servers.</title>
13318
<pubdate>October 1996</pubdate>
13319
</biblioentry>
13320
<biblioentry>
13321
<abbrev>RFC2219</abbrev>
13322
<authorgroup>
13323
<author>
13324
<surname>Hamilton</surname>
13325
<firstname>M.</firstname>
13326
</author>
13327
<author>
13328
<firstname>R.</firstname>
13329
<surname>Wright</surname>
13330
</author>
13331
</authorgroup>
13332
<title>Use of <acronym>DNS</acronym> Aliases for
13333
Network Services.</title>
13334
<pubdate>October 1997</pubdate>
13335
</biblioentry>
13336
</bibliodiv>
13337
<bibliodiv>
13338
<title>Internationalized Domain Names</title>
13339
<biblioentry>
13340
<abbrev>RFC2825</abbrev>
13341
<authorgroup>
13342
<author>
13343
<surname>IAB</surname>
13344
</author>
13345
<author>
13346
<surname>Daigle</surname>
13347
<firstname>R.</firstname>
13348
</author>
13349
</authorgroup>
13350
<title>A Tangled Web: Issues of I18N, Domain Names,
13351
and the Other Internet protocols</title>
13352
<pubdate>May 2000</pubdate>
13353
</biblioentry>
13354
<biblioentry>
13355
<abbrev>RFC3490</abbrev>
13356
<authorgroup>
13357
<author>
13358
<surname>Faltstrom</surname>
13359
<firstname>P.</firstname>
13360
</author>
13361
<author>
13362
<surname>Hoffman</surname>
13363
<firstname>P.</firstname>
13364
</author>
13365
<author>
13366
<surname>Costello</surname>
13367
<firstname>A.</firstname>
13368
</author>
13369
</authorgroup>
13370
<title>Internationalizing Domain Names in Applications (IDNA)</title>
13371
<pubdate>March 2003</pubdate>
13372
</biblioentry>
13373
<biblioentry>
13374
<abbrev>RFC3491</abbrev>
13375
<authorgroup>
13376
<author>
13377
<surname>Hoffman</surname>
13378
<firstname>P.</firstname>
13379
</author>
13380
<author>
13381
<surname>Blanchet</surname>
13382
<firstname>M.</firstname>
13383
</author>
13384
</authorgroup>
13385
<title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
13386
<pubdate>March 2003</pubdate>
13387
</biblioentry>
13388
<biblioentry>
13389
<abbrev>RFC3492</abbrev>
13390
<authorgroup>
13391
<author>
13392
<surname>Costello</surname>
13393
<firstname>A.</firstname>
13394
</author>
13395
</authorgroup>
13396
<title>Punycode: A Bootstring encoding of Unicode
13397
for Internationalized Domain Names in
13398
Applications (IDNA)</title>
13399
<pubdate>March 2003</pubdate>
13400
</biblioentry>
13401
</bibliodiv>
13402
<bibliodiv>
13403
<title>Other <acronym>DNS</acronym>-related RFCs</title>
13404
<note>
13405
<para>
13406
Note: the following list of RFCs, although
13407
<acronym>DNS</acronym>-related, are not
13408
concerned with implementing software.
13409
</para>
13410
</note>
13411
<biblioentry>
13412
<abbrev>RFC1464</abbrev>
13413
<author>
13414
<surname>Rosenbaum</surname>
13415
<firstname>R.</firstname>
13416
</author>
13417
<title>Using the Domain Name System To Store Arbitrary String
13418
Attributes</title>
13419
<pubdate>May 1993</pubdate>
13420
</biblioentry>
13421
<biblioentry>
13422
<abbrev>RFC1713</abbrev>
13423
<author>
13424
<surname>Romao</surname>
13425
<firstname>A.</firstname>
13426
</author>
13427
<title>Tools for <acronym>DNS</acronym> Debugging</title>
13428
<pubdate>November 1994</pubdate>
13429
</biblioentry>
13430
<biblioentry>
13431
<abbrev>RFC1794</abbrev>
13432
<author>
13433
<surname>Brisco</surname>
13434
<firstname>T.</firstname>
13435
</author>
13436
<title><acronym>DNS</acronym> Support for Load
13437
Balancing</title>
13438
<pubdate>April 1995</pubdate>
13439
</biblioentry>
13440
<biblioentry>
13441
<abbrev>RFC2240</abbrev>
13442
<author>
13443
<surname>Vaughan</surname>
13444
<firstname>O.</firstname>
13445
</author>
13446
<title>A Legal Basis for Domain Name Allocation</title>
13447
<pubdate>November 1997</pubdate>
13448
</biblioentry>
13449
<biblioentry>
13450
<abbrev>RFC2345</abbrev>
13451
<authorgroup>
13452
<author>
13453
<surname>Klensin</surname>
13454
<firstname>J.</firstname>
13455
</author>
13456
<author>
13457
<firstname>T.</firstname>
13458
<surname>Wolf</surname>
13459
</author>
13460
<author>
13461
<firstname>G.</firstname>
13462
<surname>Oglesby</surname>
13463
</author>
13464
</authorgroup>
13465
<title>Domain Names and Company Name Retrieval</title>
13466
<pubdate>May 1998</pubdate>
13467
</biblioentry>
13468
<biblioentry>
13469
<abbrev>RFC2352</abbrev>
13470
<author>
13471
<surname>Vaughan</surname>
13472
<firstname>O.</firstname>
13473
</author>
13474
<title>A Convention For Using Legal Names as Domain Names</title>
13475
<pubdate>May 1998</pubdate>
13476
</biblioentry>
13477
<biblioentry>
13478
<abbrev>RFC3071</abbrev>
13479
<authorgroup>
13480
<author>
13481
<surname>Klensin</surname>
13482
<firstname>J.</firstname>
13483
</author>
13484
</authorgroup>
13485
<title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
13486
<pubdate>February 2001</pubdate>
13487
</biblioentry>
13488
<biblioentry>
13489
<abbrev>RFC3258</abbrev>
13490
<authorgroup>
13491
<author>
13492
<surname>Hardie</surname>
13493
<firstname>T.</firstname>
13494
</author>
13495
</authorgroup>
13496
<title>Distributing Authoritative Name Servers via
13497
Shared Unicast Addresses</title>
13498
<pubdate>April 2002</pubdate>
13499
</biblioentry>
13500
<biblioentry>
13501
<abbrev>RFC3901</abbrev>
13502
<authorgroup>
13503
<author>
13504
<surname>Durand</surname>
13505
<firstname>A.</firstname>
13506
</author>
13507
<author>
13508
<firstname>J.</firstname>
13509
<surname>Ihren</surname>
13510
</author>
13511
</authorgroup>
13512
<title>DNS IPv6 Transport Operational Guidelines</title>
13513
<pubdate>September 2004</pubdate>
13514
</biblioentry>
13515
</bibliodiv>
13516
<bibliodiv>
13517
<title>Obsolete and Unimplemented Experimental RFC</title>
13518
<biblioentry>
13519
<abbrev>RFC1712</abbrev>
13520
<authorgroup>
13521
<author>
13522
<surname>Farrell</surname>
13523
<firstname>C.</firstname>
13524
</author>
13525
<author>
13526
<firstname>M.</firstname>
13527
<surname>Schulze</surname>
13528
</author>
13529
<author>
13530
<firstname>S.</firstname>
13531
<surname>Pleitner</surname>
13532
</author>
13533
<author>
13534
<firstname>D.</firstname>
13535
<surname>Baldoni</surname>
13536
</author>
13537
</authorgroup>
13538
<title><acronym>DNS</acronym> Encoding of Geographical
13539
Location</title>
13540
<pubdate>November 1994</pubdate>
13541
</biblioentry>
13542
<biblioentry>
13543
<abbrev>RFC2673</abbrev>
13544
<authorgroup>
13545
<author>
13546
<surname>Crawford</surname>
13547
<firstname>M.</firstname>
13548
</author>
13549
</authorgroup>
13550
<title>Binary Labels in the Domain Name System</title>
13551
<pubdate>August 1999</pubdate>
13552
</biblioentry>
13553
<biblioentry>
13554
<abbrev>RFC2874</abbrev>
13555
<authorgroup>
13556
<author>
13557
<surname>Crawford</surname>
13558
<firstname>M.</firstname>
13559
</author>
13560
<author>
13561
<surname>Huitema</surname>
13562
<firstname>C.</firstname>
13563
</author>
13564
</authorgroup>
13565
<title>DNS Extensions to Support IPv6 Address Aggregation
13566
and Renumbering</title>
13567
<pubdate>July 2000</pubdate>
13568
</biblioentry>
13569
</bibliodiv>
13570
<bibliodiv>
13571
<title>Obsoleted DNS Security RFCs</title>
13572
<note>
13573
<para>
13574
Most of these have been consolidated into RFC4033,
13575
RFC4034 and RFC4035 which collectively describe DNSSECbis.
13576
</para>
13577
</note>
13578
<biblioentry>
13579
<abbrev>RFC2065</abbrev>
13580
<authorgroup>
13581
<author>
13582
<surname>Eastlake</surname>
13583
<lineage>3rd</lineage>
13584
<firstname>D.</firstname>
13585
</author>
13586
<author>
13587
<firstname>C.</firstname>
13588
<surname>Kaufman</surname>
13589
</author>
13590
</authorgroup>
13591
<title>Domain Name System Security Extensions</title>
13592
<pubdate>January 1997</pubdate>
13593
</biblioentry>
13594
<biblioentry>
13595
<abbrev>RFC2137</abbrev>
13596
<author>
13597
<surname>Eastlake</surname>
13598
<lineage>3rd</lineage>
13599
<firstname>D.</firstname>
13600
</author>
13601
<title>Secure Domain Name System Dynamic Update</title>
13602
<pubdate>April 1997</pubdate>
13603
</biblioentry>
13604
<biblioentry>
13605
<abbrev>RFC2535</abbrev>
13606
<authorgroup>
13607
<author>
13608
<surname>Eastlake</surname>
13609
<lineage>3rd</lineage>
13610
<firstname>D.</firstname>
13611
</author>
13612
</authorgroup>
13613
<title>Domain Name System Security Extensions</title>
13614
<pubdate>March 1999</pubdate>
13615
</biblioentry>
13616
<biblioentry>
13617
<abbrev>RFC3008</abbrev>
13618
<authorgroup>
13619
<author>
13620
<surname>Wellington</surname>
13621
<firstname>B.</firstname>
13622
</author>
13623
</authorgroup>
13624
<title>Domain Name System Security (DNSSEC)
13625
Signing Authority</title>
13626
<pubdate>November 2000</pubdate>
13627
</biblioentry>
13628
<biblioentry>
13629
<abbrev>RFC3090</abbrev>
13630
<authorgroup>
13631
<author>
13632
<surname>Lewis</surname>
13633
<firstname>E.</firstname>
13634
</author>
13635
</authorgroup>
13636
<title>DNS Security Extension Clarification on Zone Status</title>
13637
<pubdate>March 2001</pubdate>
13638
</biblioentry>
13639
<biblioentry>
13640
<abbrev>RFC3445</abbrev>
13641
<authorgroup>
13642
<author>
13643
<surname>Massey</surname>
13644
<firstname>D.</firstname>
13645
</author>
13646
<author>
13647
<surname>Rose</surname>
13648
<firstname>S.</firstname>
13649
</author>
13650
</authorgroup>
13651
<title>Limiting the Scope of the KEY Resource Record (RR)</title>
13652
<pubdate>December 2002</pubdate>
13653
</biblioentry>
13654
<biblioentry>
13655
<abbrev>RFC3655</abbrev>
13656
<authorgroup>
13657
<author>
13658
<surname>Wellington</surname>
13659
<firstname>B.</firstname>
13660
</author>
13661
<author>
13662
<surname>Gudmundsson</surname>
13663
<firstname>O.</firstname>
13664
</author>
13665
</authorgroup>
13666
<title>Redefinition of DNS Authenticated Data (AD) bit</title>
13667
<pubdate>November 2003</pubdate>
13668
</biblioentry>
13669
<biblioentry>
13670
<abbrev>RFC3658</abbrev>
13671
<authorgroup>
13672
<author>
13673
<surname>Gudmundsson</surname>
13674
<firstname>O.</firstname>
13675
</author>
13676
</authorgroup>
13677
<title>Delegation Signer (DS) Resource Record (RR)</title>
13678
<pubdate>December 2003</pubdate>
13679
</biblioentry>
13680
<biblioentry>
13681
<abbrev>RFC3755</abbrev>
13682
<authorgroup>
13683
<author>
13684
<surname>Weiler</surname>
13685
<firstname>S.</firstname>
13686
</author>
13687
</authorgroup>
13688
<title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
13689
<pubdate>May 2004</pubdate>
13690
</biblioentry>
13691
<biblioentry>
13692
<abbrev>RFC3757</abbrev>
13693
<authorgroup>
13694
<author>
13695
<surname>Kolkman</surname>
13696
<firstname>O.</firstname>
13697
</author>
13698
<author>
13699
<surname>Schlyter</surname>
13700
<firstname>J.</firstname>
13701
</author>
13702
<author>
13703
<surname>Lewis</surname>
13704
<firstname>E.</firstname>
13705
</author>
13706
</authorgroup>
13707
<title>Domain Name System KEY (DNSKEY) Resource Record
13708
(RR) Secure Entry Point (SEP) Flag</title>
13709
<pubdate>April 2004</pubdate>
13710
</biblioentry>
13711
<biblioentry>
13712
<abbrev>RFC3845</abbrev>
13713
<authorgroup>
13714
<author>
13715
<surname>Schlyter</surname>
13716
<firstname>J.</firstname>
13717
</author>
13718
</authorgroup>
13719
<title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
13720
<pubdate>August 2004</pubdate>
13721
</biblioentry>
13722
</bibliodiv>
13723
</bibliography>
13724
</sect2>
13725
<sect2 id="internet_drafts">
13726
<title>Internet Drafts</title>
13727
<para>
13728
Internet Drafts (IDs) are rough-draft working documents of
13729
the Internet Engineering Task Force. They are, in essence, RFCs
13730
in the preliminary stages of development. Implementors are
13731
cautioned not
13732
to regard IDs as archival, and they should not be quoted or cited
13733
in any formal documents unless accompanied by the disclaimer that
13734
they are "works in progress." IDs have a lifespan of six months
13735
after which they are deleted unless updated by their authors.
13736
</para>
13737
</sect2>
13738
<sect2>
13739
<title>Other Documents About <acronym>BIND</acronym></title>
13740
<para/>
13741
<bibliography>
13742
<biblioentry>
13743
<authorgroup>
13744
<author>
13745
<surname>Albitz</surname>
13746
<firstname>Paul</firstname>
13747
</author>
13748
<author>
13749
<firstname>Cricket</firstname>
13750
<surname>Liu</surname>
13751
</author>
13752
</authorgroup>
13753
<title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
13754
<copyright>
13755
<year>1998</year>
13756
<holder>Sebastopol, CA: O'Reilly and Associates</holder>
13757
</copyright>
13758
</biblioentry>
13759
</bibliography>
13760
</sect2>
13761
</sect1>
13762
</appendix>
13763
13764
<reference id="Bv9ARM.ch10">
13765
<title>Manual pages</title>
13766
<xi:include href="../../bin/dig/dig.docbook"/>
13767
<xi:include href="../../bin/dig/host.docbook"/>
13768
<xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
13769
<xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
13770
<xi:include href="../../bin/check/named-checkconf.docbook"/>
13771
<xi:include href="../../bin/check/named-checkzone.docbook"/>
13772
<xi:include href="../../bin/named/named.docbook"/>
13773
<!-- named.conf.docbook and others? -->
13774
<!-- nsupdate gives db2latex indigestion, markup problems? -->
13775
<xi:include href="../../bin/rndc/rndc.docbook"/>
13776
<xi:include href="../../bin/rndc/rndc.conf.docbook"/>
13777
<xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
13778
</reference>
13779
13780
</book>
13781
13782
<!--
13783
- Local variables:
13784
- mode: sgml
13785
- End:
13786
-->
Loggerhead is a web-based interface for Breezy
Version: 2.0.1