doc/arm/Bv9ARM-book.xml

	Bv9ARM-book.xml revision 90168d6aae2ab84a0880afb761be5ebfedc2260d
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
3827c16dceef0d16ac877f5aae5e66affdc1fcceEric Luce<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
3827c16dceef0d16ac877f5aae5e66affdc1fcceEric Luce
90168d6aae2ab84a0880afb761be5ebfedc2260dBrian Wellington<!-- File: $Id: Bv9ARM-book.xml,v 1.87 2001/01/17 02:42:51 bwelling Exp $ -->
3827c16dceef0d16ac877f5aae5e66affdc1fcceEric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<book>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  <chapter id="ch01">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <title>Introduction </title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  to specify the names of entities in the Internet in a hierarchical
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  manner, the rules used for delegating authority over names, and the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  system implementation that actually maps names to Internet
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  addresses.  <acronym>DNS</acronym> data is maintained in a group of distributed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  hierarchical databases.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Scope of Document</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson    domain name server for a number of operating systems. This
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    document provides basic information about the installation and
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson    care of the Internet Software Consortium (<acronym>ISC</acronym>)
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson    <acronym>BIND</acronym> version 9 software package for system
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson    administrators.</para>
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson    <para>This version of the manual corresponds to BIND version 9.1.</para>
476b122633468e6b0b9d4afc28c4b7abf11a61d9Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1><title>Organization of This Document</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>In this document, <emphasis>Section 1</emphasis> introduces
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    describes resource requirements for running <acronym>BIND</acronym> in various
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    environments. Information in <emphasis>Section 3</emphasis> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <emphasis>task-oriented</emphasis> in its presentation and is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    organized functionally, to aid in the process of installing the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <acronym>BIND</acronym> 9 software. The task-oriented section is followed by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <emphasis>Section 4</emphasis>, which contains more advanced
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    concepts that the system administrator may need for implementing
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson    certain options. <emphasis>Section 5</emphasis>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson    describes the <acronym>BIND</acronym> 9 lightweight
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    resolver.  The contents of <emphasis>Section 6</emphasis> are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    organized as in a reference manual to aid in the ongoing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    maintenance of the software. <emphasis>Section 7
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </emphasis>addresses security considerations, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <emphasis>Section 8</emphasis> contains troubleshooting help. The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    main body of the document is followed by several
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <emphasis>Appendices</emphasis> which contain useful reference
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    information, such as a <emphasis>Bibliography</emphasis> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    historic information related to <acronym>BIND</acronym> and the Domain Name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    System.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1><title>Conventions Used in This Document</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>In this document, we use the following general typographic
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    conventions:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" frame = "all" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "1" colnum = "1" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                   colwidth = "3.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "2" colnum = "2" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                   colwidth = "2.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><emphasis>To
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedescribe:</emphasis></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "2" rowsep = "1">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><emphasis>We use the style:</emphasis></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>a pathname, filename, URL, hostname,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemailing list name, or new term or concept</para></entry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson              <entry colname = "2" rowsep = "1"><para><filename>Fixed width</filename></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1"><para>literal user
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinput</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "2" rowsep = "1"><para><userinput>Fixed Width Bold</userinput></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1"><para>program output</para></entry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson              <entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </tgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The following conventions are used in descriptions of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedescribe:</emphasis></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson              <entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson              <entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></para></sect1>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The purpose of this document is to explain the installation
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonand upkeep of the <acronym>BIND</acronym> software package, and we
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonbegin by reviewing the fundamentals of the Domain Name System
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<title>DNS Fundamentals</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The Domain Name System (DNS) is the hierarchical, distributed
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondatabase.  It stores information for mapping Internet host names to IP
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonaddresses and vice versa, mail routing information, and other data
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonused by Internet applications.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Clients look up information in the DNS by calling a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>resolver</emphasis> library, which sends queries to one or
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonmore <emphasis>name servers</emphasis> and interprets the responses.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonThe <acronym>BIND 9</acronym> software distribution contains both a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonname server and a resolver library.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect2><sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<title>Domains and Domain Names</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The data stored in the DNS is identified by <emphasis>domain
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonnames</emphasis> that are organized as a tree according to
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonorganizational or administrative boundaries. Each node of the tree,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncalled a <emphasis>domain</emphasis>, is given a label. The domain name of the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonnode is the concatenation of all the labels on the path from the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonnode to the <emphasis>root</emphasis> node.  This is represented
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonin written form as a string of labels listed from right to left and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonseparated by dots. A label need only be unique within its parent
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondomain.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>For example, a domain name for a host at the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncompany <emphasis>Example, Inc.</emphasis> could be
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>mail.example.net</literal>,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonwere <literal>com</literal> is the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssontop level domain to which
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>ourhost.example.com</literal> belongs,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>example</literal> is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona subdomain of <literal>com</literal>, and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>ourhost</literal> is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename of the host.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>For administrative purposes, the name space is partitioned into
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonareas called <emphasis>zones</emphasis>, each starting at a node and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonextending down to the leaf nodes or to nodes where other zones start.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonThe data for each zone is stored in a <emphasis>name
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonserver</emphasis>, which answers queries about the zone using the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>DNS protocol</emphasis>.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The data associated with each domain name is stored in the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonform of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonSome of the supported resource record types are described in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>For more detailed information about the design of the DNS and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe DNS protocol, please refer to the standards documents listed in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<xref linkend="rfcs"/>.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect2><title>Zones</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>To properly operate a name server, it is important to understand
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe difference between a <emphasis>zone</emphasis>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonand a <emphasis>domain</emphasis>.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>As we stated previously, a zone is a point of delegation in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe <acronym>DNS</acronym> tree. A zone consists of
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthose contiguous parts of the domain
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssontree for which a a name server has complete information and over which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit has authority. It contains all domain names from a certain point
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedownward in the domain tree except those which are delegated to
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonother zones. A delegation point is marked by one or more
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>NS records</emphasis> in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceparent zone, which should be matched by equivalent NS records at
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe root of the delegated zone.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>For instance, consider the <literal>example.com</literal>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondomain which includes names
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonsuch as <literal>host.aaa.example.com</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>host.bbb.example.com</literal> even though
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe <literal>example.com</literal> zone includes
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssononly delegations for the <literal>aaa.example.com</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>bbb.example.com</literal> zones.  A zone can map
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonexactly to a single domain, but could also include only part of a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondomain, the rest of which could be delegated to other
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonname servers. Every name in the <acronym>DNS</acronym> tree is a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>domain</emphasis>, even if it is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>terminal</emphasis>, that is, has no
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>subdomains</emphasis>.  Every subdomain is a domain and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonevery domain except the root is also a subdomain. The terminology is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonnot intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssongain a complete understanding of this difficult and subtle
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssontopic.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Though <acronym>BIND</acronym> is called a "domain name server",
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonit deals primarily in terms of zones. The master and slave
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondeclarations in the <filename>named.conf</filename> file specify
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonzones, not domains. When you ask some other site if it is willing to
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonbe a slave server for your <emphasis>domain</emphasis>, you are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceactually asking for slave service for some collection of zones.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect2><title>Authoritative Name Servers</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Each zone is served by at least
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonone <emphasis>authoritative name server</emphasis>,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonwhich contains the complete data for the zone.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonTo make the DNS tolerant of server and network failures,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonmost zones have two or more authoritative servers.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Responses from authoritative servers have the the "authoritative
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonanswer" (AA) bit set in the response packets.  This makes them
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoneasy to identify when debugging DNS configurations using tools like
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect3><title>The Primary Master</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonThe authoritative server where the master copy of the zone data is maintained is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncalled the <emphasis>primary master</emphasis> server, or simply the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>primary</emphasis>.  It loads the zone contents from some
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonlocal file edited by humans or perhaps generated mechanically from
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonsome other local file which is edited by humans.  This file is called
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect3>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect3><title>Slave Servers</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The other authoritative servers, the <emphasis>slave</emphasis>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonservers (also known as <emphasis>secondary</emphasis> servers) load
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe zone contents from another server using a replication process
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonknown as a <emphasis>zone transfer</emphasis>.  Typically the data are
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssontransferred directly from the primary master, but it is also possible
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonto transfer it from another slave.  In other words, a slave server
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonmay itself act as a master to a subordinate slave server.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect3>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect3><title>Stealth Servers</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Usually all of the zone's authoritative servers are listed in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonNS records in the parent zone.  These NS records constitute
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona <emphasis>delegation</emphasis> of the zone from the parent.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonThe authoritative servers are also listed in the zone file itself,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonat the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonof the zone.  You can list servers in the zone's top-level NS
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerecords that are not in the parent's NS delegation, but you cannot
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonlist servers in the parent's delegation that are not present at
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe zone's top level.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>A <emphasis>stealth server</emphasis> is a server that is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonauthoritative for a zone but is not listed in that zone's NS
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonrecords.  Stealth servers can be used for keeping a local copy of a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonzone to speed up access to the zone's records or to make sure that the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonzone is available even if all the "official" servers for the zone are
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoninaccessible.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>A configuration where the primary master server itself is a
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonstealth server is often referred to as a "hidden primary"
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonconfiguration.  One use for this configuration is when the primary master
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonis behind a firewall and therefore unable to communicate directly
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonwith the outside world.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect3>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<title>Caching Name Servers</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The resolver libraries provided by most operating systems are
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonperforming the full DNS resolution process by themselves by talking
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondirectly to the authoritative servers.  Instead, they rely on a local
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonname server to perform the resolution on their behalf.  Such a server
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonis called a <emphasis>recursive</emphasis> name server; it performs
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>recursive lookups</emphasis> for local clients.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>To improve performance, recursive servers cache the results of
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe lookups they perform.  Since the processes of recursion and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncaching are intimately connected, the terms
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>recursive server</emphasis> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>caching server</emphasis> are often used synonymously.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The length of time for which a record may be retained in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonin the cache of a caching name server is controlled by the
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonTime To Live (TTL) field associated with each resource record.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect3><title>Forwarding</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Even a caching name server does not necessarily perform
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe complete recursive lookup itself.  Instead, it can
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<emphasis>forward</emphasis> some or all of the queries
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthat it cannot satisfy from its cache to another caching name server,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncommonly referred to as a <emphasis>forwarder</emphasis>.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>There may be one or more forwarders,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand they are queried in turn until the list is exhausted or an answer
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonis found. Forwarders are typically used when you do not
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonwish all the servers at a given site to interact directly with the rest of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe Internet servers. A typical scenario would involve a number
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto pass packets through the firewall would forward to the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat can do it, and that server would query the Internet <acronym>DNS</acronym> servers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the internal server's behalf. An added benefit of using the forwarding
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefeature is that the central machine develops a much more complete
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssoncache of information that all the clients can take advantage
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect3>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</sect2>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<sect2><title>Name Servers in Multiple Roles</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The <acronym>BIND</acronym> name server can simultaneously act as
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona master for some zones, a slave for other zones, and as a caching
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson(recursive) server for a set of local clients.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>However, since the functions of authoritative name service
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonand caching/recursive name service are logically separate, it is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonoften advantageous to run them on separate server machines.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonA server that only provides authoritative name service
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson(an <emphasis>authoritative-only</emphasis> server) can run with
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonrecursion disabled, improving reliability and security.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas GustafssonA server that is not authoritative for any zones and only provides
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonrecursive service to local
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonclients (a <emphasis>caching-only</emphasis> server)
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssondoes not need to be reachable from the Internet at large and can
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonbe placed inside a firewall.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  <chapter id="ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>Hardware requirements</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceFor many installations, servers that have been pensioned off from
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceactive duty have performed admirably as <acronym>DNS</acronym> servers.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceCPU intensive however, so organizations that make heavy use of these
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefeatures may wish to consider larger systems for these applications.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<acronym>BIND</acronym> 9 is now fully multithreaded, allowing full utilization of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemultiprocessor systems for installations that need it.</para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>CPU Requirements</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor serving of static zones without caching, to enterprise-class
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemachines if you intend to process many dynamic updates and DNSSEC
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesigned zones, serving many thousands of queries per second.</para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>Memory Requirements </title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The memory of the server has to be large enough to fit the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecache and zones loaded off disk. Future releases of <acronym>BIND</acronym> 9 will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceprovide methods to limit the amount of memory used by the cache,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceat the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetraffic. It is still good practice to have enough memory to load
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceall zone and cache data into memory &mdash; unfortunately, the best way
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto determine this for a given installation is to watch the nameserver
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein operation. After a few weeks the server process should reach
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea relatively stable size where entries are expiring from the cache as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefast as they are being inserted. Ideally, the resource limits should
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe set higher than this stable size.</para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>Nameserver Intensive Environment Issues</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For nameserver intensive environments, there are two alternative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconfigurations that may be used. The first is where clients and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceany second-level internal nameservers query a main nameserver, which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehas enough memory to build a large cache. This approach minimizes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe bandwidth used by external name lookups. The second alternative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis to set up second-level internal nameservers to make queries independently.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIn this configuration, none of the individual machines needs to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehave as much memory or CPU power as in the first alternative, but
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethis has the disadvantage of making many more external queries,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas none of the nameservers share their cached data.</para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>Supported Operating Systems</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>ISC <acronym>BIND</acronym> 9 compiles and runs on the following operating
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesystems:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <itemizedlist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>IBM AIX 4.3</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>Compaq Digital/Tru64 UNIX 4.0D</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>HP HP-UX 11</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>IRIX64 6.5</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>Red Hat Linux 6.0, 6.1</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>Sun Solaris 2.6, 7, 8 (beta)</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>FreeBSD 3.4-STABLE</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>NetBSD-current with "unproven" pthreads</simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </itemizedlist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  <chapter id="ch03">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <title>Nameserver Configuration</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In this section we provide some suggested configurations along
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith guidelines for their use. We also address the topic of reasonable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoption setting.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="sample_configuration">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Sample Configurations</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>A Caching-only Nameserver</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following sample configuration is appropriate for a caching-only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename server for use by clients internal to a corporation.  All queries
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefrom outside clients are refused.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Two corporate subnets we wish to allow queries from.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceacl "corpnets" { 192.168.4.0/24; 192.168.7.0/24; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     directory "/etc/namedb";       // Working directory
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     pid-file "named.pid";      // Put pid file in working dir
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     allow-query { "corpnets"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Root server hints
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "." { type hint; file "root.hint"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Provide a reverse mapping for the loopback address 127.0.0.1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "0.0.127.in-addr.arpa" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     file "localhost.rev";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     notify no;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>An Authoritative-only Nameserver</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>This sample configuration is for an authoritative-only server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat is the master server for "<filename>example.com</filename>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand a slave for the subdomain "<filename>eng.example.com</filename>".</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     directory "/etc/namedb";       // Working directory
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     pid-file "named.pid";      // Put pid file in working dir
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     allow-query { any; };      // This is the default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     recursion no;          // Do not provide recursive service
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Root server hints
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "." { type hint; file "root.hint"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Provide a reverse mapping for the loopback address 127.0.0.1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "0.0.127.in-addr.arpa" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     file "localhost.rev";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     notify no;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// We are the master server for example.com
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     file "example.com.db";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     // IP addresses of slave servers allowed to transfer example.com
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     allow-transfer {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          192.168.4.14;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          192.168.5.53;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// We are a slave server for eng.example.com
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "eng.example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     type slave;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     file "eng.example.com.bk";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     // IP address of eng.example.com master server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     masters { 192.168.4.12; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Load Balancing</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Primitive load balancing can be achieved in <acronym>DNS</acronym> using multiple
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceA records for one name.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For example, if you have three WWW servers with network addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefollowing means that clients will connect to each machine one third
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the time:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <informaltable colsep = "0" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tgroup cols = "5" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>Name</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>TTL</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>CLASS</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para>TYPE</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>www</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>600</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>600</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>600</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </tgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    them and respond to the query with the records in a different
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    order.  In the example above, clients will randomly receive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    will use the first record returned and discard the rest.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>For more detail on ordering responses, check the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>rrset-order</command> substatement in the
c9cc73cbc8100d9f4afda3d145407991beb06a57Andreas Gustafsson    <command>options</command> statement, see
c9cc73cbc8100d9f4afda3d145407991beb06a57Andreas Gustafsson    <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
c9cc73cbc8100d9f4afda3d145407991beb06a57Andreas Gustafsson    This substatement is not supported in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <acronym>BIND</acronym> 9, and only the ordering scheme described above is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    available.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="notify">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Notify</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><acronym>DNS</acronym> Notify is a mechanism that allows master nameservers to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    notify their slave servers of changes to a zone's data. In
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    response to a <command>NOTIFY</command> from a master server, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    slave will check to see that its version of the zone is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    current version and, if not, initiate a transfer.</para> <para><acronym>DNS</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    Notify is fully documented in RFC 1996. See also the description
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson    of the zone option <command>also-notify</command>, see
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson    <xref linkend="zone_transfers"/>. For more information about
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    <command>notify</command>, see <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    linkend="boolean_options"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Nameserver Operations</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Tools for Use With the Nameserver Daemon</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>There are several indispensable diagnostic, administrative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand monitoring tools available to the system administrator for controlling
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand debugging the nameserver daemon. We describe several in this
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesection </para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <sect3 id="diagnostic_tools">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Diagnostic Tools</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <variablelist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <varlistentry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson            <term id="dig"><command>dig</command></term>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>The domain information groper (<command>dig</command>) is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea command line tool that can be used to gather information from
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe Domain Name System servers. Dig has two modes: simple interactive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemode for a single query, and batch mode which executes a query for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceeach in a list of several query lines. All query options are accessible
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefrom the command line.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <cmdsynopsis label="Usage">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <command>dig</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg>@<replaceable>server</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg choice="plain"><replaceable>domain</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg><replaceable>query-type</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg><replaceable>query-class</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg>+<replaceable>query-option</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg>-<replaceable>dig-option</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                        <arg>%<replaceable>comment</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <!-- one of (SBR GROUP ARG COMMAND) -->
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </cmdsynopsis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>The usual simple use of dig will take the form</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <simpara><command>dig @server domain query-type query-class</command></simpara>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>For more information and a list of available commands and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions, see the <command>dig</command> man page.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </varlistentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <varlistentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <term><command>host</command></term>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>The <command>host</command> utility
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceprovides a simple <acronym>DNS</acronym> lookup using a command-line interface for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelooking up Internet hostnames. By default, the utility converts
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebetween host names and Internet addresses, but its functionality
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecan be extended with the use of options.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <cmdsynopsis label="Usage">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <!-- one of (SBR GROUP ARG COMMAND) -->
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <command>host</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-aCdlrTwv</arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-c <replaceable>class</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-N <replaceable>ndots</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-t <replaceable>type</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-W <replaceable>timeout</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-R <replaceable>retries</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg choice="plain"><replaceable>hostname</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg><replaceable>server</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </cmdsynopsis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>For more information and a list of available commands and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions, see the <command>host</command> man page.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </varlistentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <varlistentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <term><command>nslookup</command></term>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para><command>nslookup</command> is a program used to query Internet
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedomain nameservers. <command>nslookup</command> has two modes: interactive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand non-interactive. Interactive mode allows the user to query nameservers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor information about various hosts and domains or to print a list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof hosts in a domain. Non-interactive mode is used to print just
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe name and requested information for a host or domain.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <cmdsynopsis label="Usage">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <command>nslookup</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg rep="repeat">-option</arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <group>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                  <arg><replaceable>host-to-find</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                  <arg>- <arg>server</arg></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                </group>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </cmdsynopsis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Interactive mode is entered when no arguments are given (the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedefault nameserver will be used) or when the first argument is a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehyphen (`-') and the second argument is the host name or Internet address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof a nameserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Non-interactive mode is used when the name or Internet address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the host to be looked up is given as the first argument. The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptional second argument specifies the host name or address of a nameserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Due to its arcane user interface and frequently inconsistent
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebehavior, we do not recommend the use of <command>nslookup</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUse <command>dig</command> instead.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </varlistentry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        </variablelist>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      </sect3>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <sect3 id="admin_tools">
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <title>Administrative Tools</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <para>Administrative tools play an integral part in the management
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonof a server.</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <variablelist>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <varlistentry id="check-conf" xreflabel="Named Configuration Checking application">
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson            <term><command>check-conf</command></term>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews            <listitem>
f23afaac0949a3bca923a7c50ad706cfffe50ee3Andreas Gustafsson          <para>The <command>check-conf</command> program
f23afaac0949a3bca923a7c50ad706cfffe50ee3Andreas Gustafsson          checks the syntax of a <filename>named.conf</filename> file.</para>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews              <cmdsynopsis label="Usage">
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson                <command>check-conf</command>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews                <arg><replaceable>filename</replaceable></arg>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews              </cmdsynopsis>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews            </listitem>
ddc9b4f5f7999b8b5f7398c838d84f24d7727ec1Mark Andrews      </varlistentry>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <varlistentry id="check-zone" xreflabel="Zone Checking application">
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson            <term><command>check-zone</command></term>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews            <listitem>
f23afaac0949a3bca923a7c50ad706cfffe50ee3Andreas Gustafsson          <para>The <command>check-zone</command> program checks a master file for
f23afaac0949a3bca923a7c50ad706cfffe50ee3Andreas Gustafsson          syntax and consistency.</para>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews              <cmdsynopsis label="Usage">
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson                <command>check-zone</command>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews                <arg>-dq</arg>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews                <arg>-c <replaceable>class</replaceable></arg>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews                <arg choice="plain"><replaceable>zone</replaceable></arg>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews                <arg><replaceable>filename</replaceable></arg>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews              </cmdsynopsis>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews            </listitem>
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrews      </varlistentry>
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce          <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce            <term><command>rndc</command></term>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>The remote name daemon control
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              (<command>rndc</command>) program allows the system
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              administrator to control the operation of a nameserver.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              If you run <command>rndc</command> without any options
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              it will display a usage message as follows:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <cmdsynopsis label="Usage">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <command>rndc</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-c <replaceable>config</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-s <replaceable>server</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-p <replaceable>port</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg>-y <replaceable>key</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg choice="plain"><replaceable>command</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <arg rep="repeat"><replaceable>command</replaceable></arg>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </cmdsynopsis>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson              <para><command>command</command> is one of the following:</para>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<informaltable colsep = "0" rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson    <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson    <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson        <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.000in"/>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson        <tbody>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><userinput>reload</userinput></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Reload configuration file and zones.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "2"><para>Reload the given zone.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "2"><para>Schedule zone maintenance for the given zone.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>stats</userinput></para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "2"><para>Write server statistics to the statistics file.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>querylog</userinput></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Toggle query logging.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>stop</userinput></para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "2"><para>Stop the server, making sure any recent changes
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonmade through dynamic update or IXFR are first saved to the master files
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonof the updated zones.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "1"><para><userinput>halt</userinput></para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<entry colname = "2"><para>Stop the server immediately.  Recent changes
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonmade through dynamic update or IXFR are not saved to the master files,
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonbut will be rolled forward from the journal files when the server
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonis restarted.</para></entry>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson</row>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson</tbody>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson</tgroup>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson</informaltable>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson<para>In <acronym>BIND</acronym> 9.1, <command>rndc</command> does not
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonyet support all the commands of the BIND 8 <command>ndc</command>
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafssonutility.  Additonal commands will be added in future releases.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>A configuration file is required, since all
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              communication with the server is authenticated with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              digital signatures that rely on a shared secret, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              there is no way to provide that secret other than with a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              configuration file.  The default location for the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <command>rndc</command> configuration file is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <filename>/etc/rndc.conf</filename>, but an alternate
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              location can be specified with the <option>-c</option>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              option.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para>The format of the configuration file is similar to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              that of <filename>named.conf</filename>, but limited to
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson              only three statements, the <command>options</command>,
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson              <command>key</command> and <command>server</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              statements.  These statements are what associate the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              secret keys to the servers with which they are meant to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              be shared.  The order of statements is not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              significant.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson<para>The <command>options</command> statement has two clauses: <command>default-server</command> and <command>default-key</command>. <command>default-server</command> takes a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehost name or address argument  and represents the server that will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe contacted if no <option>-s</option>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoption is provided on the command line.  <command>default-key</command> takes
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafssonthe name of key as its argument, as defined by a <command>key</command> statement.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce In the future a <command>default-port</command> clause will be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceadded to specify the port to which <command>rndc</command> should
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconnect.</para>
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson<para>The <command>key</command> statement names a key with its
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestring argument. The string is required by the server to be a valid
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedomain name, though it need not actually be hierarchical; thus,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea string like "<userinput>rndc_key</userinput>" is a valid name.
23825d19563895462148b7bf5c38f7b94b300441Andreas GustafssonThe <command>key</command> statement has two clauses: <command>algorithm</command> and <command>secret</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce While the configuration parser will accept any string as the argument
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto algorithm, currently only the string "<userinput>hmac-md5</userinput>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehas any meaning.  The secret is a base-64 encoded string, typically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucegenerated with either <command>dnssec-keygen</command> or <command>mmencode</command>.</para>
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson<para>The <command>server</command> statement uses the key clause
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafssonto associate a <command>key</command>-defined key with a server.
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafsson The argument to the <command>server</command> statement is a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehost name or address (addresses must be double quoted).  The argument
23825d19563895462148b7bf5c38f7b94b300441Andreas Gustafssonto the key clause is the name of the key as defined by the <command>key</command> statement.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce A <command>port</command> clause will be added to a future release
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto specify the port to which <command>rndc</command> should connect
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the given server.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>A sample minimal configuration file is as follows:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey rndc_key {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     algorithm "hmac-md5";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     default-server localhost;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     default-key    rndc_key;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewould allow the command:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>to connect to 127.0.0.1 port 953 and cause the nameserver
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto reload, if a nameserver on the local machine were running with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefollowing controls statements:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecontrols {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>and it had an identical key statement for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<literal>rndc_key</literal>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </varlistentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </variablelist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Signals</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Certain UNIX signals cause the name server to take specific
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceactions, as described in the following table.  These signals can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe sent using the <command>kill</command> command.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>SIGHUP</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucereload the database. </para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>SIGTERM</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>SIGINT</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </tgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  <chapter id="ch04">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <title>Advanced Concepts</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="dynamic_update">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Dynamic Update</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Dynamic update is the term used for the ability under
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    certain specified conditions to add, modify or delete records or
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    RRsets in the master zone files. Dynamic update is fully described
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    in RFC 2136.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Dynamic update is enabled on a zone-by-zone basis, by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    including an <command>allow-update</command> or
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>update-policy</command> clause in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>zone</command> statement.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Updating of secure zones (zones using DNSSEC) is modelled
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    after the <emphasis>simple-secure-update</emphasis> proposal, a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    work in progress in the DNS Extensions working group of the IETF.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    (See <ulink
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    url="http://www.ietf.org/html.charters/dnsext-charter.html">http://www.ietf.org/html.charters/dnsext-charter.html</ulink>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    for information about the DNS Extensions working group.) SIG and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    NXT records affected by updates are automatically regenerated by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the server using an online zone key. Update authorization is based
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    on transaction signatures and an explicit server policy.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The zone files of dynamic zones must not be edited by hand.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    The zone file on disk at any given time may not contain the latest
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    changes performed by dynamic update. The zone file is written to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    disk only periodically, and changes that have occurred since the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    zone file was last written to disk are stored only in the zone's
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    journal (<filename>.jnl</filename>) file. <acronym>BIND</acronym> 9 currently does
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    not update the zone file when it exits as <acronym>BIND</acronym> 8 does, so editing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the zone file manually is unsafe even when the server has been
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    shut down. </para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="incremental_zone_transfers">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Incremental Zone Transfers (IXFR)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The incremental zone transfer (IXFR) protocol is a way for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    slave servers to transfer only changed data, instead of having to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    transfer the entire zone. The IXFR protocol is documented in RFC
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    1995. See <xref linkend="proposed_standards"/></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When acting as a master, <acronym>BIND</acronym> 9 supports IXFR for those zones
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhere the necessary change history information is available. These
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinclude master zones maintained by dynamic update and slave zones
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhose data was obtained by IXFR, but not manually maintained master
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezones nor slave zones obtained by performing a full zone transfer
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(AXFR).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When acting as a slave, <acronym>BIND</acronym> 9 will attempt to use IXFR unless
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit is explicitly disabled. For more information about disabling
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIXFR, see the description of the <command>request-ixfr</command> clause
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the <command>server</command> statement.</para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>Split DNS</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Setting up different views, or visibility, of DNS space to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinternal and external resolvers is usually referred to as a <emphasis>Split
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNS</emphasis> setup. There are several reasons an organization
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewould want to set up its DNS this way.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>One common reason for setting up a DNS system this way is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto hide "internal" DNS information from "external" clients on the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceInternet. There is some debate as to whether or not this is actually useful.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceInternal DNS information leaks out in many ways (via email headers,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor example) and most savvy "attackers" can find the information
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethey need using other means.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Another common reason for setting up a Split DNS system is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto allow internal networks that are behind filters or in RFC 1918
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespace (reserved IP space, as documented in RFC 1918) to resolve DNS
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the Internet. Split DNS can also be used to allow mail from outside
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceback in to the internal network.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Here is an example of a split DNS setup:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Let's say a company named <emphasis>Example, Inc.</emphasis> (example.com)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehas several corporate sites that have an internal network with reserved
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceInternet Protocol (IP) space and an external demilitarized zone (DMZ),
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor "outside" section of a network, that is available to the public.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><emphasis>Example, Inc.</emphasis> wants its internal clients
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be able to resolve external hostnames and to exchange mail with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepeople on the outside. The company also wants its internal resolvers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto have access to certain internal-only zones that are not available
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceat all outside of the internal network.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In order to accomplish this, the company will set up two sets
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof nameservers. One set will be on the inside network (in the reserved
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIP space) and the other set will be on bastion hosts, which are "proxy"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehosts that can talk to both sides of its network, in the DMZ.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The internal servers will be configured to forward all queries,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexcept queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand <filename>site2.example.com</filename>, to the servers in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDMZ. These internal servers will have complete sets of information
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand <filename>site2.internal</filename>.</para>
450025a0d1a279a0fdb400764c6baa876bad9d5eAndreas Gustafsson<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe internal nameservers must be configured to disallow all queries
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto these domains from any external hosts, including the bastion
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehosts.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The external servers, which are on the bastion hosts, will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThis could include things such as the host records for public servers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand mail exchange (MX)  records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceshould have special MX records that contain wildcard (`*') records
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepointing to the bastion hosts. This is needed because external mail
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceservers do not have any other way of looking up how to deliver mail
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto those internal hosts. With the wildcard records, the mail will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe delivered to the bastion host, which can then forward it on to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinternal hosts.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Here's an example of a wildcard MX record:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><literal>*   IN MX 10 external1.example.com.</literal></programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Now that they accept mail on behalf of anything in the internal
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetwork, the bastion hosts will need to know how to deliver mail
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto internal hosts. In order for this to work properly, the resolvers on
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe bastion hosts will need to be configured to point to the internal
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameservers for DNS resolution.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Queries for internal hostnames will be answered by the internal
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceservers, and queries for external hostnames will be forwarded back
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceout to the DNS servers on the bastion hosts.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In order for all this to work properly, internal clients will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceneed to be configured to query <emphasis>only</emphasis> the internal
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameservers for DNS queries. This could also be enforced via selective
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefiltering on the network.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinternal clients will now be able to:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<itemizedlist><listitem>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <simpara>Look up any hostnames in the <literal>site1</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>site2.example.com</literal> zones.</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <simpara>Look up any hostnames in the <literal>site1.internal</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>site2.internal</literal> domains.</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>Look up any hostnames on the Internet.</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Hosts on the Internet will be able to:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<itemizedlist><listitem>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <simpara>Look up any hostnames in the <literal>site1</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>site2.example.com</literal> zones.</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <simpara>Exchange mail with anyone in the <literal>site1</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Here is an example configuration for the setup we just
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    described above. Note that this is only configuration information;
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    for information on how to configure your zone files, see <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    linkend="sample_configuration"/></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Internal DNS server config:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonacl internals { 172.16.72.0/24; 192.168.1.0/24; };
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceacl externals { <varname>bastion-ips-go-here</varname>; };
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    forward only;
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson    forwarders {                // forward to external servers
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson        <varname>bastion-ips-go-here</varname>;
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson    };
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson    allow-transfer { none; };           // sample allow-transfer (no one)
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson    allow-query { internals; externals; };  // restrict query access
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson    allow-recursion { internals; };     // restrict recursion
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonzone "site1.example.com" {          // sample slave zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "m/site1.example.com";
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson  forwarders { };               // do normal iterative
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson                        // resolution (do not forward)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { internals; externals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "site2.example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type slave;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "s/site2.example.com";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  masters { 172.16.72.3; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  forwarders { };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { internals; externals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "site1.internal" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "m/site1.internal";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  forwarders { };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { internals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; }
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "site2.internal" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type slave;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "s/site2.internal";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  masters { 172.16.72.3; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  forwarders { };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { internals };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; }
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>External (bastion host) DNS server config:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonacl internals { 172.16.72.0/24; 192.168.1.0/24; };
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceacl externals { bastion-ips-go-here; };
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson  allow-transfer { none; };         // sample allow-transfer (no one)
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson  allow-query { internals; externals; };    // restrict query access
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson  allow-recursion { internals; externals; };    // restrict recursion
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonzone "site1.example.com" {          // sample slave zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "m/site1.foo.com";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; externals; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "site2.example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type slave;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "s/site2.foo.com";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  masters { another_bastion_host_maybe; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-transfer { internals; externals; }
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In the <filename>resolv.conf</filename> (or equivalent) on
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe bastion host(s):</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesearch ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameserver 172.16.72.2
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameserver 172.16.72.3
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameserver 172.16.72.4
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1 id="tsig"><title>TSIG</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This is a short guide to setting up Transaction SIGnatures
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto the configuration file as well as what changes are required for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedifferent features, including the process of creating transaction
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekeys and using transaction signatures with <acronym>BIND</acronym>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThis includes zone transfer, notify, and recursive query messages.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceResolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor TSIG.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>TSIG might be most useful for dynamic update. A primary
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    server for a dynamic zone should use access control to control
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    updates, but IP-based access control is insufficient. Key-based
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    access control is far superior, see <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    linkend="proposed_standards"/>. The <command>nsupdate</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    program supports TSIG via the <option>-k</option> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <option>-y</option> command line options.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceAn arbitrary key name is chosen: "host1-host2.". The key name must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe the same on both hosts.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Automatic Generation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey as described above. Longer keys are better, but shorter keys
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare easier to read. Note that the maximum key length is 512 bits;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekeys longer than that will be digested with MD5 to produce a 128
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebit key.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceNothing directly uses this file, but the base-64 encoded string
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefollowing "<literal>Key:</literal>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecan be extracted from the file and used as a shared secret:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe used as the shared secret.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Manual Generation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The shared secret is simply a random sequence of bits, encoded
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein base-64. Most ASCII strings are valid base-64 strings (assuming
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe length is a multiple of 4 and only valid characters are used),
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceso the shared secret can be manually generated.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Also, a known string can be run through <command>mmencode</command> or
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea similar program to generate base-64 encoded data.</para></sect3></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Copying the Shared Secret to Both Machines</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This is beyond the scope of DNS. A secure transport mechanism
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceshould be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Informing the Servers of the Key's Existence</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceboth servers. The following is added to each server's <filename>named.conf</filename> file:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey host1-host2. {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  algorithm hmac-md5;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  secret "La/E5CjG9O+os1jq0a2jdA==";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe secret is the one generated above. Since this is a secret, it
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis recommended that either <filename>named.conf</filename> be non-world
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucereadable, or the key directive be added to a non-world readable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefile that is included by <filename>named.conf</filename>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>At this point, the key is recognized. This means that if the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver receives a message signed by this key, it can verify the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesignature. If the signature succeeds, the response is signed by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe same key.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Instructing the Server to Use the Key</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Since keys are shared between two hosts only, the server must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe told when keys are to be used. The following is added to the <filename>named.conf</filename> file
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce10.1.2.3:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver 10.1.2.3 {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  keys { host1-host2. ;};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Multiple keys may be present, but only the first is used.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThis directive does not contain any secrets, so it may be in a world-readable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefile.</para>
c38ed920e31114105bb4832e912b096ea121004fBrian Wellington<para>If <emphasis>host1</emphasis> sends a message that is a request
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexpect any responses to signed messages to be signed with the same
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>A similar statement must be present in <emphasis>host2</emphasis>'s
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconfiguration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
c38ed920e31114105bb4832e912b096ea121004fBrian Wellingtonsign request messages to <emphasis>host1</emphasis>.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>TSIG Key Based Access Control</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedefinitions and
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<command>allow-{ query | transfer | update }</command> directives.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThis has been extended to allow TSIG keys also. The above key would
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe denoted <command>key host1-host2.</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>An example of an allow-update directive would be:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceallow-update { key host1-host2. ;};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>This allows dynamic updates to succeed only if the request
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      was signed by a key named
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce      "<command>host1-host2.</command>".</para> <para>You may want to read about the more
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce      powerful <command>update-policy</command> statement in <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      linkend="dynamic_update_policies"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Errors</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The processing of TSIG signed messages can result in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      several errors. If a signed message is sent to a non-TSIG aware
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      server, a FORMERR will be returned, since the server will not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      understand the record. This is a result of misconfiguration,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      since the server must be explicitly configured to send a TSIG
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      signed message to a specific server.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>If a TSIG aware server receives a message signed by an
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      unknown key, the response will be unsigned with the TSIG
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      extended error code set to BADKEY. If a TSIG aware server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      receives a message with a signature that does not validate, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      response will be unsigned with the TSIG extended error code set
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      to BADSIG. If a TSIG aware server receives a message with a time
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      outside of the allowed range, the response will be signed with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the TSIG extended error code set to BADTIME, and the time values
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      will be adjusted so that the response can be successfully
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      verified. In any of these cases, the message's rcode is set to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      NOTAUTH.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>TKEY</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><command>TKEY</command> is a mechanism for automatically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    generating a shared secret between two hosts.  There are several
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    "modes" of <command>TKEY</command> that specify how the key is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    generated or assigned.  <acronym>BIND</acronym> implements only one of these modes,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the Diffie-Hellman key exchange.  Both hosts are required to have
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    a Diffie-Hellman KEY record (although this record is not required
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    to be present in a zone).  The <command>TKEY</command> process
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    must use signed messages, signed either by TSIG or SIG(0).  The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    result of <command>TKEY</command> is a shared secret that can be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    used to sign messages with TSIG.  <command>TKEY</command> can also
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    be used to delete shared secrets that it had previously
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    generated.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The <command>TKEY</command> process is initiated by a client
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    or server by sending a signed <command>TKEY</command> query
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    (including any appropriate KEYs) to a TKEY-aware server.  The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    server response, if it indicates success, will contain a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>TKEY</command> record and any appropriate keys.  After
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    this exchange, both participants have enough information to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    determine the shared secret; the exact process depends on the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>TKEY</command> mode.  When using the Diffie-Hellman
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    and the shared secret is derived by both participants.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>SIG(0)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0) transaction
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    signatures as specified in RFC 2535.  SIG(0) uses public/private
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    keys to authenticate messages.  Access control is performed in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    same manner as TSIG keys; privileges can be granted or denied
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    based on the key name.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>When a SIG(0) signed message is received, it will only be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    verified if the key is known and trusted by the server; the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    will not attempt to locate and/or validate the key.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
c10ee77c299cda002f7e28a2af420392b1f0b78fAndreas Gustafsson    <para>SIG(0) signing of multiple-message TCP streams is not
05eb8dbcb2dde7e96babcc3455788b35a2d5c525Andreas Gustafsson    supported.</para>
c10ee77c299cda002f7e28a2af420392b1f0b78fAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><acronym>BIND</acronym> 9 does not ship with any tools that generate SIG(0)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    signed messages.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="DNSSEC">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>DNSSEC</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Cryptographic authentication of DNS information is possible
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    through the DNS Security (<emphasis>DNSSEC</emphasis>) extensions,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    defined in RFC 2535. This section describes the creation and use
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    of DNSSEC signed zones.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>In order to set up a DNSSEC secure zone, there are a series
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington    of steps which must be followed.  <acronym>BIND</acronym> 9 ships
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington    with several tools
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    that are used in this process, which are explained in more detail
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    below.  In all cases, the "<option>-h</option>" option prints a
52d93f16f78667e485457ae8fc81456db5f580c2Brian Wellington    full list of parameters.  Note that the DNSSEC tools require the
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington    keyset and signedkey files to be in the working directory, and
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington    that the tools shipped with BIND 9.0.x are not fully compatible
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington    with the current ones.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>There must also be communication with the administrators of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the parent and/or child zone to transmit keys and signatures.  A
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    zone's security status must be indicated by the parent zone for a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    DNSSEC capable resolver to trust its data.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>For other servers to trust data in this zone, they must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    either be statically configured with this zone's zone key or the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    zone key of another zone above this one in the DNS tree.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Generating Keys</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>dnssec-keygen</command> program is used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      generate keys.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>A secure zone must contain one or more zone keys.  The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      zone keys will sign all other records in the zone, as well as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the zone keys of any secure delegated zones.  Zone keys must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      have the same name as the zone, a name type of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>ZONE</command>, and must be usable for authentication.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      It is recommended that zone keys be mandatory to implement a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      cryptographic algorithm; currently the only key mandatory to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      implement an algorithm is DSA.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following command will generate a 768 bit DSA key for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the <filename>child.example</filename> zone:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Two output files will be produced:
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>Kchild.example.+003+12345.key</filename> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>Kchild.example.+003+12345.private</filename> (where
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      12345 is an example of a key tag).  The key file names contain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the key name (<filename>child.example.</filename>), algorithm (3
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      The private key (in the <filename>.private</filename> file) is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      used to generate signatures, and the public key (in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>.key</filename> file) is used for signature
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      verification.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>To generate another key with the same properties (but with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      a different key tag), repeat the above command.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The public keys should be inserted into the zone file with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>$INCLUDE</command> statements, including the
450025a0d1a279a0fdb400764c6baa876bad9d5eAndreas Gustafsson      <filename>.key</filename> files.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Creating a Keyset</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>dnssec-makekeyset</command> program is used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      to create a key set from one or more keys.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Once the zone keys have been generated, a key set must be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      built for transmission to the administrator of the parent zone,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      so that the parent zone can sign the keys with its own zone key
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      and correctly indicate the security status of this zone.  When
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      building a key set, the list of keys to be included and the TTL
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      of the set must be specified, and the desired signature validity
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      period of the parent's signature may also be specified.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The list of keys to be inserted into the key set may also
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      included non-zone keys present at the top of the zone.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>dnssec-makekeyset</command> may also be used at other
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      names in the zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following command generates a key set containing the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      above key and another key similarly generated, with a TTL of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      3600 and a signature validity period of 10 days starting from
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      now.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington<para><userinput>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>One output file is produced:
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington      <filename>keyset-child.example.</filename>.  This file should be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      transmitted to the parent to be signed.  It includes the keys,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      as well as signatures over the key set generated by the zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      keys themselves, which are used to prove ownership of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      private keys and encode the desired validity period.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Signing the Child's Keyset</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>dnssec-signkey</command> program is used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      sign one child's keyset.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>If the <filename>child.example</filename> zone has any
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      delegations which are secure, for example,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>grand.child.example</filename>, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>child.example</filename> administrator should receive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      keyset files for each secure subzone.  These keys must be signed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      by this zone's zone keys.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following command signs the child's key set with the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      zone keys:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington<para><userinput>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>One output file is produced:
bfb69095ae36154a6440ce89b972c17fd0e4c692Brian Wellington      <filename>signedkey-grand.child.example.</filename>.  This file
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      should be both transmitted back to the child and retained.  It
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      includes all keys (the child's keys) from the keyset file and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      signatures generated by this zone's zone keys.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Signing the Zone</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>dnssec-signzone</command> program is used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      sign a zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Any <filename>signedkey</filename> files corresponding to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      secure subzones should be present, as well as a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>signedkey</filename> file for this zone generated by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the parent (if there is one). The zone signer will generate
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <literal>NXT</literal> and <literal>SIG</literal> records for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the zone, as well as incorporate the zone key signature from the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      parent and indicate the security status at all delegation
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      points.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following command signs the zone, assuming it is in a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      file called <filename>zone.child.example</filename>.  By
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      default, all zone keys which have an available private key are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      used to generate signatures.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>One output file is produced:
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <filename>zone.child.example.signed</filename>.  This file
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      should be referenced by <filename>named.conf</filename> as the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      input file for the zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2><title>Configuring Servers</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Unlike in <acronym>BIND</acronym> 8, data is not verified on load in <acronym>BIND</acronym> 9,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      so zone keys for authoritative zones do not need to be specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      in the configuration file.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The public key for any security root must be present in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the configuration file's <command>trusted-keys</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      statement, as described later in this document. </para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    name to address and address to name lookups.  It will also use
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    IPv6 addresses to make queries when running on an IPv6 capable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    system.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>For forward lookups, <acronym>BIND</acronym> 9 supports both A6 and AAAA
894ae8603829064f5bd3ec9a8a7bcf21d465a12eAndreas Gustafsson    records.  The use of AAAA records is deprecated, but it is still
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    useful for hosts to have both AAAA and A6 records to maintain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    backward compatibility with installations where AAAA records are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    still used.  In fact, the stub resolvers currently shipped with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    most operating system support only AAAA lookups, because following
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    A6 chains is much harder than doing A or AAAA lookups.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports the new
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    "bitstring" format used in the <emphasis>ip6.arpa</emphasis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    domain, as well as the older, deprecated "nibble" format used in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the <emphasis>ip6.int</emphasis> domain.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para><acronym>BIND</acronym> 9 includes a new lightweight resolver library and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    resolver daemon which new applications may choose to use to avoid
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    the complexities of A6 chain following and bitstring labels, see <xref
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce    linkend="ch05"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Address Lookups Using AAAA Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The AAAA record is a parallel to the IPv4 A record.  It
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      specifies the entire address in a single record.  For
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      example,</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonhost        3600    IN  AAAA    3ffe:8050:201:1860:42::1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>While their use is deprecated, they are useful to support
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      older IPv6 applications.  They should not be added where they
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      are not absolutely necessary.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Address Lookups Using A6 Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The A6 record is more flexible than the AAAA record, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      is therefore more complicated.  The A6 record can be used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      form a chain of A6 records, each specifying part of the IPv6
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      address. It can also be used to specify the entire record as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      well.  For example, this record supplies the same data as the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      AAAA record in the previous example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonhost        3600    IN  A6  0 3ffe:8050:201:1860:42::1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>A6 Chains</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>A6 records are designed to allow network
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        renumbering. This works when an A6 record only specifies the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        part of the address space the domain owner controls.  For
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        example, a host may be at a company named "company."  It has
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        two ISPs which provide IPv6 address space for it.  These two
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        ISPs fully specify the IPv6 prefix they supply.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>In the company's address space:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonhost        3600    IN  A6  64 0:0:0:0:42::1 company.example1.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonhost        3600    IN  A6  64 0:0:0:0:42::1 company.example2.net.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>ISP1 will use:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example1.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssoncompany     3600    IN  A6  0 3ffe:8050:201:1860::
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>ISP2 will use:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example2.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssoncompany     3600    IN  A6  0 1234:5678:90ab:fffa::
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson        <para>When <literal
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson       >host.example.com</literal> is looked up,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        the resolver (in the resolver daemon or caching name server)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        will find two partial A6 records, and will use the additional
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        name to find the remainder of the data.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>A6 Records for DNS Servers</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>When an A6 record specifies the address of a name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        server, it should use the full address rather than specifying
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        a partial address.  For example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson@       14400       IN  NS      ns0
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson        14400       IN  NS      ns1
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonns0     14400       IN  A6      0 3ffe:8050:201:1860:42::1
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonns1     14400       IN  A       192.168.42.1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>It is recommended that IPv4-in-IPv6 mapped addresses not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        be used.  If a host has an IPv4 address, use an A record, not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        an A6, with <literal>::ffff:192.168.42.1</literal> as the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        address.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Address to Name Lookups Using Nibble Format</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>While the use of nibble format to look up names is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      deprecated, it is supported for backwards compatiblity with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      existing IPv6 applications.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>When looking up an address in nibble format, the address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      components are simply reversed, just as in IPv4, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <literal>ip6.int.</literal> is appended to the resulting name.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      For example, the following would provide reverse name lookup for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      a host with address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <literal>3ffe:8050:201:1860:42::1</literal>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.int.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0   14400 IN  PTR host.example.com.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Address to Name Lookups Using Bitstring Format</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Bitstring labels can start and end on any bit boundary,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      rather than on a multiple of 4 bits as in the nibble
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      format. They also use <emphasis>ip6.arpa</emphasis> rather than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <emphasis>ip6.int</emphasis>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>To replicate the previous example using bitstrings:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN \[x3ffe805002011860/64].ip6.arpa.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson\[x0042000000000001/64]     14400   IN  PTR host.example.com.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Using DNAME for Delegation of IPv6 Reverse Addresses</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>In IPV6, the same host may have many addresses from many
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      network providers.  Since the trailing portion of the address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      usually remains constant, <command>DNAME</command> can help
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      reduce the number of zone files used for reverse mapping that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      need to be maintained.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>For example, consider a host which has two providers
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      (<literal>example.net</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <literal>example2.net</literal>) and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      therefore two IPv6 addresses.  Since the host chooses its own 64
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      bit host address portion, the provider address is the only part
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      that changes:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonhost            A6  64  ::1234:5678:1212:5675 cust1.example.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson            A6  64  ::1234:5678:1212:5675 subnet5.example2.net.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssoncust1           A6  48  0:0:0:dddd:: ipv6net.example.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonipv6net         A6  0   aa:bb:cccc::
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN example2.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonsubnet5         A6  48  0:0:0:1:: ipv6net2.example2.net.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafssonipv6net2        A6  0   6666:5555:4::
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This sets up forward lookups.  To handle the reverse lookups,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe provider <literal>example.net</literal>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewould have:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN \[x00aa00bbcccc/48].ip6.arpa.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson\[xdddd/16]     DNAME       ipv6-rev.example.com.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <para>and <literal
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson     >example2.net</literal> would have:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN \[x666655550004/48].ip6.arpa.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson\[x0001/16]     DNAME       ipv6-rev.example.com.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      <para><literal>example.com</literal>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      needs only one zone file to handle both of these reverse
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      mappings:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$ORIGIN ipv6-rev.example.com.
3f6d7a2044d1a23dbf6ffde00813585719abd693Andreas Gustafsson\[x1234567812125675/64] PTR     host.example.com.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  <chapter id="ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title>The Lightweight Resolver Library</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Traditionally applications have been linked with a stub resolver
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelibrary that sends recursive DNS queries to a local caching name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>IPv6 introduces new complexity into the resolution process,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesuch as following A6 chains and DNAME records, and simultaneous
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelookup of IPv4 and IPv6 addresses.  These are hard or impossible
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto implement in a traditional stub resolver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceusing a combination of a lightweight resolver library and a resolver
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedaemon process running on the local host.  These communicate using
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea simple UDP-based protocol, the "lightweight resolver protocol"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat is distinct from and simpler than the full DNS protocol.</para></sect1>
6cde91f60818bb5b86e1b347b82f305e2902452fAndreas Gustafsson<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>To use the lightweight resolver interface, the system must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerun the resolver daemon <command>lwresd</command>.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<para>By default, applications using the lightweight resolver library will make
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian WellingtonUDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonaddress can be overriden by <command>lwserver</command> lines in
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<filename>/etc/resolv.conf</filename>.
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian WellingtonThe daemon will try to find the answer to the questions "what are the
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonaddresses for host
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>foo.example.com</literal>?" and "what are
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonthe names for IPv4 address 10.1.2.3?"</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The daemon currently only looks in the DNS, but in the future
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonit may use other sources such as <filename>/etc/hosts</filename>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceNIS, etc.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<para>The <command>lwresd</command> daemon is essentially a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecaching-only name server that answers requests using the lightweight
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceresolver protocol rather than the DNS protocol.  Because it needs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto run on each host, it is designed to require no or minimal configuration.
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian WellingtonUnless configured otherwise, it uses the name servers listed on
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonas forwarders, but is also capable of doing the resolution autonomously if
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonnone are specified.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<para>The <command>lwresd</command> daemon may also be configured with a
6cde91f60818bb5b86e1b347b82f305e2902452fAndreas Gustafsson<filename>named.conf</filename> style configuration file, in
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington<filename>/etc/lwresd.conf</filename> by default.  A name server may also
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellingtonbe configured to act as a lightweight resolver daemon using the
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<command>lwres</command> statement in <filename>named.conf</filename>.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington</sect1></chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<chapter id="ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> 9 configuration is broadly similar to <acronym>BIND</acronym> 8.x; however,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethere are a few new areas of configuration, such as views. <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce8.x configuration files should work with few alterations in <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce9, although more complex configurations should be reviewed to check
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif they can be more efficiently implemented using the new features
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefound in <acronym>BIND</acronym> 9.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceusing the shell script
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefile documentation:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"  rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>acl_name</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedefined by the <command>acl</command> statement.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>, <varname>ip_prefix</varname>, <varname>key_id</varname>, or <varname>acl_name</varname> elements, see
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<xref linkend="address_match_lists"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>domain_name</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A quoted string which will be used as
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>One or more integers valued 0 through
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce255 separated only by dots (`.'), such as <command>123</command>, <command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>An IPv4 address with exactly four elements
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein <varname>dotted_decimal</varname> notation.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>An IPv6 address, such as <command>fe80::200:f8ff:fe01:9742</command>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>ip_port</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>An IP port <varname>number</varname>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce <varname>number</varname> is limited to 0 through 65535, with values
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebelow 1024 typically restricted to root-owned processes. In some
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecases an asterisk (`*') character can be used as a placeholder to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceselect a random high-numbered port.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefollowed by a slash (`/') and then the number of bits in the netmask.
2868291ab5d4deba4d61c110f92dc397807702c7Mark AndrewsTrailing zeros in a <varname>ip_addr</varname> may omitted.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceFor example, <command>127/8</command> is the network <command>127.0.0.0</command> with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetwork <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>key_id</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A <varname>domain_name</varname> representing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe name of a shared key, to be used for transaction security.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>key_list</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceseparated by semicolons and ending with a semicolon.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>number</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A non-negative integer with an entire
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerange limited by the range of a C language signed integer (2,147,483,647
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon a machine with 32 bit integers). Its acceptable value might further
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe limited by the context in which it is used.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>path_name</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A quoted string which will be used as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>size_spec</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor the word <userinput>default</userinput>.</para><para>The maximum
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevalue of <varname>size_spec</varname> is that of unsigned long integers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the machine. An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuse, or the maximum available amount. A <varname>default size_spec</varname> uses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe limit that was in force when the server was started.</para><para>A <varname>number</varname> can
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonoptionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemegabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para><para>Integer
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestorage overflow is currently silently ignored during conversion
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof scaled values, resulting in values less than intended, possibly
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceeven negative. Using <varname>unlimited</varname> is the best way
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto safely set a really large number.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe words <userinput>true</userinput> and <userinput>false</userinput> are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucealso accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<row rowsep = "0">
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<entry colname = "2"><para>One of <userinput>yes</userinput>,
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<userinput>no</userinput>, <userinput>notify</userinput>,
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<userinput>passive</userinput>.
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas GustafssonWhen used in a zone, <userinput>notify-passive</userinput>,
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafsson<userinput>refresh</userinput>, and <userinput>passive</userinput>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewsare restricted to slave and stub zones.</para></entry>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2 id="address_match_lists"><title>Address Match Lists</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Syntax</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <programlisting><varname>address_match_list</varname> = address_match_list_element ;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <optional> address_match_list_element; ... </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   key key_id | acl_name | { address_match_list } )
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Definition and Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Address match lists are primarily used to determine access
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecontrol for various server operations. They are also used to define
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepriorities for querying other nameservers and to set the addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon which <command>named</command> will listen for queries. The elements
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich constitute an address match list can be any of the following:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<itemizedlist><listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>an IP prefix (in the `/'-notation)</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>a key ID, as defined by the key statement</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>the name of an address match list previously defined with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe <command>acl</command> statement</simpara></listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<listitem>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Elements can be negated with a leading exclamation mark (`!')
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand the match list names "any," "none," "localhost" and "localnets"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare predefined. More information on those names can be found in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe description of the acl statement.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The addition of the key clause made the name of this syntactic
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceelement something of a misnomer, since security keys can be used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto validate access without regard to a host or network address. Nonetheless,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe term "address match list" is still used throughout the documentation.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When a given IP address or prefix is compared to an address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucematch list, the list is traversed in order until an element matches.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe interpretation of a match depends on whether the list is being used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor access control, defining listen-on ports, or as a topology,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand whether the element was negated.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When used as an access control list, a non-negated match allows
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceaccess and a negated match denies access. If there is no match,
54f00517c59eab6eb85af378637f05075a4380a5Mark Andrewsaccess is denied. The clauses <command>allow-notify</command>,
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>allow-query</command>, <command>allow-transfer</command>,
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>allow-update</command> and <command>blackhole</command> all
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuse address match lists  this. Similarly, the listen-on option will cause
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe server to not accept queries on any of the machine's addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich do not match the list.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When used with the topology clause, a non-negated match returns
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea distance based on its position on the list (the closer the match
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis to the start of the list, the shorter the distance is between
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit and the server). A negated match will be assigned the maximum
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedistance from the server. If there is no match, the address will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceget a distance which is further than any non-negated list element,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand closer than any negated element.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Because of the first-match aspect of the algorithm, an element
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat defines a subset of another element in the list should come
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebefore the broader element, regardless of whether either is negated. For
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexample, in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecompletely useless because the algorithm will match any lookup for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce1.2.3.13 to the 1.2.3/24 element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat problem by having 1.2.3.13 blocked by the negation but all
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceother 1.2.3.* hosts fall through.</para></sect3></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Comment Syntax</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      anywhere that white space may appear in a <acronym>BIND</acronym> configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      file. To appeal to programmers of all kinds, they can be written
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      in C, C++, or shell/perl constructs.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Syntax</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Definition and Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Comments may appear anywhere that whitespace may appear in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea <acronym>BIND</acronym> configuration file.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>C-style comments start with the two characters /* (slash,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestar) and end with */ (star, slash). Because they are completely
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedelimited with these characters, they can be used to comment only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea portion of a line or to span multiple lines.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>C-style comments cannot be nested. For example, the following
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis not valid because the entire comment ends with the first */:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><programlisting>/* This is the start of a comment.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   This is still part of the comment.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce/* This is an incorrect attempt at nesting a comment. */
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   This is no longer in any comment. */
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>C++-style comments start with the two characters // (slash,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceslash) and continue to the end of the physical line. They cannot
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe continued across multiple physical lines; to have one logical
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecomment span multiple lines, each line must use the // pair.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><programlisting>// This is the start of a comment.  The next line
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// is a new comment, even though it is logically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// part of the previous comment.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Shell-style (or perl-style, if you prefer) comments start
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith the character <literal>#</literal> (number sign) and continue to the end of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucephysical line, as in C++ comments.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><programlisting># This is the start of a comment.  The next line
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce# is a new comment, even though it is logically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce# part of the previous comment.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <warning>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <para>WARNING: you cannot use the semicolon (`;') character
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          to start a comment such as you would in a zone file. The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          semicolon indicates the end of a configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          statement.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </warning>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="Configuration_File_Grammar">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Configuration File Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    Statements end with a semicolon. Statements and comments are the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    only elements that can appear without enclosing braces. Many
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    statements contain a block of substatements, which are also
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    terminated with a semicolon.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The following statements are supported:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <informaltable colsep = "0"  rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>acl</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>defines a named IP address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucematching list, for access control and other uses.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>controls</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>declares control channels to be used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby the <command>rndc</command> utility.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>include</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>includes a file.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>key</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>specifies key information for use in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceauthentication and authorization using TSIG.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>logging</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>specifies what the server logs, and where
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe log messages are sent.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>options</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>controls global server configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions and sets defaults for other statements.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>server</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>sets certain configuration options on
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea per-server basis.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>trusted-keys</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>view</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>defines a view.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "1"><para><command>zone</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <entry colname = "2"><para>defines a zone.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The <command>logging</command> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <command>options</command> statements may only occur once per
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    configuration.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>acl</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting><command>acl</command> acl-name {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    address_match_list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="acl">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>acl</command> Statement Definition and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>acl</command> statement assigns a symbolic
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      name to an address match list. It gets its name from a primary
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      use of address match lists: Access Control Lists (ACLs).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Note that an address match list's name must be defined
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      with <command>acl</command> before it can be used elsewhere; no
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      forward references are allowed.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The following ACLs are built-in:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <informaltable colsep = "0"  rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>any</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches all hosts.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>none</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches no hosts.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>localhost</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches the IP addresses of all interfaces
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the system.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>localnets</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches any host on a network for which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe system has an interface.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>controls</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><command>controls</command> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   inet ( ip_addr | * ) <optional> port ip_port </optional> allow <replaceable> address_match_list </replaceable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                keys <replaceable> key_list </replaceable>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   <optional> inet ...; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>controls</command> Statement Definition and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>controls</command> statement declares control
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      channels to be used by system administrators to affect the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      operation of the local nameserver. These control channels are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      used by the <command>rndc</command> utility to send commands to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      and retrieve non-DNS results from a nameserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>An <command>inet</command> control channel is a TCP/IP
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      socket accessible to the Internet, created at the specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>ip_port</command> on the specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>ip_addr</command>.  If no port is specified, port 953
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      is used by default.  "*" cannot be used for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>ip_port</command>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The ability to issue commands over the control channel is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      restricted by the <command>allow</command> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>keys</command> clauses.  Connections to the control
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      channel are permitted based on the address permissions in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>address_match_list</command>. <command>key_id</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      members of the <command>address_match_list</command> are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      ignored, and instead are interpreted independently based the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <command>key_list</command>.  Each <command>key_id</command> in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      the <command>key_list</command> is allowed to be used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      authenticate commands and responses given over the control
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      channel by digitally signing each message between the server and
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson      a command client (See <xref linkend="rndc"/> in
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson      <xref linkend="admin_tools"/>). All commands to the control channel
f7c21e46c4b5fdae516b91374c24a87671f83ea3Andreas Gustafsson      must be signed by one of its specified keys to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      be honored.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      in <acronym>BIND</acronym> 9.0.0, and is not expected to be added in future
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      releases.  If it is present in the controls statement from a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <acronym>BIND</acronym> 8 configuration file, a non-fatal warning will be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      logged.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>include</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>include <replaceable>filename</replaceable>;</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>include</command> Statement Definition and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>include</command> statement inserts the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      specified file at the point that the <command>include</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      statement is encountered. The <command>include</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      statement facilitates the administration of configuration files
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      by permitting the reading or writing of some things but not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      others. For example, the statement could include private keys
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      that are readable only by a nameserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>key</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>key <replaceable>key_id</replaceable> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    algorithm <replaceable>string</replaceable>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    secret <replaceable>string</replaceable>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>key</command> Statement Definition and Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>key</command> statement defines a shared
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce      secret key for use with TSIG, see <xref linkend="tsig"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <replaceable>key_id</replaceable>, also known as the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      key name, is a domain name uniquely identifying the key. It can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      be used in a "server" statement to cause requests sent to that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      server to be signed with this key, or in address match lists to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      verify that incoming requests have been signed with a key
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      matching this name, algorithm, and secret.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <replaceable>algorithm_id</replaceable> is a string
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      that specifies a security/authentication algorithm. The only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      algorithm currently supported with TSIG authentication is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <literal>hmac-md5</literal>.  The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <replaceable>secret_string</replaceable> is the secret to be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      used by the algorithm, and is treated as a base-64 encoded
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      string.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>logging</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting><command>logging</command> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   [ <command>channel</command> <replaceable>channel_name</replaceable> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     ( <command>file</command> <replaceable>path name</replaceable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce         [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce         [ <command>size</command> <replaceable>size spec</replaceable> ]
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson       | <command>syslog</command> <replaceable>syslog_facility</replaceable>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson       | <command>stderr</command>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson       | <command>null</command> );
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   }; ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   [ <command>category</command> <replaceable>category_name</replaceable> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     <replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   }; ]
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2><title><command>logging</command> Statement Definition and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>logging</command> statement configures a wide
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevariety of logging options for the nameserver. Its <command>channel</command> phrase
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceassociates output methods, format options and severity levels with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea name that can then be used with the <command>category</command> phrase
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto select how various classes of messages are logged.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Only one <command>logging</command> statement is used to define
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas many channels and categories as are wanted. If there is no <command>logging</command> statement,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe logging configuration will be:</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<programlisting><command>logging</command> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce     category "default" { "default_syslog"; "default_debug"; };
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe entire configuration file has been parsed.  In <acronym>BIND</acronym> 8, it was
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceestablished as soon as the <command>logging</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewas parsed. When the server is starting up, all logging messages
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceregarding syntax errors in the configuration file go to the default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucechannels, or to standard error if the "<option>-g</option>" option
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewas specified.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3><title>The <command>channel</command> Phrase</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>All log output goes to one or more <emphasis>channels</emphasis>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyou can make as many of them as you want.</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>Every channel definition must include a destination clause that
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonsays whether messages selected for the channel go to a file, to a
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonparticular syslog facility, to the standard error stream, or are
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssondiscarded. It can optionally also limit the message severity level
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonthat will be accepted by the channel (the default is
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<command>info</command>), and whether to include a
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<command>named</command>-generated time stamp, the category name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand/or severity level (the default is not to include any).</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>The <command>null</command> destination clause
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssoncauses all messages sent to the channel to be discarded;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein that case, other options for the channel are meaningless.</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>The <command>file</command> destination clause directs the channel
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonto a disk file.  It can include limitations
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceboth on how large the file is allowed to become, and how many versions
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the file will be saved each time the file is opened.</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>size</command> option for files is simply a hard
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceceiling on log growth. If the file ever exceeds the size, then <command>named</command> will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenot write anything more to it until the file is reopened; exceeding
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe size does not automatically trigger a reopen. The default behavior
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis not to limit the size of the file.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If you use the <command>version</command> log file option,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethen <command>named</command> will retain that many backup versions
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the file by renaming them when opening. For example, if you choose
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto keep 3 old versions of the file <filename>lamers.log</filename> then
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucejust before it is opened <filename>lamers.log.1</filename> is renamed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerenamed to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerenamed to <filename>lamers.log.0</filename>. No rolled versions
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare kept by default; any existing log file is simply appended. The <command>unlimited</command> keyword
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis synonymous with <command>99</command> in current <acronym>BIND</acronym> releases.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Example usage of the size and versions options:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <programlisting>channel "an_example_channel" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    file "example.log" versions 3 size 20m;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    print-time yes;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    print-category yes;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson</programlisting>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>The <command>syslog</command> destination clause directs the
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonchannel to the system log.  Its argument is a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesyslog facility as described in the <command>syslog</command> man
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepage. How <command>syslog</command> will handle messages sent to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethis facility is described in the <command>syslog.conf</command> man
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepage. If you have a system which uses a very old version of <command>syslog</command> that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceonly uses two arguments to the <command>openlog()</command> function,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethen this clause is silently ignored.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>severity</command> clause works like <command>syslog</command>'s
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce"priorities," except that they can also be used if you are writing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestraight to a file rather than using <command>syslog</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceMessages which are not at least of the severity level given will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenot be selected for the channel; messages of higher severity levels
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill be accepted.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill also determine what eventually passes through. For example,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedefining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceonly logging <command>daemon.warning</command> via <command>syslog.conf</command> will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecause messages of severity <command>info</command> and <command>notice</command> to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe dropped. If the situation were reversed, with <command>named</command> writing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemessages of only <command>warning</command> or higher, then <command>syslogd</command> would
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceprint all messages it received from the channel.</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson<para>The <command>stderr</command> destination clause directs the
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonchannel to the server's standard error stream.  This is intended for
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonuse when the server is running as a foreground process, for example
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafssonwhen debugging a configuration.</para>
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The server can supply extensive debugging information when
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit is in debugging mode. If the server's global debug level is greater
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethan zero, then debugging mode will be active. The global debug
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelevel is set either by starting the <command>named</command> server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith the <option>-d</option> flag followed by a positive integer,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor by running <command>rndc trace</command>. <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <simpara>the latter
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemethod is not yet implemented</simpara></note> The global debug level
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecan be set to zero, and debugging mode turned off, by running <command>ndc
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenotrace</command>. All debugging messages in the server have a debug
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelevel, and higher debug levels give more detailed output. Channels
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat specify a specific debug severity, for example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>channel "specific_debug_level" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    file "foo";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    severity debug 3;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>will get debugging output of level 3 or less any time the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver is in debugging mode, regardless of the global debugging
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelevel. Channels with <command>dynamic</command> severity use the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver's global level to determine what messages to print.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>If <command>print-time</command> has been turned on, then
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe date and time will be logged. <command>print-time</command> may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe specified for a <command>syslog</command> channel, but is usually
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepointless since <command>syslog</command> also prints the date and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetime. If <command>print-category</command> is requested, then the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecategory of the message will be logged as well. Finally, if <command>print-severity</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon, then the severity level of the message will be logged. The <command>print-</command> options may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe used in any combination, and will always be printed in the following
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceorder: time, category, severity. Here is an example where all three <command>print-</command> options
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare on:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>There are four predefined channels that are used for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>named</command>'s default logging as follows. How they are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused is described in <xref linkend="the_category_phrase"/>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <programlisting>channel "default_syslog" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    syslog daemon;          // end to syslog's daemon
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // facility
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    severity info;          // only send priority info
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // and higher
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucechannel "default_debug" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    file "named.run";           // write to named.run in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // the working directory
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // Note: stderr is used instead
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // of "named.run"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // if the server is started
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // with the '-f' option.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    severity dynamic            // log at the server's
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // current debug level
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucechannel "default_stderr" {      // writes to stderr
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas Gustafsson    stderr;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    severity info;          // only send priority info
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // and higher
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucechannel "null" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   null;                // toss anything sent to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    // this channel
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>default_debug</command> channel normally writes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto a file <filename>named.run</filename> in the server's working
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedirectory.  For security reasons, when the "<option>-u</option>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecommand line option is used, the <filename>named.run</filename> file
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis created only after <command>named</command> has changed to the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenew UID, and any debug output generated while <command>named</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestarting up and still running as root is discarded.  If you need
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto capture this output, you must run the server with the "<option>-g</option>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoption and redirect standard error to a file.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Once a channel is defined, it cannot be redefined. Thus you
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecannot alter the built-in channels directly, but you can modify
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe default logging by pointing categories at channels you have defined.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>There are many categories, so you can send the logs you want
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto see wherever you want, without seeing logs you don't want. If
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyou don't specify a list of channels for a category, then log messages
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein that category will be sent to the <command>default</command> category
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinstead. If you don't specify a default category, the following
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce"default default" is used:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>category "default" { "default_syslog"; "default_debug"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>As an example, let's say you want to log security events to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea file, but you also want keep the default logging behavior. You'd
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecify the following:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>channel "my_security_channel" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    file "my_security_file";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    severity info;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecategory "security" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    "my_security_channel";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    "default_syslog";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    "default_debug";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>category "xfer-out" { "null"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecategory "notify" { "null"; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Following are the available categories and brief descriptions
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the types of log information they contain. More
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecategories may be added in future <acronym>BIND</acronym> releases.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>default</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The default category defines the logging
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions for those categories where no specific configuration has been
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedefined.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>general</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The catch-all. Many things still aren't
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceclassified into categories, and they all end up here.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>database</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Messages relating to the databases used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinternally by the name server to store zone and cache data.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>security</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Approval and denial of requests.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>config</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>resolver</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>DNS resolution, such as the recursive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelookups performed on behalf of clients by a caching name server.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>xfer-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>xfer-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>notify</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>client</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Processing of client requests.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>network</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Network operations.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>update</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Dynamic updates.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
100a13ba663eb2f8eab09a96e6be8f709741ab12Andreas Gustafsson<row rowsep = "0">
100a13ba663eb2f8eab09a96e6be8f709741ab12Andreas Gustafsson<entry colname = "1"><para><command>queries</command></para></entry>
100a13ba663eb2f8eab09a96e6be8f709741ab12Andreas Gustafsson<entry colname = "2"><para>Queries.</para></entry>
100a13ba663eb2f8eab09a96e6be8f709741ab12Andreas Gustafsson</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    <sect2>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <title><command>lwres</command> Statement Grammar</title>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para> This is the grammar of the <command>lwres</command>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      statement in the <filename>named.conf</filename> file:</para>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<programlisting><command>lwres</command> {
54ce9b2e29aafe1cb5f898a0983fb66e450e9559Brian Wellington    <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    <optional> view <replaceable>view_name</replaceable>; </optional>
64039dfa4834e154e3c3a90db76091a9fa8d95eaBrian Wellington    <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    <optional> ndots <replaceable>number</replaceable>; </optional>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson};
6cde91f60818bb5b86e1b347b82f305e2902452fAndreas Gustafsson</programlisting>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    </sect2>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    <sect2>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <title><command>lwres</command> Statement Definition and Usage</title>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para>The <command>lwres</command> statement configures the name
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      server to also act as a lightweight resolver server, see
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <xref linkend="lwresd"/>.  There may be be multiple
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <command>lwres</command> statements configuring
6cde91f60818bb5b86e1b347b82f305e2902452fAndreas Gustafsson      lightweight resolver servers with different properties.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para>The <command>listen-on</command> statement specifies a list of
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      addresses (and ports) that this instance of a lightweight resolver daemon
64039dfa4834e154e3c3a90db76091a9fa8d95eaBrian Wellington      should accept requests on.  If no port is specified, port 921 is used.
64039dfa4834e154e3c3a90db76091a9fa8d95eaBrian Wellington      If this statement is omitted, requests will be accepted on 127.0.0.1,
64039dfa4834e154e3c3a90db76091a9fa8d95eaBrian Wellington      port 921.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para>The <command>view</command> statement binds this instance of a
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      lightweight resolver daemon to a view in the DNS namespace, so that the
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      response will be constructed in the same manner as a normal DNS query
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      matching this view.  If this statement is omitted, the default view is
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      used, and if there is no default view, an error is triggered.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para>The <command>search</command> statement is equivalent to the
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <command>search</command> statement in
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <filename>/etc/resolv.conf</filename>.  It provides a list of domains
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      which are appended to relative names in queries.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <para>The <command>ndots</command> statement is equivalent to the
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <command>ndots</command> statement in
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      <filename>/etc/resolv.conf</filename>.  It indicates the minimum
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      number of dots in a relative domain name that should result in an
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington      exact match lookup before search path elements are appended.</para>
3dc1a039b355380451dd382b58c9b7c2e07788c2Brian Wellington    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>options</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce      <para>This is the grammar of the <command>options</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      statement in the <filename>named.conf</filename> file:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><command>options</command> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> version <replaceable>version_string</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> directory <replaceable>path_name</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> dump-file <replaceable>path_name</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> pid-file <replaceable>path_name</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyer    <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews    <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> forwarders { <optional> <replaceable>in_addr</replaceable> ; <optional> <replaceable>in_addr</replaceable> ; ... </optional> </optional> }; </optional>
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce    <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable> response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence    <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson    <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
983c852d20169afe01a6425f254cc9dd756e8c14Andreas Gustafsson    <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> tcp-clients <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> recursive-clients <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> serial-queries <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfers-in  <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfers-out <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafsson    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> files <replaceable>size_spec</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> interface-interval <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> statistics-interval <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> topology <optional>{ <replaceable>address_match_list</replaceable> }</optional>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> sortlist <optional>{ <replaceable>address_match_list</replaceable> }</optional>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> rrset-order <optional>{ <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> }</optional>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> lame-ttl <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> min-roots <replaceable>number</replaceable>; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson    <optional> port <replaceable>ip_port</replaceable>; </optional>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff    <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff    <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellington    <optional> random-device <replaceable>path_name</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2><title><command>options</command> Statement Definition and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>options</command> statement sets up global options
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be used by <acronym>BIND</acronym>. This statement may appear only once in a configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefile. If more than one occurrence is found, the first occurrence
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedetermines the actual options used, and a warning will be generated.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf there is no <command>options</command> statement, an options
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceblock with each option set to its default will be used.<informaltable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.591in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.159in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>version</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The version the server should report
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevia a query of name <filename>version.bind</filename> in class <command>chaos</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe default is the real version number of this server.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>directory</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The working directory of the server.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceAny non-absolute pathnames in the configuration file will be taken
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas relative to this directory. The default location for most server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoutput files (e.g. <filename>named.run</filename>) is this directory.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf a directory is not specified, the working directory defaults
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto `<filename>.</filename>', the directory from which the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewas started. The directory specified should be an absolute path.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>named-xfer</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                  <entry colname = "2"><para>
317870a32f6dbdb197da37ab2a7b4df422940249Andreas Gustafsson<emphasis>This option is obsolete.</emphasis>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIt was used in <acronym>BIND</acronym> 8 to specify the pathname to the <command>named-xfer</command> program.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
317870a32f6dbdb197da37ab2a7b4df422940249Andreas Gustafssonneeded; its functionality is built into the name server.</para>
317870a32f6dbdb197da37ab2a7b4df422940249Andreas Gustafsson</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>tkey-domain</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The domain appended to the names of all
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceshared keys generated with <command>TKEY</command>. When a client
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerequests a <command>TKEY</command> exchange, it may or may not specify
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe desired name for the key. If present, the name of the shared
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey will be "<varname>client specified part</varname>" + "<varname>tkey-domain</varname>".
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceOtherwise, the name of the shared key will be "<varname>random hex
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedigits</varname>" + "<varname>tkey-domain</varname>". In most cases,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe <command>domainname</command> should be the server's domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>tkey-dhkey</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The Diffie-Hellman key used by the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto generate shared keys with clients using the Diffie-Hellman mode
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof <command>TKEY</command>. The server must be able to load the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepublic and private keys from files in the working directory. In
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemost cases, the keyname should be the server's host name.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>dump-file</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The pathname of the file the server dumps
f63f9002e7d257aac95693d99d3ee9d17dee3c04Andreas Gustafssonthe database to when instructed to do so with
f63f9002e7d257aac95693d99d3ee9d17dee3c04Andreas Gustafsson<command>rndc dumpdb</command>.
f63f9002e7d257aac95693d99d3ee9d17dee3c04Andreas GustafssonIf not specified, the default is <filename>named_dump.db</filename>.</para>
ddda1ae3694bdf06832b454e9d464fc48ef59a49Brian Wellington</entry></row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>memstatistics-file</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The pathname of the file the server writes memory
f63f9002e7d257aac95693d99d3ee9d17dee3c04Andreas Gustafssonusage statistics to on exit. If not specified, the default is <filename>named.memstats</filename>.</para>
f63f9002e7d257aac95693d99d3ee9d17dee3c04Andreas Gustafsson<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>pid-file</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The pathname of the file the server writes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceits process ID in. If not specified, the default is operating system
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedependent, but is usually
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<filename>/var/run/named.pid</filename> or <filename>/etc/named.pid</filename>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe pid-file is used by programs that want to send signals to the running
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameserver.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>statistics-file</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The pathname of the file the server appends statistics
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonto when instructed to do so using <command>rndc stats</command>.
87a6678320892395c9f17154085f73e1b86f2ecfAndreas GustafssonIf not specified, the default is <filename>named.stats</filename> in the
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonserver's current directory.  The format of the file is described
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonin <xref linkend="statsfile"/></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson<row rowsep = "0">
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson<entry colname = "1"><para><command>port</command></para></entry>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson<entry colname = "2"><para>
3dcb97b199693012d12e978b8f577a339e434361Andreas GustafssonThe UDP/TCP port number the server uses for receiving and sending DNS protocol traffic.
3dcb97b199693012d12e978b8f577a339e434361Andreas GustafssonThe default is 53.  This option is mainly intended for server testing;
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssona server using a port other than 53 will not be able to communicate with
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssonthe global DNS.
3dcb97b199693012d12e978b8f577a339e434361Andreas GustafssonThe <command>port</command> option should be placed at
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssonthe beginning of the options block, before
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssonany other options that take port numbers or IP addresses,
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssonto ensure that the port value takes effect for all addresses
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafssonused by the server.</para>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson</entry>
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellington<entry colname = "1"><para><command>random-device</command></para></entry>
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellington<entry colname = "2"><para>
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian WellingtonThe source of entropy to be used by the server.  Entropy is primarily needed
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellingtonfor DNSSEC operations, such as TKEY transactions and dynamic update of signed
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellingtonzones.  This options specifies the device (or file) from which to read
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellingtonentropy.  If this is a file, operations requiring entropy will fail when the
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafssonfile has been exhausted.  If not specified, the default value is
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafsson<filename>/dev/random</filename>
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafsson(or equivalent) when present, and none otherwise.  The
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafsson<command>random-device</command> option takes effect during
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafssonthe initial configuration load at server startup time and
3c1f4ab13930983891dab785a6b8544a835c509eAndreas Gustafssonis ignored on subsequent reloads.</para>
a9ace786c98bc3c5fdc66870756aaee5bdb17a18Brian Wellington</entry>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson</row>
3dcb97b199693012d12e978b8f577a339e434361Andreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable> </para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="boolean_options"><title>Boolean Options</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "2" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.507in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.993in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>auth-nxdomain</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis always set on NXDOMAIN responses, even if the server is not actually
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceauthoritative. The default is <userinput>no</userinput>; this is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemay need to set it to <userinput>yes</userinput>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>deallocate-on-exit</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe checks.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>dialup</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>If <userinput>yes</userinput>, then the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver treats all zones as if they are doing zone transfers across
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea dial on demand dialup link, which can be brought up by traffic
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoriginating from this server. This has different effects according
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto zone type and concentrates the zone maintenance so that it all
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehappens in a short interval, once every <command>heartbeat-interval</command> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehopefully during the one call. It also suppresses some of the normal
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafssonzone maintenance traffic. The default is <userinput>no</userinput>.</para>
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafsson<para>The <command>dialup</command> option
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewsmay also be specified in the <command>view</command> and
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<command>zone</command> statements,
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafssonin which case it overrides the global <command>dialup</command>
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafssonoption.</para><para>If
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafssonthe zone is a master zone then the server will send out a NOTIFY request
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto all the slaves. This will trigger the zone serial number check
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the slave (providing it supports NOTIFY) allowing the slave to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceverify the zone while the connection is active.</para><para>If the
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafssonzone is a slave or stub zone, then the server will suppress the regular
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews"zone up to date" (refresh) queries and only perform them when the
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<command>heartbeat-interval</command> expires in addition to sending
0fc89c4ee660e825ac66774f2d4912cfc396386aMark AndrewsNOTIFY requests.</para><para>Finer control can be achieved by using
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafsson<userinput>notify</userinput> which only sends NOTIFY messages,
e205be0db3d8c7ad407371e0e844a80b6a9db48fAndreas Gustafsson<userinput>notify-passive</userinput> which sends NOTIFY messages and
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewssuppresses the normal refresh queries, <userinput>refresh</userinput>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewswhich suppresses normal refresh processing and send refresh queries
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewswhen the <command>heartbeat-interval</command> expires and
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews<userinput>passive</userinput> which just disables normal refresh
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewsprocessing.</para>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>fake-iquery</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>In <acronym>BIND</acronym> 8, this option was used to enable simulating
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe obsolete DNS query type IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>fetch-glue</command></para></entry>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<entry colname = "2"><para>This option is obsolete.
64291fce5a6b473c2b1df95ec190230fba024030Andreas GustafssonIn BIND 8, <userinput>fetch-glue yes</userinput>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssoncaused the server to attempt to fetch glue resource records it
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssondidn't have when constructing the additional
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssondata section of a response.  This is now considered a bad idea
cc831f51d59d11815253c404d0e30a3fa7a538abAndreas Gustafssonand BIND 9 never does it.</para>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>has-old-clients</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>This option was incorrectly implemented
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonin <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
64291fce5a6b473c2b1df95ec190230fba024030Andreas GustafssonTo achieve the intended effect
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<command>has-old-clients</command> <userinput>yes</userinput>, specify
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonthe two separate options <command>auth-nxdomain</command> <userinput>yes</userinput> and <command>rfc2308-type1</command> <userinput>no</userinput> instead.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>host-statistics</command></para></entry>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<entry colname = "2"><para>In BIND 8, this enables keeping of
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonstatistics for every host that the nameserver interacts with.
cc831f51d59d11815253c404d0e30a3fa7a538abAndreas GustafssonNot implemented in BIND 9.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>maintain-ixfr-base</command></para></entry>
317870a32f6dbdb197da37ab2a7b4df422940249Andreas Gustafsson<entry colname = "2"><para><emphasis>This option is obsolete</emphasis>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelog whenever possible.  If you need to disable outgoing incremental zone
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssontransfers, use <command>provide-ixfr</command> <userinput>no</userinput>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>multiple-cnames</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>This option was used in <acronym>BIND</acronym> 8 to allow
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea domain name to allow multiple CNAME records in violation of the
199268062f9c91340be67de8be99392dca373276Andreas GustafssonDNS standards.  <acronym>BIND</acronym> 9.1 always strictly
199268062f9c91340be67de8be99392dca373276Andreas Gustafssonenforces the CNAME rules both in master files and dynamic updates.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>notify</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>If <userinput>yes</userinput> (the default),
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNS NOTIFY messages are sent when a zone the server is authoritative for
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafssonchanges, see <xref linkend="notify"/>.  The messages are sent to the
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafssonservers listed in the zone's NS records (except the master server identified
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafssonin the SOA MNAME field), and to any servers listed in the
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson<command>also-notify</command> option.
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson</para><para>
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas GustafssonIf <userinput>explicit</userinput>, notifies are sent only to
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafssonservers explicitly listed using <command>also-notify</command>.
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas GustafssonIf <userinput>no</userinput>, no notifies are sent.
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson</para><para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe <command>notify</command> option may also be specified in the <command>zone</command> statement,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein which case it overrides the <command>options notify</command> statement.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIt would only be necessary to turn off this option if it caused slaves
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto crash<varname>.</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>recursion</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>If <userinput>yes</userinput>, and a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNS query requests recursion, then the server will attempt to do
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonall the work required to answer the query. If recursion is off
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonand the server does not already know the answer, it will return a
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonreferral response. The default is <userinput>yes</userinput>.
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas GustafssonNote that setting <command>recursion no;</command> does not prevent
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonclients from getting data from the server's cache; it only
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonprevents new data from being cached as an effect of client queries.
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas GustafssonCaching may still occur as an effect the server's internal
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonoperation, such as NOTIFY address lookups.
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas GustafssonSee also <command>fetch-glue</command> above.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>rfc2308-type1</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Setting this to <userinput>yes</userinput> will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecause the server to send NS records along with the SOA record for negative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceanswers. The default is <userinput>no</userinput>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    <simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>use-id-pool</command></para></entry>
317870a32f6dbdb197da37ab2a7b4df422940249Andreas Gustafsson<entry colname = "2"><para><emphasis>This option is obsolete</emphasis>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce <acronym>BIND</acronym> 9 always allocates query IDs from a pool.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyer<entry colname = "1"><para><command>zone-statistics</command></para></entry>
3ff9349f82300a2ea0241d4090d7b2c3c250dd4fAndreas Gustafsson<entry colname = "2"><para>If <userinput>yes</userinput>, the server will, by default, collect
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyerstatistical data on all zones in the server.  These statistics may be accessed
3ff9349f82300a2ea0241d4090d7b2c3c250dd4fAndreas Gustafssonusing <command>rndc stats</command>, which will dump them to the file listed
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonin the <command>statistics-file</command>.  See also <xref linkend="statsfile"/>.</para></entry>
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer</row>
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer<row rowsep = "0">
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafsson<entry colname = "1"><para><command>use-ixfr</command></para></entry>
a2984e1e5edface6d38d19dd968f8cd04c277a9aAndreas Gustafsson<entry colname = "2"><para></para><emphasis>This option is obsolete</emphasis>.
a2984e1e5edface6d38d19dd968f8cd04c277a9aAndreas GustafssonIf you need to disable IXFR to a particular server or servers see
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafssonthe information on the <command>provide-ixfr</command> option
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafssonin <xref linkend="server_statement_definition_and_usage"/>. See also
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafsson<xref linkend="incremental_zone_transfers"/>.</entry>
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafsson</row>
f83520a3d87dfd32cd0b8cecc5fd2c3ae71767b6Andreas Gustafsson<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>treat-cr-as-space</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>This option was used in <acronym>BIND</acronym> 8 to make
450025a0d1a279a0fdb400764c6baa876bad9d5eAndreas Gustafssonthe server treat carriage return ("<command>\r</command>") characters the same way
450025a0d1a279a0fdb400764c6baa876bad9d5eAndreas Gustafssonas a space or tab character,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto facilitate loading of zone files on a UNIX system that were generated
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand NT/DOS "<command>\r\n</command>" newlines are always accepted,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand the option is ignored.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>min-refresh-time</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>max-refresh-time</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>min-retry-time</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>max-retry-time</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThese options control the server's behavior on refreshing a zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(querying for SOA changes) or retrying failed transfers.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUsually the SOA values for the zone are used, but these values
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare set by the master, giving slave server administrators little
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecontrol over their contents.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para><para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThese options allow the administrator to set a minimum and maximum
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerefresh and retry time either per-zone, per-view, or per-server.
b4d70507caf8e4f1b2c2b705a4f3966b89b88ac4Andreas GustafssonThese options are valid for master, slave and stub zones, and clamp the SOA
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerefresh and retry times to the specified values.
d4c0286eff2600347a571c4c1c345b58bf2267b6Andreas Gustafsson</para>
d4c0286eff2600347a571c4c1c345b58bf2267b6Andreas Gustafsson</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff<row rowsep = "0">
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff<entry colname = "1">
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff<para><command>additional-from-auth</command></para>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff<para><command>additional-from-cache</command></para>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</entry>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff<entry colname = "2"><para>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael GraffThese options control the server's behavior when answering queries
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffwhich have additional data, or when following CNAME and DNAME
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffchains to provide additional data.
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</para><para>
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas GustafssonWhen both of these options are set to <userinput>yes</userinput>
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafsson(the default) and a
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffquery is being answered from authoratitive data (a zone
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonconfigured into the server), the additional data section of the
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffreply will be filled in using data from other authoratitive zones
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonand from the cache.  In some situations this is undesirable, such
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonas when there is concern over the correctness of the cache, or in
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonin servers where slave zones may be added and modified by
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonuntrusted third parties.  Also, avoiding
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffthe search for this additional data will speed up server operations
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffat the possible expense of additional queries to resolve what would
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graffotherwise be provided in the additional section.
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</para><para>
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas GustafssonFor example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonand the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonrecords (A, A6, and AAAA) for <literal>mail.example.net</literal> will be provided as well,
6ce3f0408e8f614d5af2991c6211863d8666bd52Andreas Gustafssonif known.  These options disable this behavior.
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</para>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</entry>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff</row>
ecc1defdac67526f7b241dc5f250f9924c1e5b97Michael Graff
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Forwarding</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The forwarding facility can be used to create a large site-wide
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecache on a few servers, reducing traffic over links to external
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenameservers. It can also be used to allow queries by servers that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedo not have direct access to the Internet, but wish to look up exterior
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenames anyway. Forwarding occurs only on those queries for which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe server is not authoritative and does not have the answer in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceits cache.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.973in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.527in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>forward</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>This option is only meaningful if the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceforwarders list is not empty. A value of <varname>first</varname>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe default, causes the server to query the forwarders first, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif that doesn't answer the question the server will then look for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe answer itself. If <varname>only</varname> is specified, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver will only query the forwarders.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>forwarders</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies the IP addresses to be used
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor forwarding. The default is the empty list (no forwarding).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Forwarding can also be configured on a per-domain basis, allowing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor the global forwarding options to be overridden in a variety
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof ways. You can set particular domains to use different forwarders,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor have a different <command>forward only/first</command> behavior,
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luceor not forward at all, see <xref linkend="zone_statement_grammar"/>.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="access_control"><title>Access Control</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Access to the server can be restricted based on the IP address
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luceof the requesting system. See <xref linkend="address_match_lists"/> for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedetails on how to specify IP address lists.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.125in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<entry colname = "1"><para><command>allow-notify</command></para></entry>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<entry colname = "2"><para>Specifies which hosts are allowed to
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrencenotify slaves of a zone change in addition to the zone masters.
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>allow-notify</command> may also be specified in the
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>zone</command> statement, in which case it overrides the
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>options allow-notify</command> statement.  It is only meaningful
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrencefor a slave zone.  If not specified, the default is to process notify messages
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrenceonly from a zone's master.</para></entry>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence</row>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>allow-query</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies which hosts are allowed to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceask ordinary questions. <command>allow-query</command> may also
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe specified in the <command>zone</command> statement, in which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecase it overrides the <command>options allow-query</command> statement. If
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenot specified, the default is to allow queries from all hosts.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>allow-recursion</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies which hosts are allowed to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemake recursive queries through this server. If not specified, the
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssondefault is to allow recursive queries from all hosts.
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas GustafssonNote that disallowing recursive queries for a host does not prevent the
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafssonhost from retrieving data that is already in the server's cache.
7beb4ba7ef8bff55974b4ed6d59bdf4f4712c623Andreas Gustafsson</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<row rowsep = "0">
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<entry colname = "1"><para><command>allow-v6-synthesis</command></para></entry>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<entry colname = "2"><para>Specifies which hosts are to receive
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonsynthetic responses to IPv6 queries as described in
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<xref linkend="synthesis"/>.
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson</para></entry>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson</row>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>allow-transfer</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies which hosts are allowed to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucereceive zone transfers from the server. <command>allow-transfer</command> may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucealso be specified in the <command>zone</command> statement, in which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecase it overrides the <command>options allow-transfer</command> statement.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf not specified, the default is to allow transfers from all hosts.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>blackhole</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies a list of addresses that the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceserver will not accept queries from or use to resolve a query. Queries
a99166d1bf49e1a4962d77a648ed246f904ddf30Brian Wellingtonfrom these addresses will not be responded to. The default is <userinput>none</userinput>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Interfaces</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The interfaces and ports that the server will answer queries
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefrom may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean optional port, and an <varname>address_match_list</varname>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe server will listen on all interfaces allowed by the address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucematch list. If a port is not specified, port 53 will be used.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Multiple <command>listen-on</command> statements are allowed.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceFor example,</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>listen-on { 5.6.7.8; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelisten-on port 1234 { !1.2.3.4; 1.2/16; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>will enable the nameserver on port 53 for the IP address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        5.6.7.8, and on port 1234 of an address on the machine in net
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        1.2 that is not 1.2.3.4.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>If no <command>listen-on</command> is specified, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        server will listen on port 53 on all interfaces.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>The <command>listen-on-v6</command> option is used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        specify the ports on which the server will listen for incoming
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        queries sent using IPv6.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>The server does not bind a separate socket to each IPv6
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        interface address as it does for IPv4. Instead, it always
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        listens on the IPv6 wildcard address. Therefore, the only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        values allowed for the <varname>address_match_list</varname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        argument to the <command>listen-on-v6</command> statement are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <programlisting>{ any; }</programlisting> and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <programlisting>{ none;}</programlisting></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>Multiple <command>listen-on-v6</command> options can be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        used to listen on multiple ports:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>listen-on-v6 port 53 { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelisten-on-v6 port 1234 { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>To make the server not listen on any IPv6 address, use</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>listen-on-v6 { none; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<para>If no <command>listen-on-v6</command> statement is specified,
f62e3d42eeedabf9c7642f16c6cda4d2f8df66bfBrian Wellingtonthe server will not listen on any IPv6 address.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Query Address</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If the server doesn't know the answer to a question, it will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucequery other nameservers. <command>query-source</command> specifies
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe address and port used for such queries. For queries sent over
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIPv6, there is a separate <command>query-source-v6</command> option.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce If <command>address</command> is <command>*</command> or is omitted,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea wildcard IP address (<command>INADDR_ANY</command>) will be used.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf <command>port</command> is <command>*</command> or is omitted,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea random unprivileged port will be used. The defaults are</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>query-source address * port *;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucequery-source-v6 address * port *
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>query-source</command> currently applies only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto UDP queries; TCP queries always use a wildcard IP address and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea random unprivileged port.</para></note></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="zone_transfers"><title>Zone Transfers</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand set limits on the amount of load that transfers place on the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesystem. The following options apply to zone transfers.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>also-notify</command></para></entry>
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson<entry colname = "2"><para>Defines a global list of IP addresses of name servers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat are also sent NOTIFY messages whenever a fresh copy of the
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafssonzone is loaded, in addition to the servers listed in the zone's NS records.
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas GustafssonThis helps to ensure that copies of the zones will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucequickly converge on stealth servers. If an <command>also-notify</command> list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis given in a <command>zone</command> statement, it will override
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe <command>options also-notify</command> statement. When a <command>zone notify</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenot be sent NOTIFY messages for that zone. The default is the empty
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelist (no global notification list).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-time-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Inbound zone transfers running longer than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethis many minutes will be terminated. The default is 120 minutes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(2 hours).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-idle-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Inbound zone transfers making no progress
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein this many minutes will be terminated. The default is 60 minutes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(1 hour).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-time-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Outbound zone transfers running longer than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethis many minutes will be terminated. The default is 120 minutes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(2 hours).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-idle-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Outbound zone transfers making no progress
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Lucein this many minutes will be terminated.  The default is 60 minutes (1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehour).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>serial-queries</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Slave servers will periodically query master
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceservers to find out if zone serial numbers have changed. Each such
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucequery uses a minute amount of the slave server's network bandwidth,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebut more importantly each query uses a small amount of memory in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe slave server while waiting for the master server to respond.
64291fce5a6b473c2b1df95ec190230fba024030Andreas GustafssonIn BIND 8, the <command>serial-queries</command> option set the maximum number
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof concurrent serial-number queries allowed to be outstanding at
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonany given time.  BIND 9 does not limit the number of outstanding
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonserial queries and ignores the The <command>serial-queries</command> option;
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssoninstead, it limits the rate at which the queries are sent.
64291fce5a6b473c2b1df95ec190230fba024030Andreas GustafssonThe maximum rate is currently fixed at 20 queries
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonper second but may become configurable in a future release.
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfer-format</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The server supports two zone transfer methods. <command>one-answer</command> uses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceone DNS message per resource record transferred. <command>many-answers</command> packs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas many resource records as possible into a message. <command>many-answers</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemore efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce8.x and patched versions of <acronym>BIND</acronym> 4.9.5. The default is <command>many-answers</command>. <command>transfer-format</command> may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe overridden on a per-server basis by using the <command>server</command> statement.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfers-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of inbound zone transfers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat can be running concurrently. The default value is <literal>10</literal>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIncreasing <command>transfers-in</command> may speed up the convergence
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof slave zones, but it also may increase the load on the local system.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfers-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of outbound zone transfers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat can be running concurrently. Zone transfer requests in excess
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the limit will be refused. The default value is <literal>10</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfers-per-ns</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of inbound zone transfers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat can be concurrently transferring from a given remote nameserver.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespeed up the convergence of slave zones, but it also may increase
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe load on the remote nameserver. <command>transfers-per-ns</command> may
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe overridden on a per-server basis by using the <command>transfers</command> phrase
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the <command>server</command> statement.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfer-source</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><command>transfer-source</command> determines
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich local address will be bound to IPv4 TCP connections used to
04c22ceaf2d3812eaab69d79958d0e0d62048cd2Mark Andrewsfetch zones transferred inbound by the server.  It also determines
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonthe source IPv4 address, and optionally the UDP port, used for the
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonrefresh queries and forwarded dynamic updates.  If not set, it defaults
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto a system controlled value which will usually be the address of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe interface "closest to" the remote end. This address must appear
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the remote end's <command>allow-transfer</command> option for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe zone being transferred, if one is specified. This statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesets the <command>transfer-source</command> for all zones, but can
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonbe overridden on a per-view or per-zone basis by including a
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>transfer-source</command> statement within the
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>view</command> or <command>zone</command> block
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the configuration file.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfer-source-v6</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The same as <command>transfer-source</command>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexcept zone transfers are performed using IPv6.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<row rowsep = "0">
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<entry colname = "1"><para><command>notify-source</command></para></entry>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<entry colname = "2"><para><command>notify-source</command> determines
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonwhich local source address, and optionally UDP port, will be used to
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonsend NOTIFY messages.
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas GustafssonThis address must appear in the slave server's <command>masters</command>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrencezone clause or in an <command>allow-notify</command> clause.
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark AndrewsThis statement sets the <command>notify-source</command> for all zones,
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrewsbut can be overridden on a per-zone / per-view basis by including a
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<command>notify-source</command> statement within the <command>zone</command>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonor <command>view</command> block in the configuration file.</para></entry>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews</row>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<row rowsep = "0">
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<entry colname = "1"><para><command>notify-source-v6</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "2"><para>Like <command>notify-source</command>,
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafssonbut applies to notify messages sent to IPv6 addresses.</para></entry>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </tgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Resource Limits</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>The server's usage of many system resources can be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        limited.  Some operating systems don't support some of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        limits. On such systems, a warning will be issued if the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        unsupported limit is used. Some operating systems don't
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        support limiting resources.</para> <para>Scaled values are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        allowed when specifying resource limits.  For example,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <command>1G</command> can be used instead of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <command>1073741824</command> to specify a limit of one
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        gigabyte. <command>unlimited</command> requests unlimited use,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        or the maximum available amount. <command>default</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        uses the limit that was in force when the server was
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        started. See the description of <command>size_spec</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        in <xref linkend="configuration_file_elements"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.500in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>coresize</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum size of a core dump. The default
8a7a714726a70b5b27a8bb23cc7addf58a4888b6David Lawrenceis <literal>default</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>datasize</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum amount of data memory the server
8a7a714726a70b5b27a8bb23cc7addf58a4888b6David Lawrencemay use. The default is <literal>default</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>files</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of files the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemay have open concurrently. The default is <literal>unlimited</literal>.
8a7a714726a70b5b27a8bb23cc7addf58a4888b6David Lawrence</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-ixfr-log-size</command></para></entry>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<entry colname = "2"><para>This option is obsolete; it is accepted
cc831f51d59d11815253c404d0e30a3fa7a538abAndreas Gustafssonand ignored for BIND 8 compatibility.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>recursive-clients</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of simultaneous recursive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelookups the server will perform on behalf of clients.  The default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis <literal>1000</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>stacksize</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum amount of stack memory the server
8a7a714726a70b5b27a8bb23cc7addf58a4888b6David Lawrencemay use. The default is <literal>default</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>tcp-clients</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The maximum number of simultaneous client TCP
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconnections that the server will accept. The default is <literal>100</literal>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Resource limits are not yet implemented in <acronym>BIND</acronym> 9.</para></note></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Periodic Task Intervals</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>cleaning-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The server will remove expired resource records
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefrom the cache every <command>cleaning-interval</command> minutes.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe default is 60 minutes.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf set to 0, no  periodic cleaning will occur.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>heartbeat-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The server will perform zone maintenance tasks
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewsfor all zones marked as <command>dialup</command> whenever this
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinterval expires. The default is 60 minutes. Reasonable values are up
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrewsto 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>interface-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The server will scan the network interface list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceevery <command>interface-interval</command> minutes. The default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis 60 minutes. If set to 0, interface scanning will only occur when
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe configuration file is  loaded. After the scan, listeners will be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestarted on any new interfaces (provided they are allowed by the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>listen-on</command> configuration). Listeners on interfaces
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat have gone away will be cleaned up.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>statistics-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Nameserver statistics will be logged
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceevery <command>statistics-interval</command> minutes. The default is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce60. If set to 0, no statistics will be logged.</para><note>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="topology"><title>Topology</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>All other things being equal, when the server chooses a nameserver
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto query from a list of nameservers, it prefers the one that is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetopologically closest to itself. The <command>topology</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetakes an <command>address_match_list</command> and interprets it
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein a special way. Each top-level list element is assigned a distance.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceNon-negated elements get a distance based on their position in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelist, where the closer the match is to the start of the list, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceshorter the distance is between it and the server. A negated match
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill be assigned the maximum distance from the server. If there
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis no match, the address will get a distance which is further than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceany non-negated list element, and closer than any negated element.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceFor example,</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>topology {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    10/8;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    !1.2.3/24;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { 1.2/16; 3/8; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>will prefer servers on network 10 the most, followed by hosts
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexception of hosts on network 1.2.3 (netmask 255.255.255.0), which
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis preferred least of all.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The default topology is</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>    topology { localhost; localnets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<note><simpara>The <command>topology</command> option
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3 id="the_sortlist_statement">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>The <command>sortlist</command> Statement</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Resource Records (RRs) are the data associated with the names
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein a  domain name space. The data is maintained in the form of sets
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof RRs. The order of RRs in a set is, by default, not significant.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceTherefore, to control the sorting of records in a set of resource
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerecords, or <varname>RRset</varname>, you must use the <command>sortlist</command> statement.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>RRs are explained more fully in <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                                                    linkend="types_of_resource_records_and_when_to_use_them"/>. Specifications for RRs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare documented in RFC 1035.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When returning multiple RRs the nameserver will normally return
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonthem in <varname>Round Robin</varname> order,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat is, after each request the first RR is put at the end of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelist. The client resolver code should rearrange the RRs as appropriate,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat is, using any addresses on the local net in preference to other addresses.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceHowever, not all resolvers can do this or are correctly configured.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceWhen a client is using a local server the sorting can be performed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the server, based on the client's address. This only requires
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconfiguring the nameservers, not all the clients.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>sortlist</command> statement (see below) takes
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonan <command>address_match_list</command> and interprets it even
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemore specifically than the <command>topology</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedoes (<xref linkend="topology"/>). Each top level statement in the <command>sortlist</command> must
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceitself be an explicit <command>address_match_list</command> with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceone or two elements. The first element (which may be an IP address,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean IP prefix, an ACL name or a nested <command>address_match_list</command>)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof each top level list is checked against the source address of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe query until a match is found.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Once the source address of the query has been matched, if
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe top level statement contains only one element, the actual primitive
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceelement that matched the source address is used to select the address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the response to move to the beginning of the response. If the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestatement is a list of two elements, then the second element is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetreated the same as the <command>address_match_list</command> in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea <command>topology</command> statement. Each top level element
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis assigned a distance and the address in the response with the minimum
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedistance is moved to the beginning of the response.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In the following example, any queries received from any of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe addresses of the host itself will get responses preferring addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon any of the locally connected networks. Next most preferred are addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon the 192.168.1/24 network, and after that either the 192.168.2/24
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce192.168.3/24 network with no preference shown between these two
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetworks. Queries received from a host on the 192.168.1/24 network
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill prefer other addresses on that network to the 192.168.2/24
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce192.168.3/24 networks. Queries received from a host on the 192.168.4/24
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor the 192.168.5/24 network will only prefer other addresses on
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetheir directly connected networks.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>sortlist {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { localhost;                   // IF   the local host
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        { localnets;                   // THEN first fit on the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            192.168.1/24;              //   following nets
7443fb7d9258a7473b601a462d948a8cb2e701c5Andreas Gustafsson            { 192.168.2/24; 192.168.3/24; }; }; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { 192.168.1/24;                // IF   on class C 192.168.1
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        { 192.168.1/24;                // THEN use .1, or .2 or .3
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            { 192.168.2/24; 192.168.3/24; }; }; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { 192.168.2/24;                // IF   on class C 192.168.2
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        { 192.168.2/24;                // THEN use .2, or .1 or .3
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            { 192.168.1/24; 192.168.3/24; }; }; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { 192.168.3/24;                // IF   on class C 192.168.3
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        { 192.168.3/24;                // THEN use .3, or .1 or .2
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            { 192.168.1/24; 192.168.2/24; }; }; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    { { 192.168.4/24; 192.168.5/24; };         // if .4 or .5, prefer that net
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The following example will give reasonable behavior for the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelocal host and hosts on directly connected networks. It is similar
b4ecb028d9df9b29613c0f9b08f6e242eaf421e0Andreas Gustafssonto the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto queries from the local host will favor any of the directly connected
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetworks. Responses sent to queries from any other hosts on a directly
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconnected network will prefer addresses on that same network. Responses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto other queries will not be sorted.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>sortlist {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce           { localhost; localnets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce           { localnets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<note><simpara>The <command>sortlist</command> option
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>When multiple records are returned in an answer it may be
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuseful to configure the order of the records placed into the response.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceFor example, the records for a zone might be configured always to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe returned in the order they are defined in the zone file. Or perhaps
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea random shuffle of the records as they are returned is wanted.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe <command>rrset-order</command> statement permits configuration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the ordering made of the records in a multiple record response.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceThe default, if no ordering is defined, is a cyclic ordering (round
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerobin).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>An <command>order_spec</command> is defined as follows:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      order <replaceable>ordering</replaceable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If no class is specified, the default is <command>ANY</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf no type is specified, the default is <command>ANY</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf no name is specified, the default is "<command>*</command>".</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The legal values for <command>ordering</command> are:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>fixed</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Records are returned in the order they
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare defined in the zone file.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>random</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Records are returned in some random order.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>cyclic</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Records are returned in a round-robin
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceorder.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>rrset-order {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   class IN type A name "host.example.com" order random;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce   order cyclic;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>will cause any responses for type A records in class IN that
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonhave "<literal>host.example.com</literal>" as a suffix, to always be returned
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein random order. All other records are returned in cyclic order.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If multiple <command>rrset-order</command> statements appear,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethey are not combined-the last one applies.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If no <command>rrset-order</command> statement is specified,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethen a default one of:
90168d6aae2ab84a0880afb761be5ebfedc2260dBrian Wellington<programlisting>rrset-order { class ANY type ANY name "*" order cyclic ; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis used.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<note><simpara>The <command>rrset-order</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect3>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<sect3 id="synthesis"><title>Synthetic IPv6 responses</title>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<para>Many existing stub resolvers support IPv6 DNS lookups as defined in
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonRFC1886, using AAAA records for forward lookups and "nibble labels" in
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonthe <literal>ip6.int</literal> domain for reverse lookups, but do not support
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonRFC2874-style lookups (using A6 records and binary labels in the
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<literal>ip6.arpa</literal> domain).</para>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<para>For those who wish to continue to use such stub resolvers rather than
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonswitching to the BIND 9 lightweight resolver, BIND 9 provides a way
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonto automatically convert RFC1886-style lookups into
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonRFC2874-style lookups and return the results as "synthetic" AAAA and
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonPTR records.</para>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<para>This feature is disabled by default and can be enabled on a per-client
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonbasis by adding a
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<command>allow-v6-synthesis { <replaceable>address_match_list</replaceable> };</command>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonclause to the <command>options</command> or <command>view</command> statement.
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson When it is enabled, recursive
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonAAAA queries cause the server to first try an A6 lookup and if that
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonfails, an AAAA lookups.  No matter which one succeeds, the results are
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonreturned as a set of synthetic AAAA records.  Similarly, recursive PTR
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonqueries in <literal>ip6.int</literal> will cause a
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonlookup in <literal>ip6.arpa</literal> using binary
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonlabels, and if that fails, another lookup in <literal>ip6.int</literal>.
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas GustafssonThe results are returned as a synthetic PTR record in
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<literal>ip6.int</literal>.</para>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson<para>The synthetic records have a TTL of zero.  DNSSEC validation of
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssonsynthetic responses is not currently supported; therefore responses
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafssoncontaining synthetic RRs will not have the AD flag set.</para>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson</sect3>
576f85e5fdb8805307f318db79dfc0d19e390d1aAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="tuning"><title>Tuning</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.250in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.250in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>lame-ttl</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Sets the number of seconds to cache a
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Lucelame server indication. 0 disables caching. (This is
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce<emphasis role="bold">NOT</emphasis> recommended.)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDefault is <literal>600</literal> (10 minutes). Maximum value is
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce<literal>1800</literal> (30 minutes).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-ncache-ttl</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>To reduce network traffic and increase performance
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe server stores negative answers. <command>max-ncache-ttl</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused to set a maximum retention time for these answers in the server
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein seconds. The default
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>max-ncache-ttl</command> cannot exceed 7 days and will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe silently truncated to 7 days if set to a greater value.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-cache-ttl</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><command>max-cache-ttl</command> sets
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe maximum time for which the server will cache ordinary (positive)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceanswers. The default is one week (7 days).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>min-roots</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The minimum number of root servers that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis required for a request for the root servers to be accepted. Default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis <userinput>2</userinput>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                    <simpara>Not yet implemented in <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce9.</simpara></note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>sig-validity-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Specifies the number of days into the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefuture when DNSSEC signatures automatically generated as a result
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof dynamic updates (<xref linkend="dynamic_update"/>)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill expire. The default is <literal>30</literal> days. The signature
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceinception time is unconditionally set to one hour before the current time
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto allow for a limited amount of clock skew.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></sect3>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<sect3 id="statsfile">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson        <title>The Statistics File</title>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<para>The statistics file generated by <acronym>BIND</acronym> 9
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonis similar, but not identical, to that
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssongenerated by <acronym>BIND</acronym> 8.
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</para>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<para>The statistics dump begins with the line <command>+++ Statistics Dump
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson+++ (973798949)</command>, where the number in parentheses is a standard
87a6678320892395c9f17154085f73e1b86f2ecfAndreas GustafssonUnix-style timestamp, measured as seconds since January 1, 1970.  Following
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonthat line are a series of lines containing a counter type, the value of the
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssoncounter, optionally a zone name, and optionally a view name.
87a6678320892395c9f17154085f73e1b86f2ecfAndreas GustafssonThe lines without view and zone listed are global statistics for the entire server.
87a6678320892395c9f17154085f73e1b86f2ecfAndreas GustafssonLines with a zone and view name for the given view and zone (the view name is
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonomitted for the default view).  The statistics dump ends
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonwith the line <command>--- Statistics Dump --- (973798949)</command>, where the
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonnumber is identical to the number in the beginning line.</para>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<para>The following statistics counters are maintained:</para>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<informaltable
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson    colsep = "0" rowsep = "0"><tgroup cols = "2"
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<tbody>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>success</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number of
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonsuccessful queries made to the server or zone.  A successful query
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonis defined as query which returns a NOERROR response other than
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssona referral response.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>referral</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number of queries which resulted
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonin referral responses.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>nxrrset</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number of queries which resulted in
87a6678320892395c9f17154085f73e1b86f2ecfAndreas GustafssonNOERROR responses with no data.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>nxdomain</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonof queries which resulted in NXDOMAIN responses.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>recursion</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number of queries which caused the server
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonto perform recursion in order to find the final answer.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson><row rowsep = "0">
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "1"><para><command>failure</command></para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<entry colname = "2"><para>The number of queries which resulted in a
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonfailure response other than those above.</para></entry>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</row>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</tbody>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</tgroup></informaltable>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="server_statement_grammar">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title><command>server</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceStatement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>server <replaceable>ip_addr</replaceable> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfers <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2 id="server_statement_definition_and_usage"><title><command>server</command> Statement Definition
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>server</command> statement defines the characteristics
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be associated with a remote nameserver.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If you discover that a remote server is giving out bad data,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemarking it as bogus will prevent further queries to it. The default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevalue of <command>bogus</command> is <command>no</command>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>provide-ixfr</command> clause determines whether
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe local server, acting as master, will respond with an incremental
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone transfer when the given remote server, a slave, requests it.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf set to <command>yes</command>, incremental transfer will be provided
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhenever possible. If set to <command>no</command>, all transfers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto the remote server will be nonincremental. If not set, the value
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonof the <command>provide-ixfr</command> option in the global options block
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis used as a default.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>request-ixfr</command> clause determines whether
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe local server, acting as a slave, will request incremental zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetransfers from the given remote server, a master. If not set, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevalue of the <command>request-ixfr</command> option in the global
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions block is used as a default.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>IXFR requests to servers that do not support IXFR will automatically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefall back to AXFR.  Therefore, there is no need to manually list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich servers support IXFR and which ones do not; the global default
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof <command>yes</command> should always work. The purpose of the <command>provide-ixfr</command> and <command>request-ixfr</command> clauses is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto make it possible to disable the use of IXFR even when both master
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand slave claim to support it, for example if one of the servers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis buggy and crashes or corrupts data when IXFR is used.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuses one DNS message per resource record transferred. <command>many-answers</command> packs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas many resource records as possible into a message. <command>many-answers</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemore efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonto use for a server with the <command>transfer-format</command> option.
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas GustafssonIf <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby the <command>options</command> statement will be used.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>transfers</command> is used to limit the number of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconcurrent inbound zone transfers from the specified server. If
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceno <command>transfers</command> clause is specified, the limit is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceset according to the <command>transfers-per-ns</command> option.</para>
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<para>The <command>keys</command> clause is used to identify a <command>key_id</command> defined
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby the <command>key</command> statement, to be used for transaction
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesecurity when talking to the remote server. The <command>key</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemust come before the <command>server</command> statement that references
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit. When a request is sent to the remote server, a request signature
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewill be generated using the key specified here and appended to the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemessage. A request originating from the remote server is not required
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be signed by this key.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Although the grammar of the <command>keys</command> clause
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceallows for multiple keys, only a single key per server is currently
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesupported.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><command>trusted-keys</command> Statement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>trusted-keys {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><command>trusted-keys</command> Statement Definition
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>trusted-keys</command> statement defines DNSSEC
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesecurity roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone is known, but cannot be securely obtained through DNS, either
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebecause it is the  DNS root zone or its parent zone is unsigned.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceOnce a key has been configured as a trusted key, it is treated as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif it had been validated and proven secure. The resolver attempts
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNSSEC validation on all DNS data in subdomains of a security root.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>trusted-keys</command> statement can contain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemultiple key entries, each consisting of the key's domain name,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceflags, protocol, algorithm, and the base-64 representation of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucekey data.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><command>view</command> Statement Grammar</title>
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafsson<programlisting>view <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      match-clients { <replaceable>address_match_list</replaceable> } ;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <optional> <replaceable>view_option</replaceable>; ...</optional>
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyer      <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <optional> <replaceable>zone_statement</replaceable>; ...</optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><command>view</command> Statement Definition and Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>view</command> statement is a powerful new feature
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedepending on who is asking. It is particularly useful for implementing
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesplit DNS setups without having to run multiple servers.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Each <command>view</command> statement defines a view of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNS namespace that will be seen by those clients whose IP addresses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucematch the <varname>address_match_list</varname> of the view's <command>match-clients</command> clause.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce The order of the <command>view</command> statements is significant-a
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonclient query will be resolved in the context of the first <command>view</command> whose <command>match-clients</command> list
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucematches the client's IP address.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Zones defined within a <command>view</command> statement will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe only be accessible to clients that match the <command>view</command>.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce By defining a zone of the same name in multiple views, different
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone data can be given to different clients, for example, "internal"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand "external" clients in a split DNS setup.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Many of the options given in the <command>options</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecan also be used within a <command>view</command> statement, and then
49d614accdb250389daa2805d2c096ec53932c14Brian Wellingtonapply only when resolving queries with that view.  When no view-specific
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucevalue is given, the value in the <command>options</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis used as a default.  Also, zone options can have default values specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the <command>view</command> statement; these view-specific defaults
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetake precedence over those in the <command>options</command> statement. </para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Views are class specific.  If no class is given, class IN
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonis assumed.  Note that all non-IN views must contain a hint zone,
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonsince only the IN class has compiled-in default hints.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If there are no <command>view</command> statements in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconfig file, a default view that matches any client is automatically
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecreated in class IN, and any <command>zone</command> statements
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecified on the top level of the configuration file are considered
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be part of this default view.  If any explicit <command>view</command> statements
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare present, all <command>zone</command> statements must occur inside <command>view</command> statements.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Here is an example of a typical split DNS setup implemented
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceusing <command>view</command> statements.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>view "internal" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // This should match our internal networks.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      match-clients { 10.0.0.0/8; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // Provide recursive service to internal clients only.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      recursion yes;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // Provide a complete view of the example.com zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // including addresses of internal hosts.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      zone "example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            file "example-internal.db";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceview "external" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      match-clients { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // Refuse recursive service to external clients.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      recursion no;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // Provide a restricted view of the example.com zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce               // containing only publicly accessible hosts.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      zone "example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce           type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce           file "example-external.db";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2 id="zone_statement_grammar"><title><command>zone</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceStatement Grammar</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    type ( master | slave | hint | stub | forward ) ;
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence    <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafsson    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
0fc89c4ee660e825ac66774f2d4912cfc396386aMark Andrews    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> file <replaceable>string</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> ; <optional> <replaceable>ip_addr</replaceable> ; <optional>...</optional></optional></optional> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
65e8f6477f63fd947279de6c838764363c3cc610Andreas Gustafsson    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional>; <optional>...</optional> } ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
fda549f6c3f5b4599e30b3c366fd3ba82a3cc8ddAndreas Gustafsson    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
04c22ceaf2d3812eaab69d79958d0e0d62048cd2Mark Andrews    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
04c22ceaf2d3812eaab69d79958d0e0d62048cd2Mark Andrews    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyer    <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
e54683130c25e85ab63dde3e8d14578a59479825Brian Wellington    <optional> database <replaceable>string</replaceable> ; </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce}</optional>;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><command>zone</command> Statement Definition and Usage</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Zone Types</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>master</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The server has a master copy of the data
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor the zone and will be able to provide authoritative answers for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceit.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>slave</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A slave zone is a replica of a master
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonzone. The <command>masters</command> list specifies one or more IP addresses
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonof master servers that the slave contacts to update its copy of the zone.
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas GustafssonBy default, transfers are made from port 53 on the servers; this can
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonbe changed for all servers by specifying a port number before the
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonlist of IP addresses, or on a per-server basis after the IP address.
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid LawrenceAuthentication to the master can also be done with per-server TSIG keys.
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas GustafssonIf a file is specified, then the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucereplica will be written to this file whenever the zone is changed,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand reloaded from this file on a server restart. Use of a file is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerecommended, since it often speeds server start-up and eliminates
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea needless waste of bandwidth. Note that for large numbers (in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetens or hundreds of thousands) of zones per server, it is best to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuse a two level naming scheme for zone file names. For example,
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona slave server for the zone <literal>example.com</literal> might place
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe zone contents into a file called
54cd4dbd0121796e55431c548318fdbdc64b432eAndreas Gustafsson<filename>ex/example.com</filename> where <filename>ex/</filename> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucejust the first two letters of the zone name. (Most operating systems
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebehave very slowly if you put 100K files into a single directory.)</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>stub</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A stub zone is similar to a slave zone,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexcept that it replicates only the NS records of a master zone instead
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the entire zone. Stub zones are not a standard part of the DNS;
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonthey are a feature specific to the <acronym>BIND</acronym> implementation.
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson</para>
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson<para>Stub zones can be used to eliminate the need for glue NS record
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonin a parent zone at the expense of maintaining a stub zone entry and
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssona set of name server addresses in <filename>named.conf</filename>.
af1e80226040347e609a8942fe584ec4c27dbffcAndreas GustafssonThis usage is not recommended for new configurations, and BIND 9
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonsupports it only in a limited way.
af1e80226040347e609a8942fe584ec4c27dbffcAndreas GustafssonIn <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonincluded the NS records from stub children of that zone. This meant
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonthat, in some cases, users could get away with configuring child stubs
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssononly in the master server for the parent zone. <acronym>BIND</acronym>
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson9 never mixes together zone data from different zones in this
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonway. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonzone has child stub zones configured, all the slave servers for the
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonparent zone also need to have the same child stub zones
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonconfigured.</para>
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson<para>Stub zones can also be used as a way of forcing the resolution
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonof a given domain to use a particular set of authoritative servers.
af1e80226040347e609a8942fe584ec4c27dbffcAndreas GustafssonFor example, the caching name servers on a private network using
af1e80226040347e609a8942fe584ec4c27dbffcAndreas GustafssonRFC2157 addressing may be configured with stub zones for
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson<literal>10.in-addr.arpa</literal>
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonto use a set of internal name servers as the authoritative
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafssonservers for that domain.</para>
af1e80226040347e609a8942fe584ec4c27dbffcAndreas Gustafsson</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>forward</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>A "forward zone" is a way to configure
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceforwarding on a per-domain basis.  A <command>zone</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich will apply to queries within the domain given by the zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename. If no <command>forwarders</command> statement is present or
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean empty list for <command>forwarders</command> is given, then no
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceforwarding will be done for the domain, cancelling the effects of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceany forwarders in the <command>options</command> statement. Thus
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif you want to use this type of zone to change the behavior of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceglobal <command>forward</command> option (that is, "forward first
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto", then "forward only", or vice versa, but want to use the same
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceservers as set globally) you need to respecify the global forwarders.</para>
a99166d1bf49e1a4962d77a648ed246f904ddf30Brian Wellington</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>hint</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The initial set of root nameservers is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecified using a "hint zone". When the server starts up, it uses
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe root hints to find a root nameserver and get the most recent
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelist of root nameservers. If no hint zone is specified for class
93f40401c890df4e131cd832c8bc7f261f159377Andreas GustafssonIN, the server uses a compiled-in default set of root servers hints.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceClasses other than IN have no built-in defaults hints.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Class</title>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>The zone's name may optionally be followed by a class. If
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssona class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonis assumed. This is correct for the vast majority of cases.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <literal>hesiod</literal> class is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenamed for an information service from MIT's Project Athena. It is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused to share information about various systems databases, such
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceas users, groups, printers and so on. The keyword
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<literal>HS</literal> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea synonym for hesiod.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Another MIT development is CHAOSnet, a LAN protocol created
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Zone Options</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                       rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.653in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.847in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <tbody>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence              <row rowsep = "0">
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence                <entry colname = "1"><para><command>allow-notify</command></para></entry>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence                <entry colname = "2"><para>See the description of
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>allow-notify</command> in <xref linkend="access_control"/></para></entry>
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>allow-query</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>See the description of
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce<command>allow-query</command> in <xref linkend="access_control"/></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>allow-transfer</command></para></entry>
7d7c5eee345bf4a62764cbce55868a6c09568543Eric Luce                <entry colname = "2"><para>See the description of <command>allow-transfer</command> in <xref linkend="access_control"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>allow-update</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>Specifies which hosts are allowed to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesubmit Dynamic DNS updates for master zones. The default is to deny
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceupdates from all hosts.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>update-policy</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>Specifies a "Simple Secure Update" policy. See
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<xref linkend="dynamic_update_policies"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>allow-update-forwarding</command></para></entry>
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafsson
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafsson<entry colname = "2"><para>Specifies which hosts are allowed to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesubmit Dynamic DNS updates to slave zones to be forwarded to the
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonmaster.  The default is <userinput>{ none; }</userinput>, which
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonmeans that no update forwarding will be performed.  To enable
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonupdate forwarding, specify  <userinput>allow-update-forwarding { any; };</userinput>.
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas GustafssonSpecifying values other than <userinput>{ none; }</userinput> or
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafsson<userinput>{ any; }</userinput> is usually counterproductive, since
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonthe responsibility for update access control should rest with the
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonmaster server, not the slaves.</para>
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafsson
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafsson<para>Note that enabling the update forwarding feature on a slave server
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonmay expose master servers relying on insecure IP address based
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafssonaccess control to attacks; see <xref linkend="dynamic_update_security"/>
a3e41e3c03a32b00fc243fce538a39ddc7237885Andreas Gustafssonfor more details.</para>
4ec1a96d90784f70380bdec66f8a0bd6718a5b71Mark Andrews</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "1"><para><command>also-notify</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>Only meaningful if <command>notify</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceactive for this zone. The set of machines that will receive a
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce<literal>DNS NOTIFY</literal> message
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor this zone is made up of all the listed nameservers (other than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe primary master) for the zone plus any IP addresses specified
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonwith <command>also-notify</command>. A port may be specified
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonwith each <command>also-notify</command> address to send the notify
724f98789b6fbbbf7f4e327b833d0fb404d331a8Andreas Gustafssonmessages to a port other than the default of 53.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>also-notify</command> is not meaningful for stub zones.
317870a32f6dbdb197da37ab2a7b4df422940249Andreas GustafssonThe default is the empty list.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>check-names</command></para></entry>
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafsson<entry colname = "2"><para>
9374f5f62c15ec04a61b9e92ba615da031710692Andreas GustafssonThis option was used in BIND 8 to restrict the character set of
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafssondomain names in master files and/or DNS responses received from the
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafssonnetowrk.  BIND 9 does not restrict the character set of domain names
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafssonand does not implement the <command>check-names</command> option.
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafsson</para>
9374f5f62c15ec04a61b9e92ba615da031710692Andreas Gustafsson</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
e54683130c25e85ab63dde3e8d14578a59479825Brian Wellington<entry colname = "1"><para><command>database</command></para></entry>
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafsson<entry colname = "2"><para>Specify the type of database to be used for storing the
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonzone data.  The string following the <command>database</command> keyword
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonis interpreted as a list of whitespace-delimited words.  The first word
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonidentifies the database type, and any subsequent words are passed
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonas arguments to the database to be interpreted in a way specific
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonto the database type.</para>
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafsson<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonred-black-tree database.  This database does not take arguments.</para>
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafsson<para>Other values are possible if additional database drivers
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonhave been linked into the server.  Some sample drivers are included
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafssonwith the distribution but none are linked in by default.</para>
0a479f5bfda79ccc29cd44dc6ab7e091930c385dAndreas Gustafsson</entry>
e54683130c25e85ab63dde3e8d14578a59479825Brian Wellington</row>
e54683130c25e85ab63dde3e8d14578a59479825Brian Wellington<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>dialup</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson               <entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>dialup</command> in <xref linkend="boolean_options"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>forward</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Only meaningful if the zone has a forwarders
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelist. The <command>only</command> value causes the lookup to fail
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceafter trying the forwarders and getting no answer, while <command>first</command> would
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceallow a normal lookup to be tried.</para>
a99166d1bf49e1a4962d77a648ed246f904ddf30Brian Wellington</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>forwarders</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Used to override the list of global forwarders.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIf it is not specified in a zone of type <command>forward</command>,
a99166d1bf49e1a4962d77a648ed246f904ddf30Brian Wellingtonno forwarding is done for the zone; the global options are not used.</para>
a99166d1bf49e1a4962d77a648ed246f904ddf30Brian Wellington</entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>ixfr-base</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Was used in <acronym>BIND</acronym> 8 to specify the name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the transaction log (journal) file for dynamic update and IXFR.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefile by appending ".<filename>jnl</filename>" to the name of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone file.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-time-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-idle-in</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-time-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>max-transfer-idle-out</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>notify</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>notify</command> in <xref linkend="boolean_options"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>pubkey</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea public zone key for verification of signatures in DNSSEC signed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceon loading and ignores the option.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyer<entry colname = "1"><para><command>zone-statistics</command></para></entry>
3ff9349f82300a2ea0241d4090d7b2c3c250dd4fAndreas Gustafsson<entry colname = "2"><para>If <userinput>yes</userinput>, the server will keep statistical
0b3f08631f66f2bdcac801ef021ee2bddc953efbMichael Sawyerinformation for this zone, which can be dumped to the
3ff9349f82300a2ea0241d4090d7b2c3c250dd4fAndreas Gustafsson<command>statistics-file</command> defined in the server options.</para></entry>
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer</row>
56f1285ca5d97d3205b74c32dc4de1ea7b69fea1Michael Sawyer<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>sig-validity-interval</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><command>transfer-source</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>transfer-source</command> in <xref linkend="zone_transfers"/>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "1"><para><command>transfer-source-v6</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<row rowsep = "0">
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews<entry colname = "1"><para><command>notify-source</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>notify-source</command> in <xref linkend="zone_transfers"/>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson</para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson</row>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<row rowsep = "0">
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "1"><para><command>notify-source-v6</command></para></entry>
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<entry colname = "2"><para>See the description of
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
f6ec00228a3ee9ebc6ea2581c199f94716a1ffe5Andreas Gustafsson</para></entry>
dfd7798d8b870abf03795d8095297a4b982ab6e9Mark Andrews</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe right to perform dynamic updates to a zone, configured by the <command>allow-update</command> and <command>update-policy</command> option,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucerespectively.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>allow-update</command> clause works the same
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceway as in previous versions of <acronym>BIND</acronym>. It grants given clients the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepermission to update any record of any name in the zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce9 and allows more fine-grained control over what updates are allowed.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceA set of rules is specified, where each rule either grants or denies
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepermissions for one or more names to be updated by one or more identities.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce If the dynamic update request message is signed (that is, it includes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceeither a TSIG or SIG(0) record), the identity of the signer can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe determined.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Rules are specified in the <command>update-policy</command> zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoption, and are only meaningful for master zones.  When the <command>update-policy</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis present, it is a configuration error for the <command>allow-update</command> statement
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto be present.  The <command>update-policy</command> statement only
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexamines the signer of a message; the source address is not relevant.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This is how a rule definition looks:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Each rule grants or denies privileges.  Once a message has
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesuccessfully matched a rule, the operation is immediately granted
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor denied and no further rules are examined.  A rule is matched
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhen the signer matches the identity field, the name matches the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename field, and the type is specified in the type field.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The identity field specifies a name or a wildcard name.  The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenametype field has 4 values: <varname>name</varname>, <varname>subdomain</varname>, <varname>wildcard</varname>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand <varname>self</varname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <tgroup cols = "2" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>name</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches when the updated name is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesame as the name in the name field.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>subdomain</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches when the updated name is a subdomain
c861628626be79f9477a4eec64d880539721ca9eBrian Wellingtonof the name in the name field (which includes the name itself).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>wildcard</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches when the updated name is a valid
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceexpansion of the wildcard name in the name field.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><varname>self</varname></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Matches when the updated name is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesame as the message signer. The name field is ignored.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If no types are specified, the rule matches all types except
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSIG, NS, SOA, and NXT. Types may be specified by name, including
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce"ANY" (ANY matches all types except NXT, which can never be updated).
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Zone File</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="types_of_resource_records_and_when_to_use_them">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Types of Resource Records and When to Use Them</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This section, largely borrowed from RFC 1034, describes the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceconcept of a Resource Record (RR) and explains when each is used.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSince the publication of RFC 1034, several new RRs have been identified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand implemented in the DNS. These are also included.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>Resource Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>A domain name identifies a node.  Each node has a set of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        resource information, which may be empty.  The set of resource
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        information associated with a particular name is composed of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        separate RRs. The order of RRs in a set is not significant and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        need not be preserved by nameservers, resolvers, or other
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        parts of the DNS. However, sorting of multiple RRs is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        permitted for optimization purposes, for example, to specify
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        that a particular nearby server be tried first. See <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        linkend="the_sortlist_statement"/> and <xref
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        linkend="rrset_ordering"/>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The components of a Resource Record are:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "2" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>owner name</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>type</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>an encoded 16 bit value that specifies
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe type of the resource in this resource record. Types refer to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceabstract resources.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>TTL</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>the time to live of the RR. This field
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis a 32 bit integer in units of seconds, and is primarily used by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceresolvers when they cache RRs. The TTL describes how long a RR can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe cached before it should be discarded.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>class</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>an encoded 16 bit value that identifies
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea protocol family or instance of a protocol.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>RDATA</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>the type and sometimes class-dependent
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedata that describes the resource.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The following are <emphasis>types</emphasis> of valid RRs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(some of these listed, although not obsolete, are experimental (x)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor historical (h) and no longer in general use):</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "2" colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>A</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a host address.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>A6</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>an IPv6 address.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>AAAA</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Obsolete format of IPv6 address</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>AFSDB</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) location of AFS database servers.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceExperimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>CNAME</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>identifies the canonical name of an alias.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>DNAME</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>for delegation of reverse addresses.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceReplaces the domain name specified with another name to be looked
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceup. Described in RFC 2672.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>HINFO</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>identifies the CPU and OS used by a host.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>ISDN</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) representation of ISDN addresses.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceExperimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>KEY</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>stores a public key associated with a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceDNS name.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>LOC</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) for storing GPS info. See RFC 1876.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceExperimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>MX</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>identifies a mail exchange for the domain.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce See RFC 974 for details.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>NS</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>the authoritative nameserver for the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedomain.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>NXT</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>used in DNSSEC to securely indicate that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceRRs with an owner name in a certain name interval do not exist in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea zone and indicate what RR types are present for an existing name.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSee RFC 2535 for details.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>PTR</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a pointer to another part of the domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename space.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>RP</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) information on persons responsible
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor the domain. Experimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>RT</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) route-through binding for hosts that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedo not have their own direct wide area network addresses. Experimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SIG</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>("signature") contains data authenticated
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the secure DNS. See RFC 2535 for details.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SOA</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>identifies the start of a zone of authority.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SRV</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>information about well known network
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceservices (replaces WKS).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>WKS</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(h) information about which well known
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenetwork services, such as SMTP, that a domain supports. Historical,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucereplaced by newer RR SRV.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>X25</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>(x) representation of X.25 network addresses. Experimental.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The following <emphasis>classes</emphasis> of resource records
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare currently valid in the DNS:</para><informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>IN</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>the Internet system.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry nameend = "2" namest = "1"><para>For information about other,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceolder classes of RRs, see <xref linkend="classes_of_resource_records"/>.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><emphasis>RDATA</emphasis> is the type-dependent or class-dependent
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedata that describes the resource:</para><informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>A</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>for the IN class, a 32 bit IP address.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>A6</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>maps a domain name to an IPv6 address,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith a provision for indirection for leading "prefix" bits.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>CNAME</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a domain name.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>DNAME</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>provides alternate naming to an entire
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesubtree of the domain name space, rather than to a single node.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce It causes some suffix of a queried name to be substituted with
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea name from the DNAME record's RDATA.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>MX</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a 16 bit preference value (lower is better)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefollowed by a host name willing to act as a mail exchange for the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceowner domain.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>NS</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a fully qualified domain name.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>PTR</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>a fully qualified domain name.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SOA</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>several fields.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The owner name is often implicit, rather than forming an integral
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepart of the RR.  For example, many nameservers internally form tree
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor hash structures for the name space, and chain RRs off nodes.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce The remaining RR parts are the fixed header (type, class, TTL)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhich is consistent for all RRs, and a variable part (RDATA) that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefits the needs of the resource being described.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The meaning of the TTL field is a time limit on how long an
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceRR can be kept in a cache.  This limit does not apply to authoritative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedata in zones; it is also timed out, but by the refreshing policies
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefor the zone.  The TTL is assigned by the administrator for the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone where the data originates.  While short TTLs can be used to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceminimize caching, and a zero TTL prohibits caching, the realities
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof Internet performance suggest that these times should be on the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceorder of days for the typical host.  If a change can be anticipated,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe TTL can be reduced prior to the change to minimize inconsistency
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceduring the change, and then increased back to its former value following
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe change.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The data in the RDATA section of RRs is carried as a combination
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof binary strings and domain names.  The domain names are frequently
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused as "pointers" to other data in the DNS.</para></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>Textual expression of RRs</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>RRs are represented in binary form in the packets of the DNS
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceprotocol, and are usually represented in highly encoded form when
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucestored in a nameserver or resolver.  In the examples provided in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceRFC 1034, a style similar to that used in master files was employed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein order to show the contents of RRs.  In this format, most RRs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare shown on a single line, although continuation lines are possible
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceusing parentheses.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The start of the line gives the owner of the RR.  If a line
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebegins with a blank, then the owner is assumed to be the same as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat of the previous RR.  Blank lines are often included for readability.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Following the owner, we list the TTL, type, and class of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceRR.  Class and type use the mnemonics defined above, and TTL is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean integer before the type field.  In order to avoid ambiguity in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceparsing, type and class mnemonics are disjoint, TTLs are integers,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand the type mnemonic is always last. The IN class and TTL values
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare often omitted from examples in the interests of clarity.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The resource data or RDATA section of the RR are given using
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceknowledge of the typical representation for the data.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For example, we might show the RRs carried in a message as:</para> <informaltable
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0"><tgroup cols = "3"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>MX</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>MX</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The MX RRs have an RDATA section which consists of a 16 bit
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenumber followed by a domain name.  The address RRs use a standard
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIP address format to contain a 32 bit internet address.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This example shows six RRs, with two RRs at each of three
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedomain names.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Similarly we might see:</para><informaltable colsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "4Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>CH</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceeach of a different class.</para></sect3></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Discussion of MX Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>As described above, domain servers store information as a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceseries of resource records, each of which contains a particular
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepiece of information about a given domain name (which is usually,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebut not always, a host). The simplest way to think of a RR is as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea typed pair of datum, a domain name matched with relevant data,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand stored with some additional type information to help systems determine
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhen the RR is relevant.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>MX records are used to control delivery of email. The data
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecified in the record is a priority and a domain name. The priority
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecontrols the order in which email delivery is attempted, with the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelowest number first. If two priorities are the same, a server is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucechosen randomly. If no servers at a given priority are responding,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe mail transport agent will fall back to the next largest priority.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePriority numbers do not have any absolute meaning &mdash; they are relevant
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceonly respective to other MX records for that domain name. The domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucename given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean associated A record &mdash; CNAME is not sufficient.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For a given domain, if there is both a CNAME record and an
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceMX record, the MX record is in error, and will be ignored. Instead,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe mail will be delivered to the server specified in the MX record
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucepointed to by the CNAME.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>MX</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>10</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>MX</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>10</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>MX</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>20</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para><literal>A</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable><para>For example:</para>
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<literal>mail2.example.com</literal> (in
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonany order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe attempted.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The time to live of the RR field is a 32 bit integer represented
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein units of seconds, and is primarily used by resolvers when they
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecache RRs. The TTL describes how long a RR can be cached before it
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceshould be discarded. The following three types of TTL are currently
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused in a zone file.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SOA</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The last field in the SOA is the negative
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecaching TTL. This controls how long other servers will cache no-such-domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(NXDOMAIN) responses from you.</para><para>The maximum time for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucenegative caching is 3 hours (3h).</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>$TTL</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>The $TTL directive at the top of the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone file (before the SOA) gives a default TTL for every RR without
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea specific TTL set.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>RR TTLs</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>Each RR can have a TTL as the second
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucefield in the RR, which will control how long other servers can cache
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe it.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>All of these TTLs default to units of seconds, though units
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecan be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Inverse Mapping in IPv4</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Reverse name resolution (that is, translation from IP address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand PTR records. Entries in the in-addr.arpa domain are made in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceleast-to-most significant order, read left to right. This is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceopposite order to the way IP addresses are usually written. Thus,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea machine with an IP address of 10.1.2.3 would have a corresponding
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein-addr.arpa name of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce3.2.1.10.in-addr.arpa. This name should have a PTR resource record
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhose data field is the name of the machine or, optionally, multiple
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePTR records if the machine has more than one name. For example,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the <optional>example.com</optional> domain:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tgroup cols = "2" colsep = "0" rowsep = "0"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para><literal>3</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The <command>$ORIGIN</command> lines in the examples
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceare for providing context to the examples only-they do not necessarily
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceappear in the actual usage. They are only used here to indicate
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat the example is relative to the listed origin.</para></note></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Other Zone File Directives</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The Master File Format was initially defined in RFC 1035 and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehas subsequently been extended. While the Master File Format itself
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceis class independent all records in a Master File must be of the same
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceclass.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand <command>$TTL.</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>The <command>$ORIGIN</command> Directive</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Syntax: <command>$ORIGIN
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafsson<para><command>$ORIGIN</command> sets the domain name that will
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe appended to any unqualified records. When a zone is first read
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonin there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecurrent <command>$ORIGIN</command> is appended to the domain specified
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the <command>$ORIGIN</command> argument if it is not absolute.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><literal>$ORIGIN example.com
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceWWW     CNAME   MAIN-SERVER</literal></programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>is equivalent to</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><literal>WWW.EXAMPLE.COM CNAME MAIN-SERVER.EXAMPLE.COM.</literal></programlisting></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>The <command>$INCLUDE</command> Directive</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Syntax: <command>$INCLUDE</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<replaceable>filename</replaceable> <optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Read and process the file <filename>filename</filename> as
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif it were included into the file at this point.  If <command>origin</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecified the file is processed with <command>$ORIGIN</command> set
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto that value, otherwise the current <command>$ORIGIN</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceused.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The behavior when <command>origin</command> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucespecified differs from that described in RFC 1035. The origin and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecurrent domain revert to the values they were prior to the <command>$INCLUDE</command> once
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe file has been read.</para></note></sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect3><title>The <command>$TTL</command> Directive</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Syntax: <command>$TTL</command>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<replaceable>default-ttl</replaceable> <optional>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<replaceable>comment</replaceable> </optional></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Set the default Time To Live (TTL) for subsequent records
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>hs</replaceable> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>$GENERATE</command> is used to create a series of
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonresource records that only differ from each other by an iterator. <command>$GENERATE</command> can
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebe used to easily generate the sets of records required to support
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedelegation.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><literal>$ORIGIN 0.0.192.IN-ADDR.ARPA.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce$GENERATE 1-127 $ CNAME $.0</literal></programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>is equivalent to</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting><literal>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce0.0.0.192.IN-ADDR.ARPA NS SERVER2.EXAMPLE.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce1.0.0.192.IN-ADDR.ARPA CNAME 1.0.0.0.192.IN-ADDR.ARPA
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce2.0.0.192.IN-ADDR.ARPA CNAME 2.0.0.0.192.IN-ADDR.ARPA
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce127.0.0.192.IN-ADDR.ARPA CNAME 127.0.0.0.192.IN-ADDR.ARPA
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce.</literal></programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <informaltable colsep = "0" rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "1"><para><command>range</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <entry colname = "2"><para>This can be one of two forms: start-stop
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceor start-stop/step. If the first form is used then step is set to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        1. All of start, stop and step must be positive.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "1"><para><command>lhs</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "2"><para><command>lhs</command> describes the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceowner name of the resource records to be created.      Any single <command>$</command> symbols
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewithin the <command>lhs</command> side are replaced by the iterator
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsvalue.
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark AndrewsTo get a $ in the output you need to escape the <command>$</command>
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsusing a backslash <command>\</command>,
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewse.g. <command>\$</command>. The <command>$</command> may optionally be followed
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsby modifiers which change the offset from the interator, field width and base.
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark AndrewsModifiers are introduced by a <command>{</command> immediately following the
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrews<command>$</command> as <command>${offset[,width[,base]]}</command>.
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewse.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsprints the result as a decimal in a zero padded field of with 3.  Available
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsoutput forms are decimal (<command>d</command>), octal (<command>o</command>)
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsand hexadecimal (<command>x</command> or <command>X</command> for uppercase).
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark AndrewsThe default modifier is <command>${0,0,d}</command>.
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark AndrewsIf the <command>lhs</command> is not
9349d49b7f41b2441931fe3f4ea3136ac338e3a2Andreas Gustafssonabsolute, the current <command>$ORIGIN</command> is appended to
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsthe name.</para>
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrews<para>For compatability with earlier versions <command>$$</command> is still
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsrecognised a indicating a literal $ in the output.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "1"><para><command>type</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "2"><para>At present the only supported types are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePTR, CNAME and NS.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "1"><para><command>rhs</command></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <entry colname = "2"><para>rhs is a domain name. It is processed
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesimilarly to lhs.</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
cfee234f6bbd3b9513186cde8c6d38a964f97583Mark Andrewsand not part of the standard zone file format.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</chapter>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<chapter id="ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Access Control Lists (ACLs), are address match lists that
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrenceyou can set up and nickname for future use in <command>allow-notify</command>,
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>allow-query</command>, <command>allow-recursion</command>,
10e6498d6d7b2cfd8d822788d817fc9a3e0b0c3aDavid Lawrence<command>blackhole</command>, <command>allow-transfer</command>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceetc.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Using ACLs allows you to have finer control over who can access
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyour nameserver, without cluttering up your config files with huge
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelists of IP addresses.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucecontrol access to your server. Limiting access to your server by
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoutside parties can help prevent spoofing and DoS attacks against
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyour server.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Here is an example of how to properly apply ACLs:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Set up an ACL named "bogusnets" that will block RFC1918 space,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// which is commonly used in spoofing attacks.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce// Set up an ACL called our-nets. Replace this with the real IP numbers.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceacl our-nets { x.x.x.x/24; x.x.x.x/21; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoptions {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { our-nets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-recursion { our-nets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  blackhole { bogusnets; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  ...
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucezone "example.com" {
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  type master;
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  file "m/example.com";
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  allow-query { any; };
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce};
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</programlisting>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>This allows recursive queries of the server from the outside
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceunless recursion has been previously disabled.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>For more information on how to use ACLs to protect your server,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesee the <emphasis>AUSCERT</emphasis> advisory at
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect1><title><command>chroot</command> and <command>setuid</command> (for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUNIX servers)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(<command>chroot()</command>) by specifying the "<option>-t</option>"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceoption. This can help improve system security by placing <acronym>BIND</acronym> in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea "sandbox," which will limit the damage done if a server is compromised.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceability to run the daemon as a nonprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceWe suggest running as a nonprivileged user when using the <command>chroot</command> feature.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceuser 202:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>The <command>chroot</command> Environment</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>In order for a <command>chroot()</command> environment to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucework properly in a particular directory (for example, <filename>/var/named</filename>),
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyou will need to set up an environment that includes everything
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<acronym>BIND</acronym> needs to run. From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe root of the filesystem. You will need <filename>/dev/null</filename>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand any library directories and files that <acronym>BIND</acronym> needs to run on
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceyour system. Please consult your operating system's instructions
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceif you need help figuring out which library files you need to copy
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceover to the <command>chroot()</command> sandbox.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>If you are running an operating system that supports static
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebinaries, you can also compile <acronym>BIND</acronym> statically and avoid the need
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto copy system libraries over to your <command>chroot()</command> sandbox.</para></sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<sect2><title>Using the <command>setuid</command> Function </title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>Prior to running the <command>named</command> daemon, use
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe <command>touch</command> utility (to change file access and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemodification times) or the <command>chown</command> utility (to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceset the user id and/or group id) on files to which you want <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto write.</para></sect2></sect1>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
cc831f51d59d11815253c404d0e30a3fa7a538abAndreas Gustafsson<para>Access to the dynamic
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonupdate facility should be strictly limited.  In earlier versions of
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<acronym>BIND</acronym> the only way to do this was based on the IP
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonaddress of the host requesting the update, by listing an IP address or
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonnetwork prefix in the <command>allow-update</command> zone option.
64291fce5a6b473c2b1df95ec190230fba024030Andreas GustafssonThis method is insecure since the source address of the update UDP packet
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonis easily forged.  Also note that if the IP addresses allowed by the
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<command>allow-update</command> option include the address of a slave
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonserver which performs forwarding of dynamic updates, the master can be
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssontrivially attacked by sending the update to the slave, which will
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonforward it to the master with its own source IP address causing the
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonmaster to approve it without question.</para>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<para>For these reasons, we strongly recommend that updates be
3d9ce7519bcb01219995c6f99ed943df21b1e653Andreas Gustafssoncryptographically authenticated by means of transaction signatures
3d9ce7519bcb01219995c6f99ed943df21b1e653Andreas Gustafsson(TSIG).  That is, the <command>allow-update</command> option should
3d9ce7519bcb01219995c6f99ed943df21b1e653Andreas Gustafssonlist only TSIG key names, not IP addresses or network
3d9ce7519bcb01219995c6f99ed943df21b1e653Andreas Gustafssonprefixes. Alternatively, the new <command>update-policy</command>
3d9ce7519bcb01219995c6f99ed943df21b1e653Andreas Gustafssonoption can be used.</para>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson<para>Some sites choose to keep all dynamically updated DNS data
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonin a subdomain and delegate that subdomain to a separate zone. This
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonway, the top-level zone containing critical data such as the IP addresses
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonof public web and mail servers need not allow dynamic update at
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafssonall.</para>
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson
64291fce5a6b473c2b1df95ec190230fba024030Andreas Gustafsson</sect1></chapter>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<chapter id="ch08">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <title>Troubleshooting</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Common Problems</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>It's not working; how can I figure out what's wrong?</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The best solution to solving installation and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      configuration issues is to take preventative measures by setting
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson      up logging files beforehand. The log files provide a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      source of hints and information that can be used to figure out
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      what went wrong and how to fix the problem.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Incrementing and Changing the Serial Number</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Zone serial numbers are just numbers-they aren't date
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    related.  A lot of people set them to a number that represents a
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    date, usually of the form YYYYMMDDRR. A number of people have been
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    testing these numbers for Y2K compliance and have set the number
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    to the year 2000 to see if it will work. They then try to restore
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the old serial number. This will cause problems because serial
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    numbers are used to indicate that a zone has been updated. If the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    serial number on the slave server is lower than the serial number
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    on the master, the slave server will attempt to update its copy of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>Setting the serial number to a lower number on the master
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    server than the slave server means that the slave will not perform
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    updates to its copy of the zone.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>The solution to this is to add 2147483647 (2^31-1) to the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    number, reload the zone and make sure all slaves have updated to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    the new zone serial number, then reset the number to what you want
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    it to be, and reload the zone again.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Where Can I Get Help?</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    levels of premium support are available and each level includes
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    support for all <acronym>ISC</acronym> programs, significant discounts on products
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    and training, and a recognized priority on bug fixes and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    support agreement package which includes services ranging from bug
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    fix announcements to remote support. It also includes training in
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <para>To discuss arrangements for support, contact
450025a0d1a279a0fdb400764c6baa876bad9d5eAndreas Gustafsson    <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <acronym>ISC</acronym> web page at <ulink
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    to read more.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</chapter>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<appendix id="ch09">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <title>Appendices</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Acknowledgements</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Although the "official" beginning of the Domain Name
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      System occurred in 1984 with the publication of RFC 920, the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      core of the new system was described in 1983 in RFCs 882 and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      883. From 1984 to 1987, the ARPAnet (the precursor to today's
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      Internet) became a testbed of experimentation for developing the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      new naming/addressing scheme in an rapidly expanding,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      operational network environment.  New RFCs were written and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      published in 1987 that modified the original documents to
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      incorporate improvements based on the working model. RFC 1034,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      "Domain Names-Concepts and Facilities," and RFC 1035, "Domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      Names-Implementation and Specification" were published and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      became the standards upon which all <acronym>DNS</acronym> implementations are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      built.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The first working domain name server, called "Jeeves," was
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewritten in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemachines located at the University of Southern California's Information
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSciences Institute (USC-ISI) and SRI International's Network Information
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceCenter (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceName Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucegraduate students at the University of California at Berkeley under
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea grant from the US Defense Advanced Research Projects Administration
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSystems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePainter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceproject team. After that, additional work on the software package
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewas done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceemployee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto 1987. Many other people also contributed to <acronym>BIND</acronym> development
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceduring that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceMike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehandled by Mike Karels and O. Kure.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceCorporation (now Compaq Computer Corporation). Paul Vixie, then
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucea DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePartan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceBaran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceWolfhugel, and others.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceVixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby the Internet Software Consortium with support being provided
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby ISC's sponsors. As co-architects/programmers, Bob Halley and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LucePaul Vixie released the first production-ready version of <acronym>BIND</acronym> version
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce8 in May 1997.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof several corporations, and by the tireless work efforts of numerous
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceindividuals.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="historical_dns_information">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Historical <acronym>DNS</acronym> Information</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="classes_of_resource_records">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Classes of Resource Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>HS = hesiod</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>The <optional>hesiod</optional> class is an information service
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedeveloped by MIT's Project Athena. It is used to share information
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceabout various systems databases, such as users, groups, printers
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceand so on. The keyword <command>hs</command> is a synonym for
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucehesiod.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <title>CH = chaos</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <para>The <command>chaos</command> class is used to specify zone
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucedata for the MIT-developed CHAOSnet, a LAN protocol created in the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucemid-1970s.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </sect3>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>General <acronym>DNS</acronym> Reference Information</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>IPv6 addresses (A6)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>IPv6 addresses are 128-bit identifiers for interfaces and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucesets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucescalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean identifier for a single interface; <emphasis>Anycast</emphasis>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucean identifier for a set of interfaces. Here we describe the global
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUnicast address scheme. For more information, see RFC 2374.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The aggregatable global Unicast address format is as follows:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1" colsep = "1"><para>FP</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3" colsep = "1"><para>RES</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "6"><para>Interface ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry nameend = "4" namest = "1"><para>&#60;------ Public Topology
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce------></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "6"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para>&#60;-Site Topology-></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "6"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "5"><para></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "6"><para>&#60;------ Interface Identifier ------></para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Where
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"  rowsep = "0"><tgroup
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>FP</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Format Prefix (001)</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>TLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>RES</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Reserved for future use</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>NLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>SLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1"><para>INTERFACE ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2"><para>=</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3"><para>Interface Identifier</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The <emphasis>Public Topology</emphasis> is provided by the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceupstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof the address range. The <emphasis>Site Topology</emphasis> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewhere you can subnet this space, much the same as subnetting an
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe address of an individual interface on a given network. (With
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceIPv6, addresses belong to interfaces rather than machines.)</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>The subnetting capability of IPv6 is much more flexible than
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethat of IPv4: subnetting can now be carried out on bit boundaries,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein much the same way as Classless InterDomain Routing (CIDR).</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The internal structure of the Public Topology for an A6 global
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceunicast address consists of:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<informaltable colsep = "0"  rowsep = "0"><tgroup cols = "4"
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.506in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.662in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.556in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.825in"/>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4" rowsep = "1"><para>24</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<row rowsep = "0">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "1" colsep = "1"><para>FP</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "3" colsep = "1"><para>RES</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<entry colname = "4"><para>NLA ID</para></entry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</row>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tbody>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</tgroup></informaltable>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>A 3 bit FP (Format Prefix) of 001 indicates this is a global
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceUnicast address. FP lengths for other types of addresses may vary.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>13 TLA (Top Level Aggregator) bits give the prefix of your
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucetop-level IP backbone carrier.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>8 Reserved bits</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>24 bits for Next Level Aggregators. This allows organizations
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewith a TLA to hand out portions of their IP space to client organizations,
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceso that the client can then split up the network further by filling
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein more NLA bits, and hand out IPv6 prefixes to their clients, and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceso forth.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>There is no particular structure for the Site topology section.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceOrganizations can allocate these bits in any way they desire.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>The Interface Identifier must be unique on that network. On
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceethernet networks, one way to ensure this is to set the address
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto the first three bytes of the hardware address, "FFFE", then the
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucelast three bytes of the hardware address. The lowest significant
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucebit of the first byte should then be complemented. Addresses are
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucewritten as 32-bit blocks separated with a colon, and leading zeros
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof a block may be omitted, for example:</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para><command>3ffe:8050:201:9:a00:20ff:fe81:2b32</command></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<para>IPv6 address specifications are likely to contain long strings
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof zeros, so the architects have included a shorthand for specifying
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethem. The double colon (`::') indicates the longest possible string
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceof zeros that can fit, and can be used only once in an address.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  <sect1 id="bibliography">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <title>Bibliography (and Suggested Reading)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="rfcs">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Request for Comments (RFCs)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Specification documents for the Internet protocol suite, including
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceseries of technical notes. The standards themselves are defined
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceby the Internet Engineering Task Force (IETF) and the Internet Engineering
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSteering Group (IESG). RFCs can be obtained online via FTP at
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafssonthe number of the RFC). RFCs are also available via the Web at
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
6867b9d347b8c00d56d6e357232d069ab7fb11aaAndreas Gustafsson</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <bibliography>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Standards</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC974</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Partridge</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Mail Routing and the Domain System</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>January 1986</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1034</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Mockapetris</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>P.V.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Domain Names &mdash; Concepts and Facilities</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>November 1987</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1035</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Mockapetris</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>P. V.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author> <title>Domain Names &mdash; Implementation and
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceSpecification</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>November 1987</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce        <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
fafd1d771905532e8dc3efa2ce90ce4c9e74af61Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Proposed Standards</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2181</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Elz</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>R., R. Bush</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Clarifications to the <acronym>DNS</acronym> Specification</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>July 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2308</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Andrews</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>M.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Negative Caching of <acronym>DNS</acronym> Queries</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>March 1998</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1995</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Ohta</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>M.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>August 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1996</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A Mechanism for Prompt Notification of Zone Changes</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>August 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2136</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>S.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Thomson</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>Y.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Rekhter</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>J.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Bound</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Dynamic Updates in the Domain Name System</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>April 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2845</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>O.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Gudmundsson</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Eastlake</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <lineage>3rd</lineage></author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>B.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Wellington</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author></authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>May 2000</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Proposed Standards Still Under Development</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <para><emphasis>Note:</emphasis> the following list of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceRFCs are undergoing major revision by the IETF.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1886</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Thomson</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>S.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Huitema</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title><acronym>DNS</acronym> Extensions to support IP version 6</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>December 1995</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2065</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Eastlake</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <lineage>3rd</lineage>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Kaufman</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Domain Name System Security Extensions</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>January 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2137</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Eastlake</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <lineage>3rd</lineage>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Secure Domain Name System Dynamic Update</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>April 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1535</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Gavron</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>E.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1993</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1536</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Kumar</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>A.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>J.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Postel</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Neuman</surname></author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Danzig</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>S.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Miller</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1993</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1982</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Elz</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Bush</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Serial Number Arithmetic</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>August 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Resource Record Types</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1183</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Everhart</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.F.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>L. A.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Mamakos</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Ullmann</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Mockapetris</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>New <acronym>DNS</acronym> RR Definitions</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1990</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1706</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Manning</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>B.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Colella</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title><acronym>DNS</acronym> NSAP Resource Records</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1994</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2168</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Daniel</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>M.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Mealling</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Resolution of Uniform Resource Identifiers using
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe Domain Name System</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>June 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1876</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Davis</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>T.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>Goodwin</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>I.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Dickinson</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A Means for Expressing Location Information in the Domain
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceName System</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>January 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2052</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Gulbrandsen</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>A.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A <acronym>DNS</acronym> RR for Specifying the Location of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceServices.</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2163</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Allocchio</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>A.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceConformant Global Address Mapping</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>January 1998</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2230</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Atkinson</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title><acronym>DNS</acronym> and the Internet</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1101</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Mockapetris</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>P. V.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>April 1989</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1123</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Braden</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>R.</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Requirements for Internet Hosts - Application and Support</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1989</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1591</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Postel</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>J.</firstname></author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Domain Name System Structure and Delegation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>March 1994</pubdate></biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2317</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Eidnes</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>H.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>G.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>de Groot</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Classless IN-ADDR.ARPA Delegation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>March 1998</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title><acronym>DNS</acronym> Operations</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1537</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Beertema</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1993</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1912</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Barr</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>February 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1912</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Barr</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>February 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2010</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Manning</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>B.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>P.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Vixie</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Operational Criteria for Root Name Servers.</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1996</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2219</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Hamilton</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>M.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Wright</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>October 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Other <acronym>DNS</acronym>-related RFCs</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <para>Note: the following list of RFCs, although
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </note>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1464</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Rosenbaum</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>R.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>May 1993</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1713</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Romao</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>A.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Tools for <acronym>DNS</acronym> Debugging</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>November 1994</pubdate></biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1794</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Brisco</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>T.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title><acronym>DNS</acronym> Support for Load Balancing</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>April 1995</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2240</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Vaughan</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>O.</firstname></author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A Legal Basis for Domain Name Allocation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>November 1997</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2345</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Klensin</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>J.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>T.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Wolf</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>G.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Oglesby</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>Domain Names and Company Name Retrieval</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>May 1998</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC2352</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Vaughan</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>O.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title>A Convention For Using Legal Names as Domain Names</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>May 1998</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title>Obsolete and Unimplemented Experimental RRs</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <abbrev>RFC1712</abbrev>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Farrell</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>C.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>M.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Schulze</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>S.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Pleitner</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <firstname>D.</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce                <surname>Baldoni</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <title><acronym>DNS</acronym> Encoding of Geographical
55c73d07349b0be7d800f39fcc30eba6ab760129Eric LuceLocation</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <pubdate>November 1994</pubdate>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </bibliodiv>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </bibliography>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2 id="internet_drafts">
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Internet Drafts</title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para>Internet Drafts (IDs) are rough-draft working documents of
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethe Internet Engineering Task Force. They are, in essence, RFCs
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein the preliminary stages of development. Implementors are cautioned not
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceto regard IDs as archival, and they should not be quoted or cited
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucein any formal documents unless accompanied by the disclaimer that
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Lucethey are "works in progress." IDs have a lifespan of six months
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luceafter which they are deleted unless updated by their authors.
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    <sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <title>Other Documents About <acronym>BIND</acronym></title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <para></para>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      <bibliography>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        <biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Albitz</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>Paul</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <firstname>Cricket</firstname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce              <surname>Liu</surname>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            </author>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </authorgroup>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          <copyright>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <year>1998</year>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce            <holder>Sebastopol, CA: O'Reilly and Associates</holder>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce          </copyright>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce        </biblioentry>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce      </bibliography>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce    </sect2>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce  </sect1>
87a6678320892395c9f17154085f73e1b86f2ecfAndreas Gustafsson
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</appendix>
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce
55c73d07349b0be7d800f39fcc30eba6ab760129Eric Luce</book>