<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;1.&nbsp;Introduction</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch01"></a>Chapter&nbsp;1.&nbsp;Introduction</h2></div></div></div>
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2534475">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2532574">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2534053">The Domain Name System (<span class="acronym">DNS</span>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2534108">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2537341">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2537514">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2537713">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
<p>
The Internet Domain Name System (<span class="acronym">DNS</span>)
consists of the syntax
to specify the names of entities in the Internet in a hierarchical
manner, the rules used for delegating authority over names, and the
system implementation that actually maps names to Internet
addresses. <span class="acronym">DNS</span> data is maintained in a
group of distributed
hierarchical databases.
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2533837"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<span class="acronym">BIND</span>) implements a
domain name server for a number of operating systems. This
document provides basic information about the installation and
care of the Internet Systems Consortium (<span class="acronym">ISC</span>)
<span class="acronym">BIND</span> version 9 software package for
system administrators.
</p>
<p>
This version of the manual corresponds to BIND version 9.4.
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2534475"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Section 1</em></span> introduces
the basic <span class="acronym">DNS</span> and <span class="acronym">BIND</span>
concepts. <span class="emphasis"><em>Section 2</em></span>
describes resource requirements for running <span class="acronym">BIND</span> in various
environments. Information in <span class="emphasis"><em>Section 3</em></span> is
<span class="emphasis"><em>task-oriented</em></span> in its presentation and is
organized functionally, to aid in the process of installing the
<span class="acronym">BIND</span> 9 software. The task-oriented
section is followed by
<span class="emphasis"><em>Section 4</em></span>, which contains more advanced
concepts that the system administrator may need for implementing
certain options. <span class="emphasis"><em>Section 5</em></span>
describes the <span class="acronym">BIND</span> 9 lightweight
resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
organized as in a reference manual to aid in the ongoing
maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
security considerations, and
<span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
main body of the document is followed by several
<span class="emphasis"><em>Appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>Bibliography</em></span> and
historic information related to <span class="acronym">BIND</span>.
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2532574"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
</p>
<div class="informaltable"><table border="1">
<tr>
<td><span class="emphasis"><em>To describe:</em></span></td>
<td><span class="emphasis"><em>We use the style:</em></span></td>
</tr>
<tr>
<td>a pathname, filename, URL, hostname,
mailing list name, or new term or concept</td>
<td><code class="filename">Fixed width</code></td>
</tr>
<tr>
<td></td>
<td><strong class="userinput"><code>Fixed Width Bold</code></strong></td>
</tr>
<tr>
<td></td>
<td><code class="computeroutput">Fixed Width</code></td>
</tr>
</table></div>
<p>
The following conventions are used in descriptions of the
<span class="acronym">BIND</span> configuration file:</p>
<div class="informaltable"><table border="1">
<tr>
<td><span class="emphasis"><em>To describe:</em></span></td>
<td><span class="emphasis"><em>We use the style:</em></span></td>
</tr>
<tr>
<td></td>
<td><code class="literal">Fixed Width</code></td>
</tr>
<tr>
<td></td>
<td><code class="varname">Fixed Width</code></td>
</tr>
<tr>
<td></td>
<td>[<span class="optional">Text is enclosed in square brackets</span>]</td>
</tr>
</table></div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2534053"></a>The Domain Name System (<span class="acronym">DNS</span>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <span class="acronym">BIND</span> software, and we
begin by reviewing the fundamentals of the Domain Name System
(<span class="acronym">DNS</span>) as they relate to <span class="acronym">BIND</span>.
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2534074"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
addresses and vice versa, mail routing information, and other data
used by Internet applications.
</p>
<p>
Clients look up information in the DNS by calling a
<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
The <span class="acronym">BIND</span> 9 software distribution contains a
name server, <span><strong class="command">named</strong></span>, and two resolver
libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2534108"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
name of a node is the concatenation of all the labels on the path from the
node to the <span class="emphasis"><em>root</em></span> node. This is represented
in written form as a string of labels listed from right to left and
separated by dots. A label need only be unique within its parent
domain.
</p>
<p>
For example, a domain name for a host at the
company <span class="emphasis"><em>Example, Inc.</em></span> could be
<code class="literal">ourhost.example.com</code>,
where <code class="literal">com</code> is the
top level domain to which
<code class="literal">ourhost.example.com</code> belongs,
<code class="literal">example</code> is
a subdomain of <code class="literal">com</code>, and
<code class="literal">ourhost</code> is the
name of the host.
</p>
<p>
For administrative purposes, the name space is partitioned into
areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
extending down to the leaf nodes or to nodes where other zones
start. The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
<span class="emphasis"><em>DNS protocol</em></span>.
</p>
<p>
The data associated with each domain name is stored in the
form of <span class="emphasis"><em>resource records</em></span> (<span class="acronym">RR</span>s).
Some of the supported resource record types are described in
<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
</p>
<p>
For more detailed information about the design of the DNS and
the DNS protocol, please refer to the standards documents listed in
<a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2534193"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
and a <span class="emphasis"><em>domain</em></span>.
</p>
<p>
As stated previously, a zone is a point of delegation in
the <span class="acronym">DNS</span> tree. A zone consists of
those contiguous parts of the domain
tree for which a name server has complete information and over which
it has authority. It contains all domain names from a certain point
downward in the domain tree except those which are delegated to
other zones. A delegation point is marked by one or more
<span class="emphasis"><em>NS records</em></span> in the
parent zone, which should be matched by equivalent NS records at
the root of the delegated zone.
</p>
<p>
A zone can map exactly to a single domain, but could also include only part of a
domain, the rest of which could be delegated to other
name servers. Every name in the <span class="acronym">DNS</span>
tree is a <span class="emphasis"><em>domain</em></span>, even if it is
<span class="emphasis"><em>terminal</em></span>, that is, has no
<span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
every domain except the root is also a subdomain. The terminology is
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
gain a complete understanding of this difficult and subtle topic.
</p>
<p>
Though <span class="acronym">BIND</span> is called a "domain name server",
it deals primarily in terms of zones. The master and slave
declarations in the <code class="filename">named.conf</code> file specify
zones, not domains. When you ask some other site if it is willing to
be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
actually asking for slave service for some collection of zones.
</p>
</div>
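<p>The zone-versus-domain distinction above is easy to get wrong in code. The following Python is an added example, not part of the ARM or of BIND: given a set of zone apexes, it finds the zone that serves a name by label-wise comparison rather than string suffix matching, so a name under a delegated child lands in the child zone and an unrelated name such as <code class="literal">notexample.com</code> is not mistaken for part of <code class="literal">example.com</code>. All zone and host names are constructed.</p>

```python
# Added example (not from the BIND ARM or the BIND sources): decide which
# zone serves a given domain name once some subdomains have been delegated.
# This is the zone/domain distinction from the text: host.aaa.example.com is
# inside the example.com *domain*, but if aaa.example.com has been delegated
# it is served by the aaa.example.com *zone*.  All names here are constructed.

from typing import Iterable, List, Optional


def labels(name: str) -> List[str]:
    """Split a domain name into labels, root side first (right to left)."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]


def is_subdomain(name: str, domain: str) -> bool:
    """True when `name` is at or below `domain` in the tree.

    Comparison is label by label, not by string suffix, so
    notexample.com is correctly *not* under example.com.  Every name is
    under the root ("") and every name is under itself.
    """
    n, d = labels(name), labels(domain)
    return n[: len(d)] == d


def closest_zone(name: str, zones: Iterable[str]) -> Optional[str]:
    """Return the zone whose apex is the deepest ancestor of `name`.

    A zone holds every name below its apex except those delegated to a
    child zone, so the matching apex with the most labels wins.  None
    means none of the known zones covers the name.
    """
    best: Optional[str] = None
    for zone in zones:
        if is_subdomain(name, zone):
            if best is None or len(labels(zone)) > len(labels(best)):
                best = zone
    return best


# Constructed zone set: example.com has delegated aaa and bbb to their own
# zones (NS records in example.com matched by NS records at each child apex).
ZONES = ["example.com", "aaa.example.com", "bbb.example.com"]


def classify(names: Iterable[str], zones: Iterable[str] = ZONES) -> dict:
    """Map each name to (is it in the example.com domain?, serving zone)."""
    zones = list(zones)
    return {n: (is_subdomain(n, "example.com"), closest_zone(n, zones))
            for n in names}


if __name__ == "__main__":
    sample = ["www.example.com", "host.aaa.example.com",
              "deep.x.bbb.example.com", "notexample.com", "example.org"]
    for name, (in_domain, zone) in classify(sample).items():
        print(f"{name:24} in example.com domain: {str(in_domain):5} "
              f"served by zone: {zone}")
```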
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2537341"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
which contains the complete data for the zone.
To make the DNS tolerant of server and network failures,
most zones have two or more authoritative servers, on
different networks.
</p>
<p>
Responses from authoritative servers have the "authoritative
answer" (AA) bit set in the response packets. This makes them
easy to identify when debugging DNS configurations using tools like
<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2537365"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
<span class="emphasis"><em>primary master</em></span> server, or simply the
<span class="emphasis"><em>primary</em></span>. Typically it loads the zone
contents from some local file edited by humans or perhaps
generated mechanically from some other local file which is
edited by humans. This file is called the
<span class="emphasis"><em>zone file</em></span> or
<span class="emphasis"><em>master file</em></span>.
</p>
<p>
In some cases, however, the master file may not be edited
by humans at all, but may instead be the result of
<span class="emphasis"><em>dynamic update</em></span> operations.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2537395"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers), load
the zone contents from another server using a replication process
known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data are
transferred directly from the primary master, but it is also possible
to transfer it from another slave. In other words, a slave server
may itself act as a master to a subordinate slave server.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2537484"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
The authoritative servers are also listed in the zone file itself,
at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
of the zone. You can list servers in the zone's top-level NS
records that are not in the parent's NS delegation, but you cannot
list servers in the parent's delegation that are not present at
the zone's top level.
</p>
<p>
A <span class="emphasis"><em>stealth server</em></span> is a server that is
authoritative for a zone but is not listed in that zone's NS
records. Stealth servers can be used for keeping a local copy of the
zone to speed up access to the zone's records or to make sure that the
zone is available even if all the "official" servers for the zone
are inaccessible.
</p>
<p>
A configuration where the primary master server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary
is behind a firewall and therefore unable to communicate directly
with the outside world.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2537514"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
capable of performing the full DNS resolution process by themselves by talking
directly to the authoritative servers. Instead, they rely on a local
name server to perform the resolution on their behalf. Such a server
is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
<span class="emphasis"><em>recursive lookups</em></span> for local clients.
</p>
<p>
To improve performance, recursive servers cache the results of
the lookups they perform. Since the processes of recursion and
caching are intimately connected, the terms
<span class="emphasis"><em>recursive server</em></span> and
<span class="emphasis"><em>caching server</em></span> are often used synonymously.
</p>
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2537686"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
that it cannot satisfy from its cache to another caching name
server, commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
</p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an
answer is found. Forwarders are typically used when you do not
wish all the servers at a given site to interact directly with
the Internet servers. A typical scenario would involve a number
of internal <span class="acronym">DNS</span> servers and an
Internet firewall. Servers unable
to pass packets through the firewall would forward to the server
that can do it, and that server would query the Internet <span class="acronym">DNS</span> servers
on the internal server's behalf.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2537713"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <span class="acronym">BIND</span> name server can simultaneously act as
a master for some zones, a slave for other zones, and as a caching
(recursive) server for a set of local clients.
</p>
<p>
However, since the functions of authoritative name service
and caching/recursive name service are logically separate, it is
often advantageous to run them on separate server machines.
A server that only provides authoritative name service
(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
recursion disabled, improving reliability and security.
A server that is not authoritative for any zones and only provides
recursive service to local
clients (a <span class="emphasis"><em>caching-only</em></span> server)
does not need to be reachable from the Internet at large and can
be placed inside a firewall.
</p>
</div>
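<p>The AA bit that identifies an authoritative answer, and the RA ("recursion available") bit that an authoritative-only server running with recursion disabled leaves clear, are both in the fixed DNS message header. The following Python is an added example, not part of the ARM or of BIND: it decodes that header from raw bytes (the same bits <span><strong class="command">dig</strong></span> prints on its <code class="computeroutput">flags:</code> line) and labels the role a responding server is advertising. The sample packets are constructed and contain only the header.</p>

```python
# Added example (not from the BIND ARM or the BIND sources): decode the
# 12-byte DNS message header and read the flags the chapter refers to, the
# AA ("authoritative answer") bit and the RA ("recursion available") bit.
# dig shows the same bits on its "flags:" line; decoding them from raw
# bytes lets the check run over captured packets.  Sample packets below are
# constructed, header only.

import struct

# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")


def decode_header(msg: bytes) -> dict:
    """Parse the fixed header at the start of a DNS message."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(msg: bytes) -> str:
    """Describe the role a responding server advertises through AA and RA.

    An authoritative-only server (recursion disabled) sets AA and leaves
    RA clear; a caching/recursive server sets RA.  Both set at once means
    one server is filling both roles, which the chapter suggests splitting
    onto separate machines.
    """
    h = decode_header(msg)
    if not h["qr"]:
        return "query, not a response"
    if h["aa"] and not h["ra"]:
        return "authoritative-only answer"
    if h["aa"] and h["ra"]:
        return "authoritative answer from a server that also offers recursion"
    if h["ra"]:
        return "non-authoritative (recursive/cached) answer"
    return "non-authoritative answer, recursion not available"


def make_header(ident: int, *, qr=True, aa=False, rd=False, ra=False,
                rcode=0, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Build a header for the samples; real input would come from a capture."""
    flags = (int(qr) << 15) | (int(aa) << 10) | (int(rd) << 8) | (int(ra) << 7) | rcode
    return HEADER.pack(ident, flags, qd, an, ns, ar)


# Constructed sample responses.
AUTH_ONLY = make_header(0x1234, aa=True)                      # flags 0x8400
RECURSIVE = make_header(0x1235, rd=True, ra=True)             # flags 0x8180
BOTH_ROLES = make_header(0x1236, aa=True, rd=True, ra=True)   # flags 0x8580

if __name__ == "__main__":
    for label, pkt in [("AUTH_ONLY", AUTH_ONLY), ("RECURSIVE", RECURSIVE),
                       ("BOTH_ROLES", BOTH_ROLES)]:
        flags = HEADER.unpack_from(pkt)[1]
        print(f"{label:10} flags=0x{flags:04x} -> {classify_response(pkt)}")
```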
</div>
</div>
</body>