<!--
 - Copyright (C) 2000 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.1.html,v 1.9 2000/07/27 09:41:51 tale Exp $ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN">
<HEAD>
<META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
<TITLE> Section 1. Introduction </TITLE></HEAD>
<H1>Section 1. Introduction </H1>
<P>The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses. DNS data is maintained in a group of distributed hierarchical databases.</P>
<H3>1.1 Scope of Document</H3>
<P>The Berkeley Internet Name Domain (BIND) implements an Internet nameserver for a number of operating systems. This document provides basic information about the installation and care of the Internet Software Consortium (ISC) BIND version 9 software package for system administrators.</P>
<H3>1.2 Organization of This Document</H3>
<P><EM CLASS="Emphasis">Section 1</EM> introduces the basic DNS and BIND concepts. <EM CLASS="Emphasis">Section 2</EM> describes resource requirements for running BIND in various environments. Information in <EM CLASS="Emphasis">Section 3</EM> is <EM CLASS="Emphasis">task-oriented</EM> in its presentation and is organized functionally, to aid in the process of installing the BIND 9 software. The task-oriented section is followed by <EM CLASS="Emphasis">Section 4</EM>, which contains more advanced concepts that the system administrator may need for implementing certain options. Section 5 describes the BIND 9 lightweight resolver. The contents of <EM CLASS="Emphasis">Section 6</EM> are organized as in a reference manual to aid in the ongoing maintenance of the software. <EM CLASS="Emphasis">Section 7</EM> addresses security considerations, and <EM CLASS="Emphasis">Section 8</EM> contains troubleshooting help. The main body of the document is followed by several <EM CLASS="Emphasis">Appendices</EM> which contain useful reference information, such as a <EM CLASS="Emphasis">Bibliography</EM> and historic information related to BIND and the Domain Name System.</P>
<H3>1.3 Conventions Used in This Document</H3>
<P>In this document, we use the following general typographic conventions:</P>
<TABLE>
<TR><TH>To describe:</TH><TH>We use the style:</TH></TR>
<TR><TD>a pathname, filename, URL, hostname,<BR>mailing list name, or new term or concept</TD><TD></TD></TR>
<TR><TD>literal user input</TD><TD><KBD>Fixed Width Bold</KBD></TD></TR>
<TR><TD>variable user input</TD><TD><EM>Fixed Width Italic</EM></TD></TR>
<TR><TD>program output</TD><TD><CODE>Fixed Width</CODE></TD></TR>
</TABLE>
<P>The following conventions are used in descriptions of the BIND configuration file:</P>
<TABLE>
<TR><TH>To describe:</TH><TH>We use the style:</TH></TR>
<TR><TD></TD><TD><EM>Sans Serif Bold</EM></TD></TR>
<TR><TD></TD><TD><EM>Sans Serif Italic</EM></TD></TR>
<TR><TD>"meta-syntactic" information (within brackets when optional)</TD><TD><EM>Fixed Width Italic</EM></TD></TR>
<TR><TD>Command line input</TD><TD><KBD>Fixed Width Bold</KBD></TD></TR>
<TR><TD>Program output</TD><TD><CODE>Fixed Width</CODE></TD></TR>
<TR><TD>Optional input</TD><TD>Text is enclosed in square brackets</TD></TR>
</TABLE>
<H3>1.4 Discussion of Domain Name System (DNS) Basics and BIND</H3>
<P>The purpose of this document is to explain the installation and basic upkeep of the BIND software package, and we begin by reviewing the fundamentals of the domain naming system as they relate to BIND. BIND consists of a <EM CLASS="Emphasis">nameserver</EM> (or "daemon") and a <CODE CLASS="Program-Process">resolver</CODE> library. The BIND server runs in the background, servicing queries on a well known network port. The standard port for the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), usually port 53, is specified in the system's services file. The <CODE CLASS="Program-Process">resolver</CODE> is a set of routines residing in a system library that provides the interface that programs can use to access the domain name services.</P>
<H4>1.4.1 Nameservers</H4>
<P>A nameserver (NS) is a program that stores information about named resources and responds to queries from programs called <EM CLASS="Emphasis">resolvers</EM> which act as client processes. The basic function of an NS is to provide information about network objects by answering queries.</P>
<P>With the nameserver, the network can be broken into a hierarchy of domains. The name space is organized as a tree according to organizational or administrative boundaries. Each node of the tree, called a domain, is given a label. The name of the domain is the concatenation of all the labels of the domains from the root to the current domain. This is represented in written form as a string of labels listed from right to left and separated by dots. A label need only be unique within its domain. The whole name space is partitioned into areas called <EM CLASS="Emphasis">zones</EM>, each starting at a domain and extending down to the leaf domains or to domains where other zones start. Zones usually represent administrative boundaries. For example, the domain name for a host at the company <EM CLASS="Emphasis">Example, Inc.</EM> would be written as the host's own label, then the label of the company's domain, then the top level domain to which the company's domain belongs, separated by dots.</P>
<P>The specifications for the domain nameserver are defined in RFC 1034, RFC 1035 and RFC 974. See Appendix C for complete information on finding and retrieving RFCs. It is also recommended that you read the related man pages.</P>
<P>As we stated previously, a zone is a point of delegation in the DNS tree. A zone consists of those contiguous parts of the domain tree for which a domain server has complete information and over which it has authority. It contains all domain names from a certain point downward in the domain tree except those which are delegated to other zones. A delegation point has one or more NS records in the parent zone, which should be matched by equivalent NS records at the root of the delegated zone.</P>
<P>To properly operate a nameserver, it is important to understand the difference between a <EM CLASS="Emphasis">zone</EM> and a <EM CLASS="Emphasis">domain</EM>. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other nameservers. Every name in the DNS tree is a <EM CLASS="Emphasis">domain</EM>. Every subdomain is a domain and every domain except the root is also a subdomain. The terminology is not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to gain a complete understanding of this difficult and subtle topic.</P>
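<P>The zone/domain distinction is easier to see in code. The following Python is an added illustration, not part of the manual and not BIND code: it splits a name into its labels, lists every domain on the path from the root, and finds the zone a name belongs to by taking the deepest zone cut that is an ancestor of the name. All names and zone cuts in it are constructed sample data. A host under a delegated subdomain is still inside the parent <EM>domain</EM>, but it is in the delegated <EM>zone</EM>, which is exactly the point the text makes.</P>

```python
"""Labels, domains and zone cuts.

Added illustration: not BIND code. All names and zone cuts below are
constructed sample data.
"""
from typing import List, Optional


def to_labels(name: str) -> List[str]:
    """Split a domain name into labels, root-most first (the order in which
    the name is built walking down the tree). Case is folded because DNS
    names are case-insensitive; a trailing dot marks the root and is dropped."""
    name = name.strip().lower().rstrip(".")
    if name == "":
        return []                      # the root domain has no labels
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return list(reversed(labels))


def canonical(name: str) -> str:
    """Write a name in its usual right-to-left dotted form with a trailing dot."""
    labels = to_labels(name)
    return "." if not labels else ".".join(reversed(labels)) + "."


def ancestors(name: str) -> List[str]:
    """Every domain on the path from the root down to and including name.
    Each of these is itself a domain; every one except the root is also a
    subdomain of the one before it."""
    labels = to_labels(name)
    path = ["."]
    for depth in range(1, len(labels) + 1):
        path.append(".".join(reversed(labels[:depth])) + ".")
    return path


def enclosing_zone(name: str, zone_cuts: List[str]) -> Optional[str]:
    """Return the zone that holds name.

    A zone starts at a zone cut and extends downward until the next cut, so
    the zone holding a name is the deepest cut that is an ancestor of the
    name (a longest-suffix match). Returns None only if no cut covers the
    name, which cannot happen while the root is among the cuts."""
    cuts = {canonical(cut) for cut in zone_cuts}
    found = None
    for domain in ancestors(name):     # root first, so the last hit is deepest
        if domain in cuts:
            found = domain
    return found


if __name__ == "__main__":
    # Constructed sample: four zones; aaa.example.org is delegated out of example.org.
    cuts = [".", "org.", "example.org.", "aaa.example.org."]
    for host in ["host.aaa.example.org", "host.bbb.example.org", "www.example.net"]:
        print(f"{canonical(host):24} labels={to_labels(host)} zone={enclosing_zone(host, cuts)}")
```

<P>Run as a script it prints that <CODE>host.aaa.example.org</CODE> and <CODE>host.bbb.example.org</CODE> are both in the domain <CODE>example.org</CODE>, yet only the second is in the <CODE>example.org</CODE> zone; the first falls into the delegated <CODE>aaa.example.org</CODE> zone.</P>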
<P>Though BIND is a Domain Nameserver, it deals primarily in terms of zones. The master and slave declarations in the BIND configuration file specify zones, not domains. When you ask some other site if it is willing to be a slave server for your <EM CLASS="Emphasis">domain</EM>, what it will actually be configured to serve is one or more zones.</P>
<P>Each zone has a <EM CLASS="Emphasis">primary master</EM> (or master) server which loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file which is edited by humans. Then there will be some number of <EM CLASS="Emphasis">secondary</EM> (or slave) servers, which load the zone contents using the DNS protocol (that is, the secondary servers will contact the primary and fetch the zone data using TCP). This set of servers--the primary and all of its secondaries--should be listed in the NS records in the parent zone and will constitute a <EM CLASS="Emphasis">delegation</EM>. This set of servers must also be listed in the zone file itself, in the NS records at the top node of the zone. You can list servers in the zone's own NS records that are not in the parent's NS delegation, but you cannot list servers in the parent's delegation that are not present in the zone's own NS records.</P>
<P>Any server listed in those NS records must be <EM CLASS="Emphasis">authoritative</EM> for the zone. A server is authoritative for a zone when it has been configured to answer questions for that zone with authority, which it does by setting the "authoritative answer" (AA) bit in reply packets. A server may be authoritative for more than one zone. The authoritative data for a zone is composed of all of the Resource Records (RRs)--the data associated with names in a tree-structured name space--attached to all of the nodes from the top node of the zone down to leaf nodes or nodes above cuts around the bottom edge of the zone.</P>
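<P>The rule that the parent's delegation may not name a server the zone itself does not list is something an administrator can check mechanically. The Python below is an added example (not BIND code and not part of the manual): it reads NS records for a given owner out of two constructed master-file excerpts, one from the parent zone and one from the delegated zone, and reports the two set differences. Servers present only at the zone's apex are allowed; servers present only in the parent's delegation are the misconfiguration the text forbids. The parser handles just the simple one-line RR form used in the samples.</P>

```python
"""Checking that a parent's NS delegation matches the child zone's apex NS set.

Added illustration, not BIND code. The two zone excerpts are constructed
sample data in master-file style (owner, optional TTL, optional class, type,
rdata); the parser below handles only that subset.
"""
from typing import Dict, Set

PARENT_ZONE = """\
; constructed excerpt of the parent zone, example.org
example.org.      3600 IN SOA ns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
example.org.      3600 IN NS  ns1.example.org.
aaa.example.org.  3600 IN NS  ns1.aaa.example.org.
aaa.example.org.  3600 IN NS  ns2.aaa.example.org.
aaa.example.org.  3600 IN NS  old.example.org.   ; still delegated to, but no longer serves the zone
"""

CHILD_ZONE = """\
; constructed excerpt of the delegated zone, aaa.example.org
aaa.example.org.  3600 IN SOA ns1.aaa.example.org. hostmaster.aaa.example.org. 1 7200 3600 1209600 3600
aaa.example.org.  3600 IN NS  ns1.aaa.example.org.
aaa.example.org.  3600 IN NS  ns2.aaa.example.org.
aaa.example.org.  3600 IN NS  ns3.aaa.example.org. ; at the apex but not in the parent's delegation: allowed
"""


def canonical(name: str) -> str:
    """Lower-case a name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def ns_records(zone_text: str, owner: str) -> Set[str]:
    """Collect the NS targets recorded for owner in a master-file excerpt."""
    want = canonical(owner)
    targets: Set[str] = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()     # drop comments, then tokenize
        if len(fields) < 3:
            continue
        name, rest = fields[0], fields[1:]
        # an optional TTL and an optional class may precede the RR type
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() == "NS" and canonical(name) == want:
            targets.add(canonical(rest[1]))
    return targets


def check_delegation(parent_zone: str, child_zone: str, child_apex: str) -> Dict[str, Set[str]]:
    """Compare the delegation NS set in the parent with the NS set at the child's apex.

    Servers at the apex that the parent does not list are permitted; servers in
    the parent's delegation that are absent from the apex are the case the text
    forbids, so a healthy delegation has an empty 'in_parent_not_child' set."""
    parent_ns = ns_records(parent_zone, child_apex)
    child_ns = ns_records(child_zone, child_apex)
    return {
        "parent": parent_ns,
        "child": child_ns,
        "in_parent_not_child": parent_ns - child_ns,   # must be empty
        "in_child_not_parent": child_ns - parent_ns,   # allowed
    }


def delegation_consistent(parent_zone: str, child_zone: str, child_apex: str) -> bool:
    """True when every server in the parent's delegation also appears at the apex."""
    return not check_delegation(parent_zone, child_zone, child_apex)["in_parent_not_child"]


if __name__ == "__main__":
    result = check_delegation(PARENT_ZONE, CHILD_ZONE, "aaa.example.org")
    for key, value in result.items():
        print(f"{key:22} {sorted(value)}")
    print("consistent:", delegation_consistent(PARENT_ZONE, CHILD_ZONE, "aaa.example.org"))
```

<P>With the constructed data the check fails because <CODE>old.example.org.</CODE> is still named in the parent's delegation but not at the zone's apex; a resolver following the parent's referral can therefore be sent to a server that will not answer authoritatively. Removing that NS record from the parent, or adding the server back at the apex, makes the sets consistent.</P>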
<P>Adding a zone as a type master or type slave will tell the server to answer questions for the zone authoritatively. If the server is able to load the zone into memory without any errors it will set the AA bit when it replies to queries for the zone. See RFCs 1034 and 1035 for more information about the AA bit.</P>
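<P>The AA bit lives in the flags word of the 12-byte DNS message header (RFC 1035, section 4.1.1). The following Python is an added example, not part of the manual and not BIND code: it unpacks that header, builds one, and classifies a message as a query, an authoritative answer or a non-authoritative answer by the QR and AA bits. The three message headers are constructed sample bytes, not captured traffic.</P>

```python
"""Reading the AA bit from a DNS message header.

Added illustration, not BIND code. The message bytes are constructed samples;
only the 12-byte header (RFC 1035 section 4.1.1) is parsed.
"""
import struct
from dataclasses import dataclass

# Flag bits in the second 16-bit word of the header.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


@dataclass(frozen=True)
class Header:
    id: int
    qr: bool        # False = query, True = response
    opcode: int
    aa: bool        # authoritative answer
    tc: bool        # truncated
    rd: bool        # recursion desired
    ra: bool        # recursion available
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> Header:
    """Unpack the fixed header; every field is big-endian on the wire."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(
        id=ident,
        qr=bool(flags & QR),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & AA),
        tc=bool(flags & TC),
        rd=bool(flags & RD),
        ra=bool(flags & RA),
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_header(ident: int, *, response: bool, authoritative: bool,
                 rd: bool = True, ra: bool = False, rcode: int = 0,
                 qdcount: int = 1, ancount: int = 0, nscount: int = 0,
                 arcount: int = 0) -> bytes:
    """Pack a header with opcode QUERY; the inverse of parse_header for these fields."""
    flags = ((QR if response else 0) | (AA if authoritative else 0)
             | (RD if rd else 0) | (RA if ra else 0) | (rcode & 0xF))
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def classify(msg: bytes) -> str:
    """Describe what kind of message the header announces."""
    h = parse_header(msg)
    if not h.qr:
        return "query"
    if h.aa:
        return "authoritative answer"
    return "non-authoritative answer"   # e.g. served from another server's cache


# Constructed samples: a recursive query and two possible responses to it.
QUERY = bytes.fromhex("1a2b 0100 0001 0000 0000 0000")
AUTHORITATIVE_RESPONSE = bytes.fromhex("1a2b 8580 0001 0001 0000 0000")
CACHED_RESPONSE = bytes.fromhex("1a2b 8180 0001 0001 0000 0000")

if __name__ == "__main__":
    for label, msg in [("query", QUERY), ("authoritative", AUTHORITATIVE_RESPONSE),
                       ("cached", CACHED_RESPONSE)]:
        print(f"{label:14} {classify(msg):26} {parse_header(msg)}")
```

<P>The two responses differ in a single bit (0x8580 versus 0x8180): the first comes from a server configured as master or slave for the zone and loaded it cleanly, the second is the same data relayed from a cache. A client that needs the authoritative view, for instance when verifying a zone change, should look at this bit rather than assume it from which server it asked.</P>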
<P>A DNS server can be master for some zones and slave for others or can be only a master, or only a slave, or can serve no zones and just answer queries via its <EM CLASS="Emphasis">cache</EM>.</P>
<P>All servers keep data in their cache until the data expires, based on a Time To Live (TTL) field which is maintained for all resource records.</P>
<P>The <EM CLASS="Emphasis">primary master</EM> is the ultimate source of information about a domain. The primary master is an authoritative server configured to be the source of zone transfer for one or more secondary servers. The primary master server obtains data for the zone from a file on disk.</P>
<P>A <EM CLASS="Emphasis">slave server</EM>, also called a secondary server, is an authoritative server that uses zone transfers from the primary master server to retrieve the zone data. Optionally, the slave server obtains zone data from a cache on disk. Slave servers provide necessary redundancy. All secondary/slave servers are named in the NS RRs for the zone.</P>
<P>Servers also act as <EM CLASS="Emphasis">caching</EM> servers. This means that the server caches the information that it receives and uses it until the data expires. A caching only server is a server that is not authoritative for any zone. This server services queries and asks other servers, who have the authority, for the information it needs.</P>
<P>A <EM CLASS="Emphasis">forwarding server</EM> always forwards queries it cannot satisfy from its authoritative data or cache to a fixed list of other servers. The forwarded queries are of the same type as a client would send to a server. There may be one or more servers forwarded to, and they are queried in turn until the list is exhausted or an answer is found. A forwarding server is typically used when you do not wish all the servers at a given site to interact with the rest of the Internet servers. A typical scenario would involve a number of internal DNS servers and an Internet firewall. Servers unable to pass packets through the firewall would forward to the server that can do it, and that server would query the Internet DNS servers on the internal server's behalf. An added benefit of using the forwarding feature is that the central machine develops a much more complete cache of information that all the workstations can take advantage of.</P>
<P>There is no prohibition against declaring a server to be a forwarder even though it has master and/or slave zones as well; the effect will still be that anything in the local server's cache or zones will be answered, and anything else will be forwarded using the forwarders list.</P>
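<P>The resolution order just described (own zones first, then the cache until the TTL runs out, then each forwarder in turn until one answers or the list is exhausted) can be simulated without a network. The Python below is an added example, not part of the manual and not BIND code: the local zone data, the forwarders and the clock are constructed stand-ins, the first forwarder is deliberately unreachable, and the forwarder that does answer records what it was asked so cache hits and TTL expiry can be observed.</P>

```python
"""A forwarding server with a TTL-bounded cache, simulated.

Added illustration, not BIND code. Local zone data, forwarder behaviour and
the clock are constructed stand-ins so the lookup order (own zones, then
cache, then each forwarder in turn) can be run offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, int]            # (rdata, TTL in seconds)
Forwarder = Callable[[str], Optional[Answer]]


class FakeClock:
    """Injectable time source so cache expiry can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def canonical(name: str) -> str:
    return name.strip().lower().rstrip(".") + "."


class ForwardingServer:
    def __init__(self, zones: Dict[str, Answer], forwarders: List[Forwarder],
                 clock: Callable[[], float]) -> None:
        # Authoritative data, simplified to one answer per exact name.
        self.zones = {canonical(n): a for n, a in zones.items()}
        self.forwarders = forwarders
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (rdata, expires_at)

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (rdata, source); rdata is None when nothing could answer."""
        name = canonical(name)
        if name in self.zones:                       # own zones are answered first
            return self.zones[name][0], "authoritative"
        cached = self.cache.get(name)
        if cached is not None:
            rdata, expires_at = cached
            if expires_at > self.clock():
                return rdata, "cache"
            del self.cache[name]                     # TTL elapsed: data has expired
        for index, forwarder in enumerate(self.forwarders):   # then forwarders in turn
            try:
                answer = forwarder(name)
            except OSError:                          # unreachable forwarder: try the next
                continue
            if answer is not None:
                rdata, ttl = answer
                self.cache[name] = (rdata, self.clock() + ttl)
                return rdata, f"forwarder{index}"
        return None, "unresolved"                    # list exhausted


# Constructed forwarders: the first is unreachable, the second knows one name.
UPSTREAM_TABLE: Dict[str, Answer] = {"www.example.net.": ("192.0.2.10", 60)}


def unreachable_forwarder(name: str) -> Optional[Answer]:
    raise OSError("no route to forwarder")


def make_upstream(calls: List[str]) -> Forwarder:
    """Forwarder that records what it was asked, so cache hits can be observed."""
    def upstream(name: str) -> Optional[Answer]:
        calls.append(name)
        return UPSTREAM_TABLE.get(name)
    return upstream


def demo() -> List[Tuple[Optional[str], str]]:
    clock = FakeClock(1000.0)
    calls: List[str] = []
    server = ForwardingServer({"intranet.example.org.": ("10.0.0.5", 3600)},
                              [unreachable_forwarder, make_upstream(calls)], clock)
    results = [server.resolve("intranet.example.org"),   # own zone
               server.resolve("www.example.net"),        # forwarded, then cached
               server.resolve("www.example.net")]        # served from cache
    clock.advance(61)                                     # past the 60 s TTL
    results.append(server.resolve("www.example.net"))    # forwarded again
    results.append(server.resolve("nothing.example.net"))  # nobody answers
    return results


if __name__ == "__main__":
    for rdata, source in demo():
        print(f"{source:14} {rdata}")
```

<P>Two details match the text: the server with its own zones still answers those locally while forwarding everything else, and an unreachable forwarder simply moves the query on to the next one in the list. The cache expiry is strictly by TTL, so after 61 simulated seconds the same name is forwarded again.</P>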
<P>A <EM CLASS="Emphasis">stealth server</EM> is a server that answers authoritatively for a zone, but is not listed in that zone's NS records. Stealth servers can be used as a way to centralize distribution of a zone, without having to edit the zone on a remote nameserver. Where the master file for a zone resides on a stealth server in this way, it is often referred to as a "hidden primary" configuration. Stealth servers can also be a way to keep a local copy of a zone for rapid access to the zone's records, even if all "official" nameservers for the zone are inaccessible.</P>