Bv9ARM-book.xml revision 56f1285ca5d97d3205b74c32dc4de1ea7b69fea1
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.44 2000/11/21 18:12:34 mws Exp $ -->
<para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
to specify the names of entities in the Internet in a hierarchical
manner, the rules used for delegating authority over names, and the
system implementation that actually maps names to Internet
addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
hierarchical databases.</para>
<para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
Internet nameserver for a number of operating systems. This
document provides basic information about the installation and
care of the Internet Software Consortium (<acronym>ISC</acronym>) <acronym>BIND</acronym> version 9
software package for system administrators.</para>
<sect1><title>Organization of This Document</title>
<para>In this document, <emphasis>Section 1</emphasis> introduces
the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
describes resource requirements for running <acronym>BIND</acronym> in various
environments. Information in <emphasis>Section 3</emphasis> is
<emphasis>task-oriented</emphasis> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym>BIND</acronym> 9 software. The task-oriented section is followed by
<emphasis>Section 4</emphasis>, which contains more advanced
concepts that the system administrator may need for implementing
certain options. <emphasis>Section 5</emphasis> describes the <acronym>BIND</acronym> 9 lightweight
resolver. The contents of <emphasis>Section 6</emphasis> are
organized as in a reference manual to aid in the ongoing
maintenance of the software. <emphasis>Section 7</emphasis>
addresses security considerations, and
<emphasis>Section 8</emphasis> contains troubleshooting help. The
main body of the document is followed by several
<emphasis>Appendices</emphasis> which contain useful reference
information, such as a <emphasis>Bibliography</emphasis> and
historic information related to <acronym>BIND</acronym> and the Domain Name
System.</para>
<sect1><title>Conventions Used in This Document</title>
<para>In this document, we use the following general typographic
conventions:</para>
<informaltable colsep = "0" frame = "all" rowsep = "0">
tgroupstyle = "2Level-table">
<colspec colname = "1" colnum = "1" colsep = "0"
colwidth = "3.000in"/>
<colspec colname = "2" colnum = "2" colsep = "0"
colwidth = "2.625in"/>
<entry colname = "1" colsep = "1" rowsep = "1">
<para><emphasis>We use the style:</emphasis></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1">
<para>a pathname, filename, URL, hostname,
mailing list name, or new term or concept</para></entry>
<entry colname = "2" rowsep = "1"><para><filename>Italic</filename></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>literal user
<entry colname = "2" rowsep = "1"><para><userinput>Fixed Width Bold</userinput></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>variable user
<entry colname = "2" rowsep = "1"><para><optional>Fixed Width Italic</optional></para></entry>
<entry colname = "1" colsep = "1"><para>program output</para></entry>
<entry colname = "2"><para><computeroutput>Fixed Width Bold</computeroutput></para></entry>
</informaltable>
<para>The following conventions are used in descriptions of the
<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
<tgroup cols = "2" colsep = "0" rowsep = "0"
tgroupstyle = "2Level-table">
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
<entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
<entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
<entry colname = "2" rowsep = "1"><para><literal>Sans Serif Bold</literal></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
<entry colname = "2" rowsep = "1"><para><varname>Sans Serif Italic</varname></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>"meta-syntactic"
information (within brackets when optional)</para></entry>
<entry colname = "2" rowsep = "1"><para><optional>Fixed Width Italic</optional></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>Command line
<entry colname = "2" rowsep = "1"><para><userinput>Fixed Width Bold</userinput></para></entry>
<entry colname = "1" colsep = "1" rowsep = "1"><para>Program output</para></entry>
<entry colname = "2" rowsep = "1"><para><computeroutput>Fixed Width</computeroutput></para></entry>
<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
<entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
<sect1><title>Discussion of Domain Name System (<acronym>DNS</acronym>) Basics and
<para>The purpose of this document is to explain the installation
and basic upkeep of the <acronym>BIND</acronym> software package, and we begin by reviewing
the fundamentals of the domain naming system as they relate to <acronym>BIND</acronym>.
<acronym>BIND</acronym> consists of a <emphasis>nameserver</emphasis> (or "daemon")
called <command>named</command> and a <command>resolver</command> library.
The <acronym>BIND</acronym> server runs in the background, servicing queries on a well-known
network port. The standard port for the User Datagram Protocol
(UDP) and Transmission Control Protocol (TCP), usually port 53,
is specified in <filename>/etc/services</filename>.
The <emphasis>resolver</emphasis> is a set of routines residing
in a system library that provides the interface that programs can
use to access the domain name services.</para>
<para>A nameserver (NS) is a program that stores information about
named resources and responds to queries from programs called <emphasis>resolvers</emphasis>, which
act as client processes. The basic function of an NS is to provide
information about network objects by answering queries.</para>
<para>With the nameserver, the network can be broken into a hierarchy
of domains. The name space is organized as a tree according to organizational
or administrative boundaries. Each node of the tree, called a domain,
is given a label. The name of the domain is the concatenation of
all the labels of the domains from the root to the current domain.
This is represented in written form as a string of labels listed
from right to left and separated by dots. A label need only be unique
within its domain. The whole name space is partitioned into areas
called <emphasis>zones</emphasis>, each starting at a domain and
extending down to the leaf domains or to domains where other zones
start. Zones usually represent administrative boundaries. For example,
a domain name for a host at the company <emphasis>Example, Inc.</emphasis> would
<para><systemitem class="systemname">ourhost.example.com</systemitem></para>
<para>where <systemitem class="systemname">com</systemitem> is the top level domain to which
<systemitem class="systemname">ourhost.example.com</systemitem> belongs,
<systemitem class="systemname">example</systemitem> is
a subdomain of <systemitem class="systemname">com</systemitem>, and
<systemitem class="systemname">ourhost</systemitem> is the
name of the host.</para>
<para>The specifications for the domain nameserver are defined in
RFC 1034, RFC 1035 and RFC 974. These documents can be found in
<filename>/usr/src/etc/named/doc</filename> in 4.4BSD or are available
via File Transfer Protocol (FTP) from
<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/</ulink>
or via the Web at <ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
(See Appendix C for complete information on finding and retrieving
RFCs.) It is also recommended that you read the related man pages:
<command>named</command> and <command>resolver</command>.</para></sect2>
<para>As we stated previously, a zone is a point of delegation in
the <acronym>DNS</acronym> tree. A zone consists of those contiguous parts of the domain
tree for which a domain server has complete information and over which
it has authority. It contains all domain names from a certain point
downward in the domain tree except those which are delegated to
other zones. A delegation point has one or more NS records in the
parent zone, which should be matched by equivalent NS records at
the root of the delegated zone.</para>
<para>To properly operate a nameserver, it is important to understand
the difference between a <emphasis>zone</emphasis> and a <emphasis>domain</emphasis>.</para>
<para>For instance, consider the <systemitem class="systemname">example.com</systemitem> domain
which includes names such as <systemitem class="systemname">host.aaa.example.com</systemitem>
and <systemitem class="systemname">host.bbb.example.com</systemitem> even
though the <systemitem class="systemname">example.com</systemitem>
zone includes only delegations for the
<systemitem class="systemname">aaa.example.com</systemitem>
and <systemitem class="systemname">bbb.example.com</systemitem> zones.
A zone can map exactly to a single domain, but could also include
only part of a domain, the rest of which could be delegated to other
nameservers. Every name in the <acronym>DNS</acronym> tree is a <emphasis>domain</emphasis>,
even if it is <emphasis>terminal</emphasis>, that is, has no <emphasis>subdomains</emphasis>.
Every subdomain is a domain and every domain except the root is
also a subdomain. The terminology is not intuitive and we suggest
that you read RFCs 1033, 1034 and 1035 to gain a complete understanding
of this difficult and subtle topic.</para>
<para>Though <acronym>BIND</acronym> is a Domain Nameserver, it deals primarily in
terms of zones. The master and slave declarations in the <filename>named.conf</filename> file
specify zones, not domains. When you ask some other site if it is willing
to be a slave server for your <emphasis>domain</emphasis>, you are
actually asking for slave service for some collection of zones.</para>
<para>Each zone will have one <emphasis>primary master</emphasis> (also
called <emphasis>primary</emphasis>) server which loads the zone
contents from some local file edited by humans or perhaps generated
mechanically from some other local file which is edited by humans.
Then there will be some number of <emphasis>slave</emphasis> (also
called <emphasis>secondary</emphasis>) servers, which load the zone
contents using the <acronym>DNS</acronym> protocol (that is, the secondary servers
will contact the primary and fetch the zone data using TCP). This
set of servers — the primary and all of its secondaries — should be
listed in the NS records in the parent zone and will constitute a <emphasis>delegation</emphasis>.
This set of servers must also be listed in the zone file itself,
usually under the <command>@</command> name which indicates the <emphasis>top
level</emphasis> or <emphasis>root</emphasis> of the current zone.
You can list servers in the zone's top-level <command>@</command> NS
records that are not in the parent's NS delegation, but you cannot
list servers in the parent's delegation that are not present in
<para>Any servers listed in the NS records must be configured as <emphasis>authoritative</emphasis> for
the zone. A server is authoritative for a zone when it has been
configured to answer questions for that zone with authority, which
it does by setting the "authoritative answer" (AA) bit in reply
packets. A server may be authoritative for more than one zone. The
authoritative data for a zone is composed of all of the Resource
Records (RRs) — the data associated with names in a tree-structured
name space — attached to all of the nodes from the top node of the
zone down to leaf nodes or nodes above cuts around the bottom edge
of the zone.</para>
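<para>As an added illustration (not part of the ARM and not BIND code), the following Python models two points made above: a name is served from the closest zone apex at or above it, so <systemitem class="systemname">host.aaa.example.com</systemitem> lies in the <systemitem class="systemname">example.com</systemitem> domain but in the <systemitem class="systemname">aaa.example.com</systemitem> zone; and the NS set a parent publishes for a delegation must be a subset of the NS set at the child's apex. The zone apexes, host names and nameserver names are constructed for the example.</para>

```python
"""Zone-cut and delegation-consistency model for the zone/domain distinction.
Added example, not code from the BIND 9 ARM; the zone apexes, host names and
nameserver names below are constructed for illustration."""


def normalize(name):
    """Canonical absolute form: lower-case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def labels(name):
    """Labels of a name in tree order, root side first:
    'host.aaa.example.com' -> ['com', 'example', 'aaa', 'host']."""
    body = normalize(name).rstrip(".")
    return [] if body == "" else list(reversed(body.split(".")))


def ancestors(name):
    """Every domain on the path from the name itself up to the root ('.')."""
    labs = labels(name)
    return [".".join(reversed(labs[:i])) + "." for i in range(len(labs), -1, -1)]


def in_domain(domain, name):
    """True when `name` lies in the `domain` subtree (the domain itself included)."""
    return normalize(domain) in ancestors(name)


def enclosing_zone(name, zone_apexes):
    """The zone whose authoritative data holds `name`: the closest known apex at
    or above it.  Below a delegation the child zone wins, even though the name
    is still inside the parent *domain*.  None when no known zone covers it."""
    apexes = {normalize(a) for a in zone_apexes}
    for candidate in ancestors(name):
        if candidate in apexes:
            return candidate
    return None


def check_delegation(parent_ns, child_apex_ns):
    """Compare the NS records the parent publishes for a delegation with the
    NS set at the child's apex: the child may list extra servers, but every
    server in the parent's delegation must also appear at the child apex."""
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_apex_ns}
    return {
        "consistent": parent <= child,
        "missing_at_child": sorted(parent - child),  # must be fixed
        "extra_at_child": sorted(child - parent),    # permitted by the rule above
    }


# Constructed layout: example.com delegates aaa and bbb to separate zones.
ZONES = ["example.com", "aaa.example.com", "bbb.example.com"]

if __name__ == "__main__":
    for host in ("host.aaa.example.com", "www.example.com", "host.ccc.example.com"):
        print(f"{host:22} in example.com domain: {in_domain('example.com', host)}"
              f"  served from zone: {enclosing_zone(host, ZONES)}")
    print(check_delegation({"ns1.example.com", "ns9.example.com"},
                           {"ns1.example.com", "ns2.example.com", "ns3.example.com"}))
```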
<para>Adding a zone as a type master or type slave will tell the
server to answer questions for the zone authoritatively. If the
server is able to load the zone into memory without any errors it
will set the AA bit when it replies to queries for the zone. See
RFCs 1034 and 1035 for more information about the AA bit.</para></sect2>
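<para>To make the AA bit concrete, here is an added example (not part of the ARM and not BIND code) that decodes the RFC 1035 header flags of a reply and reports whether the responder claimed authority; it also walks the answer section, handling name compression safely. The two reply packets are constructed by hand for <systemitem class="systemname">ourhost.example.com</systemitem> rather than captured from a server.</para>

```python
"""Decode a DNS reply header and report whether the responding server set the
AA ("authoritative answer") bit.  Added example, not code from the BIND 9 ARM;
both reply packets are constructed by hand from the RFC 1035 wire format."""
import struct

FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7}  # bit numbers in the flags word
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(pkt: bytes) -> dict:
    """Unpack the fixed 12-byte header (RFC 1035 section 4.1.1)."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    hdr = {"id": ident, "opcode": (flags >> 11) & 0xF,
           "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    for flag, bit in FLAG_BITS.items():
        hdr[flag] = bool(flags & (1 << bit))
    return hdr


def read_name(pkt: bytes, offset: int):
    """Read a possibly compressed name (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, seen, resume = [], set(), None
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past the end of the message")
        length = pkt[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-octet compression pointer
            if offset + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if target in seen:  # refuse pointer loops instead of spinning
                raise ValueError("compression pointer loop")
            seen.add(target)
            if resume is None:
                resume = offset + 2  # the caller continues after the first pointer
            offset = target
            continue
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (offset if resume is None else resume)


def parse_reply(pkt: bytes) -> dict:
    """Header, question name and answer section; A-record RDATA is rendered
    as a dotted quad, anything else as hex."""
    hdr = parse_header(pkt)
    qname, offset = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(hdr["ancount"]):
        name, offset = read_name(pkt, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": text})
    return {"header": hdr, "question": qname, "qtype": qtype, "answers": answers}


def is_authoritative(pkt: bytes) -> bool:
    """A reply counts as authoritative only when both QR and AA are set."""
    hdr = parse_header(pkt)
    return hdr["QR"] and hdr["AA"]


# --- constructed sample packets (not captured from a real server) -----------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split(".")) + b"\x00"


def build_reply(ident: int, flags: int, qname: str, answers) -> bytes:
    """One question plus A-record answers whose owner name is a pointer
    (0xC00C) back to the question name at offset 12."""
    pkt = struct.pack("!6H", ident, flags, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ttl, ipv4 in answers:
        rdata = bytes(int(octet) for octet in ipv4.split("."))
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return pkt


# QR|AA|RD (0x8500): what a master or slave for example.com returns.
AUTHORITATIVE_REPLY = build_reply(0x1234, 0x8500, "ourhost.example.com", [(3600, "192.0.2.10")])
# QR|RD|RA (0x8180), AA clear: the same data relayed by a caching-only server.
CACHED_REPLY = build_reply(0x1235, 0x8180, "ourhost.example.com", [(1800, "192.0.2.10")])

if __name__ == "__main__":
    for kind, pkt in (("authoritative", AUTHORITATIVE_REPLY), ("cached", CACHED_REPLY)):
        reply = parse_reply(pkt)
        print(kind, "AA =", reply["header"]["AA"], reply["question"], reply["answers"])
```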
<para>A <acronym>DNS</acronym> server can be master for some zones and slave for others
or can be only a master, or only a slave, or can serve no zones
and just answer queries via its <emphasis>cache</emphasis>. Master
servers are often also called <emphasis>primaries</emphasis> and
slave servers are often also called <emphasis>secondaries</emphasis>.
Both master/primary and slave/secondary servers are authoritative
for a zone.</para>
<para>All servers keep data in their cache until the data expires,
based on a Time To Live (TTL) field which is maintained for all
resource records.</para>
<para>The <emphasis>primary master server</emphasis> is the ultimate
source of information about a domain. The primary master is an authoritative
server configured to be the source of zone transfer for one or more
secondary servers. The primary master server obtains data for the
<para>A <emphasis>slave server</emphasis>, also called a <emphasis>secondary
server</emphasis>, is an authoritative server that uses zone transfers from
the primary master server to retrieve the zone data. Optionally,
the slave server obtains zone data from a cache on disk. Slave servers
provide necessary redundancy. All secondary/slave servers are named
<para>Some servers are <emphasis>caching only servers</emphasis>.
This means that the server caches the information that it receives
and uses it until the data expires. A caching only server is a server
that is not authoritative for any zone. This server services queries
and asks other servers, who have the authority, for the information
<para>Instead of interacting with the nameservers for the root and
other domains, a <emphasis>forwarding server</emphasis> always forwards
queries it cannot satisfy from its authoritative data or cache to
a fixed list of other servers. The forwarded queries are also known
as <emphasis>recursive queries</emphasis>, the same type as a client would
send to a server. There may be one or more servers forwarded to,
and they are queried in turn until the list is exhausted or an answer
is found. A forwarding server is typically used when you do not
wish all the servers at a given site to interact with the rest of
the Internet servers. A typical scenario would involve a number
of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
to pass packets through the firewall would forward to the server
that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
on the internal server's behalf. An added benefit of using the forwarding
feature is that the central machine develops a much more complete
cache of information that all the workstations can take advantage
<para>There is no prohibition against declaring a server to be a
forwarder even though it has master and/or slave zones as well;
the effect will still be that anything in the local server's cache
or zones will be answered, and anything else will be forwarded using
<para>A <emphasis>stealth server</emphasis> is a server that answers
authoritatively for a zone, but is not listed in that zone's NS
records. Stealth servers can be used as a way to centralize distribution
of a zone, without having to edit the zone on a remote nameserver.
Where the master file for a zone resides on a stealth server in
this way, it is often referred to as a "hidden primary" configuration.
Stealth servers can also be a way to keep a local copy of a zone
for rapid access to the zone's records, even if all "official" nameservers
for the zone are inaccessible.</para>
<chapter id="ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
<sect1><title>Hardware requirements</title>
<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
For many installations, servers that have been pensioned off from
active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
CPU intensive, however, so organizations that make heavy use of these
features may wish to consider larger systems for these applications.
<acronym>BIND</acronym> 9 is now fully multithreaded, allowing full utilization of
multiprocessor systems for installations that need it.</para></sect1>
<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
for serving of static zones without caching, to enterprise-class
machines if you intend to process many dynamic updates and DNSSEC
signed zones, serving many thousands of queries per second.</para></sect1>
<sect1><title>Memory Requirements</title>
<para>The memory of the server has to be large enough to fit the
cache and zones loaded off disk. Future releases of <acronym>BIND</acronym> 9 will
provide methods to limit the amount of memory used by the cache,
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
traffic. It is still good practice to have enough memory to load
all zone and cache data into memory — unfortunately, the best way
to determine this for a given installation is to watch the nameserver
in operation. After a few weeks the server process should reach
a relatively stable size where entries are expiring from the cache as
fast as they are being inserted. Ideally, the resource limits should
be set higher than this stable size.</para></sect1>
<sect1><title>Nameserver Intensive Environment Issues</title>
<para>For nameserver intensive environments, there are two alternative
configurations that may be used. The first is where clients and
any second-level internal nameservers query a main nameserver, which
has enough memory to build a large cache. This approach minimizes
the bandwidth used by external name lookups. The second alternative
is to set up second-level internal nameservers to make queries independently.
In this configuration, none of the individual machines needs to
have as much memory or CPU power as in the first alternative, but
this has the disadvantage of making many more external queries,
as none of the nameservers share their cached data.</para></sect1>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson<sect1><title>Supported Operating Systems</title>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson<para>ISC <acronym>BIND</acronym> 9 compiles and runs on the following operating
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafssonsystems:</para>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <itemizedlist>
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews <listitem><simpara>Compaq Digital/Tru64 UNIX 4.0D</simpara></listitem>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson <listitem><simpara>Red Hat Linux 6.0, 6.1</simpara></listitem>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson <listitem><simpara>Sun Solaris 2.6, 7, 8 (beta)</simpara></listitem>
619fb9349b7f65ab599e8ae91056e9613a4a42feDavid Lawrence <listitem><simpara>NetBSD-current with "unproven" pthreads</simpara></listitem>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson </itemizedlist>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson<para>In this section we provide some suggested configurations along
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafssonwith guidelines for their use. We also address the topic of reasonable
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafssonoption setting.</para>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson <para>The following sample configuration is appropriate for a caching-only
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafssonname server for use by clients internal to a corporation. All queries
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafssonfrom outside clients are refused.</para>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson <programlisting>
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson// Two corporate subnets we wish to allow queries from.
3a36d3d7e6a88a8f83c6c8735a96b2ca1c7d7713Olafur Gudmundssonacl "corpnets" { 192.168.4.0/24; 192.168.7.0/24; };
3a36d3d7e6a88a8f83c6c8735a96b2ca1c7d7713Olafur Gudmundsson directory "/etc/namedb"; // Working directory
4cc66f2516f5b520732412b391eea80020c68fbbAndreas Gustafsson pid-file "named.pid"; // Put pid file in working dir
4cc66f2516f5b520732412b391eea80020c68fbbAndreas Gustafsson allow-query { "corpnets"; };
3a36d3d7e6a88a8f83c6c8735a96b2ca1c7d7713Olafur Gudmundsson// Root server hints
3a36d3d7e6a88a8f83c6c8735a96b2ca1c7d7713Olafur Gudmundssonzone "." { type hint; file "root.hint"; };
3a36d3d7e6a88a8f83c6c8735a96b2ca1c7d7713Olafur Gudmundsson// Provide a reverse mapping for the loopback address 127.0.0.1
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews type master;
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews</programlisting>
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews <title>An Authoritative-only Nameserver</title>
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews <para>This sample configuration is for an authoritative-only server
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsthat is the master server for "<filename>example.com</filename>"
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsand a slave for the subdomain "<filename>eng.example.com</filename>".</para>
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence <programlisting>
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence pid-file "named.pid"; // Put pid file in working dir
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews allow-query { any; }; // This is the default
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews recursion no; // Do not provide recursive service
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews// Root server hints
0c67279acb4a6ac356879498b220645755d77cc9Mark Andrewszone "." { type hint; file "root.hint"; };
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews// Provide a reverse mapping for the loopback address 127.0.0.1
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews type master;
89140b7f746e3e33c5a5a750f2802cf21b8d2c79Mark Andrews// We are the master server for example.com
89140b7f746e3e33c5a5a750f2802cf21b8d2c79Mark Andrews type master;
89140b7f746e3e33c5a5a750f2802cf21b8d2c79Mark Andrews // IP addresses of slave servers allowed to transfer example.com
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson allow-transfer {
89140b7f746e3e33c5a5a750f2802cf21b8d2c79Mark Andrews 192.168.4.14;
89140b7f746e3e33c5a5a750f2802cf21b8d2c79Mark Andrews 192.168.5.53;
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson// We are a slave server for eng.example.com
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson // IP address of eng.example.com master server
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson masters { 192.168.4.12; };
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson</programlisting>
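<para>As an added example (not from the ARM or the BIND sources), the following Python script parses the named.conf subset these samples use and checks the settings the two configurations rely on: an internal caching server refusing outside clients through <command>allow-query</command>, and an authoritative-only server with <command>recursion no</command> and an <command>allow-transfer</command> list naming its slaves. The configuration texts and zone file names inside it are constructed for the example.</para>

```python
import re

# Tokens of the named.conf subset used in the samples: quoted strings,
# braces, semicolons and bare words.  // # and /* */ comments are dropped.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def parse_named_conf(text):
    """Parse into (words, body) statements: 'recursion no;' becomes
    (['recursion', 'no'], None); a braced block becomes a nested list."""
    tokens = _TOKEN.findall(_strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, body = [], None
            while tokens[pos] != ";":
                if tokens[pos] == "{":
                    pos += 1
                    body = block()
                    if pos >= len(tokens) or tokens[pos] != "}":
                        raise ValueError("unbalanced braces")
                else:
                    words.append(tokens[pos].strip('"'))
                pos += 1
            pos += 1  # consume the ';'
            stmts.append((words, body))
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise ValueError("stray '}'")
    return stmts

def _find(stmts, keyword):
    return [(w, b) for w, b in stmts if w and w[0] == keyword]

def _values(body):
    return [w[0] for w, _ in (body or []) if w]

def audit(config_text, role):
    """Return findings for role 'caching' (internal resolver, as in the
    caching-only sample) or 'authoritative' (authoritative-only sample)."""
    top = parse_named_conf(config_text)
    opts = _find(top, "options")
    options = opts[0][1] if opts else []
    findings = []

    if role == "caching":
        # The sample refuses outside clients with allow-query { "corpnets"; };
        # the default is allow-query { any; }.
        allow_query = _find(options, "allow-query")
        if not allow_query or "any" in _values(allow_query[0][1]):
            findings.append("allow-query is open; restrict it to an internal ACL")

    if role == "authoritative":
        # The sample sets 'recursion no' so the server answers only for its zones.
        recursion = _find(options, "recursion")
        if not recursion or recursion[0][0][1:] != ["no"]:
            findings.append("recursion is not disabled; add 'recursion no'")

    for words, body in _find(top, "zone"):
        # Master zones should name their slaves in allow-transfer, as the
        # sample does for example.com; otherwise BIND 9.0 allows any host.
        ztype = _find(body or [], "type")
        if ztype and ztype[0][0][1:] == ["master"]:
            xfer = _find(body, "allow-transfer")
            if not xfer or "any" in _values(xfer[0][1]):
                findings.append(f'zone "{words[1]}": allow-transfer is unrestricted')
    return findings

# Constructed configurations; zone file names are placeholders.
WEAK_AUTH = """
options { directory "/etc/namedb"; }; zone "." { type hint; file "root.hint"; };
zone "example.com" { type master; file "example.com.db"; };
"""
HARDENED_AUTH = """
options {
    allow-query { any; };   // acceptable for an authoritative-only server
    recursion no;           // do not provide recursive service
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { 192.168.4.14; 192.168.5.53; };
};
zone "eng.example.com" { type slave; file "eng.example.com.bk"; masters { 192.168.4.12; }; };
"""
OPEN_CACHE = 'options { directory "/etc/namedb"; };'
CORP_CACHE = """
acl "corpnets" { 192.168.4.0/24; 192.168.7.0/24; };
options { directory "/etc/namedb"; allow-query { "corpnets"; }; };
"""

if __name__ == "__main__":
    for text, role in [(WEAK_AUTH, "authoritative"), (HARDENED_AUTH, "authoritative"),
                       (OPEN_CACHE, "caching"), (CORP_CACHE, "caching")]:
        print(role, audit(text, role) or ["ok"])
```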
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews <para>Primitive load balancing can be achieved in <acronym>DNS</acronym> using multiple
e68714fd954e82d3ff157c85f623c76657b7ae35Mark AndrewsA records for one name.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews<para>For example, if you have three WWW servers with network addresses
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsof 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsfollowing means that clients will connect to each machine one third
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsof the time:</para>
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
 colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
<thead>
<row>
<entry colname = "1"><para>Name</para></entry>
<entry colname = "2"><para>TTL</para></entry>
<entry colname = "3"><para>CLASS</para></entry>
<entry colname = "4"><para>TYPE</para></entry>
<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
</row>
</thead>
<tbody>
<row>
<entry colname = "1"><para><literal>www</literal></para></entry>
<entry colname = "2"><para><literal>600</literal></para></entry>
<entry colname = "3"><para><literal>IN</literal></para></entry>
<entry colname = "4"><para><literal>A</literal></para></entry>
<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
</row>
<row>
<entry colname = "1"><para></para></entry>
<entry colname = "2"><para><literal>600</literal></para></entry>
<entry colname = "3"><para><literal>IN</literal></para></entry>
<entry colname = "4"><para><literal>A</literal></para></entry>
<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
</row>
<row>
<entry colname = "1"><para></para></entry>
<entry colname = "2"><para><literal>600</literal></para></entry>
<entry colname = "3"><para><literal>IN</literal></para></entry>
<entry colname = "4"><para><literal>A</literal></para></entry>
<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews them and respond to the query with the records in a different
82d05588933a3c765aa8518fe455d6477d640b99Mark Andrews order. In the example above, clients will randomly receive
82d05588933a3c765aa8518fe455d6477d640b99Mark Andrews records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
f1e96dc67f690f49aefdb4e90891bad02e7c06efBob Halley will use the first record returned and discard the rest.</para>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff <para>For more detail on ordering responses, check the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <command>rrset-order</command> substatement in the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews This substatement is not supported in
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews <acronym>BIND</acronym> 9, and only the ordering scheme described above is
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews available.</para>
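<para>The rotation described above, as an added example that is not part of the ARM: a Python simulation of cyclic RRset rotation over the three A records from the table. It also shows the limit of this kind of balancing when clients sit behind caching resolvers that reuse one rotated answer for the whole 600-second TTL; the resolver layout is constructed for the example.</para>

```python
from collections import Counter
from itertools import islice

# The RRset from the table above: (owner, ttl, class, type, rdata).
WWW_RRSET = [
    ("www", 600, "IN", "A", "10.0.0.1"),
    ("www", 600, "IN", "A", "10.0.0.2"),
    ("www", 600, "IN", "A", "10.0.0.3"),
]

def cyclic_responses(rrset):
    """Yield the RRset in successive cyclic rotations, one per query the
    authoritative server answers (the only ordering scheme in BIND 9.0)."""
    n = len(rrset)
    start = 0
    while True:
        yield rrset[start:] + rrset[:start]
        start = (start + 1) % n

def answer_orders(rrset, nqueries):
    """The rdata order seen by each of nqueries successive direct queries."""
    return [tuple(rr[4] for rr in resp)
            for resp in islice(cyclic_responses(rrset), nqueries)]

def first_record_share(rrset, nqueries):
    """How often each address comes first when every client queries the
    authoritative server directly and uses only the first record."""
    counts = Counter()
    for resp in islice(cyclic_responses(rrset), nqueries):
        counts[resp[0][4]] += 1
    return counts

def first_record_share_cached(rrset, nresolvers, clients_per_resolver):
    """Same tally when clients sit behind caching resolvers: within one TTL
    each resolver asks the authoritative server once and hands that single
    rotated answer to all of its clients, so the balancing happens per
    resolver, not per client (constructed scenario)."""
    auth = cyclic_responses(rrset)
    counts = Counter()
    for _ in range(nresolvers):
        cached = next(auth)
        counts[cached[0][4]] += clients_per_resolver
    return counts

if __name__ == "__main__":
    print(answer_orders(WWW_RRSET, 3))
    print(dict(first_record_share(WWW_RRSET, 300)))
    print(dict(first_record_share_cached(WWW_RRSET, 2, 150)))
```

With two resolvers and 150 clients each, 10.0.0.3 never receives a connection during that TTL even though the authoritative server rotated correctly.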
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews <para><acronym>DNS</acronym> Notify is a mechanism that allows master nameservers to
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence notify their slave servers of changes to a zone's data. In
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews response to a <command>NOTIFY</command> from a master server, the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews slave will check to see that its version of the zone is the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews current version and, if not, initiate a transfer.</para> <para><acronym>DNS</acronym>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews Notify is fully documented in RFC 1996. See also the description
3a7a4eb1a5ad2deb50031e37e031190a7f581f57Andreas Gustafsson of the zone option <command>also-notify</command> in <xref
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley linkend="zone_transfers"/>. For more information about
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <title>Tools for Use With the Nameserver Daemon</title>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <para>There are several indispensable diagnostic, administrative
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsand monitoring tools available to the system administrator for controlling
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsand debugging the nameserver daemon. We describe several in this
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewssection.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <variablelist>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <varlistentry>
90880946803188d7c6b3ca7dea69761eb21241c2Mark Andrews <para>The domain information groper (<command>dig</command>) is
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsa command line tool that can be used to gather information from
90880946803188d7c6b3ca7dea69761eb21241c2Mark Andrewsthe Domain Name System servers. Dig has two modes: a simple interactive
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsmode for a single query, and a batch mode which executes one query for
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graffeach line in a list of several query lines. All query options are accessible
90880946803188d7c6b3ca7dea69761eb21241c2Mark Andrewsfrom the command line.</para>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <arg choice="plain"><replaceable>domain</replaceable></arg>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <arg><replaceable>query-type</replaceable></arg>
8ba076755dff7083c0487e4974e62572da8e8ba4Andreas Gustafsson <arg><replaceable>query-class</replaceable></arg>
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley <arg>+<replaceable>query-option</replaceable></arg>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <arg>-<replaceable>dig-option</replaceable></arg>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <arg>%<replaceable>comment</replaceable></arg>
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews </cmdsynopsis>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <para>The usual simple use of dig will take the form</para>
0c67279acb4a6ac356879498b220645755d77cc9Mark Andrews <simpara><command>dig @server domain query-type query-class</command></simpara>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <para>For more information and a list of available commands and
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsoptions, see the <command>dig</command> man page.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews </varlistentry>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <varlistentry>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewsprovides a simple <acronym>DNS</acronym> lookup using a command-line interface for
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewslooking up Internet hostnames. By default, the utility converts
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsbetween host names and Internet addresses, but its functionality
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafssoncan be extended with the use of options.</para>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <arg>-W <replaceable>timeout</replaceable></arg>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <arg>-R <replaceable>retries</replaceable></arg>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <arg choice="plain"><replaceable>hostname</replaceable></arg>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews </cmdsynopsis>
3a7a4eb1a5ad2deb50031e37e031190a7f581f57Andreas Gustafsson <para>For more information and a list of available commands and
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graffoptions, see the <command>host</command> man page.</para>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews </varlistentry>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <varlistentry>
b9fd2590a7e8b788f5efe4c721b83e9d2dca3625Bob Halley <para><command>nslookup</command> is a program used to query Internet
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graffdomain nameservers. <command>nslookup</command> has two modes: interactive
0c67279acb4a6ac356879498b220645755d77cc9Mark Andrewsand non-interactive. Interactive mode allows the user to query nameservers
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsfor information about various hosts and domains or to print a list
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsof hosts in a domain. Non-interactive mode is used to print just
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewsthe name and requested information for a host or domain.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <arg><replaceable>host-to-find</replaceable></arg>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff </cmdsynopsis>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews<para>Interactive mode is entered when no arguments are given (the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsdefault nameserver will be used) or when the first argument is a
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewshyphen (`-') and the second argument is the host name or Internet address
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsof a nameserver.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews<para>Non-interactive mode is used when the name or Internet address
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsof the host to be looked up is given as the first argument. The
904a5734375869ffb504ed8cde6b68cafadb6d64Bob Halleyoptional second argument specifies the host name or address of a nameserver.</para>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews<para>Due to its arcane user interface and frequently inconsistent
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewsbehavior, we do not recommend the use of <command>nslookup</command>.</para>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews </varlistentry>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews </variablelist>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <para>Administrative tools play an integral part in the management
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewsof a server.</para>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <variablelist>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence <para>The remote name daemon control
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews (<command>rndc</command>) program allows the system
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence administrator to control the operation of a nameserver.
d44cd3fc3abd78fbe387715077a784201f7f0874Mark Andrews If you run <command>rndc</command> without any options
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff it will display a usage message as follows:</para>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <arg>-c <replaceable>config</replaceable></arg>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff <arg>-s <replaceable>server</replaceable></arg>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews <arg choice="plain"><replaceable>command</replaceable></arg>
3a7a4eb1a5ad2deb50031e37e031190a7f581f57Andreas Gustafsson <arg rep="repeat"><replaceable>command</replaceable></arg>
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley </cmdsynopsis>
 <para><command>command</command> is one of the following:</para>
 <informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
 colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
 <colspec colname = "1" colnum = "1" colsep = "0"/>
 <colspec colname = "2" colnum = "2" colsep = "0"
 colwidth = "3.000in"/>
 <tbody>
 <row>
<entry colname = "1"><para><userinput>status</userinput><footnote id="nyi1"><para>Not yet implemented in <acronym>BIND</acronym> 9.0.0.</para></footnote></para></entry>
<entry colname = "2"><para>Display ps(1) status of named.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>dumpdb</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Dump database and cache to /var/tmp/named_dump.db.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>refresh</userinput></para></entry>
<entry colname = "2"><para>Forced refresh of specified zone.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>reload</userinput></para></entry>
<entry colname = "2"><para>Reload configuration file and zones.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>stats</userinput></para></entry>
<entry colname = "2"><para>Dump statistics to /var/tmp/named.stats.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>trace</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Increment debugging level by one.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>notrace</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Set debugging level to 0.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>querylog</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Toggle query logging.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>stop</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Stop the server.</para></entry>
 </row>
 <row>
<entry colname = "1"><para><userinput>restart</userinput><footnoteref linkend="nyi1"/></para></entry>
<entry colname = "2"><para>Restart the server.</para></entry>
 </row>
 </tbody>
 </tgroup>
 </informaltable>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <para>As noted above, only a limited number of commands are
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews available for <acronym>BIND</acronym> 9.0.0. The other
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews commands, and more, are planned to be implemented for
732e0731dec1922747bb3b3147cf2c3d16b22eaaBob Halley future releases.</para>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <para>A configuration file is required, since all
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews communication with the server is authenticated with
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews digital signatures that rely on a shared secret, and
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews there is no way to provide that secret other than with a
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews configuration file. The default location for the
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <command>rndc</command> configuration file is <filename>/etc/rndc.conf</filename>, but an alternate
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews location can be specified with the <option>-c</option>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews option.</para>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews <para>The format of the configuration file is similar to
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews that of <filename>named.conf</filename>, but limited to
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews only three statements, the <command>options{}</command>,
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff <command>key{}</command> and <command>server{}</command>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews statements. These statements are what associate the
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews secret keys to the servers with which they are meant to
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews be shared. The order of statements is not
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews significant.</para>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews<para>The <command>options{}</command> statement has two clauses: <command>default-server</command> and <command>default-key</command>. <command>default-server</command> takes a
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewshost name or address argument and represents the server that will
904a5734375869ffb504ed8cde6b68cafadb6d64Bob Halleybe contacted if no <option>-s</option> option is provided on the command line. <command>default-key</command> takes
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafssonthe name of a key as its argument, as defined by a <command>key{}</command> statement.
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews In the future a <command>default-port</command> clause will be
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsadded to specify the port to which <command>rndc</command> should
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsconnect.</para>
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews<para>The <command>key{}</command> statement names a key with its
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsstring argument. The string is required by the server to be a valid
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrewsdomain name, though it need not actually be hierarchical; thus,
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafssona string like "<userinput>rndc_key</userinput>" is a valid name.
fdd04623a6a36aad8449ef0877d8801a558873b8Mark AndrewsThe <command>key{}</command> statement has two clauses: <command>algorithm</command> and <command>secret</command>.
3a7a4eb1a5ad2deb50031e37e031190a7f581f57Andreas Gustafsson While the configuration parser will accept any string as the argument
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halleyto algorithm, currently only the string "<userinput>hmac-md5</userinput>"
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halleyhas any meaning. The secret is a base-64 encoded string, typically
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewsgenerated with either <command>dnssec-keygen</command> or <command>mmencode</command>.</para>
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrews<para>The <command>server{}</command> statement uses the key clause
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafssonto associate a <command>key{}</command>-defined key with a server.
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews The argument to the <command>server{}</command> statement is a
fdd04623a6a36aad8449ef0877d8801a558873b8Mark Andrewshost name or address (addresses must be double quoted). The argument
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsto the key clause is the name of the key as defined by the <command>key{}</command> statement.
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews A <command>port</command> clause will be added to a future release
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsto specify the port to which <command>rndc</command> should connect
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewson the given server.</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews<para>A sample minimal configuration file is as follows:</para>
 <programlisting>
key rndc_key {
 algorithm "hmac-md5";
 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
 default-server localhost;
 default-key rndc_key;
};
</programlisting>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewswould allow the command:</para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews <para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrews<para>to connect to 127.0.0.1 port 953 and cause the nameserver
82d05588933a3c765aa8518fe455d6477d640b99Mark Andrewsto reload, if a nameserver on the local machine were running with
f1e96dc67f690f49aefdb4e90891bad02e7c06efBob Halleythe following <command>controls</command> statement:</para>
 <programlisting>
controls {
 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
</programlisting>
3ff55a3111fe09f517218905248974b8319b2c59Mark Andrews<para>and it had an identical key statement for
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews </varlistentry>
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews </variablelist>
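<para>To illustrate the shared-secret authentication that the <command>rndc</command> configuration file exists for, here is an added Python example. It is not the rndc or named implementation and not the rndc wire protocol (the message is simplified to a key name, a command and an HMAC-MD5 tag): the client signs with the key from <filename>rndc.conf</filename>, and the server accepts only when its <command>controls</command> statement lists that key name and its own <command>key{}</command> statement carries the identical secret. The second secret and the tampered command are constructed for the example.</para>

```python
import base64
import binascii
import hashlib
import hmac
import os

# The key{} statement from the sample rndc.conf above, as name -> (algorithm, secret).
RNDC_CONF_KEYS = {
    "rndc_key": ("hmac-md5",
                 "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"),
}

def make_secret(nbytes=16):
    """Produce a secret the way mmencode or dnssec-keygen output one: base-64
    of random bytes.  (Constructed helper; the real tools do this for you.)"""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")

def decode_secret(secret_b64):
    """The secret clause must hold valid base-64; reject a mistyped one early."""
    try:
        return base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid base-64") from exc

def _mac(algorithm, secret_b64, command):
    # Only "hmac-md5" has meaning in this release; an explicit check makes a
    # typo in the algorithm clause fail instead of silently signing.
    if algorithm != "hmac-md5":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return hmac.new(decode_secret(secret_b64), command.encode("ascii"),
                    hashlib.md5).hexdigest()

def sign_command(keys, key_name, command):
    """Client side: what 'rndc reload' sends when default-key names key_name."""
    algorithm, secret = keys[key_name]
    return {"key": key_name, "command": command,
            "mac": _mac(algorithm, secret, command)}

def verify_message(msg, server_keys, controls_keys):
    """Server side: the controls statement's keys { ... } list plus the
    server's own key{} statements.  True only if the key name is permitted
    by controls, defined on the server, and the MAC matches."""
    name = msg["key"]
    if name not in controls_keys or name not in server_keys:
        return False
    algorithm, secret = server_keys[name]
    try:
        expected = _mac(algorithm, secret, msg["command"])
    except ValueError:
        return False
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, msg["mac"])

def demo():
    """Matching secrets succeed; a server with a different secret, a key name
    missing from controls, or a modified command all fail."""
    msg = sign_command(RNDC_CONF_KEYS, "rndc_key", "reload")
    other_server = {"rndc_key": ("hmac-md5", make_secret())}  # constructed mismatch
    tampered = dict(msg, command="stop")
    return (
        verify_message(msg, RNDC_CONF_KEYS, {"rndc_key"}),
        verify_message(msg, other_server, {"rndc_key"}),
        verify_message(msg, RNDC_CONF_KEYS, set()),
        verify_message(tampered, RNDC_CONF_KEYS, {"rndc_key"}),
    )

if __name__ == "__main__":
    print(demo())
```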
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews<para>Certain UNIX signals cause the name server to take specific
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsactions, as described in the following table. These signals can
dd082cc554adc1f639e74b0a2eacb52ca3b5c06cMark Andrewsbe sent using the <command>kill</command> command.</para>
<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
 colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
<tbody>
<row>
<entry colname = "1"><para><command>SIGHUP</command></para></entry>
<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and</para></entry>
</row>
<row>
<entry colname = "1"><para><command>SIGTERM</command></para></entry>
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
</row>
<row>
<entry colname = "1"><para></para></entry>
<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
e68714fd954e82d3ff157c85f623c76657b7ae35Mark Andrews <para>Dynamic update is the term used for the ability under
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews certain specified conditions to add, modify or delete records or
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews RRsets in the master zone files. Dynamic update is fully described
ffe74cc719aa0f10c38fbc1f2f3ea7db0960cb8fMark Andrews in RFC 2136.</para>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <para>Dynamic update is enabled on a zone-by-zone basis, by
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson including an <command>allow-update</command> or
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <command>update-policy</command> clause in the
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <command>zone</command> statement.</para>
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson <para>Updating of secure zones (zones using DNSSEC) is modelled
64b42acc5f74d82e7023fa79a8703afeb8b82ffcAndreas Gustafsson after the <emphasis>simple-secure-update</emphasis> proposal, a
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley work in progress in the DNS Extensions working group of the IETF.
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley (See <ulink url="http://www.ietf.org/html.charters/dnsext-charter.html">http://www.ietf.org/html.charters/dnsext-charter.html</ulink>
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley for information about the DNS Extensions working group.) SIG and
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley NXT records affected by updates are automatically regenerated by
aeb1ccee6a436c5b709f12d33d1b64838d2c85cbBob Halley the server using an online zone key. Update authorization is based
81cc8efc642898394bf27b05442c95bf28856886Olafur Gudmundsson on transaction signatures and an explicit server policy.</para>
<para>The zone files of dynamic zones must not be edited by hand.
The zone file on disk at any given time may not contain the latest
changes performed by dynamic update. The zone file is written to
disk only periodically, and changes that have occurred since the
zone file was last written to disk are stored only in the zone's
journal (<filename>.jnl</filename>) file. <acronym>BIND</acronym> 9 currently does
not update the zone file when it exits as <acronym>BIND</acronym> 8 does, so editing
the zone file manually is unsafe even when the server has been
shut down.</para>
<sect1><title>Incremental Zone Transfers (IXFR)</title>
<para>The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is documented in RFC
1995. See <xref linkend="proposed_standards"/>.</para>
<para>When acting as a master, <acronym>BIND</acronym> 9 supports IXFR for those zones
where the necessary change history information is available. These
include master zones maintained by dynamic update and slave zones
whose data was obtained by IXFR, but not manually maintained master
zones nor slave zones obtained by performing a full zone transfer.</para>
<para>When acting as a slave, <acronym>BIND</acronym> 9 will attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <command>request-ixfr</command> clause
of the <command>server</command> statement.</para></sect1>
<para>Setting up different views, or visibility, of DNS space to
internal and external resolvers is usually referred to as a <emphasis>Split
DNS</emphasis> setup. There are several reasons an organization
would want to set up its DNS this way.</para>
<para>One common reason for setting up a DNS system this way is
to hide "internal" DNS information from "external" clients on the
Internet. There is some debate as to whether or not this is actually useful.
Internal DNS information leaks out in many ways (via email headers,
for example) and most savvy "attackers" can find the information
they need using other means.</para>
<para>Another common reason for setting up a Split DNS system is
to allow internal networks that are behind filters or in RFC 1918
space (reserved IP space, as documented in RFC 1918) to resolve DNS
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.</para>
<para>Here is an example of a split DNS setup:</para>
<para>Let's say a company named <emphasis>Example, Inc.</emphasis> (example.com)
has several corporate sites that have an internal network with reserved
Internet Protocol (IP) space and an external demilitarized zone (DMZ),
or "outside" section of a network, that is available to the public.</para>
<para><emphasis>Example, Inc.</emphasis> wants its internal clients
to be able to resolve external hostnames and to exchange mail with
people on the outside. The company also wants its internal resolvers
to have access to certain internal-only zones that are not available
at all outside of the internal network.</para>
<para>In order to accomplish this, the company will set up two sets
of nameservers. One set will be on the inside network (in the reserved
IP space) and the other set will be on bastion hosts, which are "proxy"
hosts that can talk to both sides of its network, in the DMZ.</para>
<para>The internal servers will be configured to forward all queries,
except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
and <filename>site2.example.com</filename>, to the servers in the
DMZ. These internal servers will have complete sets of information
for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
and <filename>site2.internal</filename>.</para>
<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
the internal nameservers must be configured to disallow all queries
to these domains from any external hosts, including the bastion
hosts.</para>
<para>The external servers, which are on the bastion hosts, will
be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
This could include things such as the host records for public servers
(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
should have special MX records that contain wildcard (`*') records
pointing to the bastion hosts. This is needed because external mail
servers do not have any other way of looking up how to deliver mail
to those internal hosts. With the wildcard records, the mail will
be delivered to the bastion host, which can then forward it on to
internal hosts.</para>
<para>Here's an example of a wildcard MX record:</para>
<programlisting><literal>* IN MX 10 external1.example.com.</literal></programlisting>
<para>Now that they accept mail on behalf of anything in the internal
network, the bastion hosts will need to know how to deliver mail
to internal hosts. In order for this to work properly, the resolvers on
the bastion hosts will need to be configured to point to the internal
nameservers for DNS resolution.</para>
<para>Queries for internal hostnames will be answered by the internal
servers, and queries for external hostnames will be forwarded back
out to the DNS servers on the bastion hosts.</para>
<para>In order for all this to work properly, internal clients will
need to be configured to query <emphasis>only</emphasis> the internal
nameservers for DNS queries. This could also be enforced via selective
filtering on the network.</para>
<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
internal clients will now be able to:</para>
<itemizedlist>
<listitem><simpara>Look up any hostnames in the <systemitem class="systemname">site1</systemitem> and
<systemitem class="systemname">site2.example.com</systemitem> zones.</simpara></listitem>
<listitem><simpara>Look up any hostnames in the <systemitem class="systemname">site1.internal</systemitem> and
<systemitem class="systemname">site2.internal</systemitem> domains.</simpara></listitem>
<listitem><simpara>Look up any hostnames on the Internet.</simpara></listitem>
<listitem><simpara>Exchange mail with internal AND external people.</simpara></listitem>
</itemizedlist>
<para>Hosts on the Internet will be able to:</para>
<itemizedlist>
<listitem><simpara>Look up any hostnames in the <systemitem class="systemname">site1</systemitem> and
<systemitem class="systemname">site2.example.com</systemitem> zones.</simpara></listitem>
<listitem><simpara>Exchange mail with anyone in the <systemitem class="systemname">site1</systemitem> and
<systemitem class="systemname">site2.example.com</systemitem> zones.</simpara></listitem>
</itemizedlist>
<para>Here is an example configuration for the setup we just
described above. Note that this is only configuration information;
for information on how to configure your zone files, see <xref
<programlisting>
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { <varname>bastion-ips-go-here</varname>; };

options {
    ...
    forward only;
    forwarders {                                // forward to external servers
        <varname>bastion-ips-go-here</varname>;
    };
    allow-transfer { none; };                   // sample allow-transfer (no one)
    allow-query { internals; externals; };      // restrict query access
    allow-recursion { internals; };             // restrict recursion
    ...
};

zone "site1.example.com" {                      // sample master zone
    type master;
    file "<varname>zone-file-path-goes-here</varname>";
    forwarders { };                             // do normal iterative
                                                // resolution (do not forward)
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site2.example.com" {                      // sample slave zone
    type slave;
    file "<varname>zone-file-path-goes-here</varname>";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; externals; };
    allow-transfer { internals; };
};

zone "site1.internal" {                         // internal-only master zone
    type master;
    file "<varname>zone-file-path-goes-here</varname>";
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};

zone "site2.internal" {                         // internal-only slave zone
    type slave;
    file "<varname>zone-file-path-goes-here</varname>";
    masters { 172.16.72.3; };
    forwarders { };
    allow-query { internals; };
    allow-transfer { internals; };
};
</programlisting>
<para>External (bastion host) DNS server config:</para>
<programlisting>
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
acl externals { bastion-ips-go-here; };

options {
    ...
    allow-transfer { none; };                   // sample allow-transfer (no one)
    allow-query { internals; externals; };      // restrict query access
    allow-recursion { internals; externals; };  // restrict recursion
    ...
};

zone "site1.example.com" {                      // sample master zone
    type master;
    file "zone-file-path-goes-here";
    allow-query { any; };
    allow-transfer { internals; externals; };
};

zone "site2.example.com" {                      // sample slave zone
    type slave;
    file "zone-file-path-goes-here";
    masters { another_bastion_host_maybe; };
    allow-query { any; };
    allow-transfer { internals; externals; };
};
</programlisting>
<para>In the <filename>resolv.conf</filename> (or equivalent) on
the bastion host(s):</para>
<programlisting>
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</programlisting>
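<para>As an added illustration (not part of the <acronym>BIND</acronym> documentation or its code), the following Python models how the <command>allow-query</command> and <command>allow-recursion</command> lists in the two configurations above decide each request, using the address_match_list rules: the first matching element wins, a leading <literal>!</literal> negates, <literal>any</literal> and <literal>none</literal> are built in, a nested acl name counts only on a positive match, and a zone-level <command>allow-query</command> overrides the one in <command>options</command>. The bastion addresses 203.0.113.10 and 203.0.113.11 (standing in for <varname>bastion-ips-go-here</varname>) and the Internet host 198.51.100.7 are constructed values.</para>

```python
"""Evaluate BIND address_match_list policy for the split-DNS configuration
in the text. Added example, not BIND code."""
import ipaddress

# acl statements from the listings; the bastion addresses are constructed
# stand-ins for "bastion-ips-go-here" (TEST-NET-3 documentation space).
ACLS = {
    "internals": ["172.16.72.0/24", "192.168.1.0/24"],
    "externals": ["203.0.113.10", "203.0.113.11"],
}


def match(client, elements, acls=ACLS):
    """BIND address_match_list semantics: the first element that matches decides.
    Returns True (positive match), False (a negated '!' element matched) or
    None (nothing matched). A nested acl name counts only on a positive match."""
    ip = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        item = element.lstrip("! ")
        if item == "any":
            hit = True
        elif item == "none":
            hit = False                      # built-in empty list: never matches
        elif item in acls:
            hit = match(client, acls[item], acls) is True
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negated
    return None


def allowed(client, elements):
    """allow-* clauses grant access only on a positive match; no match denies."""
    return match(client, elements) is True


# options and zone clauses from the internal and external named.conf listings
INTERNAL_SERVER = {
    "options": {"allow-query": ["internals", "externals"],
                "allow-recursion": ["internals"]},
    "zones": {"site1.example.com": ["internals", "externals"],
              "site2.example.com": ["internals", "externals"],
              "site1.internal": ["internals"],
              "site2.internal": ["internals"]},
}
EXTERNAL_SERVER = {
    "options": {"allow-query": ["internals", "externals"],
                "allow-recursion": ["internals", "externals"]},
    "zones": {"site1.example.com": ["any"], "site2.example.com": ["any"]},
}


def may_query(server, client, qname):
    """A zone's allow-query overrides the options-level one for names in that
    zone; anything else (forwarded lookups) uses the options-level list."""
    name = qname.rstrip(".").lower()
    for zone, acl in server["zones"].items():
        if name == zone or name.endswith("." + zone):
            return allowed(client, acl)
    return allowed(client, server["options"]["allow-query"])


def may_recurse(server, client):
    """Recursion: resolving names the server is not authoritative for."""
    return allowed(client, server["options"]["allow-recursion"])


if __name__ == "__main__":
    checks = [
        ("internal host -> site1.internal on internal server",
         may_query(INTERNAL_SERVER, "172.16.72.5", "host.site1.internal")),
        ("bastion -> site1.internal on internal server (must be refused)",
         may_query(INTERNAL_SERVER, "203.0.113.10", "host.site1.internal")),
        ("bastion -> site1.example.com on internal server",
         may_query(INTERNAL_SERVER, "203.0.113.10", "www.site1.example.com")),
        ("Internet host -> site1.example.com on external server",
         may_query(EXTERNAL_SERVER, "198.51.100.7", "www.site1.example.com")),
        ("Internet host recursion on external server (must be refused)",
         may_recurse(EXTERNAL_SERVER, "198.51.100.7")),
    ]
    for label, ok in checks:
        print(f"{'allow' if ok else 'deny ':5} {label}")
```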
<para>This is a short guide to setting up Transaction SIGnatures
(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
to the configuration file as well as what changes are required for
different features, including the process of creating transaction
keys and using transaction signatures with <acronym>BIND</acronym>.</para>
<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
This includes zone transfer, notify, and recursive query messages.
Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
for TSIG.</para>
<para>TSIG might be most useful for dynamic update. A primary
server for a dynamic zone should use access control to control
updates, but IP-based access control is insufficient. Key-based
access control is far superior; see <xref
linkend="proposed_standards"/>. The <command>nsupdate</command>
program supports TSIG via the <option>-k</option> and
<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
An arbitrary key name is chosen: "host1-host2.". The key name must
be the same on both hosts.</para>
<para>The following command will generate a 128-bit (16-byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
are easier to read. Note that the maximum key length is 512 bits;
keys longer than that will be digested with MD5 to produce a 128-bit
key.</para>
<para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
Nothing directly uses this file, but the base-64 encoded string
can be extracted from the file and used as a shared secret:</para>
<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
<para>The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
the length is a multiple of 4 and only valid characters are used),
so the shared secret can be manually generated.</para>
<para>Also, a known string can be run through <command>mmencode</command> or
a similar program to generate base-64 encoded data.</para></sect3></sect2>
<sect2><title>Copying the Shared Secret to Both Machines</title>
<para>This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
<sect2><title>Informing the Servers of the Key's Existence</title>
<para>Imagine <emphasis>host1</emphasis> and <emphasis>host2</emphasis> are
both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
<programlisting>
key host1-host2. {
    algorithm hmac-md5;
    secret "La/E5CjG9O+os1jq0a2jdA==";
};
</programlisting>
<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <filename>named.conf</filename> be non-world-readable,
or the key directive be added to a non-world-readable
file that is included by <filename>named.conf</filename>.</para>
<para>At this point, the key is recognized. This means that if the
server receives a message signed by this key, it can verify the
signature. If the signature succeeds, the response is signed by
<sect2><title>Instructing the Server to Use the Key</title>
<para>Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
10.1.2.3:</para>
<programlisting>
server 10.1.2.3 {
    keys { host1-host2. ; };
};
</programlisting>
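<para>To make concrete what the <command>key</command> and <command>server</command> statements above set up, here is an added example (not part of the <acronym>BIND</acronym> documentation or its code) that signs a DNS query with the <literal>host1-host2.</literal> key and the secret shown earlier, then verifies it the way the receiving server does: key name first, then the MAC, then the time window. The algorithm name <literal>hmac-md5.sig-alg.reg.int.</literal> is the RFC 2845 wire name for hmac-md5; the clock values, the 300-second fudge and the <literal>www.example.com</literal> query are constructed inputs.</para>

```python
"""TSIG (RFC 2845) signing and verification of a DNS message with the
host1-host2. HMAC-MD5 key from the text. Added example, not BIND code."""
import base64
import hashlib
import hmac
import struct

KEY_NAME = "host1-host2."                 # key name from the text; identical on both hosts
ALGORITHM = "hmac-md5.sig-alg.reg.int."   # RFC 2845 algorithm name for hmac-md5
SECRET = base64.b64decode("La/E5CjG9O+os1jq0a2jdA==")  # the text's sample secret; illustration only
TSIG_TYPE, CLASS_ANY = 250, 255

def encode_name(name):
    """Wire-format a domain name in canonical (lowercase) form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(data, off):
    """Return (lowercase dotted name, offset after it); names here are uncompressed."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_query(qname, qtype=1, msg_id=0x1234):
    """Minimal DNS query: header with RD set plus one class-IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def pack_time(time_signed):
    """48-bit 'time signed' field: 16 high bits then 32 low bits."""
    return struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 3.4.2): key name, class ANY,
    TTL 0, algorithm, time signed, fudge, error, other data."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def compute_mac(message, time_signed, fudge):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    return hmac.new(SECRET, message + tsig_variables(time_signed, fudge), hashlib.md5).digest()

def sign(message, time_signed, fudge=300):
    """Append a TSIG RR to the additional section and increment ARCOUNT."""
    mac = compute_mac(message, time_signed, fudge)
    msg_id, = struct.unpack("!H", message[:2])
    rdata = (encode_name(ALGORITHM) + pack_time(time_signed)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))      # original ID, error, other len
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount, = struct.unpack("!H", message[10:12])
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr

def verify(signed, now):
    """Check a signed message in the order a server does (RFC 2845 4.5):
    key, then MAC, then time. Returns 'ok' or the reason for rejection."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return "no TSIG record"
    off = 12
    for _ in range(qd):                       # skip the question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):         # skip every RR but the last one
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    name, off = read_name(signed, off)
    rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rrtype != TSIG_TYPE:
        return "last record is not TSIG"
    rd = signed[off + 10:off + 10 + rdlen]
    alg, p = read_name(rd, 0)
    if name != KEY_NAME or alg != ALGORITHM:
        return "BADKEY: unknown key or algorithm"
    hi, lo, fudge, maclen = struct.unpack("!HIHH", rd[p:p + 10])
    time_signed, mac = (hi << 32) | lo, rd[p + 10:p + 10 + maclen]
    # Rebuild what the signer hashed: TSIG RR removed, ARCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    if not hmac.compare_digest(mac, compute_mac(unsigned, time_signed, fudge)):
        return "BADSIG: MAC does not verify"
    if abs(now - time_signed) > fudge:
        return "BADTIME: outside the fudge window"
    return "ok"

if __name__ == "__main__":
    query = build_query("www.example.com")
    signed = sign(query, time_signed=1_000_000_000)     # constructed clock values
    print(verify(signed, now=1_000_000_100))            # ok
    print(verify(signed, now=1_000_000_301))            # BADTIME
    print(verify(signed[:12] + signed[12:].replace(b"www", b"ftp"), now=1_000_000_100))  # BADSIG
```

A tampered message is rejected as BADSIG before its timestamp is examined, so BADTIME only ever applies to a message whose signature is genuine but stale.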
that the tools shipped with BIND 9.0.x are not fully compatible
<para><userinput>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
<para><userinput>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
<para>Unlike in <acronym>BIND</acronym> 8, data is not verified on load in <acronym>BIND</acronym> 9,
$ORIGIN example.com.
$ORIGIN example.com.
$ORIGIN example.com.
host 3600 IN A6 64 0:0:0:0:42::1 company.example1.net.
host 3600 IN A6 64 0:0:0:0:42::1 company.example2.net.
$ORIGIN example1.net.
$ORIGIN example2.net.
$ORIGIN example.com.
1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
$ORIGIN example.com.
host A6 64 ::1234:5678:1212:5675 cust1.example.net.
A6 64 ::1234:5678:1212:5675 subnet5.example2.net.
$ORIGIN example.net.
cust1 A6 48 0:0:0:dddd:: ipv6net.example.net.
$ORIGIN example2.net.
subnet5 A6 48 0:0:0:1:: ipv6net2.example2.net.
$ORIGIN ipv6-rev.example.com.
<para><acronym>BIND</acronym> 9 configuration is broadly similar to <acronym>BIND</acronym> 8.x; however,
<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>, <varname>ip_prefix</varname>, <varname>key_id</varname>, or <varname>acl_name</varname> elements, see
a DNS name, for example "<systemitem class="systemname">my.test.domain</systemitem>".</para></entry>
255 separated only by dots (`.'), such as <command>123</command>, <command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
<entry colname = "2"><para>An IPv6 address, such as <command>fe80::200:f8ff:fe01:9742</command>.</para></entry>
<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
access is denied. The clauses <command>allow-query</command>, <command>allow-transfer</command>, <command>allow-update</command> and <command>blackhole</command> all
<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
inet ( ip_addr | * ) <optional> port ip_port </optional> allow <replaceable> address_match_list </replaceable>
[ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
[ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
<option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
are kept by default; any existing log file is simply appended. The <command>unlimited</command> keyword
file "example.log" versions 3 size 20m;
<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
on, then the severity level of the message will be logged. The <command>print-</command> options may
order: time, category, severity. Here is an example where all three <command>print-</command> options
// of "named.run"
<optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional>
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
<optional> forwarders { <optional> <replaceable>in_addr</replaceable> ; <optional> <replaceable>in_addr</replaceable> ; ... </optional> </optional> }; </optional>
<optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable> response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
<optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> transfer-source <replaceable>ip4_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 <replaceable>ip6_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> topology <optional>{ <replaceable>address_match_list</replaceable> }</optional>; </optional>
<optional> sortlist <optional>{ <replaceable>address_match_list</replaceable> }</optional>; </optional>
<optional> rrset-order <optional>{ <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> }</optional>;
It was used in <acronym>BIND</acronym> 8 to specify the pathname to the <command>named-xfer</command> program.
(<command>ndc dumpdb</command>). If not specified, the default is <filename>named_dump.db</filename>.</para><note>
usage statistics to on exit. If not specified, the default is <filename>named.memstats</filename>.</para><note>
the obsolete DNS query type IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.</para></entry>
the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput> and <command>rfc2308-type1</command> <userinput>no</userinput> instead.</para></entry>
The <command>notify</command> option may also be specified in the <command>zone</command> statement,
<para><command>check-names</command> may also be specified in the <command>zone</command> statement,
from these addresses will not be responded to. The default is <userinput>none</userinput>.</para></entry>
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
<entry colname = "2"><para>The server supports two zone transfer methods. <command>one-answer</command> uses
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
8.x and patched versions of <acronym>BIND</acronym> 4.9.5. The default is <command>many-answers</command>. <command>transfer-format</command> may
be overridden on a per-server basis by using the <command>server</command> statement.</para></entry>
to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.</para></entry>
records, or <varname>RRset</varname>, you must use the <command>sortlist</command> statement.</para>
<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
class IN type A name "host.example.com" order random;
have "<systemitem class="systemname">host.example.com</systemitem>" as a suffix, to always be returned
<optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
<sect2 id="server_statement_definition_and_usage"><title><command>server</command> Statement Definition
of <command>yes</command> should always work. The purpose of the <command>provide-ixfr</command> and <command>request-ixfr</command> clauses is
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
<replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
<optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
<programlisting>view <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> {
match the <varname>address_match_list</varname> of the view's <command>match-clients</command> clause.
client query will be resolved in the context of the first <command>view</command> whose <command>match-clients</command> list
are present, all <command>zone</command> statements must occur inside <command>view</command> statements.</para>
// Provide a complete view of the example.com zone
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com zone
zone "example.com" {
file "example-external.db";
<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> ; <optional> <replaceable>ip_addr</replaceable> ; <optional>...</optional></optional></optional> } ; </optional>
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { <replaceable>ip_addr</replaceable> ; <optional><replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional>...</optional></optional> } ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
they are a peculiarity of <acronym>BIND</acronym> 4 and <acronym>BIND</acronym> 8 that relies heavily
<acronym>BIND</acronym> 9 attempts to emulate the <acronym>BIND</acronym> 4/8 stub zone feature for backwards compatibility,
of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
<entry colname = "2"><para>See the description of <command>allow-transfer</command> in <xref linkend="access_control"/>.</para></entry>
the right to perform dynamic updates to a zone, configured by the <command>allow-update</command> and <command>update-policy</command> option,
option, and are only meaningful for master zones. When the <command>update-policy</command> statement
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
nametype field has 4 values: <varname>name</varname>, <varname>subdomain</varname>, <varname>wildcard</varname>,
<entry colname = "2"><para>(x) representation of X.25 network addresses. Experimental.</para></entry>
<para>This example shows two addresses for <systemitem class="systemname">XX.LCS.MIT.EDU</systemitem>,
<para>Mail delivery will be attempted to <systemitem class="systemname">mail.example.com</systemitem> and <systemitem class="systemname">mail2.example.com</systemitem> (in
any order), and if neither of those succeeds, delivery to <systemitem class="systemname">mail.backup.org</systemitem> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
in there is an implicit <command>$ORIGIN</command> &lt;<varname>zone-name</varname>&gt;<command>.</command> The
<programlisting><literal>WWW.EXAMPLE.COM CNAME MAIN-SERVER.EXAMPLE.COM.</literal></programlisting></sect3>
<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
<para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
you can set up and nickname an address match list for future use in <command>allow-query</command>, <command>allow-recursion</command>, <command>blackhole</command>, <command>allow-transfer</command>,
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
zone "example.com" {
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
ability to run the daemon as a nonprivileged user (<option>-u</option> <replaceable>user</replaceable>).
<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
<acronym>BIND</acronym> needs to run. From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is