Bv9ARM.ch01.html revision 9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdff
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - Copyright (C) 2000-2003 Internet Software Consortium.
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - Permission to use, copy, modify, and distribute this software for any
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - purpose with or without fee is hereby granted, provided that the above
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - copyright notice and this permission notice appear in all copies.
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce - PERFORMANCE OF THIS SOFTWARE.
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<!-- $Id: Bv9ARM.ch01.html,v 1.45 2009/02/26 01:12:16 tbox Exp $ -->
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<link rel="next" href="Bv9ARM.ch02.html" title="Chapter�2.�BIND Resource Requirements">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<tr><th colspan="3" align="center">Chapter�1.�Introduction</th></tr>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<a accesskey="p" href="Bv9ARM.html">Prev</a>�</td>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<div class="titlepage"><div><div><h2 class="title">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<a name="Bv9ARM.ch01"></a>Chapter�1.�Introduction</h2></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce consists of the syntax
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce to specify the names of entities in the Internet in a hierarchical
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce manner, the rules used for delegating authority over names, and the
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce system implementation that actually maps names to Internet
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce group of distributed
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce hierarchical databases.
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce<a name="id2563409"></a>Scope of Document</h2></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The Berkeley Internet Name Domain
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce (<acronym class="acronym">BIND</acronym>) implements a
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce domain name server for a number of operating systems. This
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce document provides basic information about the installation and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <acronym class="acronym">BIND</acronym> version 9 software package for
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce system administrators.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce This version of the manual corresponds to BIND version 9.6.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce organized functionally, to aid in the process of installing the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce section is followed by
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce concepts that the system administrator may need for implementing
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce certain options. <span class="emphasis"><em>Chapter 5</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce describes the <acronym class="acronym">BIND</acronym> 9 lightweight
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce resolver. The contents of <span class="emphasis"><em>Chapter 6</em></span> are
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce organized as in a reference manual to aid in the ongoing
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce security considerations, and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce main body of the document is followed by several
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce <span class="emphasis"><em>appendices</em></span> which contain useful reference
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce information, such as a <span class="emphasis"><em>bibliography</em></span> and
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce historic information related to <acronym class="acronym">BIND</acronym>
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce and the Domain Name
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<a name="id2564528"></a>Conventions Used in This Document</h2></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce In this document, we use the following general typographic
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce conventions:
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>To describe:</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>We use the style:</em></span>
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce a pathname, filename, URL, hostname,
8437e782fdf97945e9e0c2a793ffaf49abc2c0caSimo Sorce mailing list name, or new term or concept
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce literal user
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <strong class="userinput"><code>Fixed Width Bold</code></strong>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce program output
da4c23b6670adb45f71cf51aaeca8df30c2144beSimo Sorce The following conventions are used in descriptions of the
da4c23b6670adb45f71cf51aaeca8df30c2144beSimo Sorce <acronym class="acronym">BIND</acronym> configuration file:</p>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>To describe:</em></span>
da4c23b6670adb45f71cf51aaeca8df30c2144beSimo Sorce <span class="emphasis"><em>We use the style:</em></span>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce Optional input
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce [<span class="optional">Text is enclosed in square brackets</span>]
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<a name="id2564641"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce The purpose of this document is to explain the installation
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce Name Domain) software package, and we
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce begin by reviewing the fundamentals of the Domain Name System
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<div class="titlepage"><div><div><h3 class="title">
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<a name="id2564662"></a>DNS Fundamentals</h3></div></div></div>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce The Domain Name System (DNS) is a hierarchical, distributed
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce database. It stores information for mapping Internet host names to
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce addresses and vice versa, mail routing information, and other data
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce used by Internet applications.
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce Clients look up information in the DNS by calling a
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The <acronym class="acronym">BIND</acronym> 9 software distribution
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce name server, <span><strong class="command">named</strong></span>, and a resolver
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce library, <span><strong class="command">liblwres</strong></span>. The older
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <span><strong class="command">libbind</strong></span> resolver library is also available
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce from ISC as a separate download.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h3 class="title">
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<a name="id2564696"></a>Domains and Domain Names</h3></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce organizational or administrative boundaries. Each node of the tree,
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce node is the concatenation of all the labels on the path from the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce node to the <span class="emphasis"><em>root</em></span> node. This is represented
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce in written form as a string of labels listed from right to left and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce separated by dots. A label need only be unique within its parent
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce For example, a domain name for a host at the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce company <span class="emphasis"><em>Example, Inc.</em></span> could be
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <code class="literal">ourhost.example.com</code>,
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce top level domain to which
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <code class="literal">ourhost.example.com</code> belongs,
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce a subdomain of <code class="literal">com</code>, and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce name of the host.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce For administrative purposes, the name space is partitioned into
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce extending down to the leaf nodes or to nodes where other zones
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>DNS protocol</em></span>.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The data associated with each domain name is stored in the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce Some of the supported resource record types are described in
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce For more detailed information about the design of the DNS and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce the DNS protocol, please refer to the standards documents listed in
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h3 class="title">
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<a name="id2567170"></a>Zones</h3></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce To properly operate a name server, it is important to understand
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce the difference between a <span class="emphasis"><em>zone</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce and a <span class="emphasis"><em>domain</em></span>.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce As stated previously, a zone is a point of delegation in
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce the <acronym class="acronym">DNS</acronym> tree. A zone consists of
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce those contiguous parts of the domain
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce tree for which a name server has complete information and over which
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce it has authority. It contains all domain names from a certain point
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce downward in the domain tree except those which are delegated to
da4c23b6670adb45f71cf51aaeca8df30c2144beSimo Sorce other zones. A delegation point is marked by one or more
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <span class="emphasis"><em>NS records</em></span> in the
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce parent zone, which should be matched by equivalent NS records at
da4c23b6670adb45f71cf51aaeca8df30c2144beSimo Sorce the root of the delegated zone.
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce For instance, consider the <code class="literal">example.com</code>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce domain which includes names
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce such as <code class="literal">host.aaa.example.com</code> and
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <code class="literal">host.bbb.example.com</code> even though
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce the <code class="literal">example.com</code> zone includes
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce only delegations for the <code class="literal">aaa.example.com</code> and
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <code class="literal">bbb.example.com</code> zones. A zone can
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce exactly to a single domain, but could also include only part of a
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce domain, the rest of which could be delegated to other
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce name servers. Every name in the <acronym class="acronym">DNS</acronym>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <span class="emphasis"><em>domain</em></span>, even if it is
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce <span class="emphasis"><em>terminal</em></span>, that is, has no
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce every domain except the root is also a subdomain. The terminology is
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce gain a complete understanding of this difficult and subtle
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce Though <acronym class="acronym">BIND</acronym> is called a "domain name
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce it deals primarily in terms of zones. The master and slave
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce declarations in the <code class="filename">named.conf</code> file
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce zones, not domains. When you ask some other site if it is willing to
13df7b9e400211c717284fb841c849ba034ed348Michal Zidek be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce actually asking for slave service for some collection of zones.
13df7b9e400211c717284fb841c849ba034ed348Michal Zidek<div class="titlepage"><div><div><h3 class="title">
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek<a name="id2567246"></a>Authoritative Name Servers</h3></div></div></div>
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek Each zone is served by at least
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek one <span class="emphasis"><em>authoritative name server</em></span>,
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek which contains the complete data for the zone.
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek To make the DNS tolerant of server and network failures,
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce most zones have two or more authoritative servers, on
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce different networks.
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek Responses from authoritative servers have the "authoritative
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek answer" (AA) bit set in the response packets. This makes them
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek easy to identify when debugging DNS configurations using tools like
9028706a00da1bc48547e74aa872c825ac15adb2Michal Zidek <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h4 class="title">
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<a name="id2567270"></a>The Primary Master</h4></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The authoritative server where the master copy of the zone
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce data is maintained is called the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>primary master</em></span> server, or simply the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>primary</em></span>. Typically it loads the zone
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce contents from some local file edited by humans or perhaps
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce generated mechanically from some other local file which is
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce edited by humans. This file is called the
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>zone file</em></span> or
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce <span class="emphasis"><em>master file</em></span>.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce In some cases, however, the master file may not be edited
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce by humans at all, but may instead be the result of
0e6c9d03cacf24de4265ee0f902c216ba5a131c9Simo Sorce <span class="emphasis"><em>dynamic update</em></span> operations.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h4 class="title">
0e6c9d03cacf24de4265ee0f902c216ba5a131c9Simo Sorce<a name="id2567300"></a>Slave Servers</h4></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce the zone contents from another server using a replication process
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce transferred directly from the primary master, but it is also
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce to transfer it from another slave. In other words, a slave server
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce may itself act as a master to a subordinate slave server.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<div class="titlepage"><div><div><h4 class="title">
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<a name="id2567389"></a>Stealth Servers</h4></div></div></div>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce Usually all of the zone's authoritative servers are listed in
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce NS records in the parent zone. These NS records constitute
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce The authoritative servers are also listed in the zone file itself,
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce of the zone. You can list servers in the zone's top-level NS
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce records that are not in the parent's NS delegation, but you cannot
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce list servers in the parent's delegation that are not present at
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce the zone's top level.
0e6c9d03cacf24de4265ee0f902c216ba5a131c9Simo Sorce A <span class="emphasis"><em>stealth server</em></span> is a server that is
0e6c9d03cacf24de4265ee0f902c216ba5a131c9Simo Sorce authoritative for a zone but is not listed in that zone's NS
0e6c9d03cacf24de4265ee0f902c216ba5a131c9Simo Sorce records. Stealth servers can be used for keeping a local copy of
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce zone to speed up access to the zone's records or to make sure that
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce zone is available even if all the "official" servers for the zone
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce inaccessible.
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce A configuration where the primary master server itself is a
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce stealth server is often referred to as a "hidden primary"
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce configuration. One use for this configuration is when the primary
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce is behind a firewall and therefore unable to communicate directly
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce with the outside world.
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<div class="titlepage"><div><div><h3 class="title">
24451a6231ea0b7fd0e98a9931e8254aa17bf4cfSimo Sorce<a name="id2567419"></a>Caching Name Servers</h3></div></div></div>
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce The resolver libraries provided by most operating systems are
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce performing the full DNS resolution process by themselves by talking
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce directly to the authoritative servers. Instead, they rely on a
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce name server to perform the resolution on their behalf. Such a
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce <span class="emphasis"><em>recursive lookups</em></span> for local clients.
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce To improve performance, recursive servers cache the results of
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce the lookups they perform. Since the processes of recursion and
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce caching are intimately connected, the terms
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce <span class="emphasis"><em>recursive server</em></span> and
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce <span class="emphasis"><em>caching server</em></span> are often used synonymously.
b294d4c50ec4431bc07ad7ec5a73e8af0e53c54fSimo Sorce The length of time for which a record may be retained in
eb2e21b764d03544d8161e9956d7f70b07b75f77Simo Sorce the cache of a caching name server is controlled by the
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce Time To Live (TTL) field associated with each resource record.
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce<div class="titlepage"><div><div><h4 class="title">
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce<a name="id2567523"></a>Forwarding</h4></div></div></div>
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce Even a caching name server does not necessarily perform
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce the complete recursive lookup itself. Instead, it can
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce <span class="emphasis"><em>forward</em></span> some or all of the queries
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce that it cannot satisfy from its cache to another caching name
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce There may be one or more forwarders,
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce and they are queried in turn until the list is exhausted or an
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce is found. Forwarders are typically used when you do not
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce wish all the servers at a given site to interact directly with the
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce the Internet servers. A typical scenario would involve a number
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce of internal <acronym class="acronym">DNS</acronym> servers and an
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce Internet firewall. Servers unable
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce to pass packets through the firewall would forward to the server
8088274b2389b76f4be581736e55f26a8322fad1Simo Sorce that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce on the internal server's behalf.
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce<div class="titlepage"><div><div><h3 class="title">
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce<a name="id2567549"></a>Name Servers in Multiple Roles</h3></div></div></div>
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce The <acronym class="acronym">BIND</acronym> name server can
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce simultaneously act as
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce a master for some zones, a slave for other zones, and as a caching
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce (recursive) server for a set of local clients.
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce However, since the functions of authoritative name service
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce and caching/recursive name service are logically separate, it is
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce often advantageous to run them on separate server machines.
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce A server that only provides authoritative name service
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce recursion disabled, improving reliability and security.
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce A server that is not authoritative for any zones and only provides
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce recursive service to local
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce clients (a <span class="emphasis"><em>caching-only</em></span> server)
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce does not need to be reachable from the Internet at large and can
270fcd0ad214d490b6b8e278cdbafda1fb7f9d8fSimo Sorce be placed inside a firewall.
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce<a accesskey="p" href="Bv9ARM.html">Prev</a>�</td>
6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01Simo Sorce<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual�</td>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
6acf7c92ab38ad388295b2d57cc97c4598aa95ccSimo Sorce<td width="40%" align="right" valign="top">�Chapter�2.�<acronym class="acronym">BIND</acronym> Resource Requirements</td>